From: Fraser Tweedale via FreeIPA-users <freeipa-
On Mon, Jan 30, 2023 at 11:27:47AM +0000, Schrock, Chad - 0336 - MITLL via
FreeIPA-users wrote:
> I remember a discussion on here about converting an IdM root CA into
> an intermediate CA, but for the life of me I can't find the discussion
> or any related documentation. (Was I hallucinating?)
> * Is what I'm talking about even possible?
> * If it is possible, is there some documentation somewhere where I can
> read up on the process and potential risks?
> * If it isn't possible, short of creating a new domain[1] and moving
> all of the clients to it, what might work here?
>
It is possible and supported. See docs:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renew-with-externally-signed-CA_ipa-ca-renewal
See also ipa-cacert-manage man page. Command is:
ipa-cacert-manage renew --external-ca
But you may need extra args if the external issuer is AD-CS.

Hi Fraser,

Thank you so much for your reply; that's exactly what I needed and somehow
completely missed.
Thank you again,
Chad
--
Chad Schrock, he/him
Supporting MIT Lincoln Laboratory, Lexington, MA
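
For the renewal Fraser points to, the following is an added example of a wrapper script around ipa-cacert-manage; it is not code from this thread or from FreeIPA itself. It assumes what ipa-cacert-manage(1) and the RHEL docs describe: `renew --external-ca` writes the CSR to /var/lib/ipa/ca.csr, the signed certificate and the issuer chain go back in with `--external-cert-file` (given once per file), and an AD CS issuer takes `--external-ca-type=ms-cs` plus, usually, `--external-ca-profile=<template>`. The template name IpaSubCA, the DRY_RUN and CA_CSR variables and all function names are this script's own. The check it adds before the install step is the one a practitioner wants: the certificate handed back must carry the CSR's subject and public key (ipa-cacert-manage reuses the existing CA key) and must build a chain to the issuer certificates about to be installed, so a wrong or re-keyed answer from the external CA is rejected before it touches the IdM CA.

```shell
#!/bin/bash
# Added example for the "renew the IdM CA as externally signed" procedure
# in ipa-cacert-manage(1).  Not FreeIPA's own code.  Assumed from the docs:
#   1. ipa-cacert-manage renew --external-ca [--external-ca-type=ms-cs
#      [--external-ca-profile=TEMPLATE]]   -> CSR in /var/lib/ipa/ca.csr
#   2. submit that CSR to the external CA, get back our cert + issuer chain
#   3. ipa-cacert-manage renew --external-cert-file=CERT --external-cert-file=CHAIN
#   4. ipa-certupdate on every IdM server and client
# DRY_RUN, CA_CSR and the function names below are this script's own.
set -u

CA_CSR="${CA_CSR:-/var/lib/ipa/ca.csr}"   # path ipa-cacert-manage writes the CSR to

# Run a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Step 1 command line for a generic external CA or for AD CS ("ms-cs").
# The profile (certificate template) must not contain whitespace.
build_renew_cmd() {
    local ca_type="$1" profile="${2:-}"
    local cmd="ipa-cacert-manage renew --external-ca"
    case "$ca_type" in
        generic) ;;
        ms-cs)
            cmd="$cmd --external-ca-type=ms-cs"
            if [ -n "$profile" ]; then
                cmd="$cmd --external-ca-profile=$profile"
            fi
            ;;
        *) echo "unknown external CA type: $ca_type" >&2; return 2 ;;
    esac
    printf '%s\n' "$cmd"
}

# Pre-install check: CERT must be for *our* CSR (same subject, same public
# key) and must verify against the issuer chain CHAIN we are about to install.
verify_external_cert() {
    local csr="$1" cert="$2" chain="$3"
    local csr_subj cert_subj csr_key cert_key result
    csr_subj=$(openssl req -in "$csr" -noout -subject) || return 1
    cert_subj=$(openssl x509 -in "$cert" -noout -subject) || return 1
    if [ "$csr_subj" != "$cert_subj" ]; then
        echo "subject mismatch: '$csr_subj' vs '$cert_subj'" >&2
        return 1
    fi
    # Compare SubjectPublicKeyInfo digests, not key files: the CSR's key is
    # the running CA key, which the signed certificate must carry unchanged.
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256) || return 1
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256) || return 1
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key mismatch: certificate was not issued for this CSR" >&2
        return 1
    fi
    # Check the output text rather than only the exit status: old openssl
    # releases exit 0 from 'verify' even when no chain can be built.
    result=$(openssl verify -CAfile "$chain" "$cert" 2>&1)
    case "$result" in
        *": OK"*) return 0 ;;
        *) echo "certificate does not chain to the supplied issuers:" >&2
           echo "$result" >&2
           return 1 ;;
    esac
}

# Step 3, after the external CA has answered: refuse to install anything
# that fails the check above, then remind about step 4.
install_external_cert() {
    local cert="$1" chain="$2"
    verify_external_cert "$CA_CSR" "$cert" "$chain" || return 1
    run ipa-cacert-manage renew --external-cert-file="$cert" --external-cert-file="$chain" || return 1
    echo "now run 'ipa-certupdate' on every IdM server and client" >&2
}

# Usage on the renewal master, e.g. for an AD CS issuer:
#   eval "$(build_renew_cmd ms-cs IpaSubCA)"       # step 1, then hand over /var/lib/ipa/ca.csr
#   install_external_cert /root/ipa-ca.pem /root/adcs-chain.pem   # step 3 (+ reminder for step 4)
```

Keep the chain file to the external CA's certificate(s) only (the issuing CA and, if it is not self-signed, whatever sits above it); the script verifies against exactly that file, so if the check passes, the same chain is what gets installed. Step 4 is not optional: until ipa-certupdate has run on a host, that host still holds the old self-signed trust anchor.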