Thank you! 

> You'll need to delete the blobs out of LDAP using ldapmodify or ldapdelete.

But those certs are located not only in LDAP, am I correct? Wouldn't I break the consistency of the IPA if I ldapdelete them?

On Mon, Oct 15, 2018 at 4:52 PM Rob Crittenden <rcritten@redhat.com> wrote:
Andrey Bondarenko via FreeIPA-users wrote:
> Hello,
>
> after some tests with Letsencrypt on my test env DEVDOMAN.COM
> I have something like this:
>  ipa-replica-install  --mkhomedir   --setup-ca  --setup-dns --auto-forwarders -p password
>
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=DEVDOMAIN.COM
>     Issuer:      CN=Certificate Authority,O=DEVDOMAIN.COM
>     Valid From:  2018-09-27 12:48:51
>     Valid Until: 2038-09-27 12:48:51
>
>     Subject:     CN=DST Root CA X3,O=Digital Signature Trust Co.
>     Issuer:      CN=DST Root CA X3,O=Digital Signature Trust Co.
>     Valid From:  2000-09-30 21:12:19
>     Valid Until: 2021-09-30 14:01:15
>
>     Subject:     CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
>     Issuer:      CN=DST Root CA X3,O=Digital Signature Trust Co.
>     Valid From:  2016-03-17 16:40:46
>     Valid Until: 2021-03-17 16:40:46
>
> (2) and (3)  should be deleted.

Ok, unfortunately there is no remove option in cacert-manage :-( (there
is an RFE for it).

You'll need to delete the blobs out of LDAP using ldapmodify or ldapdelete.

You will find them in cn=certificates,cn=ipa,cn=etc,dc=example,dc=com

rob

>
>
> On Fri, Oct 12, 2018 at 9:49 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Andrey Bondarenko via FreeIPA-users wrote:
>     > Hello,
>     >
>     > If anyone can point me in the right direction how to remove CA's certs I
>     > don't need from the freeipa safely?
>
>     Remove from where? How were they added?
>
>     rob
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>



--

With best regards,
Andrey Bondarenko
mail:me@andreybondarenko.com
https://andreybondarenko.com
skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443

7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
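
Added example, not part of the thread or of FreeIPA's own tooling: one way to pick out the entries in the container Rob names and review them before running `ldapdelete`. It assumes each entry carries the certificate's nickname in `cn`; the sample LDIF, the file names and the `select_dns` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. BASE is the container DN Rob gave;
# the sample LDIF below is constructed for illustration.
BASE='cn=certificates,cn=ipa,cn=etc,dc=example,dc=com'

# On an IPA server (bind/connection options are site-specific, omitted here):
#   ldapsearch -LLL -o ldif-wrap=no -b "$BASE" -s one cn > ca-entries.ldif
#   select_dns 'DST Root CA X3' < ca-entries.ldif > to-delete.txt
#   cat to-delete.txt               # review before deleting anything
#   ldapdelete -f to-delete.txt     # reads one DN per line

# select_dns PATTERN < LDIF: print the DN of each entry whose cn contains
# PATTERN (case-insensitive). Folded lines are unfolded; base64-encoded
# values (dn:: / cn::) are not decoded and therefore never match.
select_dns() {
    [ -n "$1" ] || { echo "select_dns: empty pattern" >&2; return 2; }
    awk -v pat="$1" '
        function emit() { if (hit && dn != "") print dn; dn = ""; hit = 0 }
        function handle(l) {
            if (l == "") { emit(); return }
            if (l ~ /^dn: /) { dn = substr(l, 5); return }
            if (l ~ /^cn: / && index(tolower(substr(l, 5)), pat)) hit = 1
        }
        BEGIN { pat = tolower(pat) }
        /^ / { line = line substr($0, 2); next }   # continuation line
        { handle(line); line = $0 }
        END { handle(line); emit() }
    '
}

# Constructed ldapsearch output: the IPA CA plus the two unwanted CAs.
sample_ldif() {
    cat <<'EOF'
dn: cn=DEVDOMAIN.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: DEVDOMAIN.COM IPA CA

dn: cn=CN\3DDST Root CA X3\2CO\3DDigital Signature Trust Co.,cn=certificates,
 cn=ipa,cn=etc,dc=example,dc=com
cn: CN=DST Root CA X3,O=Digital Signature Trust Co.

dn: cn=CN\3DLet's Encrypt Authority X3\2CO\3DLet's Encrypt\2CC\3DUS,cn=certif
 icates,cn=ipa,cn=etc,dc=example,dc=com
cn: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
EOF
}

# Demo on the constructed sample: prints only the DST Root CA X3 entry DN.
sample_ldif | select_dns 'DST Root CA X3'
```

Writing the selected DNs to a file and passing it to `ldapdelete -f` avoids shell-quoting DNs that contain apostrophes or escaped characters.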