Dear Stephan,


thanks for your reply.


We are facing a similar issue (on Cloudera CDH) and I wanted to ask you how you removed the expired X3 CA and cross-signed X1 with `ipa-cacert-manage` (using the force flag). I do not see a force flag in my v. (4.6.4) of the command...


thanks for your help,
Gr