On Fri, 2023-04-14 at 17:54 +0000, Shawn Asmussen via FreeIPA-users wrote:
Our organization has a large number of existing certificates that we want to make modifications to the options for. Specifically, we have certificates used by a couple of different services, that we want to add in a service restart when the certificate auto-renews, and we also have a lot of certificates that were created before we knew about the options like -O/-M/etc... where we manually set file permissions on the certs after creation. I know how to do these things on a new cert request, using the various options, but I'd like to update these options on certificates that are already being tracked. The only way I've managed to do it so far is by using ipa-getcert resubmit, with the options that I want changed. However, this method results in the entire certificate being regenerated on the spot. If we had a small number of certs that we wanted to update, this wouldn't be a huge problem, but we have several different certs on a few thousand production systems that we want to update this way, and I'd prefer not to send 10,000 cert renewals up to the master server, and that would also end up making all of those thousands of certs auto-renew at roughly the same time every year, which we consider to be undesirable. I assume that manual edits of the files in /var/lib/certmonger/requests is not the proper way to handle this, but what IS the correct way to make such modifications after the initial ipa-getcert request that created the certs originally?
You can update the properties of an existing tracking request with 'getcert start-tracking'. Use -i to identify the request and then add any -M, -O, etc. options and the original request will be modified to add/change those options.
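Putting the reply into practice across many hosts, here is an added example script (not from the thread or from certmonger itself) that reads `getcert list` output, pulls out the request IDs, and builds one `getcert start-tracking -i ID ...` command per request so the owner, mode and post-save command of each tracked certificate are changed in place without resubmitting anything to the CA. The target values (owner root, mode 0644, a `systemctl restart httpd` post-save command) and the sample listing are assumptions made up for illustration; the only format the script relies on is the `Request ID '<id>':` line that `getcert list` prints for each request.

```shell
#!/bin/sh
# Bulk-update certmonger tracking options in place (added example, not the
# thread's or certmonger's own code). Assumes `getcert list` labels every
# request with a line of the form "Request ID '<id>':" and that the options
# to change are the cert-file owner (-O), cert-file mode (-M) and the
# post-save command (-C). Adjust the three values below per service.
set -eu

CERT_OWNER="root"                        # assumed target owner
CERT_MODE="0644"                         # assumed target mode
POST_SAVE_CMD="systemctl restart httpd"  # assumed restart hook (runs as root)

# Read `getcert list` output on stdin, print one request ID per line.
extract_request_ids() {
    sed -n "s/^Request ID '\([^']*\)':.*$/\1/p"
}

# Build the command that modifies an existing request (-i) instead of
# resubmitting it: no renewal is triggered and the expiry date is untouched.
build_update_cmd() {
    printf "getcert start-tracking -i '%s' -O '%s' -M '%s' -C '%s'\n" \
        "$1" "$CERT_OWNER" "$CERT_MODE" "$POST_SAVE_CMD"
}

# Dry run: emit the planned commands without executing them.
plan_updates() {
    extract_request_ids | while IFS= read -r id; do
        build_update_cmd "$id"
    done
}

# Apply: execute the planned commands against the live certmonger daemon.
apply_updates() {
    plan_updates | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# Constructed sample of `getcert list` output, used only for the dry run below.
SAMPLE_LIST="Number of certificates and requests being tracked: 2.
Request ID '20230301000001':
    status: MONITORING
    certificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
    post-save command:
    track: yes
Request ID 'ldap-cert':
    status: MONITORING
    certificate: type=FILE,location='/etc/dirsrv/slapd-EXAMPLE/Server-Cert.crt'
    track: yes"

# Show what would be run for the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | plan_updates
```

On a real host, source the file and review the plan with `getcert list | plan_updates` before running `getcert list | apply_updates`; afterwards `getcert list -i <id>` should show the new owner, mode and post-save command while the expiry date is unchanged. Because certmonger executes the post-save command with its own (root) privileges, keep that command a fixed, fully specified invocation rather than anything built from untrusted input.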