Philipp Leusmann via FreeIPA-users wrote:
Hi,
I have just renewed FreeIPA's externally signed CA certificate using 'ipa-cacert-manage renew --external-ca'. Given that the new CSR contains the same key elements as the previous one, I already had to ignore the duplicate while signing. Maybe that's the cause of the issues that followed?
After renewing, I now have both the new and the old CA certificate in /etc/ipa/ca.crt and also in exported certificate chains, which, for example, nginx cannot handle properly.
- Did I do anything wrong during renewal?
- How can I remove the previous CA cert?
You didn't do anything wrong. It's common to retain the existing CA cert particularly if it is not yet expired.
There is no tool to remove it currently, but you can remove it over LDAP. You'll need to be very careful to remove the right one. I haven't tried to duplicate this, so I don't have precise instructions.
I'd start by looking in cn=certificates,cn=ipa,cn=etc,dc=example,dc=test.
These are the sources used by ipa-certupdate to push out changes.
rob
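As an added illustration of the "be very careful to remove the right one" advice above (this is not part of the thread and not a FreeIPA tool), the script below enumerates the entries under cn=certificates,cn=ipa,cn=etc,$SUFFIX, decodes each stored certificate to show its DN, serial number, expiry and subject, and then flags as superseded only an entry whose subject is shared with a later-expiring entry, so an unrelated CA (an external root, for instance) is never selected. It prints the ldapdelete command rather than running it. Assumptions: openldap-clients and openssl are installed, you hold an admin Kerberos ticket (GSSAPI bind), the entries carry objectClass ipaCertificate with the certificate in cACertificate;binary, and SUFFIX is set to your base DN.

```shell
#!/bin/sh
# Added example (not FreeIPA code): inspect the CA certificate entries that
# ipa-certupdate reads from LDAP and identify a superseded copy of the same CA.
set -eu

SUFFIX="${SUFFIX:-dc=example,dc=test}"            # assumption: your base DN
BASE="cn=certificates,cn=ipa,cn=etc,$SUFFIX"

# One line per entry: <dn> TAB <serial> TAB <notAfter as epoch> TAB <subject>.
# Attribute/objectClass names are assumptions; adjust if your tree differs.
list_ca_entries() {
    dn=
    ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -Q -b "$BASE" \
        '(objectClass=ipaCertificate)' 'cACertificate;binary' |
    while IFS= read -r line; do
        case "$line" in
            dn:\ *) dn=${line#dn: } ;;
            cACertificate\;binary::\ *)
                b64=${line#*:: }
                info=$(printf '%s' "$b64" | base64 -d |
                       openssl x509 -inform DER -noout -serial -enddate -subject)
                serial=$(printf '%s\n' "$info" | sed -n 's/^serial=//p')
                enddate=$(printf '%s\n' "$info" | sed -n 's/^notAfter=//p')
                subject=$(printf '%s\n' "$info" | sed -n 's/^subject=//p')
                epoch=$(date -d "$enddate" +%s)     # GNU date
                printf '%s\t%s\t%s\t%s\n' "$dn" "$serial" "$epoch" "$subject"
                ;;
        esac
    done
}

# From the listing on stdin, print "<dn> TAB <serial>" for every entry whose
# subject also appears on a later-expiring entry. An entry with a unique
# subject is a different CA and is never a removal candidate.
select_superseded() {
    awk -F'\t' '
        { dn[NR] = $1; ser[NR] = $2; na[NR] = $3; subj[NR] = $4
          if (!($4 in max) || $3 + 0 > max[$4] + 0) max[$4] = $3 }
        END { for (i = 1; i <= NR; i++)
                  if (na[i] + 0 < max[subj[i]] + 0) print dn[i] "\t" ser[i] }'
}

# Print, without executing, the ldapdelete for each selected entry. Compare the
# serial against the certificate the renewed CA actually presents before running.
show_delete_command() {
    while IFS="$(printf '\t')" read -r dn serial; do
        printf '# serial %s\nldapdelete -Y GSSAPI -Q "%s"\n' "$serial" "$dn"
    done
}

case "${1:-}" in
    list)  list_ca_entries ;;
    check) list_ca_entries | select_superseded | show_delete_command ;;
esac
```

Run `sh ca-entries.sh list` first and read every line; `check` then prints the delete command for the older same-subject entry only. After removing the entry, run ipa-certupdate on each server and client so /etc/ipa/ca.crt and the other exported chains are regenerated from the corrected LDAP source.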