On Thu, 25 May 2017, Fraser Tweedale wrote:
> This is not correct. The CA cert must be valid for the leaf cert to
> be valid, but the CA cert *can* be renewed without requiring leaf
> certificates to be reissued. So long as the following conditions
> are met, everything will be fine:
> 1. The CA's key (and Subject Key Identifier) do not change
> 2. The CA's Subject DN does not change
> 3. The new CA certificate gets distributed to clients.
Huh? The CA cert's validity wasn't in question -- it was still valid, and
was used to issue a slew of new certificates, all of which expire in two
weeks, at expiration of the original CA cert. It has since been renewed,
but that doesn't change the state of any of the leaf certs issued in the
interim. Also not sure what the list of conditions has to do with
anything, when it's up to "ipa-cacert-manage renew" to get those right.
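The three renewal conditions in the quoted message (same key and SKI, same Subject DN, new CA cert distributed) can be exercised end to end with nothing but the openssl CLI. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from ipa-cacert-manage, and every DN, hostname and file name in it is made up. It issues a leaf under a deliberately short-lived CA cert, "renews" the CA cert the right way (same key, same DN, longer validity) and the wrong way (same DN, fresh key), and checks which CA cert the leaf still chains to.

```sh
#!/bin/sh
# Added example (not from the thread or FreeIPA): renew a CA certificate in
# place with the same key and Subject DN, then check that a leaf issued under
# the old CA cert still chains to the new one. All DNs, hostnames and file
# names below are constructed for this demonstration.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

CA_SUBJ="/O=Example Corp/CN=Example Corp CA"   # constructed CA Subject DN

# Extension profiles. The leaf's authorityKeyIdentifier is keyid only: an
# AKI that also pins the issuer name + serial would stop matching a renewed
# CA cert, whose serial number differs even though key and DN do not.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:ipa.example.test
EOF

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Self-signed CA cert from a given key; the Subject DN is always CA_SUBJ.
issue_ca_cert() {  # args: key days outfile
    openssl req -new -x509 -key "$1" -subj "$CA_SUBJ" -days "$2" \
        -config pki.cnf -extensions v3_ca -out "$3" 2>/dev/null
}

# 1. Original CA cert, deliberately short-lived, and a leaf issued under it.
newkey ca.key
issue_ca_cert ca.key 30 ca-old.pem
newkey leaf.key
openssl req -new -key leaf.key -subj "/CN=ipa.example.test" -config pki.cnf -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca-old.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# 2. Renewal done right: same key (so same SKI), same Subject DN, new validity.
issue_ca_cert ca.key 3650 ca-new.pem

# 3. Renewal done wrong: same Subject DN but a fresh key, hence a new SKI.
newkey ca-rekeyed.key
issue_ca_cert ca-rekeyed.key 3650 ca-rekeyed.pem

leaf_verifies_against() {  # arg: CA cert file -> exit 0 if leaf.pem chains to it
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}
ski_of() {  # arg: cert file -> hex Subject Key Identifier
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n 1 | tr -d ' '
}
subject_of() { openssl x509 -in "$1" -noout -subject; }

for ca in ca-old.pem ca-new.pem ca-rekeyed.pem; do
    if leaf_verifies_against "$ca"; then r=OK; else r=FAIL; fi
    printf '%-15s SKI=%s  leaf verifies: %s\n' "$ca" "$(ski_of "$ca")" "$r"
done
```

ca-old.pem and ca-new.pem print the same SKI and the leaf verifies against both; ca-rekeyed.pem prints a different SKI and the leaf fails, which is condition 1 failing in isolation. Condition 3 is the part no script can check for you: the clients that pin or ship the CA cert must receive ca-new.pem before ca-old.pem expires. Note also that plain openssl happily issued a 365-day leaf under a 30-day CA cert here, whereas the poster reports their CA clamped the new leaf certs to the original CA cert's expiry; the renewal conditions say nothing about leafs already issued with a short notAfter, which is the poster's actual complaint.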