Hi,
You can find the files at
https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?...
Kind regards,
Wim Vinckier.
On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com> wrote:
Hi Fraser,
We did use the command twice. Once to generate the CSR and a second time
to supply the new certificates.
I'll check with our security agent if I may supply the certificates. I'm
afraid I may not supply them because of the firm security policies.
Kind regards,
wim vinckier.
On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
> > Hi All,
> >
> > We are using our own (self-signed) root CA for our installations. We just
> > started to use ipa and after exploring the possibilities we want to switch
> > to the root CA we normally use. According to [1] it should be done using
> > these instructions [2]. When we try to renew the certificate we get this
> > error:
> >
> > [root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
> > Importing the renewed CA certificate, please wait
> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'
> > The ipa-cacert-manage command failed.
> >
> > When we check the subject of the file, it seems to be correct to me:
> >
> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> > subject= /CN=Example SCRL
> >
> > Is there anyone who can help me with this?
> >
> > Kind regards,
> >
> > wim vinckier.
> >
> Dear Wim,
>
> Did you first run `ipa-cacert-manage renew --external-ca` to
> generate the CSR for submission to the new CA? Then you invoke
> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
> certificate and superior CA certificate(s) via the
> `--external-cert-file` option.
>
> If you did these steps, then please convey your certificates so we
> can inspect them and determine what the problem is.
>
> Cheers,
> Fraser
>
--
I would love to change the world, but they won't give me the source code.