[Freeipa-users] Re: issues while switching to other root CA

Hi, You can find the files at https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?... Kind regards, Wim Vinckier. On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com&gt; wrote: > Hi Fraser, > > We did use the command twice. Once to generate the CSR and a second time > to to supply the new certificates. > > I'll check with our security agent if I may supply the certificates. I'm > afraid I may not supply them because of the firm security policies. > > Kind regards, > > wim vinckier. > > On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com&gt; wrote: > >> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users >> wrote: >> > Hi All, >> > >> > We are using our own (selfsigned) root CA for our installations. We >> just >> > started to use ipa and after exploring the possibilities we want to >> switch >> > to the root CA we normally use. According to [1] it should be done >> using >> > these instruction [2]. When we tray to renew the certificate we get >> this >> > error: >> > >> > [root@ipa ~]# ipa-cacert-manage renew >> > --external-cert-file=/root/Certificate_Authority.pem >> > --external-cert-file=root.cer >> > t >> > Importing the renewed CA certificate, please wait >> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is >> > incomplete: missing certificate with subject 'CN=Example SCRL' >> > The ipa-cacert-manage command failed. >> > >> > When we check the subject of the file, it seems to be correct to me: >> > >> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert >> > subject= /CN=Example SCRL >> > >> > Is there anyone who can help me with this? >> > >> > Kind regards, >> > >> > wim vinckier. >> > >> Dear Wim, >> >> Did you first run `ipa-cacert-manage renew --external-ca` to >> generate the CSR for submission to the new CA. Then you invoke >> `ipa-cacert-manage renew` a second time, supplying the new IPA CA >> certificate and superior CA certificate(s) via the >> `--external-cert-file` option. >> >> If you did these steps, then please convey your certificates so we >> can inspect them and determine what the problem is. >> >> Cheers, >> Fraser >> > > > -- > I would love to change the world, but they wont give me the source code. > -- I would love to change the world, but they wont give me the source code.