Hi,

We decided to follow this guide and just replace the certificate of the webserver and ldap:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP  It did what we wanted to do, for now.  Maybe we will switch the CA later on.

Kind regards,

Wim Vinckier.

On Wed, 5 Sep 2018 at 17:30, Wim Vinckier <wimpunk@gmail.com> wrote:
Hi,

You can find the files at https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?usp=sharing

Kind regards,

Wim Vinckier.

On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk@gmail.com> wrote:
Hi Fraser,

We did use the command twice. Once to generate the CSR and a second time to supply the new certificates.

I'll check with our security agent if I may supply the certificates.  I'm afraid I may not supply them because of the firm security policies.

Kind regards,

wim vinckier.

On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal@redhat.com> wrote:
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
> Hi All,
>
> We are using our own (selfsigned) root CA for our installations.  We just
> started to use ipa and after exploring the possibilities we want to switch
> to the root CA we normally use.  According to [1]  it should be done using
> these instructions [2].  When we try to renew the certificate we get this
> error:
>
> [root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
> Importing the renewed CA certificate, please wait
> CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'
> The ipa-cacert-manage command failed.
>
> When we check the subject of the file, it seems to be correct to me:
>
> [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> subject= /CN=Example SCRL
>
> Is there anyone who can help me with this?
>
> Kind regards,
>
> wim vinckier.
>
Dear Wim,

Did you first run `ipa-cacert-manage renew --external-ca` to
generate the CSR for submission to the new CA?  Then you invoke
`ipa-cacert-manage renew` a second time, supplying the new IPA CA
certificate and superior CA certificate(s) via the
`--external-cert-file` option.

If you did these steps, then please convey your certificates so we
can inspect them and determine what the problem is.

Cheers,
Fraser
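As an added pre-flight check (not from this thread and not part of FreeIPA), the script below takes the same PEM files one would pass to `--external-cert-file`, and reports either the issuer that no certificate in the set has as its subject, or that no PEM certificate was found at all. It assumes the openssl CLI is installed and compares subject and issuer DNs in their RFC 2253 string form, which is a heuristic rather than the exact comparison ipa-cacert-manage performs.

```shell
#!/bin/sh
# chain_check.sh: pre-flight check for the PEM files given to
#   ipa-cacert-manage renew --external-cert-file=... --external-cert-file=...
# Usage: sh chain_check.sh ipa-ca.pem root.cert
# Assumes the openssl CLI is installed. Subject and issuer DNs are compared
# in RFC 2253 string form, a heuristic that need not match IPA's own check.

chain_complete() {
    tmpdir=$(mktemp -d) || return 2
    # Split the concatenated input into one PEM certificate per file.
    # A DER file or a key file carries no BEGIN CERTIFICATE marker and is
    # therefore reported as "no PEM certificates found".
    cat "$@" | awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        n { print > out }'
    : > "$tmpdir/subjects"
    : > "$tmpdir/issuers"
    for f in "$tmpdir"/*.pem; do
        [ -f "$f" ] || break
        openssl x509 -noout -subject -nameopt RFC2253 -in "$f" \
            | sed 's/^subject= *//' >> "$tmpdir/subjects"
        openssl x509 -noout -issuer -nameopt RFC2253 -in "$f" \
            | sed 's/^issuer= *//' >> "$tmpdir/issuers"
    done
    if [ ! -s "$tmpdir/subjects" ]; then
        echo "no PEM certificates found in: $*" >&2
        rm -rf "$tmpdir"
        return 2
    fi
    # Every issuer must appear as the subject of some certificate in the set;
    # a self-signed root satisfies this for itself.
    missing=$(grep -vFx -f "$tmpdir/subjects" "$tmpdir/issuers" || true)
    count=$(wc -l < "$tmpdir/subjects")
    rm -rf "$tmpdir"
    if [ -n "$missing" ]; then
        echo "chain incomplete: no certificate with subject '$missing'" >&2
        return 1
    fi
    echo "chain complete: $count certificate(s), every issuer matched"
    return 0
}

if [ "$#" -gt 0 ]; then
    chain_complete "$@"
fi
```

Exit status 0 means every issuer was matched, 1 means a certificate is missing from the set, and 2 means no PEM certificate could be read from the files at all.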


--
I would love to change the world, but they won't give me the source code.
