Thank you for the link (and the blog). We tried following those instructions, but unfortunately, using that approach results in the loss of all configurations linked to the CA, which is not exactly what we need.
To provide more context, we are currently analysing the following scenarios to meet our customer’s requirements:
- Rekeying the Root CA – This is mandatory, even if it requires an unsupported manual process.
- Transferring PKI Ownership to Third Parties – This involves introducing an external CA to sign FreeIPA’s root CA (whether externally or internally self-signed) and eventually rekeying FreeIPA's CA.
- Deployment at Scale – The eventual solution will be rolled out across several hundred OT sites, with licensed support being considered.
We are currently exploring the possibility of manually replacing the CA and all internal certificates, but we are encountering challenges. Is this a viable approach? One of our attempts involved using Certmonger’s rekey feature to rekey the root CA. This generated a new CA certificate, which was then used for issuing new certificates and even for the CRL. However, this process did not update internal certificates automatically, and attempting to manually resubmit them led to failures.
Another approach we tested was manually replacing the CA certificate in the NSS DB and LDAP, followed by manually triggering Certmonger’s renew feature to propagate the new CA. However, this process also eventually failed. We are now attempting a full manual replacement of all certificates, but we are losing faith...
If we cannot successfully address these challenges, we may need to explore alternative solutions in the market. Given your expertise, do you see a viable path forward for this manual replacement, or is this approach fundamentally flawed?
Looking forward to your insights.
Best regards,
Nelson
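The failure mode described in this message (a rekeyed CA whose subject name is unchanged, while some internal certificates are still signed by the old key) can be audited before anything is swapped into the NSS DB or LDAP. The following Go program is an added illustration written for this thread, not code from FreeIPA, Certmonger or any participant. It uses only the Go standard library: it constructs a CA, rekeys it by generating a second CA with the same subject and a fresh key, issues one service certificate under each key, and then reports which certificates no longer chain to the current CA. The CA name and host names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate for the given subject. Calling it twice
// with the same subject models a rekey: identical name, freshly generated key.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a service certificate with the given CA certificate and key.
func issueLeaf(cn string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// StaleCerts returns the common names of certificates that do not chain to currentCA.
// A certificate signed by the pre-rekey key fails here even though its issuer name
// still matches the CA subject: the name is unchanged, the signing key is not.
func StaleCerts(currentCA *x509.Certificate, certs []*x509.Certificate) []string {
	roots := x509.NewCertPool()
	roots.AddCert(currentCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	var stale []string
	for _, c := range certs {
		if _, err := c.Verify(opts); err != nil {
			stale = append(stale, c.Subject.CommonName)
		}
	}
	return stale
}

// Demo builds the constructed scenario: a CA rekeyed in place, one service
// certificate re-issued under the new key, one left behind under the old key.
func Demo() ([]string, error) {
	caOld, keyOld, err := newCA("Constructed Example CA") // placeholder subject
	if err != nil {
		return nil, err
	}
	caNew, keyNew, err := newCA("Constructed Example CA") // same subject, new key: the rekey
	if err != nil {
		return nil, err
	}
	ldapCert, err := issueLeaf("ldap.example.test", 10, caOld, keyOld) // never re-issued
	if err != nil {
		return nil, err
	}
	httpCert, err := issueLeaf("http.example.test", 11, caNew, keyNew) // re-issued under new key
	if err != nil {
		return nil, err
	}
	return StaleCerts(caNew, []*x509.Certificate{ldapCert, httpCert}), nil
}

func main() {
	stale, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("still bound to the old CA key:", stale)
}
```

In a real deployment the inputs to StaleCerts would be the current CA certificate and every certificate that Certmonger tracks, parsed from their PEM or DER files; the check is purely offline and does not touch the NSS DB or LDAP, so it is safe to run before and after each manual step to see what still needs re-issuing.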