I am running ipa-server 4.6.6 with the same version clients. This IPA server has been
around since pre-v1 and has been upgraded till the current version that is shipped with
CentOS 7.
The IPA CA Cert was/is set to expire on Aug 10, 2020.
On the server that is the IPA CA renewal master, I checked the output of `getcert list`
and the CA with the certificate `subject: CN=Certificate Authority,O=DOMAIN.COM`
and `nickname='caSigningCert cert-pki-ca'` is shown as renewed till 2040.
All other certs that appear in that list are updated without intervention to 2022.
It's located at `location='/etc/pki/pki-tomcat/alias'`. So far so good;
BUT I noticed that /etc/ipa/ca.crt on the same server shows as still expiring on August
10:
```
# openssl x509 -inform pem -enddate -noout -in /etc/ipa/ca.crt
notAfter=Aug 10 21:29:31 2020 GMT
```
So that means that the caSigningCert cert-pki-ca is set to automatically renew for 20
years, but the IPA CA Cert is not.
Next, I saw that there are certs located in /etc/pki/pki-tomcat/alias, /etc/ipa/nssdb/,
/etc/httpd/alias/, and /etc/pki/nssdb/.
My questions:
* Is my self-signed IPA CA Cert supposed to be automatically renewed?
* Or is it required that I run `ipa-cacert-manage renew` on the IPA CA renewal master, and
then `ipa-certupdate` on all the other server replicas and clients?
* Why do I appear to have duplicate DOMAIN IPA CA certs listed in /etc/ipa/nssdb/ and
/etc/httpd/alias/? Is one location deprecated?
Thank you for your help!