Run ipa-certupdate on all IPA-enrolled machines, including servers,
to
update local files.
Thanks. I ran ipa-certupdate on a client and I see that it completed successfully.
The output of `certutil -L -d /etc/ipa/nssdb/` shows a second `DOMAIN IPA CA` now with the
new certificate with the new expiration date. It still has the old cert as well which is
expected.
However, `/etc/ipa/ca.crt` changed in file size AND the filesystem modified data changed
to the time where ipa-certupdate was ran today. but the output of `openssl x509 -inform
pem -enddate -noout -in /etc/ipa/ca.crt` is still "notAfter=Aug 10 21:29:31 2020
GMT"
-rw-r--r--. 1 root root 12351 Aug 6 12:20 ca.crt
-rw-r--r--. 1 root root 4145 Aug 6 12:20 ca.crt.original
When I ran `ipa-certupdate -v` it showed a "File not found" for `IPA CA` but
then it found `DOMAIN IPA CA` so that's probably not relevant.
So far it looks like everything updates but ca.crt does not show the updated cert.
Is this something that can be changed so that ca.crt is also showing the correct
certificate?
K