On Mon, Apr 25, 2022 at 5:01 AM Adam Bishop via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
We're in the process of decomissioning our oldest IPA servers
(built in
2014). We've migrated the roles successfully and are making sure everything
is ready to switch over to the new set, and just wanted to check a few
observations/inconsistencies.
* On some of our newer clients /etc/ipa/ca.crt contains the root and the
server certificate of the enrolment server instead of just the root - did
the behaviour of ipa-client-install change at some point?
Hi,
I just want to make sure we are using the same terminology. When you refer
to the root certificate, do you mean that IPA was installed with an
externally signed CA? If that's the case, it's expected that
/etc/ipa/ca.crt contains both the external CA and IPA CA.
Or are you referring to IPA CA?
* Our root contains the OCSP URI of one of the servers to be
decomissioned
in the Authority Information Access field. My understanding is that a
client would never do an OCSP lookup on a root certificate so do we need to
re-sign or add a CNAME prior to switching off?
* When enroling a client, ipa-client-install pulls down an expired RA
certificate - however /var/lib/ipa/ra-agent.pem on all servers is current.
Where might the expired cert be stored? Doesn't appear to cause an issue in
any case.
Where do you see this expired RA certificate? Clients do not have any RA
certificate, only servers do.
flo
Adam
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure