Hi again,
So, if re-keying is not supported, what is the recommended process for cases where, for instance, the root keys are compromised? Is this limitation also valid in the case when the root CA is external?
Thanks, Nelson V.
On Thu, 6 Feb 2025 at 12:41, Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,
On Thu, Feb 6, 2025 at 12:18 PM N. V. via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,
In our FreeIPA deployment we need to find a way to rekey the self-signed root CA and afterwards update the chain and the certificates all the way down. I have been unable to find detailed instructions in the official documentation or through my own research, so I am reaching out for guidance.
Could someone please provide instructions or point me to any relevant resources on how to properly rekey the self-signed root CA in FreeIPA? Any advice, tips, or potential pitfalls to avoid during this process would be greatly appreciated.
Unfortunately we don't have any solution yet for this type of request. Please read more in *Bug 1873696* https://bugzilla.redhat.com/show_bug.cgi?id=1873696 - [RFE] Need an option to replace the root CA key with another key with 3072 bits
It would require cross-signing the old CA with the new one, but we never managed to find time to investigate this possibility.
flo
Thank you in advance for your assistance!
Nelson V.