Hi again,

So, if re-keying is not supported, what is the recommended process for cases where, for instance, the root keys are compromised? Does this limitation also apply when the root CA is external?

Thanks,
Nelson V.

On Thu, 6 Feb 2025 at 12:41, Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,

On Thu, Feb 6, 2025 at 12:18 PM N. V. via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi,

In our FreeIPA deployment we need to find a way to rekey the self-signed root CA and afterwards update the chain and the certificates all the way down. I have been unable to find detailed instructions in the official documentation or through my own research, so I am reaching out for guidance.

Could someone please provide instructions or point me to any relevant resources on how to properly rekey the self-signed root CA in FreeIPA? Any advice, tips, or potential pitfalls to avoid during this process would be greatly appreciated.
Unfortunately we don't have any solution yet for this type of request. Please read more in Bug 1873696 - [RFE] Need an option to replace the root CA key with another key with 3072 bits

It would require cross-signing the old CA with the new one, but we never managed to find time to investigate this possibility.
flo

Thank you in advance for your assistance!

Nelson V.
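The cross-signing approach Florence mentions is worth seeing end to end, because it explains why a root rekey is hard to do without a migration period: a new root only helps once clients trust it, and existing leaf certificates keep chaining to the old root until reissued. The script below is an added example, not code from this thread or from the FreeIPA project, and it does not touch a FreeIPA installation. It builds a throwaway PKI with openssl (assumed to be on PATH) in a scratch directory: an old 2048-bit root with one leaf, a new 3072-bit root, and a cross-signed copy of the old root issued by the new root. All names, subjects and file names are constructed for the demo. The three checks at the end show the three trust states a deployment passes through: clients that trust the old root still verify the leaf, clients that trust only the new root verify it once the cross-signed certificate is served as an intermediate, and clients that trust only the new root reject it if that bridge certificate is missing.

```shell
#!/bin/sh
# Cross-signing demo for a root CA rekey (constructed example, assumes openssl on PATH).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certificates

# Make a private key and a CSR with the given subject.
# The old root's CSR is reused later: a cross-signed certificate must carry the
# same subject and public key as the original root, only the issuer changes.
make_key_and_csr() {  # args: name bits subject
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$3" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-sign a root from its own CSR with CA extensions.
self_sign_root() {  # args: name
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Sign a CSR with an issuing CA; used for the leaf and for the cross-signed old root.
sign_with_ca() {  # args: csr-name issuer-name ext-file out-name
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 730 -extfile "$WORK/$3" -out "$WORK/$4.crt" 2>/dev/null
}

# Verify the leaf against a trust anchor, optionally with an untrusted bridge
# certificate. Returns 0 when a chain builds, non-zero otherwise.
verify_leaf() {  # args: anchor-name [bridge-name]
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" "$WORK/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1
    fi
}

build_demo() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

    # 1. The deployed state: a 2048-bit root and a leaf it issued.
    make_key_and_csr old-root 2048 "/CN=Old Root CA"
    self_sign_root old-root
    make_key_and_csr leaf 2048 "/CN=ipa.example.test"
    sign_with_ca leaf old-root leaf.ext leaf

    # 2. The replacement root with the larger key.
    make_key_and_csr new-root 3072 "/CN=New Root CA"
    self_sign_root new-root

    # 3. Cross-sign: the old root's CSR (same subject, same key) signed by the new root.
    sign_with_ca old-root new-root ca.ext old-root-cross
}

# Clients that still trust the old root: unchanged, the leaf verifies directly.
check_legacy_path()  { verify_leaf old-root; }
# Clients that trust only the new root: the cross-signed old root bridges the gap.
check_bridged_path() { verify_leaf new-root old-root-cross; }
# Clients that trust only the new root and are not given the bridge: leaf is rejected.
check_no_bridge()    { if verify_leaf new-root; then return 1; else return 0; fi; }

build_demo
check_legacy_path
check_bridged_path
check_no_bridge
echo "legacy and bridged chains verify; new root alone rejects the leaf, as expected"
```

The bridge certificate has to be served alongside the leaf (or installed on clients) for the whole transition, which is exactly the work the bug report leaves open: every certificate below the root has to be reissued under the new root before the old one, and its bridge, can be retired. A compromised root key is a different situation from a planned rekey: cross-signing the old key would re-endorse the very key that must no longer be trusted, so in that case the old root has to be removed from trust stores and everything under it reissued.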

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue