Thank you very much for detailed and honest answer, Alexander. Based on what you wrote, I
think I will bite the bullet and just start everything "fresh" with regards to
the root CA. I don't have tons of LDAPS clients, so I'm willing to go through the
hassle of changing their configured root CA in order to start with a fresh one. In order
to ease the transition from IdM to FreeIPA, I'll most likely run both clusters in
parallel (making sure to put all new user/group changes in FreeIPA only) so that I can
switch over the LDAP clients gradually. As for the passwords, if I had any doubts, now
I'm convinced that it's just safer and easier (if not convenient) to start anew
here as well.
And thanks for that link to the Fraser articles. Should be some interesting reading for
me; I definitely need to acquaint myself more with FreeIPA and its handling of
certificates.
Regards,
-Martin