I'm currently running ipa-server 4.6.8 on CentOS 7. I have an IPA CA, and an external CA
for user smartcard authentication provided by a third party. I have used ipa-cacert-manage
to add the external CA chain to IPA, and it worked fine.
The external CA re-keyed one of the certs in the chain, and kept the subject name the
same. So the key, serial, and expiration are different, but the placement in the chain and
the ipaCertSubject are the same. Both the old cert and the new one are valid, and some
cards have the old chain still valid, and some have the new chain valid.
So if I go and try to use ipa-cacert-manage to add the NEW cert, I get "Failed to
install the certificate: subject public key info mismatch", which I assume is due to
the ipaCertSubject being the same (docs:
https://www.freeipa.org/page/V4/CA_certificate_renewal ).
Is this expected behavior? Is there a workaround? Or will I have to use ldapdelete and
certutil -D to delete the old key, and then install the new key? In this process, the
users with the OLD key will lose the ability to log in with their smart cards until new
certs are issued to them. Thanks!