On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote:
> On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
> > The question remains: how do I get rid of the self-signed CA entirely?
>
> Best hint toward this I've managed to find thus far is in the comments on
> https://pagure.io/freeipa/issue/7283 , which got me as far as the
> cACertificate and ipaCertIssuerSerial entries corresponding to the
> extraneous self-signed cert... If I remove those and the cert from the
> NSSDBs, then what? Reissue all dependent certs in the IPA CA chain?

If the IPA CA's key and subject did not change, then there is no
need to reissue end-entity or other subordinate certificates. Only
the IPA CA certificate needs to be renewed (from self-signed to
externally signed) and distributed.
Cheers,
Fraser
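
The point made in the reply above can be checked with plain `openssl`. This is an added example, not part of the original thread and not FreeIPA's own procedure; every subject, key, file name and the external root is constructed. A host certificate issued under the self-signed CA still validates once an external root certifies the same CA key and subject, and stops validating if the CA key is replaced.

```shell
# Added demo; every subject, key and file name here is constructed.
# Usage: rechain_verify same|rekey   (exit status 0 = host cert still validates)
rechain_verify() {
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        # Private config so the result does not depend on the system openssl.cnf.
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        ca_subj="/O=EXAMPLE.TEST/CN=Certificate Authority"
        # 1. Starting point: a self-signed CA issues a host certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
            -subj "$ca_subj" -keyout ca.key -out ca-self.pem -days 30
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
            -subj "/O=EXAMPLE.TEST/CN=host.example.test" -keyout host.key -out host.csr
        openssl x509 -req -in host.csr -CA ca-self.pem -CAkey ca.key \
            -CAcreateserial -out host.pem -days 30
        # 2. A constructed external root certifies the CA: same subject, and
        #    either the same key ("same") or a fresh one ("rekey").
        openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
            -subj "/CN=Constructed External Root" -keyout root.key -out root.pem -days 30
        cakey=ca.key
        if [ "$1" = rekey ]; then
            openssl genrsa -out ca2.key 2048
            cakey=ca2.key
        fi
        openssl req -new -key "$cakey" -config ca.cnf -subj "$ca_subj" -out ca.csr
        openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -extfile ca.cnf -extensions v3_ca -out ca-ext.pem -days 30
        # 3. Trust only the external root (the self-signed cert is gone) and
        #    validate the host certificate that was issued before the change.
        openssl verify -CAfile root.pem -untrusted ca-ext.pem host.pem
    ) >/dev/null 2>&1
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

`rechain_verify same` succeeds and `rechain_verify rekey` fails, which is why only the CA certificate itself has to be replaced and distributed when the key and subject are unchanged.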