Hi Fraser,
We did use the command twice. Once to generate the CSR and a second time to to supply the new certificates.
I'll check with our security agent if I may supply the certificates. I'm afraid I may not supply them because of the firm security policies.
Kind regards,
wim vinckier.
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
> Hi All,
>
> We are using our own (selfsigned) root CA for our installations. We just
> started to use ipa and after exploring the possibilities we want to switch
> to the root CA we normally use. According to [1] it should be done using
> these instruction [2]. When we tray to renew the certificate we get this
> error:
>
> [root@ipa ~]# ipa-cacert-manage renew
> --external-cert-file=/root/Certificate_Authority.pem
> --external-cert-file=root.cer
> t
> Importing the renewed CA certificate, please wait
> CA certificate chain in /root/Certificate_Authority.pem, root.cert is
> incomplete: missing certificate with subject 'CN=Example SCRL'
> The ipa-cacert-manage command failed.
>
> When we check the subject of the file, it seems to be correct to me:
>
> [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> subject= /CN=Example SCRL
>
> Is there anyone who can help me with this?
>
> Kind regards,
>
> wim vinckier.
>
Dear Wim,
Did you first run `ipa-cacert-manage renew --external-ca` to
generate the CSR for submission to the new CA. Then you invoke
`ipa-cacert-manage renew` a second time, supplying the new IPA CA
certificate and superior CA certificate(s) via the
`--external-cert-file` option.
If you did these steps, then please convey your certificates so we
can inspect them and determine what the problem is.
Cheers,
Fraser
--
I would love to change the world, but they wont give me the source code.