Hi Fraser,

We did use the command twice. Once to generate the CSR and a second time to to supply the new certificates.

I'll check with our security agent if I may supply the certificates.  I'm afraid I may not supply them because of the firm security policies.

Kind regards,

wim vinckier.

On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal@redhat.com> wrote:
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
> Hi All,
> We are using our own (selfsigned) root CA for our installations.  We just
> started to use ipa and after exploring the possibilities we want to switch
> to the root CA we normally use.  According to [1]  it should be done using
> these instruction [2].  When we tray to renew the certificate we get this
> error:
> [root@ipa ~]# ipa-cacert-manage renew
> --external-cert-file=/root/Certificate_Authority.pem
> --external-cert-file=root.cer
> t
> Importing the renewed CA certificate, please wait
> CA certificate chain in /root/Certificate_Authority.pem, root.cert is
> incomplete: missing certificate with subject 'CN=Example SCRL'
> The ipa-cacert-manage command failed.
> When we check the subject of the file, it seems to be correct to me:
> [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> subject= /CN=Example SCRL
> Is there anyone who can help me with this?
> Kind regards,
> wim vinckier.
Dear Wim,

Did you first run `ipa-cacert-manage renew --external-ca` to
generate the CSR for submission to the new CA.  Then you invoke
`ipa-cacert-manage renew` a second time, supplying the new IPA CA
certificate and superior CA certificate(s) via the
`--external-cert-file` option.

If you did these steps, then please convey your certificates so we
can inspect them and determine what the problem is.


I would love to change the world, but they wont give me the source code.