Hi folks,
Problem: I have set up FreeIPA using a bad external CA.
Long story:
I have set up my FreeIPA servers using

    ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca --subject="O=example AG,C=DE" --setup-dns --forwarder=...

on ipa1.example.com. It created a CSR, it was signed by the
external PKI, and then I re-ran ipa-server-install:

    ipa-server-install -n example.com -r EXAMPLE.COM --subject="O=example AG,C=DE" --external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt --setup-dns --forwarder=...
Problem: The root-ca.crt is bad. It doesn't follow RFC 5280. It
is not accepted by LibreSSL, e.g. on OpenBSD. I have to replace
both ipa_ipa1.crt and root-ca.crt.
Of course I have found ipa-cacert-manage(1) and
https://www.freeipa.org/page/V4/CA_certificate_renewal, but they
don't really tell how to proceed in this case. I don't want to
renew, but to install a new certificate chain.
The old csr file is still available.
I have 5 servers (CentOS 7.3, FreeIPA 4.4.0) and >100 clients.
3 servers are CS replicas. The servers are not yet affected by
the bad root certificate, but it might be just a matter of time
until OpenSSL follows RFC 5280 more closely.
Every helpful comment is highly appreciated.
Harri