[Freeipa-users] howto replace an externally signed CA

Hi folks, Problem: I have setup freeipa using a bad external CA. Long story: I have setup my freeipa servers using ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca --subject="O=example AG,C=DE" --setup-dns --forwarder=... on ipa1.example.com. It created a csr, it was signed by the external PKI, and then I re-run ipa-server-install ipa-server-install -n example.com -r EXAMPLE.COM --subject="O=example AG,C=DE" --external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt --setup-dns --forwarder=... Problem: The root-ca.crt is bad. It doesn't follow RFC5280. It is not accepted by libressl, e.g. on OpenBSD. I have to replace both ipa_ipa1.crt and root-ca.crt. Of course I have found ipa-cacert-manage(1) and https://www.freeipa.org/\ page/V4/CA_certificate_renewal, but they don't really tell how to proceed in this case. I don't want to renew, but to install a new certificate chain. The old csr file is still available. I have 5 servers (Centos 7.3, freeipa 4.4.0) and >100 clients. 3 servers are CS replicas. The servers are not yet affected by the bad root certificate, but it might be just a matter of time til openssl follows RFC5280 more closely. Every helpful comment is highly appreciated. Harri