Hi All,

We are using our own (selfsigned) root CA for our installations. We just started to use ipa and after exploring the possibilities we want to switch to the root CA we normally use. According to [1] it should be done using these instruction [2]. When we tray to renew the certificate we get this error:

[root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cer

Importing the renewed CA certificate, please wait

CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'

The ipa-cacert-manage command failed.

When we check the subject of the file, it seems to be correct to me:

[root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert

subject= /CN=Example SCRL

Is there anyone who can help me with this?

Kind regards,

wim vinckier.

[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/WXC4IHUM3J5KHLGR4YU6HZEGBGN6IUZS/

[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#manual-cert-renewal-ext

I would love to change the world, but they wont give me the source code.