Hi All After deploying FreeIPA with an embedded self-signed CA, the ipa servers were configured to use commercially signed, 3rd party certificates for the HTTP service only. The directory server was left default. This was accomplished by importing the external CA and then the signed certificate, following the instructions on freeipa.org: ipa-cacert-manage -t C,, install InCommon_interm.cer ipa-certupdate ipa-server-certinstall --http /var/lib/ipa/private/httpd.key /var/lib/ipa/private/InCommon_signed.cer ipactl restart A commercially signed web certificate on the ipa servers is no longer required and we would like to revert back to using certificates from the freeipa self-signed CA. Is there a way to do so? Regards, Scott