On 6/24/20 2:01 PM, White, David via FreeIPA-users wrote:
We have IdM / FreeIPA running on RHEL 7 boxes.
This is a 6-node cluster that has an existing 1-way trust back to Active
Directory.
IdM is still acting as the CA for its own clients, and when we set up the trust,
we used the following command:
ipa trust-add --type=ad example.com --admin admin_user
We just learned very recently that our Active Directory team is generating and
installing a new Root CA certificate into AD.
That is happening tonight at 9pm.
The existing Root CA will remain in place until it expires in about 1 month.
Is there anything that we will have to do to IdM to get it to trust the new
certificate?
Even though the existing Root CA should remain in place for the next month, is
there any chance something will break tonight when the new Root certificate is
installed?
Hi,
are you using smart card authentication with certificates delivered by
AD's Root CA? If it is the case, you will need to re-run the scripts
used to configure the clients and servers for smart card authentication,
providing the new AD's Root CA. See "Preparing the Identity Management
Client for Smart-card Authentication" [1] and "Preparing the Identity
Management Server for Smart-card Authentication in the Web UI" [2].
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/auth-idm-client-sc#sc-auth-idm-client-prereqs
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/sc-web-ui-auth#sc-idm-users-auth-preparing-the-server
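The following script is an added example and is not part of this thread or of the FreeIPA project. It shows the pre-rotation check an administrator would want before the new AD Root CA is installed: whether the old CA is really still inside its validity window, and whether the new CA's certificate is already present in the bundle the IPA clients trust (on IPA hosts that is /etc/ipa/ca.crt, passed in by the caller). The demo at the bottom builds constructed self-signed certificates with openssl so it runs offline; it assumes openssl is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the FreeIPA project: pre-rotation
# check for a new AD Root CA. Assumptions: openssl is in PATH, and the trusted
# bundle path (/etc/ipa/ca.crt on IPA hosts) is supplied by the caller.
# The demo at the bottom uses constructed self-signed certs, not real AD CAs.
set -euo pipefail

# SHA-256 fingerprint of the certificate in PEM file $1.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject of the certificate in PEM file $1 (works with old and new openssl output).
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 when the cert will still be valid, so negate it.
cert_expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the certificate in $1 is already in PEM bundle $2. Matching is by
# fingerprint, not subject, so a re-issued CA that keeps the same name is still
# correctly reported as "not yet trusted".
cert_in_bundle() {
  local want tmpdir f found=1
  want=$(cert_fingerprint "$1")
  tmpdir=$(mktemp -d)
  # Split the bundle into one file per certificate.
  awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$2"
  for f in "$tmpdir"/cert*.pem; do
    [ -e "$f" ] || continue
    if [ "$(cert_fingerprint "$f")" = "$want" ]; then found=0; break; fi
  done
  rm -rf "$tmpdir"
  return $found
}

# Human-readable report: $1 = old CA PEM, $2 = new CA PEM, $3 = trusted bundle.
report_ca_rotation() {
  local old=$1 new=$2 bundle=$3
  printf 'Old CA : %s\n' "$(cert_subject "$old")"
  if cert_expires_within_days "$old" 30; then
    echo '  -> expires within 30 days; do not delay the rotation'
  else
    echo '  -> still valid for more than 30 days'
  fi
  printf 'New CA : %s\n' "$(cert_subject "$new")"
  if cert_in_bundle "$new" "$bundle"; then
    echo "  -> already present in $bundle"
  else
    echo "  -> NOT in $bundle; clients validating against this bundle will not trust it yet"
  fi
}

# --- Demo with constructed certificates (not real AD CAs) -------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_test_ca() {  # $1 = output PEM, $2 = CN, $3 = validity in days
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO/key.pem" \
    -out "$1" -days "$3" -subj "/CN=$2" 2>/dev/null
}
OLD_CA=$DEMO/old-root.pem; NEW_CA=$DEMO/new-root.pem; BUNDLE=$DEMO/ca.crt
make_test_ca "$OLD_CA" 'Constructed AD Root CA (old)' 25
make_test_ca "$NEW_CA" 'Constructed AD Root CA (new)' 3650
cat "$OLD_CA" > "$BUNDLE"   # bundle trusts only the old CA, as before the rotation
report_ca_rotation "$OLD_CA" "$NEW_CA" "$BUNDLE"
```

Run it against the real files as `report_ca_rotation old.pem new.pem /etc/ipa/ca.crt` on an enrolled client. A "NOT in bundle" result is expected for the scenario in the thread where IdM issues its own client certificates and only confirms that nothing on the IPA side depends on the AD CA; it only becomes an action item when, as flo describes, smart card authentication validates against certificates from the AD Root CA.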
I know we would be facing a lot more work, had we used AD’s Root CA for the
client connections. So I feel fortunate in that regard.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]