I'm using an IPA CA but also a third-party Trusted Root Cert and Chain to allow users with Smartcards issued by the third-party CA for authentication. I'm running 4.6.6.-11.
The external CA rekeyed a cert that is part of their chain, which means that newly issued cards are using the new cert chain, and the old smartcards are using the old cert chain. The old cert chain is valid and so is the new cert chain.

Now I thought I would be able to deal with this by using ipa-cacert-manage install <NEW Certs from the chain>. However, when I do that I get an error:

    Failed to install the certificate: subject public key info mismatch

or

    Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized.

depending on the position in the chain. Now the one that gives "Failed to install the certificate: subject public key info mismatch" is the rekey, which has the same Subject.

This article (https://access.redhat.com/solutions/3237961) shows how I can remove the old one and add the new one, but I need both of them in there. Is there a solution in this situation where I can import both chains even though the subjects are the same but the expiration and ids are unique, and have it loaded in IPA properly so it can also be replicated?

Thanks!
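
One way to confirm which certificates in the old and new chains form the rekey pair described above (same Subject, different public key), as an added example that is not part of the original post. It assumes the openssl CLI and two PEM files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify two CA certificates by Subject DN and public key.
# Function names are hypothetical; only standard openssl subcommands are used.

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Subject DN in RFC 2253 form, so that string comparison is stable.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# compare_ca_certs OLD.pem NEW.pem
# Prints one of: identical | rekeyed | renewed-same-key | unrelated
compare_ca_certs() {
    s1=$(subject_dn "$1"); s2=$(subject_dn "$2")
    k1=$(spki_sha256 "$1"); k2=$(spki_sha256 "$2")
    f1=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    f2=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    if [ "$f1" = "$f2" ]; then
        echo identical            # same certificate
    elif [ "$s1" = "$s2" ] && [ "$k1" != "$k2" ]; then
        echo rekeyed              # same Subject, different key pair
    elif [ "$s1" = "$s2" ]; then
        echo renewed-same-key     # same Subject and key, new validity/serial
    else
        echo unrelated            # different Subject
    fi
}

# Stand-alone use: ./compare.sh old-ca.pem new-ca.pem
if [ "$#" -eq 2 ]; then
    compare_ca_certs "$1" "$2"
fi
```

Running it over each old/new pair at the same position in the two chains shows which pair is the rekey and which certificates are simply unchanged.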
