I got it resolved - IPA does not seem to support importing a rechained external 
CA. It doesn't seem to have anything to do with ipaCertSubject being unique but 
it's something else where there are two different chains for the same external 
CA.

I was able to ldapdelete the old problematic certs from ldap> etc > ipa > 
certificates. And then I was able to successfully run the ipa-advise script for 
adding the CA certs. This time ipa-cacert-manage worked without throwing the 
public key info mismatch error. 

And then I ran ipa-certupdate on all IPA servers and on the clients that required 
smartcard auth. It seemed to work fine for the new certs. Unfortunately, 
this likely means that the cards with the old chain will stop working, but they 
are in the small minority and we'll likely have to get them new cards signed by 
the external CA with the new chain. 

I would like to suggest that the ability to rechain and have two different 
chains for the same external CA be added to FreeIPA. It's likely a rare 
situation but it happens. 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
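As an added check that is not part of the thread above: before deleting entries from the certificate store, it helps to see exactly which ones collide. The script below parses an LDIF export of the cn=certificates,cn=ipa,cn=etc subtree and reports every ipaCertSubject stored under more than one distinct ipaPublicKey (the attribute FreeIPA keeps beside ipaCertSubject in that store), which is the state ipa-cacert-manage refuses as a public key info mismatch. The LDIF, DNs and key values are constructed placeholders, not real CA data.

```python
import base64, re
from collections import defaultdict

# Constructed LDIF, shaped like: ldapsearch -LLL -b cn=certificates,cn=ipa,cn=etc,$SUFFIX ...
# Placeholder subjects and keys, not real CA data; one subject value is line-folded.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE-ROOT,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
ipaCertSubject: CN=Example Root CA,O=Example
ipaPublicKey:: QUFBQQ==

dn: cn=EXAMPLE-ROOT-RECHAINED,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
ipaCertSubject: CN=Example Root CA,O=Examp
 le
ipaPublicKey:: QkJCQg==

dn: cn=EXAMPLE-ISSUING,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
ipaCertSubject: CN=Example Issuing CA,O=Example
ipaPublicKey:: Q0ND
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry."""
    lines = re.sub(r"\n ", "", text).splitlines()   # unfold continuation lines
    entries, current = [], None
    for line in lines + [""]:                        # trailing "" flushes last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        m = re.match(r"^([A-Za-z0-9;.-]+)(::?) ?(.*)$", line)
        if not m:
            continue                                 # comments, version line, etc.
        attr, sep, val = m.groups()
        if sep == "::":                              # base64-encoded value
            val = base64.b64decode(val).decode("latin-1")
        if current is None:
            current = defaultdict(list)
        current[attr].append(val)
    return entries

def find_rechained_subjects(ldif_text):
    """Map each subject stored under more than one distinct ipaPublicKey to the
    DNs holding it; this is the state ipa-cacert-manage reports as a mismatch."""
    keys = defaultdict(dict)                         # subject -> {key: first dn}
    for e in parse_ldif(ldif_text):
        for key in e.get("ipaPublicKey", []):
            keys[e["ipaCertSubject"][0]].setdefault(key, e["dn"][0])
    return {s: sorted(d.values()) for s, d in keys.items() if len(d) > 1}
```

Run it against a real export (`ldapsearch -LLL -b cn=certificates,cn=ipa,cn=etc,$SUFFIX ipaCertSubject ipaPublicKey`) to list the colliding DNs before touching them with ldapdelete.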
