Thanks for this, Rob. Is there a command that we can run on clients to verify that the CA certs are removed? 'ipa-cacert-manage list' won't work as that appears to be a server-side tool only.
-Scott

-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: Thursday, January 7, 2021 10:40 AM
To: FreeIPA users list <[email protected]>
Cc: Dungan, Scott A. <[email protected]>
Subject: Re: [Freeipa-users] Remove unused external ca certs

Dungan, Scott A. via FreeIPA-users wrote:
> Happy new year, everyone.
>
> We have an unused letsencrypt CA cert and the associated DSTRootCAX3
> cert installed on version 4.8.7. Due to firewall issues, we moved to a
> paid commercial cert (Comodo) for the https service. My question is,
> how can we remove the two unused CA certs? If we do so, is it
> necessary to update the clients with ipa-certupdate, or will the removal be
> transparent?
>
> ~]# ipa-cacert-manage list
> xxx.xxx.xxx.edu IPA CA
> DSTRootCAX3
> letsencryptx3
> CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
> CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
> CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
> The ipa-cacert-manage command was successful

From ipa-cacert-manage(1):

SYNOPSIS
...
ipa-cacert-manage delete [options] NICKNAME

ipa-certupdate will need to be run on all enrolled machines.

rob
