Good afternoon Rob,

TL;DR We can't renew the FreeIPA certificate because we lost our root certificate 
private key and replacing it doesn't work

We are currently using: 
    - CentOS Linux release 7.3.1611 (Core)
    - FreeIPA 4.4.0-14.el7.centos.1.1

Our certificate structure looks like this:
    Self-signed root certificate (valid, but private key lost) > FreeIPA CA 
certificate (expired) > client VM certificate (expired).

Everything is on a local network and none of our servers seem to use NTP for 
clock synchronization (might be useful if we want to make our certificates 
valid by going back in time???).


Recently our FreeIPA CA certificate expired and we are unable to renew it 
because we lost the private key of our root certificate.

We tried to create a new root certificate with openssl and the help of the 
following documentation:
    
https://docs.microsoft.com/en-us/azure/application-gateway/self-signed-certificates
    https://www.poftut.com/create-self-signed-root-certificate-openssl/

We then tried to renew the FreeIPA CA certificate with the ipa-cacert-manage 
renew command, which generates a CSR that we sign with our newly created root 
certificate. The command was found here:
    https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Unfortunately FreeIPA gives an error that we have a public key info mismatch (I 
can add the verbose command output if needed).

After some research we concluded that FreeIPA doesn't want to have its root 
certificate changed, so we found this article that looks similar to our problem.
    
https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-lost-ca.html

Since every command seems to use HTTPS to get Kerberos credentials and our 
certificate is invalid, we can't execute commands like ipa server-find, ipa 
ca-find, etc.

This is where we are now.

We are currently trying to set up a new FreeIPA VM with a client VM so we can 
run tests on it before doing so on our production environment.

Thank you for your time and your help!
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
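Added example (editor's note, not part of the message above or of FreeIPA's own tooling): the "sign the IPA CA CSR with a new OpenSSL root" step described in the post, reproduced in a scratch directory, followed by the check a practitioner would run before handing the result to `ipa-cacert-manage renew --external-cert-file`: does the SubjectPublicKeyInfo in the signed certificate equal the one in the CSR that IPA wrote? If a CSR was regenerated, or a fresh key was created while signing, the certificate carries a different public key and the renewal is rejected with a public key mismatch. The root CA, the CSR standing in for /var/lib/ipa/ca.csr, all file names and subject names are constructed for this demonstration; on a real server only the CSR file written by `ipa-cacert-manage renew --external-ca` should be signed.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA.
# Assumptions: openssl is installed; subjects and file names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. New self-signed root, standing in for the root whose private key was lost.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/O=EXAMPLE.LAB/CN=Replacement Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# 2. A CSR standing in for the one ipa-cacert-manage renew --external-ca
#    writes to /var/lib/ipa/ca.csr (constructed here with a throwaway key).
#    $1 = base name for the key/csr pair.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=EXAMPLE.LAB/CN=Certificate Authority" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 3. Sign a CSR with the new root as a CA certificate (CA:TRUE, keyCertSign),
#    which is what an IPA CA certificate needs.  $1 = csr, $2 = output cert.
sign_csr() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$1" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$2" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo read from a PEM public key on stdin.
pubkey_fp() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
csr_pubkey_fp()  { openssl req  -in "$1" -pubkey -noout | pubkey_fp; }
cert_pubkey_fp() { openssl x509 -in "$1" -pubkey -noout | pubkey_fp; }

# Returns 0 when certificate $2 carries the public key of CSR $1, 1 otherwise.
# This is the check to run before ipa-cacert-manage renew --external-cert-file.
check_match() {
    [ "$(csr_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

make_root
make_csr ca
sign_csr "$WORK/ca.csr" "$WORK/ca.crt"
openssl verify -CAfile "$WORK/root.crt" "$WORK/ca.crt" >/dev/null   # chains to new root
check_match "$WORK/ca.csr" "$WORK/ca.crt" && echo "ca.crt: public key matches ca.csr"

# Failure case: a second CSR (hence a new key) is signed instead of IPA's CSR.
# The resulting certificate chains fine but does not match the CA's key.
make_csr other
sign_csr "$WORK/other.csr" "$WORK/other.crt"
openssl verify -CAfile "$WORK/root.crt" "$WORK/other.crt" >/dev/null
if check_match "$WORK/ca.csr" "$WORK/other.crt"; then
    echo "other.crt: public key matches ca.csr"
else
    echo "other.crt: public key info mismatch, do not pass this to ipa-cacert-manage"
fi
```

Note that `openssl verify` succeeds for both certificates: a valid chain to the new root says nothing about whether the certificate belongs to the CA key FreeIPA actually holds, so the public-key comparison is the one to run. Also, for a forum reader following the linked blog post rather than a plain renewal, the chain check above is still worth keeping in hand, since the new root must end up trusted by every client before the replaced CA certificate can be verified.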