Hi,
On Wed, Mar 9, 2022 at 10:12 PM Eric Boisvert via FreeIPA-users <[email protected]> wrote:
> Good afternoon Rob,
>
> TL;DR We can't renew the FreeIPA certificate because we lost our root
> certificate private key and replacing it doesn't work.
>
> We are currently using:
> - CentOS Linux release 7.3.1611 (Core)
> - FreeIPA 4.4.0-14.el7.centos.1.1
>
> Our certificate structure looks like this:
> Self-signed root certificate (valid but lost private key) > FreeIPA CA
> certificate (expired) > client VM certificate (expired).
>
> Everything is on a local network and none of our servers seems to use NTP
> for clock synchronization (might be useful if we want to make our
> certificates valid by going back in time???).
>
> Recently our FreeIPA CA certificate expired and we are unable to renew it
> because we lost the private key of our root certificate.
>
> We tried to create a new root certificate with openssl and the help of the
> following documentation:
>
> https://docs.microsoft.com/en-us/azure/application-gateway/self-signed-certificates
> https://www.poftut.com/create-self-signed-root-certificate-openssl/
>
> We then tried to renew the FreeIPA CA certificate with the
> ipa-cacert-manage renew command, which generates a CSR that we sign with our
> newly created root certificate. The command was found here:
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Unfortunately FreeIPA gives an error that we have a public key info
> mismatch (I can add the verbose command if needed).

I guess that you re-used the same root CA name, and that's why FreeIPA
complains. If you create a new root CA with a different subject name, add
this new CA cert and then do ipa-cacert-manage renew I believe it should
work.

flo

> After some research we concluded that FreeIPA doesn't want to have its root
> certificate changed, so we found this article that looks similar to our
> problem.
>
> https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-lost-ca.html
>
> Since every command seems to use https to get Kerberos credentials and
> our certificate is invalid, we can't execute commands like ipa
> server-find, ipa ca-find, etc.
>
> This is where we are now.
>
> We are currently trying to set up a new FreeIPA VM with a client VM so we
> can run tests on it before doing so on our production environment.
>
> Thank you for your time and your help!
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
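The openssl side of the procedure flo describes above (a replacement self-signed root under a subject name that differs from the lost one, the IPA CA's CSR signed by that root, and a check that the issued certificate still carries the CSR's public key, so that the key in the new certificate is the key IPA already holds), as an added example that is not part of the thread and not FreeIPA or openssl project code. Nothing here talks to an IPA server: the CSR is generated locally as a stand-in for the one `ipa-cacert-manage renew --external-ca` writes, the "old" root whose key is deleted is constructed for the demonstration, and EXAMPLE.TEST and all file names are assumptions. The only IPA-specific steps, shown as comments, are the documented `ipa-cacert-manage install` / `renew` invocations, which this script does not run.

```shell
#!/bin/sh
# Added example: rebuild "new root -> IPA CA" chain with openssl only.
# All paths are temp files; EXAMPLE.TEST and the subjects are assumptions.
set -eu

# Minimal config so the run does not depend on the system openssl.cnf.
# v3_ca: extensions for the self-signed root; v3_ipaca: for the signed IPA CA cert.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = EXAMPLE.TEST
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[v3_ipaca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# $1=dir $2=subject: fresh key and self-signed root certificate.
make_root_ca() {
    mkdir -p "$1" && write_cfg "$1/openssl.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -subj "$2" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

# $1=dir $2=subject: stand-in for the CSR that
# `ipa-cacert-manage renew --external-ca` writes (constructed here).
make_ca_csr() {
    mkdir -p "$1" && write_cfg "$1/openssl.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" -subj "$2" \
        -keyout "$1/ipaca.key" -out "$1/ipaca.csr" 2>/dev/null
}

# $1=dir: sign ipaca.csr with the new root, keeping the CSR's key and adding CA extensions.
sign_ca_csr() {
    openssl x509 -req -in "$1/ipaca.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 3650 -sha256 \
        -extfile "$1/openssl.cnf" -extensions v3_ipaca -out "$1/ipaca.crt" 2>/dev/null
}

# $1=req|x509 $2=file: SHA-256 of the DER SubjectPublicKeyInfo.
spki_fp() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1=csr $2=crt: succeeds only if the issued cert carries the CSR's public key,
# i.e. the key IPA generated the CSR for (a cert made from some other key fails).
spki_matches() {
    [ "$(spki_fp req "$1")" = "$(spki_fp x509 "$2")" ]
}

subject_of() { openssl x509 -in "$1" -noout -subject; }

# $1=dir: the issued IPA CA cert must chain to the new root.
chain_ok() {
    openssl verify -CAfile "$1/root.crt" "$1/ipaca.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_root_ca "$d/old" "/O=EXAMPLE.TEST/CN=Root CA"      # the root whose key was lost
    rm -f "$d/old/root.key"                                  # simulate the loss
    make_root_ca "$d" "/O=EXAMPLE.TEST/CN=Root CA 2022"      # replacement: distinct subject
    if [ "$(subject_of "$d/old/root.crt")" = "$(subject_of "$d/root.crt")" ]; then
        echo "replacement root reuses the old subject name" >&2; return 1
    fi
    # On the real server: ipa-cacert-manage install "$d/root.crt"
    #                     ipa-cacert-manage renew --external-ca   (writes the CSR)
    make_ca_csr "$d" "/O=EXAMPLE.TEST/CN=Certificate Authority"
    sign_ca_csr "$d"
    chain_ok "$d" && spki_matches "$d/ipaca.csr" "$d/ipaca.crt" || return 1
    # Then: ipa-cacert-manage renew --external-cert-file="$d/ipaca.crt" \
    #                               --external-cert-file="$d/root.crt"
    #       ipa-certupdate   (on every server and client)
    echo "chain rebuilt under $d"
}

demo
```

`spki_matches` is the check worth running before handing the signed certificate back to IPA: if the CSR was regenerated with openssl instead of taken from `ipa-cacert-manage renew --external-ca`, the public key in the certificate differs from the key IPA owns and the comparison fails locally instead of at import time.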
