> From: Fraser Tweedale via FreeIPA-users <freeipa-
> On Mon, Jan 30, 2023 at 11:27:47AM +0000, Schrock, Chad - 0336 - MITLL via
> FreeIPA-users wrote:
> > I remember a discussion on here about converting an IdM root CA in to
> > an intermediate CA, but for the life of me I can't find the discussion
> > or any related documentation. (Was I hallucinating?)
> >
> > * Is what I'm talking about even possible?
> > * If it is possible, is there some documentation somewhere where I can
> >   read up on the process and potential risks?
> > * If it isn't possible, short of creating a new domain[1] and moving
> >   all of the clients to it, what might work here?
> >
> It is possible and supported. See docs:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renew-with-externally-signed-CA_ipa-ca-renewal
>
> See also ipa-cacert-manage man page. Command is:
>
>   ipa-cacert-manage renew --external-ca
>
> But you may need extra args if the external issuer is AD-CS.
>

Hi Fraser,

Thank you so much for your reply, that's exactly what I needed and somehow completely missed.

Thank you again,
Chad

--
Chad Schrock, he/him
Supporting MIT Lincoln Laboratory, Lexington, MA
