Hi,

On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <[email protected]> wrote:

> Hello,
>
> When I run the command, I get this message
>
> CA is not configured on this system
> The ipa-cacert-manage command failed.
>

"replace our external CA to an Internal one", do you mean that IPA was installed CA-less (with HTTP and LDAP certificates provided by an external CA), or with an embedded CA signed by an external CA?

In the first case, you need to install a CA on any of the IPA servers, using ipa-ca-install. This will create an IPA CA, then you need to download this new IPA CA certificate on all your IPA machines (server/replicas/clients) with ipa-certupdate. Please note that this does not replace the HTTP and LDAP server certificates. Also note that it is recommended to install the CA services on at least 2 servers (using ipa-ca-install on the other server).
Full doc is available at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#CA-less-to-CA

In the second case, you need to identify where the CA role is already installed (ipa config-show displays the list of servers with the CA role), and run the command provided by Rizwan on this node.
Full doc is available at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#change-cert-chaining

HTH,
flo

> Thank you
>
> Regards,
>
> Frederic
>
> Frédéric AYRAULT
> Systems and Network Administrator
> Laboratoire d'Informatique de l'Ecole polytechnique
> <http://www.lix.polytechnique.fr>
> [email protected]
>
> On 09/10/2023 at 09:11, Mohammad Rizwan Yusuf wrote:
>
> Hello,
>
> What procedure did you follow to renew your CA from external to
> self-signed?
>
> Please look at this doc
> https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-management-utility
>
> $ ipa-cacert-manage renew --self-signed
> Above command should renew CA to self-signed
>
> On Sun, Oct 8, 2023 at 5:40 PM Frederic Ayrault via FreeIPA-users <
> [email protected]> wrote:
>
>> Hello,
>>
>> I need to replace our external CA to an Internal one.
>>
>> We tried several ways without success. One of them was to do a backup
>> with ipa-backup or db2bak,
>> reinstall the server with an internal CA and restore the data. But this
>> also restores the external CA.
>>
>> Is there a way to backup or restore only the users, groups, roles, ... ?
>>
>> I am still running ipa 4.6.8 from CentOS 7
>>
>> Thank you
>>
>> Regards,
>>
>> Frederic
>>
>> Frédéric AYRAULT
>> Systems and Network Administrator
>> Laboratoire d'Informatique de l'Ecole polytechnique
>> <http://www.lix.polytechnique.fr>
>> [email protected]
>>
>
> --
>
> Regards
>
> Mohammad Rizwan
>
> He/Him/His
> IM: rizwan
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
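
The two cases in the reply above can be told apart from the ipa config-show output; the following is an added example, not part of the original thread or of FreeIPA itself. It assumes the CA role is reported on a line labelled "IPA CA servers:"; the function names and the sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of `ipa config-show` output (hostnames are made up).
SAMPLE_WITH_CA='  IPA masters: ipa1.example.test, ipa2.example.test
  IPA CA servers: ipa1.example.test
  IPA CA renewal master: ipa1.example.test'
SAMPLE_CA_LESS='  IPA masters: ipa1.example.test, ipa2.example.test'

# ca_servers: read `ipa config-show` text on stdin and print the servers
# holding the CA role, one per line. Prints nothing when there is no
# "IPA CA servers" line (assumed here to mean a CA-less deployment).
ca_servers() {
    sed -n 's/^[[:space:]]*IPA CA servers:[[:space:]]*//p' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# next_step HOST: read `ipa config-show` text on stdin and print what to
# do from HOST, following the two cases described in the reply.
next_step() {
    host=$1
    servers=$(ca_servers)
    if [ -z "$servers" ]; then
        # First case: no CA anywhere in the topology.
        echo "ca-less: run ipa-ca-install, then ipa-certupdate on all servers, replicas and clients"
    elif printf '%s\n' "$servers" | grep -Fxq -- "$host"; then
        # Second case, and HOST itself carries the CA role.
        echo "ca-here: run ipa-cacert-manage renew --self-signed on $host"
    else
        # Second case, but HOST has no CA: running the renewal here gives
        # "CA is not configured on this system".
        list=$(printf '%s\n' "$servers" | tr '\n' ' ' | sed 's/ $//')
        echo "ca-elsewhere: run ipa-cacert-manage renew --self-signed on one of: $list"
    fi
}

# Live use on an IPA server (needs a valid Kerberos ticket):
#   ipa config-show | next_step "$(hostname -f)"
```
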
