Hi again,

So, if re-keying is not supported, what is the process that is recommended
for the cases where, for instance, the root keys are compromised? Is this
limitation also valid in the case when the root CA is external?

Thanks,
Nelson V.

On Thu, 6 Feb 2025 at 12:41, Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> On Thu, Feb 6, 2025 at 12:18 PM N. V. via FreeIPA-users <
> [email protected]> wrote:
>
>> Hi,
>>
>> In our FreeIPA deployment we need to find a way to rekey the self-signed
>> root CA and afterwards update the chain and the certificates all the way
>> down. I have been unable to find detailed instructions in the official
>> documentation or through my own research, so I am reaching out for guidance.
>>
>> Could someone please provide instructions or point me to any relevant
>> resources on how to properly rekey the self-signed root CA in FreeIPA? Any
>> advice, tips, or potential pitfalls to avoid during this process would be
>> greatly appreciated.
>>
>
> Unfortunately we don't have any solution yet for this type of request.
> Please read more in *Bug 1873696*
> <https://bugzilla.redhat.com/show_bug.cgi?id=1873696> - [RFE] Need an
> option to replace the root CA key with another key with 3072 bits
>
> It would require cross-signing the old CA with the new one, but we never
> managed to find time to investigate this possibility.
> flo
>
>> Thank you in advance for your assistance!
>>
>> Nelson V.
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>