Thank you, Florence, that makes sense. So the key point is to use the same
private key to get the new external signed CA.

Many thanks!

Kathy.

On Mon, Jul 7, 2025 at 8:37 AM Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> On Sun 6 Jul 2025 at 23:46, Kathy Zhu via FreeIPA-users <
> [email protected]> wrote:
>
>> Hello team,
>>
>> From my reading, it is possible to migrate IPA from a self signed root CA
>> to an external signed one. After the migration, I know:
>>
>>    1. all IPA clients should "ipa-certupdate" to get the new CA
>>
>> I do not know:
>>
>>    1. what will happen to the SSL certificates issued with the old self
>>    signed root CA?
>>
> The new CA is signed externally but is still based on the same private
> key. Certificates issued by the old CA are still valid and can still be
> used.
>
>
>>    2. what will happen to the subCA issued with the old self signed root
>>    CA?
>>
> Same answer, subcas signed by the old CA are still valid.
> flo
>
>>
>> Could someone share the answers? Thanks.
>>
>> Kathy.
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
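An added illustration of the point made in this thread (not code from FreeIPA or from either poster): a throwaway OpenSSL PKI showing that a leaf issued under the self-signed CA still verifies once the CA certificate is re-issued by an external root over the same key, and stops verifying if the CA key changes. All subjects, file names and function names are constructed; it uses plain `openssl` and does not reproduce the IPA renewal procedure.

```shell
#!/bin/sh
# Constructed demo PKI: every subject, key and file name below is made up.
CA_SUBJ="/O=EXAMPLE.TEST/CN=Certificate Authority"

sign_by_ext() {  # $1 = CA CSR, $2 = output cert, signed by the stand-in external root
  openssl x509 -req -in "$1" -CA ext_root.pem -CAkey ext.key -CAcreateserial \
    -days 30 -extfile ca.ext -extensions ca -out "$2" 2>/dev/null
}

build_demo_pki() (  # $1 = empty working directory
  set -e; cd "$1"
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  for k in ca leaf ext rekeyed; do openssl genrsa -out "$k.key" 2048 2>/dev/null; done
  # 1. Original CA certificate: self-signed with ca.key.
  openssl req -new -key ca.key -subj "$CA_SUBJ" -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 \
    -extfile ca.ext -extensions ca -out ca_self.pem 2>/dev/null
  # 2. Leaf issued while the CA was still self-signed.
  openssl req -new -key leaf.key -subj "/O=EXAMPLE.TEST/CN=host.example.test" -out leaf.csr
  openssl x509 -req -in leaf.csr -CA ca_self.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
  # 3. Stand-in for the external root CA.
  openssl req -new -key ext.key -subj "/O=External Org/CN=External Root" -out ext.csr
  openssl x509 -req -in ext.csr -signkey ext.key -days 30 \
    -extfile ca.ext -extensions ca -out ext_root.pem 2>/dev/null
  # 4. External root signs the CA's CSR: same subject, same key, new issuer.
  sign_by_ext ca.csr ca_ext.pem
  # 5. Counter-example: same subject but a different CA key.
  openssl req -new -key rekeyed.key -subj "$CA_SUBJ" -out rekeyed.csr
  sign_by_ext rekeyed.csr ca_rekeyed.pem
)

same_ca_key() {  # $1, $2 = certificate files; true if their public keys match
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

old_leaf_verifies() (  # $1 = directory, $2 = CA cert used as intermediate
  cd "$1" && openssl verify -CAfile ext_root.pem -untrusted "$2" leaf.pem >/dev/null 2>&1
)

d=$(mktemp -d) && build_demo_pki "$d"
same_ca_key "$d/ca_self.pem" "$d/ca_ext.pem" && echo "CA public key unchanged"
old_leaf_verifies "$d" ca_ext.pem && echo "old leaf chains to the external root"
old_leaf_verifies "$d" ca_rekeyed.pem || echo "re-keyed CA: old leaf no longer verifies"
rm -rf "$d"
```

Only the external root is passed as the trust anchor, so the old leaf verifies solely because the re-issued CA certificate carries the same subject and public key as the self-signed one.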