Hi,
Which 'FreeIPA certificate' are you referring to? If you installed
FreeIPA CA-less, then the root certificate was used to sign LDAP and
HTTPd certificates and you can follow this page [1] to use a different
CA and replace LDAP and HTTPd certs.
If you installed IPA with an integrated CA, then the root certificate
was used to sign IPA CA certificate, and the other certificates used by
FreeIPA were signed by IPA CA. In this case you would have to replace
IPA CA with [2] and then renew LDAP and HTTPd certificates [3].
Flo
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html
[2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
[3]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/replace-HTTP-LDAP-cert.html
On 03/10/2017 01:16 PM, Harald Dunkel wrote:
Hi folks,
I stumbled over this problem:
http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
The details don't really matter. The important point is that
the root certificate used to sign freeipa's certificate
appears to be unacceptable on openBSD and maybe others.
What would you suggest? Is there a guideline to migrate
freeipa to a new certificate authority?
Every helpful comment is highly appreciated
Harri
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
