On Fri, Mar 10, 2017 at 01:16:42PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> I stumbled over this problem:
>
> http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
>
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on openBSD and maybe others.
>
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
>
>
> Every helpful comment is highly appreciated
> Harri
>

The issue in that thread was resolved. It was caused by invalid encoding of the notAfter field. I think OpenBSD uses LibreSSL in their base system - and I guess it adheres more strictly to RFC 5280 than other implementations.
As for migrating to a new CA (or merely installing a newer certificate for the original CA, with correct encoding), you can do it via ipa-cacert-manage(1).

Cheers,
Fraser
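
The message above does not say which encoding rule the notAfter field broke. As an added example (not from this thread or from FreeIPA), the sketch below checks one Validity time field against the RFC 5280 section 4.1.2.5 rules, given its ASN.1 tag and content bytes; the function name and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tags

# tag -> (type name, required layout, total length, number of year digits)
LAYOUTS = {
    UTC_TIME: ("UTCTime", "YYMMDDHHMMSSZ", 13, 2),
    GENERALIZED_TIME: ("GeneralizedTime", "YYYYMMDDHHMMSSZ", 15, 4),
}

def check_validity_time(tag, content):
    """Return a list of RFC 5280 4.1.2.5 violations (empty list = conforming)."""
    if tag not in LAYOUTS:
        return [f"tag 0x{tag:02x} is neither UTCTime nor GeneralizedTime"]
    name, layout, length, ydigits = LAYOUTS[tag]
    text = content.decode("ascii", errors="replace")
    # Seconds are mandatory, the zone must be 'Z', no fractions or offsets.
    if len(text) != length or text[-1] != "Z" or not text[:-1].isdigit():
        return [f"{name} must have the form {layout}, got {text!r}"]
    year = int(text[:ydigits])
    if tag == UTC_TIME:
        # Two-digit years: 50-99 mean 19YY, 00-49 mean 20YY.
        year += 1900 if year >= 50 else 2000
    fields = [int(text[i:i + 2]) for i in range(ydigits, length - 1, 2)]
    try:
        datetime(year, *fields)  # month, day, hour, minute, second
    except ValueError as exc:
        return [f"{name} {text!r} is not a real date/time: {exc}"]
    if tag == GENERALIZED_TIME and year < 2050:
        return [f"{text!r}: dates through 2049 must be encoded as UTCTime"]
    return []

if __name__ == "__main__":
    # Constructed sample values, not taken from the certificate in the thread.
    samples = [
        (UTC_TIME, b"270310121642Z"),            # conforming
        (UTC_TIME, b"2703101216Z"),              # seconds omitted
        (UTC_TIME, b"270310121642+0100"),        # local offset instead of Z
        (GENERALIZED_TIME, b"20270310121642Z"),  # before 2050: must be UTCTime
        (GENERALIZED_TIME, b"20500101000000Z"),  # conforming
    ]
    for tag, raw in samples:
        print(raw.decode(), "->", check_validity_time(tag, raw) or "ok")
```

The tag and content bytes for notBefore and notAfter can be read from an ASN.1 dump of the certificate's Validity sequence.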
