When the admin runs ipa-cacert-manage install, he should also run ipa-certupdate on master/replicas/clients in order to update the certificate databases.
The man page should mention this requirement, and also clarify that the "install" command does not replace the IPA CA but rather installs an additional trusted CA.
Current man page:
install - Install a CA certificate
    This command can be used to install the certificate contained in CERTFILE as a new CA certificate to IPA.
Proposal:
install - Install a CA certificate
    This command can be used to install the certificate contained in CERTFILE as an additional CA certificate to IPA. Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
master:
Metadata Update from @frenaud: - Issue assigned to frenaud - Issue set to the milestone: FreeIPA 4.5