There is a confusion about what ipa-cacert-manage renew does:
ipa-cacert-manage renew
ddas: jcholast the external ca and current CA cert seems to be valid
jcholast: no
jcholast: also why do you want to run ipa-cacert-manage at all?
ddas: jcholast since some of the certificate became invalid from 2-Feb-2017.
ddas: jcholast expires: 2017-02-02 22:51:09 UTC
jcholast: ipa-cacert-manage manages the CA certificate and nothing else
jcholast: you use it only if you need to renew the CA certificate
jcholast: i.e. caSigningCert cert-pki-ca
jcholast: it has no effect on other certificates
ddas: jcholast so I only need to use "getcert resubmit -i <id>" approach??
jcholast: yes
jcholast: this seems to be a common misconception
jcholast: I wonder what can we do to make it clear
ddas: jcholast ok got it. I was of the same impression that it look into other certificates too.
ddas: jcholast I think updating the man page will help with exactly functionality.
jcholast: could you be more specific? what would you like to see changed in the man page so that it's obvious to you what the command does?
ddas: jcholast regarding the man page. If a note can be added mentioning that the command is used only to update "caSigningCert cert-pki-ca" and for other certificates use "getcert resubmit" command will help clear doubts.
ddas: jcholast recently we have seen 2-3 cases of sub system certs not renewing in IPA 4.x so there is no clear step how to proceed on that unlike in IPA 3.x where we had KCS.
jcholast: ok, I'm going to file a ticket, thanks
Update the man page as suggested to make it more clear.
Metadata Update from @jcholast: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @tkrizek: - Issue assigned to tkrizek (was: someone)
master:
Metadata Update from @tkrizek: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @tkrizek: - Custom field affects_doc reset