Sometimes people who need to renew service certificates use ipa-cacert-manage renew (the wrong command) and either don't solve the problem or get into a deeper mess.
ipa-cacert-manage renew
Enhance ipa-cacert-manage renew to inspect the current CA certificate and if it has, say, more than 75% of its validity period still to go, to point this out, explain that if they only need to renew EE certs to not proceed, and solicit confirmation that that really do want to renew the CA certificate.
freeipa-devel discussion: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/thread/GUDF2CNIVDB52X4LCXXFCQIJ4RKQ46N6/
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @pvoborni: - Issue tagged with: easyfix
Metadata Update from @pvoborni: - Issue untagged with: easyfix
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Login to comment on this ticket.