#9417 ipa-server-certinstall does not update service entries in LDAP
Opened 9 months ago by cheimes. Modified 9 months ago

Issue

ipa-server-certinstall is used to replace the cert and key of LDAP, HTTP, or KDC with an external certificate. By default these services have a certificate issued by Dogtag. When a user replaces the internally issued certificate with an externally issued certificate, the ipa-server-certinstall command replaces the files / updates the NSSDB. However, it does not update the LDAP entry for the service or revoke the internal certificate. ipa service-show and the WebUI still show the old certificate, which can lead to some confusion.

Steps to Reproduce

  1. Install IPA server
  2. Replace the HTTPd certificate with ipa-server-certinstall -w ...
  3. Check the LDAP entry with ipa service-show HTTP/$(hostname)

Actual behavior

The command shows the old certificate, not the new certificate. The old certificate is not revoked.

Expected behavior

  • ipa service-show either shows no certificate or the new certificate.
  • The old internal certificate is revoked.

Version/Release/Distribution

ipa-server-4.10.1-7.el9_2.x86_64

Additional info:

The behavior can be observed in the public demo instance. https://ipa.demo1.freeipa.org/ipa/ui/#/e/service/details/HTTP%2Fipa.demo1.freeipa.org%40DEMO1.FREEIPA.ORG shows the internal certificate, not the external cert from Let's Encrypt.
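The drift described in this ticket (the certificate actually served on 443 no longer matching what the HTTP/<host> service entry in LDAP records) can be checked from a shell. The script below is an added example, not FreeIPA project code and not from the reporter; it assumes that `ipa service-show --raw` prints each stored certificate as a `usercertificate: <base64 DER>` line (or `Certificate: <base64>` in the default output), that `openssl` is installed, and that the hostname passed in is a placeholder you replace with your server. It handles entries that carry several certificates by checking whether the served one is among them.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): report when the certificate served
# by the IPA HTTPS listener is not recorded on the HTTP/<host> LDAP entry.
# Assumptions (not taken from the ticket): `ipa service-show --raw` emits
# "usercertificate: <base64 DER>" lines and openssl is on PATH.

# Print the base64 DER value of every certificate in `ipa service-show` output
# read from stdin, one per line. Accepts the --raw label and the default label.
extract_cert_b64() {
    sed -n -e 's/^[[:space:]]*usercertificate: *//p' \
           -e 's/^[[:space:]]*Certificate: *//p' | sed '/^$/d'
}

# Wrap one base64 DER blob ($1) into a PEM certificate on stdout.
b64_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$1" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# SHA-256 fingerprint (colon-separated hex) of the PEM certificate on stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate the HTTPS listener on $1:443 presents.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 | pem_fingerprint
}

# Return 0 if the served certificate matches one stored on the LDAP entry,
# 1 if it matches none of them (the situation this ticket describes),
# 2 if the listener could not be reached.
check_http_cert_drift() {
    host=$1
    served=$(served_fingerprint "$host") || return 2
    [ -n "$served" ] || return 2
    # base64 contains no whitespace, so word-splitting the output is safe here
    for b64 in $(ipa service-show "HTTP/$host" --raw | extract_cert_b64); do
        stored=$(b64_to_pem "$b64" | pem_fingerprint)
        if [ "$stored" = "$served" ]; then
            echo "OK: served certificate $served is recorded on HTTP/$host"
            return 0
        fi
    done
    echo "DRIFT: served certificate $served is not on the HTTP/$host entry" >&2
    return 1
}

# Usage: sh check_cert_drift.sh ipa.example.test   (placeholder hostname)
if [ -n "$1" ]; then
    check_http_cert_drift "$1"
fi
```

Run it on the server (or any host with the admin's Kerberos ticket and the `ipa` client) after step 2 of the reproduction; a `DRIFT` result is exactly the state the ticket reports, and it is a cheap check to keep in monitoring so that a certificate replaced outside of certmonger does not go unnoticed in the directory.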


Metadata Update from @rcritten:
- Issue assigned to rcritten

9 months ago

Note: if one saves the original IPA cert and key, then replaces them, then wants to re-install them, it's fine (we won't prevent it), but the certificates will be revoked so there could be consequences if OCSP/CRL is enforced. To repair this one would run getcert resubmit on the old certs to obtain new ones (assuming OCSP/CRL is not enforced).

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6920

9 months ago
