Description of problem:
Trying to use Firefox 3.5 and importing the IPA CA the following error is thrown:
This is not a certificate authority certificate, so it can't be imported into the certificate authority list.
certutil needs the -2 option as well and it needs the following answers:
Is this a CA certificate [y/N]? y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Created attachment 357653: Add the CA constraint to the self-signed CA we generate
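Added example, not part of the bug report or the attached patch: the three certutil -2 prompts quoted above populate the X.509 basicConstraints extension (cA flag, path length, criticality), and this standard-library sketch decodes one DER-encoded extension to show what a client looks for before accepting a certificate as a CA. The function names and the hand-encoded sample bytes are constructed for illustration.

```python
# Added example: decode basicConstraints from one DER-encoded X.509 Extension.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Split the content of a constructed element into (tag, value) pairs.
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints(extension_der):
    """Parse Extension ::= SEQUENCE {extnID, critical DEFAULT FALSE, extnValue}.
    Returns None when the extension is not basicConstraints."""
    tag, body, _ = read_tlv(extension_der)
    items = children(body) if tag == 0x30 else []
    if len(items) < 2 or items[0] != (0x06, BASIC_CONSTRAINTS_OID):
        return None
    critical = any(t == 0x01 and v != b"\x00" for t, v in items[1:-1])
    octet_tag, octet = items[-1]
    inner_tag, inner, _ = read_tlv(octet)
    if octet_tag != 0x04 or inner_tag != 0x30:
        raise ValueError("malformed basicConstraints value")
    result = {"ca": False, "critical": critical, "path_len": None}
    for t, v in children(inner):
        if t == 0x01:    # cA BOOLEAN DEFAULT FALSE
            result["ca"] = v != b"\x00"
        elif t == 0x02:  # pathLenConstraint INTEGER OPTIONAL
            result["path_len"] = int.from_bytes(v, "big", signed=True)
    return result

def usable_as_ca(extension_der):
    bc = basic_constraints(extension_der)
    return bc is not None and bc["ca"]

# Constructed samples: critical CA:TRUE, and an empty basicConstraints (cA false).
CA_TRUE = bytes.fromhex("300f0603551d130101ff040530030101ff")
EMPTY_BC = bytes.fromhex("30090603551d1304023000")
```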
I'm working on a tool that can be run to replace an existing IPA CA. I've run into a couple of snags that need to be worked around before the tool is complete. Deployment could also be problematic. All browser clients will need to trust the new CA and new server certs issued on the initial IPA server and all replicas. The exact steps for this are still being worked out.
master: 38ae093c7bc1f90c4fe5edf4540efba57e86d8a3
ipa-1-2: 5bdeaf74fc6fcfe402322d21046176d5a8d66be3
Still working on replacement tool. Rich Megginson had a great idea, just re-issue the CA cert using the same keypair. The CA cert still needs to go out everywhere but certs don't need to be re-issued for all services.
ipa-1.2.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc10
ipa-1.2.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc11
ipa-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
ipa-1.2.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.