How to remove revoked CA certificate in IPA
Environment
- Red Hat Enterprise Linux 9
- IPA Server
- IPA Replica
Issue
- How to remove an expired CA certificate from IPA
Resolution
- Identify the old CA certificate that is revoked/expired:
# kinit admin
# ldapsearch -LLL -Y GSSAPI -b "cn=IPA.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=domain"
- Create an LDIF file to delete the revoked/expired CA certificate (the value after `::` is the base64 blob exactly as returned by the ldapsearch above):
# cat remove_certificate.ldif
dn: cn=IPA.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=domain
changetype: modify
delete: cACertificate;binary
cACertificate;binary:: <<revoked certificate blob>>
- Run the command to delete the certificate:
# kinit admin
# ldapmodify -Y GSSAPI -f remove_certificate.ldif
- Remove the revoked/expired certificate from the /etc/ipa/ca.crt file
- Run the ipa-certupdate command on the IPA server, replica, and on clients:
# ipa-certupdate
- Confirm it by running the below commands:
# ldapsearch -LLL -Y GSSAPI -b "cn=IPA.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=domain"
# openssl s_client -connect <Server-IP>:443 -showcerts
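The identification and LDIF steps above, as an added shell helper that is not part of the Red Hat article: it reads saved ldapsearch output, reports each stored CA certificate with its expiry date, and writes the deletion LDIF only for the expired blob(s), so the current CA value is never named by mistake. It assumes openssl and awk are installed and that the ldapsearch output was saved to a file; the DN is the one used in the article.

```shell
# Added helper (not from the Red Hat article). Input: saved LDIF output of
#   ldapsearch -LLL -Y GSSAPI -b "$CA_DN" cACertificate > search.ldif
# Output: subject/notAfter of each stored CA certificate plus a deletion LDIF that
# names only the expired blob(s). Assumes openssl and awk are installed.
set -eu
CA_DN='cn=IPA.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=domain'
# Unfold LDIF continuation lines (a leading space continues the previous line),
# then print the base64 of every cACertificate;binary value, one per line.
extract_cert_blobs() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1" |
    awk 'tolower($0) ~ /^cacertificate;binary:: / { print substr($0, index($0, ":: ") + 3) }'
}
# Subject and notAfter of one base64 DER blob, so the operator sees what gets removed.
describe_blob() {
    printf '%s' "$1" | openssl base64 -d -A | openssl x509 -inform DER -noout -subject -enddate
}
# True only when openssl parsed the blob and notAfter is already in the past
# ("-checkend 0" prints "Certificate will expire"); unparseable blobs are not flagged.
blob_expired() {
    printf '%s' "$1" | openssl base64 -d -A |
        openssl x509 -inform DER -noout -checkend 0 2>/dev/null | grep -q 'will expire'
}
# Print only the expired blobs found in a saved ldapsearch output file.
find_expired() {
    extract_cert_blobs "$1" | while IFS= read -r blob; do
        if blob_expired "$blob"; then printf '%s\n' "$blob"; fi
    done
}

# Write the ldapmodify input: one "delete" modification per blob, separated by "-"
# lines as LDIF requires, so the still-valid CA certificate value is never named.
write_delete_ldif() {   # $1 = output file, remaining args = base64 blobs to delete
    out=$1; shift
    {
        printf 'dn: %s\nchangetype: modify\n' "$CA_DN"
        for blob in "$@"; do
            printf 'delete: cACertificate;binary\ncACertificate;binary:: %s\n-\n' "$blob"
        done
    } > "$out"
}

# Usage: sh remove_expired_ca.sh search.ldif   (writes remove_certificate.ldif)
if [ $# -gt 0 ]; then
    set -- $(find_expired "$1")   # base64 has no whitespace, so word splitting is safe
    for blob in "$@"; do describe_blob "$blob"; done
    if [ $# -gt 0 ]; then write_delete_ldif remove_certificate.ldif "$@"; fi
fi
```

Review the printed subject and notAfter of every flagged blob before feeding the generated file to ldapmodify.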
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.