When IPA's CA certificate is close to its expiry date, renewing it doesn't push the expiry date forward

Solution Verified - Updated

Environment

RHEL 8+
FreeIPA/RH IDM with CA
caSigningCert cert-pki-ca close to its expiry date, or already expired with the system clock rolled back to the last day before expiry.

Issue

If your IPA signing CA certificate is close to its expiry date, renewing it results in a certificate with the same expiry date as the previous one, so the renewal does not actually solve the expiry problem.

Resolution

1. Allow PKI to issue certificates past the CA certificate's notAfter

Add the following line to /etc/pki/pki-tomcat/ca/CS.cfg (it is read when pki-tomcatd starts, which the IPA restart in step 3 takes care of):

ca.enablePastCATime_caCert=true

2. Fix the caCACert profile to allow bypassing the CA's notAfter

IPA doesn't allow direct work with PKI's internal certificate profiles, and at this point we cannot guarantee that the other certificates are still valid, so we work around it by editing the profile directly in the LDAP entry that stores it.

Export the profile's LDAP entry with:

# ldapsearch -x -D "cn=Directory Manager" -W -b "cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca" "objectClass=*"  > caCACert.ldif

Then decode the base64-encoded profile into a text file. ldapsearch folds long attribute values onto continuation lines that start with a single space, so the awk joins those lines back together; it only joins continuation lines that directly follow certProfileConfig, so a folded attribute further down the entry cannot leak into the decoded profile:

# awk '/^certProfileConfig::/ {sub(/^certProfileConfig::[[:space:]]*/, ""); line=$0; inattr=1; next} /^ / && inattr {line=line substr($0,2); next} {inattr=0} END {print line}' caCACert.ldif | base64 -d > caCACert.cfg

Edit the resulting config file caCACert.cfg and add the following parameter:

policyset.caCertSet.2.default.params.bypassCAnotafter=true

Put it on the line directly after

policyset.caCertSet.2.default.params.startTime=0

Save the file and encode it back as a single base64 line:

# base64 -w 0 caCACert.cfg > caCACert.b64

Replace the attribute in the LDAP entry with the new configuration. The heredoc is unquoted so the shell expands $(cat caCACert.b64), and the double colon after the attribute name tells ldapmodify that the value is base64-encoded (-x selects a simple bind, as in the ldapsearch above):

# ldapmodify -x -D "cn=Directory Manager" -W << EOF
dn: cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca
changetype: modify
replace: certProfileConfig
certProfileConfig:: $(cat caCACert.b64)
EOF
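The LDIF export, decode, edit and re-encode steps above are easy to get subtly wrong (a continuation line from the next attribute appended to the base64 string, the parameter added twice on a re-run). The following script, an added example that is not part of the original article, packages those steps as shell functions and runs them against a constructed LDIF entry instead of the live o=ipaca tree. The sample profile contents, the folded description attribute and the 56-column wrapping are constructed for illustration only; the attribute name, the DN and the parameter lines are the ones from the procedure.

```shell
#!/bin/bash
# Added example, not part of the original article: the LDIF -> profile ->
# LDIF round trip of step 2 as reusable shell functions, run here against a
# constructed entry instead of the live o=ipaca tree. SAMPLE_CFG, the
# description attribute and the 56-column folding are constructed.
set -eu

PROFILE_DN='cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca'
BYPASS_LINE='policyset.caCertSet.2.default.params.bypassCAnotafter=true'

# Constructed stand-in for the decoded caCACert profile (only the lines the
# procedure cares about; the real profile is much longer).
SAMPLE_CFG='desc=Constructed stand-in for the caCACert profile
policyset.caCertSet.2.default.class_id=validityDefaultImpl
policyset.caCertSet.2.default.params.startTime=0
policyset.caCertSet.2.default.params.range=7305'

# Emit a constructed ldapsearch-style LDIF entry: the base64 attribute is
# folded onto continuation lines (leading space, RFC 2849) and followed by a
# second folded attribute, so a naive "join every continuation line" corrupts
# the base64 data.
make_sample_ldif() {
    printf 'dn: %s\ncn: caCACert\n' "$PROFILE_DN"
    printf '%s' "$SAMPLE_CFG" | base64 -w 0 | fold -w 56 |
        awk 'NR == 1 { print "certProfileConfig:: " $0; next } { print " " $0 }'
    printf 'description: constructed, folded onto a\n continuation line on purpose\n'
}

# Decode one base64 (::) attribute from an LDIF entry on stdin, joining only
# the continuation lines that directly follow it.
ldif_attr_b64() {   # usage: ldif_attr_b64 ATTR < entry.ldif
    awk -v attr="$1" '
        $0 ~ ("^" attr "::") { sub("^" attr "::[[:space:]]*", ""); v = $0; in_attr = 1; next }
        /^ / && in_attr      { v = v substr($0, 2); next }
                             { in_attr = 0 }
        END                  { print v }' | base64 -d
}

# Insert the bypassCAnotafter parameter directly after the startTime line,
# leaving the profile untouched if the parameter is already present.
add_bypass() {   # usage: add_bypass < profile.cfg
    local cfg
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q '^policyset\.caCertSet\.2\.default\.params\.bypassCAnotafter='; then
        printf '%s\n' "$cfg"
    else
        printf '%s\n' "$cfg" | awk -v line="$BYPASS_LINE" \
            '{ print } /^policyset\.caCertSet\.2\.default\.params\.startTime=/ { print line }'
    fi
}

# Wrap a profile from stdin into the ldapmodify record used in step 2.
modify_ldif() {   # usage: modify_ldif DN < profile.cfg
    printf 'dn: %s\nchangetype: modify\nreplace: certProfileConfig\ncertProfileConfig:: %s\n' \
        "$1" "$(base64 -w 0)"
}

# Full pipeline on the constructed entry. On a real server the first stage is
# the ldapsearch from the article and the output is piped into
# ldapmodify -x -D "cn=Directory Manager" -W.
make_sample_ldif | ldif_attr_b64 certProfileConfig | add_bypass | modify_ldif "$PROFILE_DN"
```

The join in ldif_attr_b64 resets as soon as it sees a line that is not a continuation, which is what keeps the folded description attribute out of the base64 string; add_bypass checks for the parameter first so running the procedure twice does not produce a profile with two bypassCAnotafter lines.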

3. Issue the new CA certificate

Restart IPA so that pki-tomcatd picks up the CS.cfg change and the modified profile:

# systemctl restart ipa

Then renew the CA certificate as self-signed and distribute it to the local certificate stores:

# ipa-cacert-manage renew --self-signed
# ipa-certupdate

Finally, restart certmonger:

# systemctl restart certmonger

and look for the caSigningCert cert-pki-ca request in the output of the command below; its expires: field should now show a date later than the old expiry date:

# getcert list

Root Cause

Normally, PKI won't issue a certificate whose validity extends beyond the validity of the CA certificate that signs it.

This is done for security reasons, but it creates a situation in which the validity of the issuing CA certificate can't effectively be moved forward in time: every certificate we can issue with the current issuing certificate is limited to that certificate's own validity period, and that includes the renewal of the issuing certificate itself.

Normally, an issuing certificate doesn't need to be renewed often because of its long validity period (20 years by default for a self-signed IPA CA), but if your issuing CA is externally signed, it can have the usual 2-year validity period and can expire easily, especially since IPA can't normally auto-renew it.

When the CA certificate is expired, every certificate it has issued is effectively invalid too, and the only way to fix things is to go back in time to a date when the certificates were still valid, switch to a self-signed CA, get the service certificates renewed so that they cover the gap between the date they expired and the present, and only then install the new externally-signed CA.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.