26.4. Changing the Certificate Chain
You can modify the certificate chain by renewing the CA certificate using the ipa-cacert-manage renew.
- Self-signed CA certificate
externally-signed CA certificate - Add the
--external-ca
option to ipa-cacert-manage renew. This renews the self-signed CA certificate as an externally-signed CA certificate.For details on running the command with this option, see Section 26.2.2, “Renewing CA Certificates Manually”. - Externally-signed CA certificate
self-signed CA certificate - Add the
--self-signed
option to ipa-cacert-manage renew. This renew the externally-signed CA certificate as a self-signed CA certificate.