I have an existing website that I use for all sorts of things. I was a bit more of a sucker when I bought the domain so I also bought a wildcard SSL cert for my domain instead of using LetsEncrypt. I use the home subdomain to link back to my home network where I’m in the process of setting up a FreeIPA domain. In order to make sure the SSSD works properly, I read that I need to LDAPS, and for that I’ll need some certs. I know FreeIPA generates its own certs, but these are self signed. I’d like to have my certs actually be trusted as theres a reason this is on an actual domain. However when i try to add my certs with

sudo ipa-cacert-manage -t 'C,,' CERT_BUNDLE

I get an issue with one of the certs (I know which one) for using an insecure algorithm. And (expectedly) I can’t add the other certs as this is part of the CA chain. So I read to try renewing with the external-ca option, and now I have a CSR from FreeIPA but I’m unsure if I can sign it with my SSL cert. Any guidance or help is vert much appreciated. I may have buggered my install in trying to figure this out, but I suppose we’ll find out.

Update: It looks like I wasn’t doing anything wrong; the root CA cert is SHA1 signed which seems to be my issue. I’m setting up everything with lets encrypt going forward and won’t be buying a cert again unless i genuinely have a reason to.