Bhavin Vaidya via FreeIPA-users wrote:
Hello,


I'm having various problems on our FreeIPA setup, like not being able to
establish a new replica server or add a client anymore. Initially we had a
certificate issue, then we upgraded the Master FreeIPA server (CentOS 7.0.146)
to FreeIPA v4.4.0 a few months back.


On the master server it shows 4 entries for the IPA CA certificate. Is this
normal?


[root@ds01 ~]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C

The question is: are these all different certificates (and why)? I assume someone ran ipa-cacert-manage renew a bunch of times.

Multiple entries in itself shouldn't be a problem.

I assume this is related to your client install issues. You may be able to get away with having just the latest CA cert stored in LDAP to avoid this.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
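
Added example, not part of the original thread or of FreeIPA: one way to answer the question of whether the four same-nickname entries are different certificates is to group a PEM export of them by SHA-256 fingerprint and serial number. It assumes the entries have already been exported to a PEM bundle (for instance with `certutil -L -d /etc/pki/nssdb -n "EXAMPLE.COM IPA CA" -a`, assumed here to print every matching entry); the function names and the sample input are hypothetical.

```python
import base64, hashlib, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_number(der):
    """Certificate -> tbsCertificate -> optional [0] version -> INTEGER serialNumber."""
    _, pos, _ = read_tlv(der, 0)
    _, pos, _ = read_tlv(der, pos)
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                         # skip the explicit version field
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big")

def distinct_certs(pem_text):
    """Map SHA-256 fingerprint -> {'serial', 'copies'} for every cert in a PEM bundle."""
    found = {}
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fp = hashlib.sha256(der).hexdigest()
        found.setdefault(fp, {"serial": serial_number(der), "copies": 0})["copies"] += 1
    return found

def sample_cert(serial):
    """Constructed stand-in: only the version and serial fields, not a valid certificate."""
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02\x01" + bytes([serial])
    der = b"\x30" + bytes([len(tbs) + 2]) + b"\x30" + bytes([len(tbs)]) + tbs
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed input: four entries under one nickname, three of them the same certificate.
SAMPLE_BUNDLE = sample_cert(1) * 3 + sample_cert(2)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for fp, info in distinct_certs(text).items():
        print(f"{fp[:16]}...  serial={info['serial']:#x}  copies={info['copies']}")
```

One fingerprint with four copies means the same certificate was stored repeatedly; several fingerprints with different serials means the CA certificate was reissued.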