Hi Rob,

On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
> Harald Dunkel via FreeIPA-users wrote:
>> See attachment.
>>
>> Please note the "invalid certificate". Do you remember the thread
>> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
>> after root certificate change via ipa-cacert-manage" and the
>> output of "ipa-certupdate -v" I had posted?
>>
>
> The ipa-certupdate error was a red herring. IPA was just looking for all
> possible CA certs it could know about.
>
OK.

> It does look like the trust is wrong on your CA cert in the tomcat NSS
> database.
>
> # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> [ snip ]
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>
> If yours isn't that

Sorry, but I don't understand. My what isn't what?

> you can try modifying it with:
>
> # certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "caSigningCert
> cert-pki-ca" -t CTu,Cu,Cu
>
Here is what I see on the broken ipa server:


[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,


The CN=example Root CA,... certificate is unwanted. It did not expire,
but it uses an invalid format for its expiration date. I ran ipa-cacert-manage
to replace it with the CN=root-CA,... certificate a few months ago.


The certificate database on another ipa server (not broken yet, as it
seems) looks different:


[root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u


I would highly appreciate any advice on how to clean up this mess.

How come the unwanted "example Root CA" is still in the databases at
all? Due to the broken format I have to get rid of it ASAP.


Regards
Harri
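A small audit script for the situation above, added here as an example (it is not code from the thread or from the FreeIPA project): it parses `certutil -L` output from the tomcat NSS database and reports a CA signing cert whose trust flags differ from the expected `CTu,Cu,Cu`, a replacement root that has no trust, and any leftover certificate that still carries CA trust. The sample listing is the one posted for the broken server; the `EXPECTED` values, the function names and the treatment of `C,,` as the correct flags for the replacement root are assumptions.

```python
import re

# Constructed sample: the `certutil -L` listing from the broken server above.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,
"""

# Assumed expectations: caSigningCert as in Rob's reply, the replacement
# root with the flags seen on the not-yet-broken server.
EXPECTED = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE": "C,,",
}

# Three comma-separated NSS trust groups: SSL, S/MIME, JAR/XPI.
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_listing(text):
    """Map nickname -> trust flags. Nicknames may contain spaces and commas
    (imported CAs are listed by DN), so the trust token is the last field."""
    entries = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            entries[parts[0]] = parts[1]
    return entries


def audit(entries, expected=EXPECTED):
    """Return findings (an empty list means the DB matches expectations)."""
    findings = []
    for nick, want in expected.items():
        got = entries.get(nick)
        if got is None:
            findings.append(f"missing: {nick}")
        elif got != want:
            findings.append(f"wrong trust on {nick}: {got} (expected {want})")
    for nick, trust in entries.items():
        # 'C' or 'T' makes the cert a trust anchor for that usage; an anchor
        # that is not on the expected list (e.g. a retired CA) is a finding.
        if nick not in expected and re.search(r"[CT]", trust):
            findings.append(f"unexpected trust anchor: {nick} ({trust})")
    return findings
```

On a live server, feed the stdout of `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias` to `parse_listing` instead of the sample; the sample produces one "wrong trust" finding for the new root and one "unexpected trust anchor" finding for the old one.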
