I know this is an old thread but I'm just posting this for someone who comes along the same issue like me...
In order to fix my problem I had to do the following, for example to fix the 'ocspSigningCert cert-pki-ca' certificate renewing with wrong subjects:

Find the serial number for that certificate:
    # certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial

Get the requestID:
    # ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={SERIALNUMBER},ou=certificateRepository,ou=ca,o=ipaca "metaInfo"

Get the request data:
    # ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={REQUESTID},ou=ca,ou=requests,o=ipaca

If the request data does not match the current certificate, we need to find one which should be used instead.
    # certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Subject
    # ldapsearch -D "cn=Directory Manager" -W -s sub -b ou=ca,ou=requests,o=ipaca "extdata-req--005fsubject--005fname--002ecn={SUBJECT}"

If we have multiple results, check the one which has the right attributes set, comparing to a different system. Once you know which request to use, change the requestid in the certificateRepository to the one selected. I used ldapadmin to connect to change it, but ldapmodify should also work.

Hope this helps someone in the future...

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QYTZMNXASGLFCFX54FA4KOPPIMPV376H/
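The manual comparison in the post above, scripted as an added example (not the poster's code): it parses the certutil and ldapsearch output the post inspects by hand and reports whether the request recorded for the certificate carries the same subject CN as the certificate itself. The "requestId:<n>" format of the metaInfo value and the plain-CN value of the extdata attribute are assumptions; the sample outputs in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the certificateRepository
# entry's metaInfo reads "requestId:<n>" and the request entry's
# extdata-req--005fsubject--005fname--002ecn holds the bare subject CN.

NSSDB=/etc/pki/pki-tomcat/alias
NICK="ocspSigningCert cert-pki-ca"

# Decimal serial from 'certutil -L -n <nick>' output on stdin
# (e.g. "        Serial Number: 12 (0xc)" -> 12).
cert_serial() {
    sed -n 's/^ *Serial Number: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Subject DN without the surrounding quotes from the same certutil output.
cert_subject() {
    sed -n 's/^ *Subject: *"\(.*\)"$/\1/p' | head -n 1
}

# Request id from the certificateRepository entry's metaInfo attribute
# (ldapsearch output on stdin, e.g. "metaInfo: requestId:16" -> 16).
request_id() {
    sed -n 's/^metaInfo: *requestId:\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = ldapsearch output of the request entry, $2 = certificate subject DN.
# Returns 0 when the request's subject CN equals the certificate's CN,
# 1 when it is the wrong request (the situation the post describes).
request_matches_cert() {
    req_cn=$(printf '%s\n' "$1" | sed -n 's/^extdata-req--005fsubject--005fname--002ecn: *//p' | head -n 1)
    cert_cn=$(printf '%s\n' "$2" | sed -n 's/^CN=\([^,]*\).*/\1/p')
    [ -n "$req_cn" ] && [ "$req_cn" = "$cert_cn" ]
}

# Live check on an IPA CA host; prompts for the Directory Manager password.
check_live() {
    out=$(certutil -L -d "$NSSDB" -n "$NICK")
    serial=$(printf '%s\n' "$out" | cert_serial)
    subject=$(printf '%s\n' "$out" | cert_subject)
    rid=$(ldapsearch -LLL -D "cn=Directory Manager" -W -s sub \
          -b "cn=$serial,ou=certificateRepository,ou=ca,o=ipaca" metaInfo | request_id)
    req=$(ldapsearch -LLL -D "cn=Directory Manager" -W -s sub \
          -b "cn=$rid,ou=ca,ou=requests,o=ipaca")
    if request_matches_cert "$req" "$subject"; then
        echo "request $rid matches certificate serial $serial ($subject)"
    else
        echo "request $rid does NOT match certificate serial $serial ($subject); find the right request as described"
    fi
}
```

Source the file and call check_live on the CA host; the parsing functions can also be fed saved output from another replica to compare systems.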