Hi Rob, thanks much. Some of Flo's blogs about CA help me to understand better now. Sure, "ipa cacert-manage renew" and "ipa-certupdate" were run before, hopefully not harmful; "caSigningCert cert-pki-ca" was valid for 18 more years.
You're right, there is a mix of old and renewed ones; three require renewal: auditSigningCert, subsystemCert and ipaCert, all expired on 2018-08-14. The time I went back to was 7 days earlier, 2018-08-07.

Sorry, nothing to revert; please let me know what you would suggest now.

The state of certs is:

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2018-08-14 20:49:38 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2020-10-11 20:15:53 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2018-08-14 20:49:36 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2038-10-22 18:15:48 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    subject: CN=IPA RA,O=DOMAIN.COM
    expires: 2018-08-14 20:50:00 UTC

    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=ca-ldap01.DOMAIN.com,O=DOMAIN.COM
    expires: 2020-07-07 01:47:45 UTC
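An added example, not part of the original message or of FreeIPA's own tooling: a small parser for the certificate:/expires: lines of a listing like the one above, reporting which tracked certificates are expired at a given clock setting. The function names and the 2018-09-01 "later" date are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the certificate:/expires: lines from the listing above.
SAMPLE = """\
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-11 20:15:53 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2038-10-22 18:15:48 UTC
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
"""

NICKNAME = re.compile(r"nickname='([^']+)'")

def parse_tracked(text):
    """Pair each certificate: line with the expires: line that follows it."""
    certs, nick = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("certificate:"):
            m = NICKNAME.search(line)
            nick = m.group(1) if m else None
        elif line.startswith("expires:") and nick:
            stamp = line.split(":", 1)[1].strip()
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC")
            certs.append((nick, when.replace(tzinfo=timezone.utc)))
            nick = None
    return certs

def expired_at(text, when):
    """Nicknames already expired at `when`, earliest expiry first."""
    tracked = sorted(parse_tracked(text), key=lambda c: c[1])
    return [nick for nick, exp in tracked if exp <= when]

def earliest_expiry(text):
    """Earliest expiry tracked; the clock must be before it for none to be expired."""
    return min(exp for _, exp in parse_tracked(text))

if __name__ == "__main__":
    rollback = datetime(2018, 8, 7, tzinfo=timezone.utc)  # date from the message
    later = datetime(2018, 9, 1, tzinfo=timezone.utc)     # assumed later date
    print("expired at rollback:", expired_at(SAMPLE, rollback))
    print("expired later:", expired_at(SAMPLE, later))
```

The listing carries only expiry times, so this says nothing about whether an already-renewed certificate is valid yet at the rolled-back date.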