On Sun, 02 Dec 2018, 74cmonty via FreeIPA-users wrote:
Hi, this is the output that looks good to me... but I'm not the expert.
It is not good, as I suspected.
[root@ipa-replica ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 4.
Request ID '20181202164246':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
You have wrong issuer here.
        subject: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
        expires: 2019-12-02 17:26:59 CET
        principal name: krbtgt/mydomain...@mydomain.de
        certificate template/profile: KDCs_PKINIT_Certs
And no EKUs and usage defined. Please follow my suggestion to move out the cert/key and try again 'ipa-pkinit-manage enable'

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
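
Added example, not part of the original message and not FreeIPA or certmonger code: a small parser for `getcert list` output that flags the two problems pointed out above, an issuer identical to the subject and absent key usage/EKU lines. It assumes certmonger prints these as `key usage:` and `eku:` fields and names the KDC EKU `id-pkinit-KPKdc`; both sample outputs are constructed.

```python
import re
import sys

# Constructed samples. BAD mirrors the fields quoted in the message above;
# GOOD is an assumed CA-issued KDC certificate with a made-up request ID.
SAMPLE_BAD = """\
Request ID '20181202164246':
        issuer: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
        subject: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
        expires: 2019-12-02 17:26:59 CET
"""
SAMPLE_GOOD = """\
Request ID '20180101000000':
        issuer: CN=Certificate Authority,O=MYDOMAIN.DE
        subject: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
"""

def parse_requests(text):
    """Split `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only, so timestamps stay intact.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def audit_kdc_cert(fields):
    """Return findings for one tracked certificate; an empty list means none."""
    findings = []
    if fields.get("issuer") and fields["issuer"] == fields.get("subject"):
        findings.append("issuer equals subject (not issued by a CA)")
    if not fields.get("key usage"):
        findings.append("no key usage listed")
    ekus = [e.strip() for e in fields.get("eku", "").split(",") if e.strip()]
    if "id-pkinit-KPKdc" not in ekus:
        findings.append("EKU id-pkinit-KPKdc not listed")
    return findings

def audit(text):
    return {rid: audit_kdc_cert(f) for rid, f in parse_requests(text).items()}

if __name__ == "__main__":
    for rid, findings in audit(sys.stdin.read()).items():
        print(rid, "; ".join(findings) or "OK")
```

Run it on the KDC host by piping the output of `getcert list -f /var/kerberos/krb5kdc/kdc.crt` into the script.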