On su, 02 joulu 2018, 74cmonty via FreeIPA-users wrote:
Hi,
this is the output that looks good to me... but I'm not the expert.
It is not good, as I suspected.
[root@ipa-replica ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 4.
Request ID '20181202164246':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
You have wrong issuer here.
subject: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
expires: 2019-12-02 17:26:59 CET
principal name: krbtgt/mydomain...@mydomain.de
certificate template/profile: KDCs_PKINIT_Certs
And no EKUs and usage defined.
Please follow my suggestion to move out the cert/key and try again
'ipa-pkinit-manage enable'
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
