Khurrum Maqb via FreeIPA-users wrote:
> I am running ipa-server 4.6.6 with the same version clients. This IPA server
> has been around since pre-v1 and has been upgraded till the current version
> that is shipped with CentOS 7.
> The IPA CA Cert was/is set to expire on Aug 10, 2020.
>
> On the server that is the IPA CA renewal master, I checked the output of
> `getcert list` and the CA with the certificate "subject: CN=Certificate
> Authority,O=DOMAIN.COM" and nickname='caSigningCert cert-pki-ca' is
> shown as renewed till 2040. All other certs that appear in that list are
> updated without intervention to 2022. It's located at
> `location='/etc/pki/pki-tomcat/alias'`. So far so good;
>
> BUT I noticed that /etc/ipa/ca.crt on the same server shows as still expiring
> on August 10:
>
>     # openssl x509 -inform pem -enddate -noout -in /etc/ipa/ca.crt
>     notAfter=Aug 10 21:29:31 2020 GMT
>
> So that means that the caSigningCert cert-pki-ca is set to automatically
> renew for 20 years, but the IPA CA Cert is not.
>
> Next, I saw that there are certs located in /etc/pki/pki-tomcat/alias,
> /etc/ipa/nssdb/, /etc/httpd/alias/, and /etc/pki/nssdb/.
>
> My questions:
>
> * Is my self-signed IPA CA Cert supposed to be automatically renewed?
It can automatically renew, I don't know if it did or not in your case. The
updated cert just isn't automatically pushed out to all the file locations it
needs to be. Run ipa-certupdate on all IPA-enrolled machines, including
servers, to update local files.

> * Or is it required that I run `ipa-cacert-manage renew` on the IPA CA
> renewal master, and then `ipa-certupdate` on all the other server replicas
> and clients?

Just the ipa-certupdate part since the renewal is already done. Run on all
machines.

> * Why do I appear to have duplicate DOMAIN IPA CA certs listed in
> /etc/ipa/nssdb/, /etc/httpd/alias/? Is one location deprecated?

They are separate NSS databases for separate purposes. dbm-based NSS databases
should not be shared between multiple services hence each one has its own db
(389 has one as well).

rob

_______________________________________________
FreeIPA-users mailing list
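The situation above (the CA in the pki-tomcat NSS database renewed, but the flat-file copy in /etc/ipa/ca.crt still carrying the old notAfter) is easy to detect before it bites. The following POSIX shell script is an added example written for this thread, not code from the FreeIPA project or from either poster: it exports the CA from the NSS database with certutil using the nickname and location quoted in the question (that export step is an assumption about where you run it; the functions themselves only need openssl), compares the notAfter of the two PEM copies, and flags a copy that expires within a chosen number of days. The paths, the 30-day threshold and the `check` sub-command are my choices.

```shell
#!/bin/sh
# Added example: detect a stale on-disk IPA CA copy after the NSS-db CA was
# renewed. Requires openssl; certutil only for the optional NSS export.

# notAfter of a PEM certificate, e.g. "Aug 10 21:29:31 2020 GMT".
cert_not_after() {
    openssl x509 -inform pem -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# 0 when both PEM files carry the same notAfter, 1 when they differ
# (i.e. one copy was renewed and the other was not).
ca_copies_agree() {
    [ "$(cert_not_after "$1")" = "$(cert_not_after "$2")" ]
}

# 0 when the certificate expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 only if the cert is still valid after that many
# seconds, so the sense is inverted here.
cert_expires_within_days() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Export the CA signing cert from the renewal master's NSS database to PEM.
# Nickname and location are the ones quoted in the question above.
export_nss_ca() {
    certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a > "$1"
}

# Usage: ./check-ipa-ca.sh check  (run on the CA renewal master as root)
case "${1:-}" in
check)
    nss_pem=$(mktemp)
    export_nss_ca "$nss_pem"
    echo "NSS db CA notAfter:     $(cert_not_after "$nss_pem")"
    echo "/etc/ipa/ca.crt notAfter: $(cert_not_after /etc/ipa/ca.crt)"
    if ! ca_copies_agree "$nss_pem" /etc/ipa/ca.crt; then
        echo "MISMATCH: /etc/ipa/ca.crt is stale; run ipa-certupdate on every enrolled host"
    fi
    if cert_expires_within_days /etc/ipa/ca.crt 30; then
        echo "WARNING: /etc/ipa/ca.crt expires within 30 days"
    fi
    rm -f "$nss_pem"
    ;;
esac
```

After running ipa-certupdate on a host, re-running the `check` sub-command there should report matching notAfter values; the functions can also be pointed at the other copies rob mentions (for example the ones in /etc/ipa/nssdb and /etc/httpd/alias, exported the same way with their own `-d`) to confirm every database picked up the renewed CA.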
