On 8/6/20 6:35 PM, Khurrum Maqb via FreeIPA-users wrote:
Run ipa-certupdate on all IPA-enrolled machines, including servers, to
update local files.

Thanks. I ran ipa-certupdate on a client and I see that it completed 
successfully.

The output of `certutil -L -d /etc/ipa/nssdb/` shows a second `DOMAIN IPA CA` 
now with the new certificate with the new expiration date. It still has the old 
cert as well which is expected.

However, `/etc/ipa/ca.crt` changed in file size AND the filesystem modified date changed 
to the time when ipa-certupdate was run today, but the output of 
`openssl x509 -inform pem -enddate -noout -in /etc/ipa/ca.crt` is still 
"notAfter=Aug 10 21:29:31 2020 GMT"

`openssl x509` has a limitation when used with a PEM file that contains multiple certificates: it displays the information for the first cert only.
If you want to see all the certs, you can use instead:

`openssl crl2pkcs7 -nocrl -certfile /etc/ipa/ca.crt | openssl pkcs7 -print_certs -text -noout`

HTH,
flo

-rw-r--r--.   1 root root 12351 Aug  6 12:20 ca.crt
-rw-r--r--.   1 root root  4145 Aug  6 12:20 ca.crt.original

When I ran `ipa-certupdate -v` it showed a "File not found" for `IPA CA` but 
then it found `DOMAIN IPA CA` so that's probably not relevant.

So far it looks like everything updates but ca.crt does not show the updated 
cert.

Is this something that can be changed so that ca.crt is also showing the 
correct certificate?

K
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
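
An added example, not part of the original thread: a shell helper that splits a multi-certificate PEM file such as `/etc/ipa/ca.crt` and reports the expiry of every certificate in it, not only the first one that `openssl x509` reads. The function names, the demo CA names and the 30-day warning window are assumptions made for this illustration.

```shell
# list_bundle_expiry BUNDLE [WINDOW_SECONDS]  (hypothetical helper name)
# One line per certificate: index, status, notAfter, subject.
# WINDOW_SECONDS defaults to 30 days, an assumed warning threshold.
list_bundle_expiry() {
    bundle=$1
    window=${2:-2592000}
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle so each certificate gets its own numbered file.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    i=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break
        i=$((i + 1))
        end=$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//')
        subj=$(openssl x509 -noout -subject -in "$pem" | sed 's/^subject= *//')
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
            status=EXPIRED
        elif ! openssl x509 -noout -checkend "$window" -in "$pem" >/dev/null; then
            status=EXPIRING
        else
            status=OK
        fi
        printf '%d\t%s\t%s\t%s\n' "$i" "$status" "$end" "$subj"
    done
    rm -rf "$tmpdir"
}

# Constructed sample input: two throwaway self-signed certs in one PEM file,
# the short-lived one first (names and lifetimes are made up for the demo).
make_demo_bundle() {
    out=$1
    work=$(mktemp -d) || return 1
    : > "$out"
    for spec in "Old Demo CA:1" "New Demo CA:3650"; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" \
            -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null || return 1
        cat "$work/cert.pem" >> "$out"
    done
    rm -rf "$work"
}

demo=$(mktemp) && make_demo_bundle "$demo" && list_bundle_expiry "$demo"
rm -f "$demo"
```

On an enrolled host, `list_bundle_expiry /etc/ipa/ca.crt` gives the same per-certificate view after `ipa-certupdate` has appended the renewed CA certificate.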