On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
Hi All,

My subsystem cert appears to have gone out of date, and I’m unable to get it to update. This has become an issue on my production environment, and my current workaround has been to take the system date back by a month. I’ve tried the cert renew tool, but this doesn’t seem to have updated this cert.

Is anyone able to point me in the right direction to be able to update this specific certificate, as I’ve been unable to find anything online?

[auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 42 (0x2a)
         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
         Validity:
             Not Before: Sun Nov 04 08:04:35 2018
             Not After : Sat Oct 24 07:04:35 2020
         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
         Subject Public Key Info:
             Public Key Algorithm: PKCS #1 RSA Encryption
             RSA Public Key:
                 Modulus:
                 Exponent: 65537 (0x10001)
         Signed Extensions:
             Name: Certificate Authority Key Identifier
             Key ID:
                 f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
                 d5:08:c0:3a

             Name: Authority Information Access
             Method: PKIX Online Certificate Status Protocol
             Location:
                 URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"

             Name: Certificate Key Usage
             Critical: True
             Usages: Digital Signature
                     Non-Repudiation
                     Key Encipherment
                     Data Encipherment

             Name: Extended Key Usage
                 TLS Web Server Authentication Certificate
                 TLS Web Client Authentication Certificate

     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
     Signature:
     Fingerprint (SHA-256):
         4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:15:13:92:D3:7A:3D:F8:54:44
     Fingerprint (SHA1):
         03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
     Mozilla-CA-Policy: false (attribute missing)
     Certificate Trust Flags:
         SSL Flags:
             User
         Email Flags:
             User
         Object Signing Flags:
             User

Thanks for the help,

Marc.


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

Hi Marc,

we need more information in order to help you:
- do you have multiple master/replicas with the CA role:
# kinit admin; ipa server-role-find --role "CA server"

- which server is the renewal master:
# kinit admin ; ipa config-show | grep "renewal"

- which version is installed:
# rpm -qa | grep ipa-server

- Is the subsystemCert cert-pki-ca the only expired certificate:
# getcert list

flo
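
The last check in the reply above (is this the only expired certificate?), as an added example that is not part of the original thread: it parses `getcert list` output and reports every tracked certificate that is past its expiry at a reference time you supply, so the answer does not depend on a host clock that was set back. The sample output, its request IDs and the second entry are constructed, and the parser assumes the `expires:` line is printed in UTC.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the layout `getcert list` prints. Request IDs and the second entry
# are made up; the first reuses the nickname and Not After value above (assumed UTC).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20181104080501':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2020-10-24 07:04:35 UTC
Request ID '20181104080502':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2022-09-30 10:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return requests

def expired_requests(requests, now):
    """Return (nickname, status, expires) for certs already expired at `now`."""
    hits = []
    for req in requests:
        if "expires" not in req:
            continue  # nothing issued yet for this request
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        nick = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
        if expires <= now:
            name = nick.group(1) if nick else req["request_id"]
            hits.append((name, req.get("status", "?"), expires))
    return hits

if __name__ == "__main__":
    # Compare against the real date, not a host clock that was set back.
    real_now = datetime(2020, 11, 16, tzinfo=timezone.utc)
    for name, status, exp in expired_requests(parse_getcert_list(SAMPLE), real_now):
        print(f"EXPIRED {name} status={status} notAfter={exp:%Y-%m-%d %H:%M} UTC")
```

On a live server, pass the captured text of `getcert list` in place of SAMPLE.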