Hello,
our FreeIPA was running with correct certificates for 2 years (subject
"CN=ipa.hq.company,O=HQ.COMPANY"). Unfortunately, the new certificates
(ocspSigningCert, auditSigningCert) were recreated with simple
"CN=localhost" (automatically), i.e. the original value
"CN=ipa.hq.company,O=HQ.COMPANY" was ignored by certmonger.
If you have some knowledge of the FreeIPA internals, can you point me
in the right direction so that I could debug and/or fix this rotation
bug, please?
Thank you,
LG
certmonger-0.79.13-3.el8.x86_64
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
# getcert list
Request ID '20200324213127':
status: MONITORING
stuck: no
:
CA: IPA
issuer: CN=Certificate Authority,O=HQ.COMPANY
subject: CN=ipa.hq.company,O=HQ.COMPANY
expires: 2022-03-25 22:31:28 CET
principal name: krbtgt/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20210120221127':
status: MONITORING
stuck: no
:
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=HQ.COMPANY
subject: CN=localhost
expires: 2024-02-04 22:29:37 CET
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210120221129':
status: MONITORING
stuck: no
:
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=HQ.COMPANY
subject: CN=localhost
expires: 2024-02-04 22:28:36 CET
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
<snip>
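Added example (not part of the post above, and not FreeIPA or certmonger code): a small audit script that parses `getcert list` output and flags exactly the condition described in the post, a tracked request whose renewed certificate came back with the "CN=localhost" placeholder subject instead of the expected one. It also reports requests that are not in MONITORING, are stuck, or expire within a configurable window, so it can run from cron after each renewal. Assumptions: the sample output below is constructed from the post (field order and indentation as certmonger prints them); the expected subject "CN=ipa.hq.company,O=HQ.COMPANY" is taken from the post and should be replaced with your own; the NSS nickname of a CA subsystem cert is read from the quoted argument of the renew_ca_cert post-save command, as shown in the post.

```python
import re
from datetime import datetime, timedelta

# Expected subject taken from the post; adjust per deployment.
EXPECTED_SUBJECT = "CN=ipa.hq.company,O=HQ.COMPANY"

# Constructed sample, abbreviated from the `getcert list` output in the post.
SAMPLE_GETCERT = """\
Request ID '20200324213127':
        status: MONITORING
        stuck: no
        CA: IPA
        issuer: CN=Certificate Authority,O=HQ.COMPANY
        subject: CN=ipa.hq.company,O=HQ.COMPANY
        expires: 2022-03-25 22:31:28 CET
        profile: KDCs_PKINIT_Certs
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
Request ID '20210120221127':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=HQ.COMPANY
        subject: CN=localhost
        expires: 2024-02-04 22:29:37 CET
        profile: caSignedLogCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20210120221129':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=HQ.COMPANY
        subject: CN=localhost
        expires: 2024-02-04 22:28:36 CET
        eku: id-kp-OCSPSigning
        profile: caOCSPCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQ_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        line = raw.strip()
        if current is None or ":" not in line:
            continue  # header noise or a snipped field such as a bare ':'
        key, _, value = line.partition(":")  # first ':' only; values contain ':' too
        current[key.strip()] = value.strip()
    return requests


def nickname(req):
    """CA subsystem certs carry their NSS nickname as the quoted post-save argument;
    fall back to the profile name for everything else."""
    m = re.search(r'"([^"]+)"', req.get("post-save command", ""))
    return m.group(1) if m else req.get("profile", "?")


def parse_expiry(value):
    """certmonger prints a local timestamp followed by a zone abbreviation; drop the zone."""
    return datetime.strptime(value.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")


def audit(requests, expected, now=None, warn_days=30):
    """Return (request_id, nickname, problem) for every request needing attention.
    `expected` maps nickname -> expected subject, with "*" as the default."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for req in requests:
        rid, nick = req["request_id"], nickname(req)
        subject = req.get("subject", "")
        want = expected.get(nick, expected.get("*"))
        if subject == "CN=localhost":
            findings.append((rid, nick, "subject is the CN=localhost placeholder"))
        elif want is not None and subject != want:
            findings.append((rid, nick, "subject %r != expected %r" % (subject, want)))
        if req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            findings.append((rid, nick, "status %s, stuck %s" % (req.get("status"), req.get("stuck"))))
        if "expires" in req and parse_expiry(req["expires"]) - now < timedelta(days=warn_days):
            findings.append((rid, nick, "expires %s" % req["expires"]))
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    # With --live, read the real tracking list on the IPA server; otherwise use the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_GETCERT
    for rid, nick, problem in audit(parse_getcert_list(text), {"*": EXPECTED_SUBJECT}):
        print(rid, nick, problem)
```

Run it as root on the IPA server with `--live` to check the real tracking list. Note that getcert shows the subject of the certificate certmonger last saved; to confirm what the CA instance is actually using, read the nickname straight out of the Dogtag NSS database, e.g. `certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca"`, and compare that subject with the one in the audit output.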
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]