Hi,

On Mon, Dec 12, 2022 at 10:20 AM junhou he via FreeIPA-users <[email protected]> wrote:
> Hi,
> getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20221116023302':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=IPA RA,O=WINGON.HK
>         issued: 2022-11-16 10:33:02 HKT
>         expires: 2024-11-05 10:33:02 HKT
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-clientAuth
>         profile: caSubsystemCert
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20221116023307':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=CA Audit,O=WINGON.HK
>         issued: 2022-11-16 10:31:47 HKT
>         expires: 2024-11-05 10:31:47 HKT
>         key usage: digitalSignature,nonRepudiation
>         profile: caSignedLogCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221116023309':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=OCSP Subsystem,O=WINGON.HK
>         issued: 2022-11-16 10:31:46 HKT
>         expires: 2024-11-05 10:31:46 HKT
>         eku: id-kp-OCSPSigning
>         profile: caOCSPCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221116023310':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=CA Subsystem,O=WINGON.HK
>         issued: 2022-11-16 10:31:46 HKT
>         expires: 2024-11-05 10:31:46 HKT
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-clientAuth
>         profile: caSubsystemCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221116023311':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=Certificate Authority,O=WINGON.HK
>         issued: 2022-11-16 10:31:44 HKT
>         expires: 2042-11-16 10:31:44 HKT
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         profile: caCACert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221116023312':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
>         issued: 2022-11-16 10:31:46 HKT
>         expires: 2024-11-05 10:31:46 HKT
>         dns: wocfreeipa.wingon.hk
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         profile: caServerCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221116023354':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=WINGON.HK
>         subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
>         issued: 2022-11-16 10:33:55 HKT
>         expires: 2024-11-16 10:33:55 HKT
>         dns: wocfreeipa.wingon.hk
>         principal name: krbtgt/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-pkinit-KPKdc
>         profile: KDCs_PKINIT_Certs
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
>

So far, looks good. All the tracked certs are still valid. One question, though: there is no tracking for httpd and ldap server certificates, does it mean that they were replaced with externally-signed server certificates using ipa-server-certinstall?
> ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate*
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
>

Is there a usercertificate attribute in this entry? (Maybe a copy-paste issue, but there is a * in your command; it should not be there.) The value stored in this usercertificate attribute should be identical to the content of /var/lib/ipa/ra-agent.pem.

> openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in /var/lib/ipa/ra-agent.pem
> subject=CN=IPA RA,O=WINGON.HK
> serial=07
> issuer=CN=Certificate Authority,O=WINGON.HK
>

The RA certificate and the info stored in LDAP are consistent, no issue seen so far.

> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n ipaCert
> certutil: Could not find cert: ipaCert
> : PR_FILE_NOT_FOUND_ERROR: File not found

This error can be ignored; with your version the cert is stored in the pem file /var/lib/ipa/ra-agent.pem.

> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>
> I executed the above command as you suggested, unfortunately ipaCert* cannot be found

Yes, this error can be ignored, you must have IPA >= 4.5. What is the content of /var/log/pki/pki-tomcat/ca/debug?
flo
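The two consistency checks flo walks through above (ra-agent.pem serial/issuer/subject against the ipara description, and the PEM body against the LDAP usercertificate value) as an added, offline example; this is not code from the thread or from FreeIPA. It assumes the description field order shown above (version;serial;issuer;subject), that openssl prints the serial in hex while the entry stores it in decimal, and it runs on the quoted command output plus a constructed placeholder PEM/LDIF pair rather than contacting a server.

```python
import re

# Constructed samples: the openssl summary and the ipara description quoted in the
# thread (description unwrapped; the mail client had folded it after "O=").
OPENSSL_SUMMARY = "subject=CN=IPA RA,O=WINGON.HK\nserial=07\nissuer=CN=Certificate Authority,O=WINGON.HK\n"
RA_DESCRIPTION = "2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK"

# Constructed placeholder PEM/LDIF pair (not a real certificate); the LDIF value is
# folded onto a continuation line, as ldapsearch does without -o ldif-wrap=no.
PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedAB\nCDplaceholder==\n-----END CERTIFICATE-----\n"
LDIF = "dn: uid=ipara,ou=people,o=ipaca\nusercertificate;binary:: MIIBconstructedABCD\n placeholder==\n"


def parse_openssl_summary(text):
    """Parse `openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer` output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    # openssl prints the serial in hex ("07"); the Dogtag entry stores it in decimal.
    return {"subject": fields["subject"], "issuer": fields["issuer"],
            "serial": int(fields["serial"], 16)}


def parse_ra_description(value):
    """Split the ipara description (assumed order): version;serial(decimal);issuer;subject."""
    version, serial, issuer, subject = value.split(";", 3)
    return {"version": version, "serial": int(serial, 10),
            "issuer": issuer, "subject": subject}


def ra_mismatches(openssl_text, description):
    """Names of the fields on which ra-agent.pem and the LDAP entry disagree."""
    cert = parse_openssl_summary(openssl_text)
    entry = parse_ra_description(description)
    return [k for k in ("serial", "issuer", "subject") if cert[k] != entry[k]]


def pem_body(pem):
    """Base64 DER of a PEM certificate with armor and line breaks removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return "".join(m.group(1).split()) if m else None


def ldif_usercertificate(ldif):
    """Base64 value of usercertificate from ldapsearch LDIF, joining folded lines."""
    unfolded = re.sub(r"\n ", "", ldif)
    m = re.search(r"^usercertificate(?:;binary)?:: *(\S+)", unfolded, re.M | re.I)
    return m.group(1) if m else None


def ra_cert_matches_ldap(pem, ldif):
    """True when the PEM file and the LDAP usercertificate hold the same DER bytes."""
    return pem_body(pem) == ldif_usercertificate(ldif)
```

On a live server, feed it the actual ra-agent.pem and the LDIF from the ldapsearch above (with the stray `*` removed); an empty mismatch list and a True match are the "consistent" state flo describes.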
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
