Jeremy Tourville via FreeIPA-users wrote: >>>> Is this an externally-signed CA? > Yes >>>> What version of healthcheck do you have? > 0.12-1 > > I *think* from what I am seeing this cert is valid. Can you confirm? > > # getcert list -i "20230901185953" > Number of certificates and requests being tracked: 10. > Request ID '20230901185953': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 > Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 > Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=IDM.EXAMPLE.ORG > subject: CN=EXAMPLE-CA,DC=example,DC=org > issued: 2023-04-05 12:54:46 CDT > expires: 2038-01-06 09:20:42 CST > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > profile: caCACert > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb" > track: yes > auto-renew: yes
This is a sub CA. These are not validated by healthcheck. > If we both agree this cert is valid, how to I clear the warning message from > healthcheck? See the EXCLUDES section in ipahealthcheck.conf(5) rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue