I just tested again on a clean installation with these packages:

    ipa-server-4.11.0-1.el9.x86_64
    ipa-server-dns-4.11.0-1.el9.noarch
    idm-pki-ca-11.4.2-1.el9.noarch

And I think I am ready to write steps to reproduce the error:

1. Initiate the FreeIPA installation by executing a command like this:

    ipa-server-install --setup-dns --no-forwarders --subject-base='OU = Test, O = TEST.LOCAL, L = SanFrancisco, ST = SanFrancisco C = US' --external-ca --no-ntp --ca-subject='C = US, ST = SanFrancisco , L = SanFrancisco , O = TEST.LOCAL, OU = IT DEPT, CN = EXTERNALROOTCA'

2. Sign the ipa.csr with these extensions at EXTERNALROOTCA with openssl:

    [ v3_intermediate_ca ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign

3. Finish the installation, import the certs like this:

    ipa-server-install --external-cert-file=<PATH TO SIGNED IPA CERT> --external-cert-file=<PATH TO CA CERT>

4. Then add a host, create a service, and ask for a service certificate:

    ipa-getcert request -K <SERVICE FULL NAME> -d /etc/pki/nssdb/ -n <SERVICE FULL NAME>

The certificate was successfully created and "ipa-getcert list" shows everything is ok.

Then try to revoke the certificate, and you get an error.
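
Step 2 can be checked in isolation before running the full install. The script below is an added example, not part of the original post: it signs a stand-in CSR with the posted v3_intermediate_ca section under a throwaway root and confirms the result verifies and carries the CA extensions. The subjects, file names, the v3_root section and the use of `openssl x509 -req` for signing are assumptions.

```shell
#!/bin/sh
# Added example: step 2 replayed offline against a throwaway root CA.
# Subjects, file names and the v3_root section are constructed; only the
# v3_intermediate_ca section is taken from the post.
sign_and_check() {
    work=$(mktemp -d) || return 1
    cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req
[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
    rc=1
    # Stand-in for EXTERNALROOTCA (self-signed), then a stand-in for ipa.csr.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/ca.cnf" \
        -extensions v3_root -subj "/O=TEST.LOCAL/CN=EXTERNALROOTCA" \
        -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/O=TEST.LOCAL/CN=Certificate Authority" \
        -keyout "$work/ipa.key" -out "$work/ipa.csr" 2>/dev/null &&
    # Sign with the posted section (assumption: "openssl x509 -req" is used).
    openssl x509 -req -in "$work/ipa.csr" -CA "$work/root.crt" \
        -CAkey "$work/root.key" -CAcreateserial -days 30 \
        -extfile "$work/ca.cnf" -extensions v3_intermediate_ca \
        -out "$work/ipa.crt" 2>/dev/null &&
    # The chain must verify and the CA extensions must be present.
    openssl verify -CAfile "$work/root.crt" "$work/ipa.crt" >/dev/null 2>&1 &&
    text=$(openssl x509 -in "$work/ipa.crt" -noout -text) &&
    echo "$text" | grep -q 'CA:TRUE, pathlen:0' &&
    echo "$text" | grep -q 'Certificate Sign, CRL Sign' &&
    echo "$text" | grep -q 'X509v3 Authority Key Identifier' &&
    rc=0
    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "chain OK, CA:TRUE pathlen:0"
    return "$rc"
}

sign_and_check
```

The same `openssl verify` and `openssl x509 -noout -text` checks can be pointed at the real signed IPA certificate and CA certificate from step 3.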
