Travis West via FreeIPA-users wrote:
> Okay, I've sort of fixed the tracking, but there is still an issue I can't
> seem to solve. Here is the tracking now for the Audit, OCSP, and Subsystem
> certificates:
>
> Number of certificates and requests being tracked: 9.
> Request ID '20190322032029':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=IPA.****.NET
>         subject: O=IPA.****.NET,CN="CA Audit "
>         expires: 2034-03-31 14:24:53 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
> [root@ipa1-sea2 ~]# getcert list -i 20190322032030
> Number of certificates and requests being tracked: 9.
> Request ID '20190322032030':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=IPA.****.NET
>         subject: O=IPA.****.NET,CN="OCSP Subsystem "
>         expires: 2034-03-31 14:15:41 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
> [root@ipa1-sea2 ~]# getcert list -i 20190322032031
> Number of certificates and requests being tracked: 9.
> Request ID '20190322032031':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=IPA.****.NET
>         subject: O=IPA.****.NET,CN="CA Subsystem "
>         expires: 2034-03-31 14:40:33 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>
> In each of these the Subject line has the CN and O backwards. If I look at
> the certificates themselves, they have it listed correctly:
>
> # openssl pkcs12 -info -in audit.p12
> MAC Iteration 2048
> MAC verified OK
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Certificate bag
> Bag Attributes
>     localKeyID: A8 74 8A 94 58 C0 9E 28 3F 55 B9 F7 AC 9D 78 33 8E D3 C6 E3
>     friendlyName: auditSigningCert cert-pki-ca
> subject=/CN=CA Audit /O=IPA.****.NET
> issuer=/O=IPA.****.NET/CN=Certificate Authority
>
> So I'm confused as to how the 'getcert' output has the items in Subject
> reversed.
The OpenSSL and NSS libraries merely display the data differently. It's fine.

But you still have an issue with the certificates. You have a trailing space
after at least the audit, subsystem and OCSP certs. I think you tried to quote
only that when generating the subject rather than the entire thing. So

    O=IPA.****.NET,"CN=CA Audit "

rather than

    "O=IPA.****.NET,CN=CA Audit"

Once the certificates are valid you can try running ipa-server-upgrade. It
should repair bad tracking. But with the strange subjects I'm not sure what
will happen. What I do know is that "CA Audit " != "CA Audit" in a subject.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
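Rob's two points, that OpenSSL's legacy one-line output and certmonger's RFC 4514 output are the same DN printed in opposite order, and that a trailing space inside an RDN value makes a genuinely different subject, can be checked mechanically. The script below is an added example written for this thread; it is not FreeIPA, certmonger or Dogtag code. IPA.EXAMPLE.NET and the three sample subject strings are constructed stand-ins for the masked values above, and the two small parsers only cover the one-line formats shown in the thread (no multi-valued `+` RDNs, no `/` inside OpenSSL legacy values).

```python
"""Compare an X.509 subject as printed by OpenSSL's legacy one-line format
("/CN=CA Audit /O=IPA.EXAMPLE.NET") with the same subject as printed by
NSS/certmonger in RFC 4514 style ('O=IPA.EXAMPLE.NET,CN="CA Audit "'),
and flag RDN values that carry leading or trailing whitespace.

Added example for the FreeIPA-users thread; not FreeIPA, certmonger or
Dogtag code.  IPA.EXAMPLE.NET and the sample strings are constructed
stand-ins for the masked values in the thread.
"""

# Constructed samples modelled on the thread: the certificate really carries
# "CA Audit " (trailing space); the intended subject has no trailing space.
OPENSSL_SUBJECT = "/CN=CA Audit /O=IPA.EXAMPLE.NET"
CERTMONGER_SUBJECT = 'O=IPA.EXAMPLE.NET,CN="CA Audit "'
INTENDED_SUBJECT = "/CN=CA Audit/O=IPA.EXAMPLE.NET"


def parse_openssl_oneline(subject):
    """Parse OpenSSL's legacy '/T=v/T=v' form into [(type, value), ...] in
    encoded (least-specific-first) order.  Assumes no '/' or '+' inside
    values, which holds for the subjects in the thread."""
    body = subject[1:] if subject.startswith("/") else subject
    rdns = []
    for part in body.split("/"):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value))  # value kept verbatim, spaces and all
    return rdns


def parse_rfc4514(subject):
    """Parse the comma-separated, most-specific-first form used by NSS and
    certmonger, honouring "..." quoting and backslash escapes, and return the
    RDNs in encoded order so they line up with parse_openssl_oneline()."""
    rdns, i, n = [], 0, len(subject)
    while i < n:
        eq = subject.index("=", i)
        attr = subject[i:eq].strip()
        i = eq + 1
        buf = []
        if i < n and subject[i] == '"':
            i += 1                                  # quoted value
            while i < n and subject[i] != '"':
                if subject[i] == "\\" and i + 1 < n:
                    i += 1                          # escaped char inside quotes
                buf.append(subject[i])
                i += 1
            i += 1                                  # skip closing quote
        else:
            while i < n and subject[i] != ",":      # unquoted value up to next RDN
                if subject[i] == "\\" and i + 1 < n:
                    i += 1                          # \, or \<space> etc.
                buf.append(subject[i])
                i += 1
        rdns.append((attr, "".join(buf)))
        if i < n and subject[i] == ",":
            i += 1
    return list(reversed(rdns))


def same_dn(a, b):
    """Two DNs are equal only when every RDN matches: same type, exact value."""
    return [(t.upper(), v) for t, v in a] == [(t.upper(), v) for t, v in b]


def whitespace_problems(dn):
    """RDNs whose value begins or ends with whitespace.  That whitespace is
    part of the signed subject, so it yields a different DN."""
    return [(t, v) for t, v in dn if v != v.strip()]


if __name__ == "__main__":
    nss = parse_rfc4514(CERTMONGER_SUBJECT)
    ssl = parse_openssl_oneline(OPENSSL_SUBJECT)
    print("display order differs, DN identical:", same_dn(nss, ssl))
    print("matches intended subject:",
          same_dn(ssl, parse_openssl_oneline(INTENDED_SUBJECT)))
    for attr, value in whitespace_problems(ssl):
        print(f"whitespace in {attr}: {value!r}")
```

To feed real values into `same_dn()` rather than eyeballing two formats, pull each cert out of the NSS database in a single canonical form, e.g. `certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -a | openssl x509 -noout -subject -nameopt RFC2253`; the `RFC2253` name option prints the quoted/escaped form that `parse_rfc4514()` expects, and a value ending in `\ ` or wrapped in quotes is the trailing space Rob is pointing at.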
