This is a fresh OS and IPA install. I did not create testnick; it came from the install.

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-aZzm2V
certutil: certificate is invalid: Issuer certificate is invalid.


# certutil -L -n ipa-ca-agent -d /tmp/tmp-aZzm2V
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Mon May 21 16:54:20 2012
            Not After : Sun May 11 16:54:20 2014
        Subject: "CN=ipa-ca-agent,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    bb:83:f1:d1:b0:86:64:33:03:b5:52:b5:25:c1:c4:ef:
                    19:f4:ce:5f:5b:42:36:e4:3f:df:d8:72:5a:1f:e8:a1:
                    6d:45:8a:f1:b3:4a:93:f4:cd:e9:05:6a:29:b8:b2:93:
                    49:df:b2:73:74:3d:a8:1c:42:ec:0c:79:9f:9e:85:16:
                    92:f4:ef:5d:e0:c3:a8:a3:71:bb:20:17:e2:a4:3c:eb:
                    ad:7b:a8:42:b4:65:62:b9:01:07:30:8a:68:f8:f9:9f:
                    f9:73:1b:79:b0:a2:78:44:b6:29:70:d8:65:5d:5f:78:
                    40:a1:14:01:e5:9b:b0:f0:6e:89:c9:f2:7c:f1:0d:2b:
                    58:fd:5c:03:2a:b7:a0:79:db:6a:d2:0c:6c:5e:88:c9:
                    4b:f0:ba:e2:83:d3:bc:a2:39:68:cb:94:8f:0a:0a:e1:
                    2b:2c:c7:bd:89:41:67:df:6b:d2:4b:64:a4:fe:0a:a6:
                    74:8a:ef:50:5a:fa:b3:07:8c:e9:46:c0:f4:31:2e:69:
                    3a:22:78:8d:c6:71:73:d9:60:25:19:74:32:fd:ea:ad:
                    36:7e:32:17:40:a3:23:0c:d5:a1:b2:52:72:db:3f:f7:
                    df:b9:48:77:fa:51:bd:34:97:3d:e6:b1:88:bc:9a:62:
                    a1:cc:16:94:a2:bf:f7:de:75:d2:a1:7b:c4:b1:13:a1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                ee:73:03:59:87:0c:51:8c:9b:36:aa:1d:74:8f:82:d0:
                33:25:c7:a5

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa.dev.example.com:80/ca/ocsp";

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Client Authentication Certificate
                E-Mail Protection Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        b8:7f:79:4f:57:d2:43:65:63:a4:4c:81:59:a4:09:b4:
        4d:86:02:52:cf:d5:0f:bc:5a:2f:6e:f9:f5:e6:6b:bf:
        a5:b7:c3:50:50:bd:a4:80:59:1d:75:4d:8a:f0:72:a7:
        71:9d:85:7d:92:f4:98:ed:98:d7:f5:a8:60:b3:ce:b8:
        8e:97:92:5a:85:c8:82:a5:08:36:71:9b:81:e2:7f:f8:
        16:25:4e:0a:43:a5:14:c5:11:2c:99:e9:43:f6:91:e8:
        d8:f4:db:65:5d:56:33:3f:9f:17:02:31:35:8e:08:4a:
        3a:aa:08:98:31:bb:a7:76:22:53:9d:f5:44:70:b8:92:
        d6:0a:b7:d3:51:9b:90:51:0d:2d:f8:8f:1d:4d:cc:5c:
        1c:b4:ba:a5:c9:75:24:e1:ce:9b:66:f8:3d:e0:2f:d4:
        05:87:56:46:5a:9b:6c:12:07:b1:be:14:8f:07:75:48:
        5c:86:84:06:0c:bd:29:17:85:06:27:ae:6f:ee:c1:2b:
        8a:bc:37:5f:c8:9d:81:bf:30:0f:c8:71:7e:e8:60:2c:
        70:73:2d:84:1b:7d:38:31:63:41:e8:c3:ef:49:e1:3f:
        33:48:7d:51:f5:c4:23:93:95:1a:7f:03:e8:e3:e3:21:
        21:0a:54:b5:ab:81:a9:71:66:72:ad:d5:fe:6a:b5:37
    Fingerprint (MD5):
        33:DC:A2:A1:F4:86:9D:9B:F7:C3:6A:F6:94:85:76:35
    Fingerprint (SHA1):
        B6:7E:21:CA:EE:45:50:C2:9A:6D:FE:88:A3:8C:D6:F8:B5:B7:70:C9

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            Use


# certutil -L -n testnick -d /tmp/tmp-aZzm2V
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ipa.dev.example.com,O=2012-05-21 16:31:51"
        Validity:
            Not Before: Mon May 21 16:31:51 2012
            Not After : Tue May 21 16:31:51 2013
        Subject: "CN=ipa.dev.example.com,O=2012-05-21 16:31:51"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b4:29:21:b3:8c:5c:a3:7c:17:8a:fe:3a:3a:9f:62:a6:
                    63:f1:7d:dc:b8:8c:10:a1:a1:ee:9d:40:a9:bf:69:d3:
                    ec:f7:50:de:55:e4:cc:a0:8a:2a:2e:7e:be:80:18:5b:
                    08:f1:13:62:77:1c:48:c6:fb:68:a0:df:83:79:98:15:
                    28:91:55:4e:f8:be:4e:af:03:e0:1a:4c:72:a0:7a:07:
                    1c:35:61:82:28:4f:96:2b:8e:d2:62:17:54:8b:11:b9:
                    10:c9:86:44:a7:38:21:df:2e:7f:a2:c7:c6:fb:a9:a2:
                    33:b1:11:9a:87:12:30:15:7a:c9:ab:42:60:27:c4:8b
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        1c:48:45:0c:69:be:c2:5d:f9:33:f8:1f:00:c3:d9:b7:
        1d:88:09:c4:94:72:51:5e:7e:bd:ac:67:fc:e8:15:c3:
        69:20:4e:70:42:5e:ae:a4:a4:cd:75:25:db:85:a6:ca:
        2d:da:08:65:ea:c3:74:f8:40:22:c5:d8:5f:4d:a4:29:
        5d:8e:c5:c1:cd:10:07:76:d6:06:79:1c:36:26:92:35:
        e5:cc:b7:31:36:04:bf:ec:3a:db:bc:c5:08:33:c0:81:
        a9:d2:c4:db:47:33:ee:61:5a:ea:e8:e1:5a:05:b2:cd:
        71:fb:0b:7e:db:cb:82:12:3b:3c:64:d6:84:31:d4:d6
    Fingerprint (MD5):
        5C:14:C2:F7:8A:D4:31:24:36:45:0B:F2:8D:44:67:E8
    Fingerprint (SHA1):
        A3:2B:89:82:93:69:D6:04:96:7D:5E:2F:E7:15:EE:BA:A2:E2:14:0C

    Certificate Trust Flags:
        SSL Flags:
            Terminal Record
            Trusted
        Email Flags:
        Object Signing Flags:



# certutil -L -n "System Engineering - Currenex, Inc." -d /tmp/tmp-aZzm2V
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:a8:3f:69:ea:e7:d0:f5:f4
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "E=sys...@currenex.com,OU=System Engineering,O="Currenex, Inc
            .",L=New York,ST=New York,C=US"
        Validity:
            Not Before: Mon Feb 16 16:26:52 2009
            Not After : Sat Feb 15 16:26:52 2014
        Subject: "E=sys...@currenex.com,OU=System Engineering,O="Currenex, In
            c.",L=New York,ST=New York,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    e3:59:f4:a8:c4:22:1b:e1:e0:79:8e:c8:16:a6:53:69:
                    c7:ae:32:7b:1b:a2:87:d3:8a:9c:7f:19:fd:e0:3d:9c:
                    bc:d4:90:7c:76:e4:a9:5a:cc:99:ee:7c:e1:78:c0:5f:
                    ad:96:af:d4:d2:80:9b:56:c4:fd:7b:79:80:ff:d0:28:
                    99:f0:2c:19:ca:4f:d8:a0:c3:9e:dc:c8:21:7d:49:43:
                    40:84:bb:48:bb:98:d7:15:09:5c:d1:e0:fe:8b:9e:bb:
                    f2:6f:67:c5:c4:2b:28:5d:15:24:5e:f5:ed:71:a5:e9:
                    63:40:2a:ed:19:81:3d:fd:5a:94:33:cf:0a:64:08:59:
                    43:4c:ec:b5:1f:24:6a:0b:87:49:ad:62:5c:49:7d:0e:
                    55:bd:68:28:76:5c:34:76:b4:cc:83:b0:fb:0d:c7:fd:
                    2b:e0:a4:01:99:47:90:79:b1:f0:f6:09:9b:51:1a:fb:
                    fb:82:6f:7f:49:b4:e2:38:76:c3:22:8d:e4:67:6b:44:
                    e3:6c:1f:1d:3f:75:c3:76:d9:a0:e8:b4:b0:4e:a2:72:
                    f3:e1:d9:e1:dd:94:d7:32:1f:6f:82:62:57:5c:4f:54:
                    2d:f4:c9:44:fd:03:25:ea:e9:be:49:df:27:07:37:f1:
                    f1:7d:ad:d1:c2:78:52:cf:09:e5:68:d2:b7:e4:33:6d
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                05:bc:41:6d:1d:54:65:aa:08:e1:90:2b:cc:4f:5b:29:
                09:a9:f0:a4

            Name: Certificate Authority Key Identifier
            Key ID:
                05:bc:41:6d:1d:54:65:aa:08:e1:90:2b:cc:4f:5b:29:
                09:a9:f0:a4
            Issuer:
                Directory Name: "E=sys...@currenex.com,OU=System Engineering,
                    O="Currenex, Inc.",L=New York,ST=New York,C=US"
            Serial Number:
                00:a8:3f:69:ea:e7:d0:f5:f4

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        b9:f3:82:b5:0f:07:c5:a7:13:19:2d:00:c9:5c:08:67:
        b2:9e:30:de:34:b4:16:bb:bc:b2:8e:aa:ed:a3:56:77:
        5b:34:b1:b1:fc:68:bd:1a:d5:5c:64:53:81:ab:40:64:
        92:38:a3:ca:7f:d0:ef:3a:9a:38:14:8c:ad:54:a5:6a:
        27:9e:79:2b:37:30:28:1e:3e:6d:ba:18:fb:52:38:9f:
        ac:77:80:01:dd:e0:60:d1:0d:fb:2e:48:2b:67:1a:c4:
        5a:46:e7:ed:eb:e8:78:71:17:13:f8:10:0c:c1:ec:ec:
        7f:ab:a2:8b:48:85:de:cd:21:94:fc:fa:6f:b9:f1:a4:
        77:a8:27:89:2f:1a:99:c6:21:f4:61:d7:96:99:f4:73:
        46:01:f4:6e:7e:b9:ca:c6:b9:49:da:77:0c:63:98:aa:
        16:8a:37:ba:fb:c3:a2:e1:3f:f9:9e:11:eb:b5:4f:4f:
        07:fd:af:52:b3:90:7e:85:90:bd:c3:dd:3c:ca:d9:6c:
        9e:4a:e0:71:8b:3c:bd:76:5a:e0:25:79:cd:bf:ff:fd:
        f3:57:9f:8c:69:5f:9f:82:66:39:ef:94:6f:ea:97:15:
        b2:70:51:90:0e:e5:ee:1b:ce:05:20:48:89:74:9d:2c:
        9b:ae:9e:09:6b:81:03:af:c7:03:04:ad:e6:20:f8:0a
    Fingerprint (MD5):
        FD:BA:FD:94:AA:CA:A2:BF:5F:01:86:CA:C4:A1:8A:81
    Fingerprint (SHA1):
        44:3A:60:0F:2F:0F:8E:40:EA:E4:5A:8B:A3:C9:8E:02:25:90:1F:BD

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA


# certutil -L -n "Certificate Authority - Currenex, Inc." -d /tmp/tmp-aZzm2V
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 429 (0x1ad)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "E=sys...@currenex.com,OU=System Engineering,O="Currenex, Inc
            .",L=New York,ST=New York,C=US"
        Validity:
            Not Before: Mon May 21 16:47:14 2012
            Not After : Sat May 20 16:47:14 2017
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c6:ae:2b:75:f0:68:5c:90:a7:52:af:40:15:dc:b8:cb:
                    0e:92:89:65:e3:3e:4a:f2:db:11:18:5e:ea:6d:fc:66:
                    42:ca:10:35:cd:c7:c5:f3:5d:27:a9:bb:48:2f:89:c6:
                    13:cf:66:a0:6f:31:e2:19:a0:56:19:d6:93:c6:76:70:
                    06:28:5e:98:2e:8a:56:5a:c3:4c:46:26:61:57:7a:44:
                    af:ed:45:3c:3b:ca:04:7f:69:2d:a8:f8:67:6c:10:b3:
                    88:16:5f:dc:91:ac:ce:a1:47:3f:ac:02:47:02:12:ad:
                    8e:6b:11:78:92:d7:58:4f:78:e1:61:f6:ca:1d:96:8c:
                    96:16:ae:69:8d:bd:ec:7b:fd:e9:eb:b4:08:1d:a4:65:
                    52:3a:23:13:89:f8:78:3f:6d:73:32:f8:80:ae:04:20:
                    a6:19:fa:2d:54:0d:24:79:0c:fd:84:6f:3b:3e:88:7c:
                    3c:a4:5e:b2:74:67:05:f8:55:a7:6d:8d:01:2a:f0:e8:
                    ee:3d:52:11:30:8a:85:73:67:b8:a2:ed:99:cc:5e:64:
                    cb:e5:e8:9d:29:6d:a4:7e:4c:07:84:29:ae:29:7b:ea:
                    08:1c:19:9e:eb:e9:25:7c:f5:19:4c:f7:d3:09:da:6d:
                    9a:29:5f:6c:03:01:a9:29:44:f0:9f:a8:04:85:d4:1b
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Comment
            Comment: "OpenSSL Generated Certificate"

            Name: Certificate Subject Key ID
            Data:
                ee:73:03:59:87:0c:51:8c:9b:36:aa:1d:74:8f:82:d0:
                33:25:c7:a5

            Name: Certificate Authority Key Identifier
            Key ID:
                05:bc:41:6d:1d:54:65:aa:08:e1:90:2b:cc:4f:5b:29:
                09:a9:f0:a4

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        93:de:bd:83:eb:06:e2:7c:79:f7:de:94:a8:5f:64:f9:
        40:cd:4e:b6:92:54:35:8f:fe:41:4f:8e:8a:92:a0:9f:
        e4:63:45:55:43:ac:49:ec:0b:f6:4f:c0:90:0a:89:8a:
        c8:07:23:eb:6b:f8:ca:c4:76:41:1a:06:1e:82:85:0f:
        df:93:34:ee:83:bb:9d:59:b8:45:3e:ee:9d:bb:47:30:
        dc:de:cd:f1:de:90:d1:00:88:53:9b:67:06:8e:cc:af:
        aa:9c:bd:7c:d5:72:b3:e3:28:65:09:e3:19:76:fe:0f:
        48:73:fb:9b:70:d6:7d:8b:0d:77:24:0d:95:6c:e0:19:
        cf:ea:6e:eb:1d:69:12:bf:8d:3a:b0:d6:fb:e6:f9:0e:
        0e:8f:26:5e:d7:aa:18:95:b9:47:bd:2d:a5:89:2a:7c:
        93:fc:66:0d:ee:c1:57:12:d0:d6:77:2a:60:69:53:66:
        a1:1c:64:b9:f0:bd:67:73:c4:4f:0a:f8:d5:e1:0e:9a:
        69:bf:3a:44:d6:27:65:2f:b7:ff:8c:6c:b0:87:cf:74:
        5d:1b:74:38:d6:d7:84:cc:6d:a4:14:c6:80:74:49:12:
        32:22:80:9f:c9:1d:94:98:4c:8c:bf:04:b9:4e:6b:4a:
        11:d5:42:3d:82:9c:e6:d2:18:5a:29:4c:30:88:5c:87
    Fingerprint (MD5):
        23:68:38:8D:44:60:3C:7C:63:7C:03:8C:7B:BE:5B:42
    Fingerprint (SHA1):
        56:2E:40:7E:A2:18:FD:AA:E5:F8:AC:15:FF:66:8A:08:C6:35:9C:A1

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA


# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u



# certutil -L -d /var/lib/pki-ca/alias -n 'caSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Mon May 21 20:07:27 2012
            Not After : Thu May 21 20:07:27 2020
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    cf:7c:42:14:8c:15:36:ea:05:60:7c:d5:18:72:41:45:
                    60:b2:7c:7b:12:a4:60:30:aa:c9:a5:3f:87:65:cb:1a:
                    8a:fa:a7:ed:26:37:46:62:a3:16:df:47:fe:97:bb:9d:
                    5b:f0:86:19:b3:cb:9d:7f:57:6a:ea:8c:e9:a3:b2:ad:
                    c7:b9:44:bf:7a:25:fd:c1:df:34:a3:42:52:3f:b9:a2:
                    9c:d3:51:5a:b5:ba:cc:e3:06:7f:b6:71:61:be:1e:20:
                    f1:2d:3c:d3:f0:f8:72:8b:ef:54:08:1a:74:59:90:d8:
                    a5:ec:8e:04:8b:5f:d9:b9:7d:1c:df:7b:84:a6:d4:5c:
                    7f:e6:37:a8:98:a3:28:b4:48:42:5a:d4:6d:0f:97:60:
                    3a:01:3e:62:93:62:40:96:45:42:e2:71:c3:3e:5e:38:
                    16:d8:72:d0:f0:17:86:72:14:6e:1a:fe:85:b6:ec:8e:
                    bb:83:93:19:d6:6f:32:4b:e2:4c:25:10:65:2a:1c:c2:
                    84:76:29:fc:4a:0b:75:c3:c1:1b:bf:e4:a3:50:3d:9b:
                    2b:a1:50:b0:02:d7:5b:33:fd:3b:36:38:4f:07:c0:10:
                    27:6d:15:6b:66:c1:18:29:e4:ae:a4:c7:8f:de:af:ba:
                    17:a4:89:ed:de:51:5b:95:f0:90:9a:41:e4:f4:6a:ef
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                30:21:7c:f6:14:0a:5b:59:2a:fc:ce:60:b4:e9:32:fe:
                b1:08:df:db

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing
                    CRL Signing

            Name: Certificate Subject Key ID
            Data:
                30:21:7c:f6:14:0a:5b:59:2a:fc:ce:60:b4:e9:32:fe:
                b1:08:df:db

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa.dev.example.com:80/ca/ocsp";

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        6f:10:16:00:5c:e4:10:ef:f9:ab:f1:68:57:89:0d:55:
        26:a6:51:66:b5:1e:3b:8f:6c:ef:f9:fe:93:2f:0f:38:
        6a:e9:3e:a9:2d:e2:36:cf:ad:77:de:f8:3e:24:d8:45:
        d3:35:b2:43:56:d1:d1:e4:ee:67:fe:0e:60:22:77:6d:
        15:f1:cc:0e:fd:73:19:98:3c:2c:06:fe:70:e1:16:4f:
        46:46:eb:40:ba:e3:32:7d:41:8a:f5:86:89:c2:ea:bc:
        4e:f1:3e:e4:c1:b4:b6:bf:9d:e2:4a:93:d0:93:b7:4f:
        aa:3e:7f:ce:ab:42:07:73:c2:ac:5f:d8:7e:dc:38:81:
        4d:fd:89:17:d9:d9:33:01:6e:dc:90:79:db:6e:5e:b2:
        be:35:0d:6f:0d:ad:f7:48:0c:08:ea:12:ca:55:f1:c4:
        1b:97:6c:ec:74:08:64:e7:b0:b3:10:fe:52:7f:63:3b:
        f0:78:4a:fb:3d:25:73:2f:4a:c2:b5:3b:f8:0d:80:59:
        8a:19:8b:f5:ac:0c:d0:42:25:af:aa:33:96:5b:00:93:
        27:8f:8d:56:b2:47:f4:12:1c:76:88:16:42:db:ec:74:
        a3:aa:1e:55:10:a2:fb:af:9b:9c:7d:47:a3:f4:0f:67:
        2d:7f:12:6f:81:02:44:2e:a3:31:09:01:c4:8b:96:d6
    Fingerprint (MD5):
        8D:F2:FF:21:19:96:E7:51:8F:3F:7A:F5:80:6E:48:4A
    Fingerprint (SHA1):
        59:68:E2:3F:E6:88:ED:AC:8A:3E:0D:39:E7:6F:5C:20:91:47:FB:A9

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User


# rpm -q pki-ca
pki-ca-9.0.3-21.el6_2.noarch


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, May 22, 2012 11:26 PM
To: Tong Chow
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa 2.1.3-9 install with external CA failed

tc...@eexchange.com wrote:
> First of all, thanks for the help!
>
> The /tmp/tmp-aZzm2V did not get removed. I am able to run the commands per your
> suggestion. I do see our CA cert and the IPA CA cert. The /root/ca.crt is our
> root (private) CA cert (it is not a chain). I have tested with a browser too and
> it could not verify the cert either.
>
> [r...@ipa.dev.eexchange.com ~]# certutil -L -d /tmp/tmp-aZzm2V
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipa-ca-agent                                                 u,u,u
> testnick                                                     P,,
> System Engineering - Currenex, Inc.                          CT,C,C
> Certificate Authority - Currenex, Inc.                       CT,C,C

Ok, trust looks fine. I guess you added testnick?

Let's see if we have all we need by validating the agent cert:

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-aZzm2V

Can you also provide this for each cert:

certutil -L -n <nickname> -d /tmp/tmp-aZzm2V

Oh, I guess we might examine the server's certificate database too.

The CA has its own cert db in /var/lib/pki-ca/alias. Can you list the certs 
there?

# certutil -L -d /var/lib/pki-ca/alias

This will show the CA as it sees itself:

certutil -L -d /var/lib/pki-ca/alias -n 'caSigningCert cert-pki-ca'

Finally, what is the package version of pki-ca?

thanks

rob

> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Tuesday, May 22, 2012 9:40 AM
> To: Tong Chow
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] freeipa 2.1.3-9 install with external CA failed
>
> tc...@eexchange.com wrote:
>> Hi,
>>
>> I am trying to install freeipa 2.1.3-9 with external CA and it failed.
>>
>> Any help is appreciated and thanks in advance!
>>
>>
>> [r...@ipa.dev.example.com ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> Directory Manager password:
>>
>> ==============================================================================
>> This program will set up the IPA Server.
>>
>> This includes:
>> * Configure a stand-alone CA (dogtag) for certificate management
>> * Create and configure an instance of Directory Server
>> * Create and configure a Kerberos Key Distribution Center (KDC)
>> * Configure Apache (httpd)
>>
>> Excluded by options:
>> * Configure the Network Time Daemon (ntpd)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> The IPA Master Server will be configured with
>> Hostname: ipa.dev.example.com
>> IP address: x.x.x.x
>> Domain name: example.com
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>> [1/16]: creating certificate server user
>> [2/16]: configuring certificate server instance
>> [3/16]: disabling nonces
>> [4/16]: creating CA agent PKCS#12 file in /root
>> [5/16]: creating RA agent certificate database
>> [6/16]: importing CA chain to RA certificate database
>> [7/16]: fixing RA database permissions
>> [8/16]: setting up signing cert profile
>> [9/16]: set up CRL publishing
>> [10/16]: set certificate subject base
>> [11/16]: configuring certificate server to start on boot
>> [12/16]: restarting certificate server
>> [13/16]: requesting RA certificate from CA
>> [14/16]: issuing RA agent certificate
>> Unexpected error - see ipaserver-install.log for details:
>> Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.example.com:9443' returned non-zero exit status 4
>>
>> [r...@ipa.dev.example.com ~]# /usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.example.com:9443 -v
>> GET /ca/agent/ca/profileReview?requestId=6 HTTP/1.0
>>
>> port: 9443
>> addr='ipa.dev.example.com'
>> family='2'
>> Subject: CN=ipa.dev.example.com,O=example.com
>> Issuer : CN=Certificate Authority,O=example.com
>> Called mygetclientauthdata - nickname = ipa-ca-agent
>> mygetclientauthdata - cert = 9716d0
>> mygetclientauthdata - privkey = 9b6f10
>> exit after PR_Write bigBuf with error -12271:
>
> This error means: SSL client cannot verify your certificate
>
> Does /tmp/tmp-aZzm2V exist after the failure? I'd have thought it would be 
> cleaned up. If so it holds the temporary NSS cert db we use during the 
> installation and may tell us why there are trust problems.
>
> A place to start is to list the certs in there:
> # certutil -L -d /tmp/tmp-aZzm2V
>
> I see in the log below our adding trust to a couple of certs. I assume that 
> the entire CA chain is included in /root/ca.crt?
>
> rob
>
>>
>> */var/log/ipaserver-install.log information*
>>
>> 2012-05-21 16:54:58,852 DEBUG duration: 1 seconds
>> 2012-05-21 16:54:58,852 DEBUG [14/16]: issuing RA agent certificate
>> 2012-05-21 16:54:58,866 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n System Engineering - Currenex, Inc.
>> 2012-05-21 16:54:58,867 DEBUG stdout=
>> 2012-05-21 16:54:58,867 DEBUG stderr=
>> 2012-05-21 16:54:58,873 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n Certificate Authority - Currenex, Inc.
>> 2012-05-21 16:54:58,874 DEBUG stdout=
>> 2012-05-21 16:54:58,874 DEBUG stderr=
>> 2012-05-21 16:54:58,909 DEBUG args=/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443
>> 2012-05-21 16:54:58,909 DEBUG stdout=
>> 2012-05-21 16:54:58,909 DEBUG stderr=
>> 2012-05-21 16:54:59,067 DEBUG Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443' returned non-zero exit status 4
>> File "/usr/sbin/ipa-server-install", line 1151, in <module>
>>     sys.exit(main())
>> File "/usr/sbin/ipa-server-install", line 975, in main
>>     subject_base=options.subject)
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>>     self.start_creation("Configuring certificate server", 210)
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
>>     method()
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 755, in __issue_ra_cert
>>     (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
>> File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 273, in run
>>     raise CalledProcessError(p.returncode, args)
>>
>>
>>
>> ----------------------------------------------------------------------
>> The information contained in this e-mail (including any attachments) is intended solely for the use of the intended recipient(s), may be used solely for the purpose for which it was sent, may contain confidential, proprietary, or personally identifiable information, and/or may be subject to the attorney-client or attorney work product privilege or other applicable confidentiality protections. If you are not an intended recipient please notify the author by replying to this e-mail and delete this e-mail immediately. Any unauthorized copying, disclosure, retention, distribution or other use of this email, its contents or its attachments is strictly prohibited.
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


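Editor's addition, not code from the thread or from FreeIPA: a Python script that reads `certutil -L -n` dumps the way `certutil -V` walks a chain. It links each certificate to its issuer by Authority Key Identifier to Subject Key Identifier (Issuer DN to Subject DN as the fallback) and flags any issuer whose Basic Constraints say it is not a CA; RFC 5280 does not let such a certificate issue others, and NSS reports that condition as "Issuer certificate is invalid". The embedded input is an excerpt of three of the dumps posted above from /tmp/tmp-aZzm2V (ipa-ca-agent and the two Currenex entries), trimmed to the fields the check reads; testnick and the caSigningCert from /var/lib/pki-ca/alias are left out, and signatures and trust flags are not verified because only certutil's printed text, not the DER, is available here.

```python
# Excerpts of the certutil -L -n dumps from the thread's /tmp/tmp-aZzm2V database,
# cut down to the fields this check reads; DN wrapping is kept as certutil prints it.
DUMPS = {
    "ipa-ca-agent": """
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=ipa-ca-agent,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                ee:73:03:59:87:0c:51:8c:9b:36:aa:1d:74:8f:82:d0:
                33:25:c7:a5
""",
    "System Engineering - Currenex, Inc.": """
        Issuer: "E=sys...@currenex.com,OU=System Engineering,O="Currenex, Inc
            .",L=New York,ST=New York,C=US"
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                05:bc:41:6d:1d:54:65:aa:08:e1:90:2b:cc:4f:5b:29:
                09:a9:f0:a4
            Name: Certificate Authority Key Identifier
            Key ID:
                05:bc:41:6d:1d:54:65:aa:08:e1:90:2b:cc:4f:5b:29:
                09:a9:f0:a4
            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.
""",
    "Certificate Authority - Currenex, Inc.": """
        Issuer: "E=sys...@currenex.com,OU=System Engineering,O="Currenex, Inc
            .",L=New York,ST=New York,C=US"
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.
            Name: Certificate Subject Key ID
            Data:
                ee:73:03:59:87:0c:51:8c:9b:36:aa:1d:74:8f:82:d0:
                33:25:c7:a5
            Name: Certificate Authority Key Identifier
            Key ID:
                05:bc:41:6d:1d:54:65:aa:08:e1:90:2b:cc:4f:5b:29:
                09:a9:f0:a4
""",
}
HEX_CHARS = set("0123456789abcdef:")


def _dn(lines, i):
    # certutil wraps long DNs onto deeper-indented lines until the closing quote.
    text = lines[i].split(":", 1)[1].strip()
    while not text.endswith('"'):
        i += 1
        text += lines[i].strip()
    return text.strip('"'), i + 1


def _hex(lines, i):
    # Join the aa:bb:... lines that follow a "Key ID:" or "Data:" label.
    i, parts = i + 2, []
    while i < len(lines) and (s := lines[i].strip()) and set(s) <= HEX_CHARS:
        parts.append(s)
        i += 1
    return "".join(parts).rstrip(":"), i


def parse(nick, text):
    """Pull issuer, subject, SKI, AKI and the CA flag out of one certutil -L -n dump."""
    cert = {"nick": nick, "issuer": "", "subject": "", "ski": None, "aki": None, "is_ca": None}
    lines, i, in_ext = text.splitlines(), 0, False
    while i < len(lines):
        s = lines[i].strip()
        if s == "Signed Extensions:":  # any Issuer:/Subject: below this is inside an extension
            in_ext = True
        elif not in_ext and s.startswith(("Issuer:", "Subject:")):
            cert[s.split(":")[0].lower()], i = _dn(lines, i)
            continue
        elif s in ("Name: Certificate Subject Key ID", "Name: Certificate Authority Key Identifier"):
            cert["ski" if "Subject" in s else "aki"], i = _hex(lines, i)
            continue
        elif s == "Name: Certificate Basic Constraints":
            while not lines[i].strip().startswith("Data:"):
                i += 1
            cert["is_ca"] = "Is a CA" in lines[i]
        i += 1
    return cert


def issuer_of(cert, certs):
    # AKI -> SKI is what path building keys on; Issuer DN -> Subject DN is the
    # fallback for certificates that carry no key identifier.
    field, value = ("ski", cert["aki"]) if cert["aki"] else ("subject", cert["issuer"])
    return next((c for c in certs if c[field] == value), None)


def check_chain(nick, certs):
    """Walk nick up to a self-signed cert; return (nick, problem) pairs, empty when OK."""
    cert = next(c for c in certs if c["nick"] == nick)
    findings, seen = [], set()
    while cert["nick"] not in seen:
        seen.add(cert["nick"])
        issuer = issuer_of(cert, certs)
        if issuer is None:
            findings.append((cert["nick"], "no issuer in database"))
            break
        if issuer is cert:  # self-signed: top of the path
            break
        if issuer["is_ca"] is not True:  # RFC 5280 4.2.1.9: an issuer must assert cA=TRUE
            findings.append((cert["nick"], f"issuer '{issuer['nick']}' is not a CA"))
        cert = issuer
    return findings


if __name__ == "__main__":
    certs = [parse(n, t) for n, t in DUMPS.items()]
    for c in certs:
        for nick, msg in check_chain(c["nick"], certs) or [(c["nick"], "chain OK")]:
            print(f"{nick}: {msg}")
```

Run as is, it prints one line per nickname: the AKI of ipa-ca-agent (beginning ee:73:03:59) resolves to the "Certificate Authority - Currenex, Inc." entry, whose Basic Constraints read "Is not a CA", while the two Currenex entries chain cleanly to the self-signed root. The same functions accept the complete output of `certutil -L -n <nick> -d <db>` unchanged, so a database can be checked nickname by nickname without decoding DER.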