I'm having issues with expired certificates in /var/lib/pki-ca/alias which I'm quite unsure on how to fix. The ones that have expired are:

    subsystemCert cert-pki-ca
    Server-Cert cert-pki-ca

According to "getcert list" the following 2 requests are stuck:

Request ID '20130415234030':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=D.LAN
    subject: CN=CA Subsystem,O=D.LAN
    expires: 2013-07-10 14:24:34 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes

Request ID '20130415234032':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=D.LAN
    subject: CN=auth.d.lan,O=D.LAN
    expires: 2013-07-10 14:24:33 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Here is what I could find from some browsing with certutil:

[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca            u,u,u
ocspSigningCert cert-pki-ca          u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu

[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca"|grep "Not After"
            Not After : Wed Jul 10 14:24:34 2013
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca"|grep "Not After"
            Not After : Mon Jun 29 00:00:55 2015
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca"|grep "Not After"
            Not After : Sun Jul 21 14:24:32 2019
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca"|grep "Not After"
            Not After : Wed Jul 10 14:24:33 2013
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca"|grep "Not After"
            Not After : Mon Jun 29 00:01:55 2015

How can I renew the affected certificates?

---
Tomas Edwardsson