[Freeipa-users] Problems with expired certificates

Thu, 17 Oct 2013 14:40:55 -0700 

I'm having issues with expired certificates in /var/lib/pki-ca/alias which I'm 
quite unsure on how to fix. The ones that have expired are:

  subsystemCert cert-pki-ca
  Server-Cert cert-pki-ca

According to "getcert list" the following 2 requests are stuck


  Request ID '20130415234030':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to 
https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be 
authenticated with known CA certificates.
        stuck: yes
        key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
        certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=CA Subsystem,O=D.LAN
        expires: 2013-07-10 14:24:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes

  Request ID '20130415234032':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to 
https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be 
authenticated with known CA certificates.
        stuck: yes
        key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
        certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=auth.d.lan,O=D.LAN
        expires: 2013-07-10 14:24:33 UTC
        eku: id-kp-serverAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes


Here is what I could find from some browsing with certutil:

  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
  Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

  subsystemCert cert-pki-ca                                    u,u,u
  ocspSigningCert cert-pki-ca                                  u,u,u
  caSigningCert cert-pki-ca                                    CTu,Cu,Cu
  Server-Cert cert-pki-ca                                      u,u,u
  auditSigningCert cert-pki-ca                                 u,u,Pu



  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert 
cert-pki-ca"|grep "Not After"
            Not After : Wed Jul 10 14:24:34 2013
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert 
cert-pki-ca"|grep "Not After"
            Not After : Mon Jun 29 00:00:55 2015
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert 
cert-pki-ca"|grep "Not After"
            Not After : Sun Jul 21 14:24:32 2019
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert 
cert-pki-ca"|grep "Not After"
            Not After : Wed Jul 10 14:24:33 2013
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert 
cert-pki-ca"|grep "Not After"
            Not After : Mon Jun 29 00:01:55 2015



How can I renew the affected certificates?

--- 
Tomas Edwardsson

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to