On 10/16/2013 07:56 PM, Tómas Edwardsson wrote:
> I'm having issues with expired certificates in /var/lib/pki-ca/alias which 
> I'm quite unsure on how to fix. The ones that have expired are:
>
>   subsystemCert cert-pki-ca
>   Server-Cert cert-pki-ca

Please search this list for some recommendations. There have been some
recently.
They will give you some hints.
The general path is to set the time into the past and then force the
certificate rotation.
The specific steps depend on the version of IPA you have.

>
> According to "getcert list" the following 2 requests are stuck
>
>
>   Request ID '20130415234030':
>       status: CA_UNREACHABLE
>       ca-error: Error 60 connecting to 
> https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be 
> authenticated with known CA certificates.
>       stuck: yes
>       key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
>       certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-renew-agent
>       issuer: CN=Certificate Authority,O=D.LAN
>       subject: CN=CA Subsystem,O=D.LAN
>       expires: 2013-07-10 14:24:34 UTC
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>       post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>       track: yes
>       auto-renew: yes
>
>   Request ID '20130415234032':
>       status: CA_UNREACHABLE
>       ca-error: Error 60 connecting to 
> https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be 
> authenticated with known CA certificates.
>       stuck: yes
>       key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
>       certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-renew-agent
>       issuer: CN=Certificate Authority,O=D.LAN
>       subject: CN=auth.d.lan,O=D.LAN
>       expires: 2013-07-10 14:24:33 UTC
>       eku: id-kp-serverAuth
>       pre-save command: 
>       post-save command: 
>       track: yes
>       auto-renew: yes
>
>
> Here is what I could find from some browsing with certutil:
>
>   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
>   Certificate Nickname                                         Trust Attributes
>                                                                SSL,S/MIME,JAR/XPI
>
>   subsystemCert cert-pki-ca                                    u,u,u
>   ocspSigningCert cert-pki-ca                                  u,u,u
>   caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>   Server-Cert cert-pki-ca                                      u,u,u
>   auditSigningCert cert-pki-ca                                 u,u,Pu
>
>
>
>   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert 
> cert-pki-ca"|grep "Not After"
>             Not After : Wed Jul 10 14:24:34 2013
>   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert 
> cert-pki-ca"|grep "Not After"
>             Not After : Mon Jun 29 00:00:55 2015
>   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert 
> cert-pki-ca"|grep "Not After"
>             Not After : Sun Jul 21 14:24:32 2019
>   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert 
> cert-pki-ca"|grep "Not After"
>             Not After : Wed Jul 10 14:24:33 2013
>   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert 
> cert-pki-ca"|grep "Not After"
>             Not After : Mon Jun 29 00:01:55 2015
>
>
>
> How can I renew the affected certificates?
>
> --- 
> Tomas Edwardsson
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
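As an added example (not FreeIPA's or certmonger's own code, and not part of the reply above), here is a sketch of the general "set the time into the past, then force the rotation" path in shell. It only prints a plan for review; nothing in it touches the clock or certmonger. Assumptions not taken from the post: the `getcert list` layout is parsed as shown in the post, `getcert resubmit -i <id>` is the certmonger command used to force a renewal, the server keeps time with ntpd (which must be stopped before the clock is moved), and the third request in the sample is a hypothetical healthy entry added to show that non-stuck requests are skipped. The version-specific steps the reply mentions are outside this sketch.

```sh
#!/bin/sh
# Added example: build a review-only plan for renewing stuck certmonger
# requests by moving the clock back. Not the FreeIPA project's own code.
# Assumptions: getcert list/resubmit syntax as used here; ntpd as the
# time daemon. Nothing below executes the plan.

# Constructed sample of `getcert list` output, trimmed to the fields used
# below. The first two records mirror the post; the third (ID ...4099) is
# hypothetical, to show that a healthy request is left alone.
sample_getcert_list() {
  cat <<'EOF'
Request ID '20130415234030':
        status: CA_UNREACHABLE
        stuck: yes
        subject: CN=CA Subsystem,O=D.LAN
        expires: 2013-07-10 14:24:34 UTC
        track: yes
        auto-renew: yes
Request ID '20130415234032':
        status: CA_UNREACHABLE
        stuck: yes
        subject: CN=auth.d.lan,O=D.LAN
        expires: 2013-07-10 14:24:33 UTC
        track: yes
        auto-renew: yes
Request ID '20130415234099':
        status: MONITORING
        stuck: no
        subject: CN=hypothetical,O=D.LAN
        expires: 2015-06-29 00:00:55 UTC
        track: yes
        auto-renew: yes
EOF
}

# Print "<request-id> <expiry-date>" for every request certmonger reports
# as stuck. Reads `getcert list` output on stdin.
stuck_requests() {
  awk '
    /^[ \t]*Request ID/  { gsub(/[^0-9]/, ""); id = $0; stuck = 0; until = "" }
    /^[ \t]*stuck: yes/  { stuck = 1 }
    /^[ \t]*expires:/    { until = $2 }
    /^[ \t]*auto-renew:/ { if (stuck && until != "") print id, until }
  '
}

# Calendar date $2 days before $1 (YYYY-MM-DD), without GNU date. Uses the
# proleptic-Gregorian days-from-civil / civil-from-days conversion; plain
# int() is enough because every date here lies after year 0.
days_before() {
  echo "$1" | awk -F- -v n="$2" '{
    y = $1 + 0; m = $2 + 0; d = $3 + 0
    if (m <= 2) y--
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    z = era * 146097 + doe - n          # days since 0000-03-01, minus n
    era = int(z / 146097); doe = z - era * 146097
    yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
    y = yoe + era * 400
    doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
    mp = int((5 * doy + 2) / 153)
    d = doy - int((153 * mp + 2) / 5) + 1
    m = mp + (mp < 10 ? 3 : -9)
    if (m <= 2) y++
    printf "%04d-%02d-%02d\n", y, m, d
  }'
}

# Emit the command plan. $1 = days before the earliest expiry at which to
# set the clock (default 2). Reads `getcert list` output on stdin.
plan_renewal() {
  days=${1:-2}
  list=$(stuck_requests)
  if [ -z "$list" ]; then
    echo "no stuck requests found" >&2
    return 1
  fi
  earliest=$(printf '%s\n' "$list" | awk '{ print $2 }' | sort | head -n 1)
  clock=$(days_before "$earliest" "$days")
  echo "service ntpd stop"
  echo "date -s '$clock 12:00:00'"
  printf '%s\n' "$list" | awk '{ print "getcert resubmit -i " $1 }'
  printf '%s\n' "$list" | awk '{ print "getcert list -i " $1 " | grep -E \"status|expires\"" }'
  echo "# when every request is back to MONITORING with a new expiry, restore the real time and start ntpd again"
}

sample_getcert_list | plan_renewal 2
```

The clock is set two days before the earliest expiry so that both the expired Server-Cert (which is what breaks the TLS connection to port 9443) and the subsystem cert are valid again when certmonger talks to the CA; the pre-save/post-save commands shown in the post are run by certmonger itself during the resubmit.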


