I have a few certificates that fail to be updated, for example the ldap
and http certificates. If I read the error message from getcert list
(see below) correctly, then the contents of the pinfiles are incorrect.
How do I fix this?


Does this work?

# ipa cert-show 1

I'm guessing it doesn't.

The nickname ipaCert in /etc/httpd/alias is the RA agent cert used to authenticate to dogtag when doing certificate operations. I suspect that its value hasn't been updated in the dogtag LDAP database.

A quick way to tell is:

# certutil -L -d /etc/httpd/alias -n ipaCert | grep -i serial

# ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

This is assuming you've got a 2-instance installation where there is a separate 389-ds instance for IPA and the CA. If you have a newer install then the port isn't necessary.

If the serial number from certutil doesn't match the second colon-separated value then that explains it.

You can see how to update this value at



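The comparison described in the reply above (RA agent serial in the NSS database versus the serial recorded in the dogtag uid=ipara entry), as an added shell example that is not part of the original thread. It assumes the `description` attribute has the form `2;<serial>;<issuer DN>;<subject DN>` (the reply calls it colon-separated, so either `;` or `:` is accepted as the delimiter), and it runs on constructed sample text standing in for the `certutil -L` and `ldapsearch` output, so it works offline; point the two variables at real command output to use it on a live server.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks whether the serial
# of the ipaCert nickname in /etc/httpd/alias matches the serial stored in the
# dogtag LDAP entry uid=ipara,ou=People,o=ipaca.

# Constructed sample of the relevant line from
#   certutil -L -d /etc/httpd/alias -n ipaCert
# (real output has many more lines; small serials are printed in decimal).
CERTUTIL_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

# Constructed samples of the ldapsearch result for the uid=ipara entry.
# Assumed attribute format: 2;<serial>;<issuer DN>;<subject DN>
LDAP_SAMPLE_OK='dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM'

# A stale entry: still points at the previous (pre-renewal) serial.
LDAP_SAMPLE_STALE='dn: uid=ipara,ou=People,o=ipaca
description: 2;5;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM'

# Read certutil output on stdin, print the decimal serial number.
# Very large serials are printed by certutil as hex octets on following
# lines; those are not handled here, so the function prints nothing and the
# caller reports a parse failure instead of a bogus comparison.
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read ldapsearch output on stdin, print the serial field of description:.
# Accept ';' or ':' as the delimiter; the serial is always the second field.
serial_from_description() {
    sed -n 's/^description:[[:space:]]*//p' | head -n 1 | tr ';' ':' | cut -d: -f2
}

# $1: certutil output, $2: ldapsearch output.
# Exit status: 0 match, 1 mismatch, 2 could not parse one of the inputs.
compare_serials() {
    nss_serial=$(printf '%s\n' "$1" | serial_from_certutil)
    ldap_serial=$(printf '%s\n' "$2" | serial_from_description)
    if [ -z "$nss_serial" ] || [ -z "$ldap_serial" ]; then
        echo "could not parse serial from certutil or ldapsearch output"
        return 2
    fi
    if [ "$nss_serial" = "$ldap_serial" ]; then
        echo "match: NSS ipaCert serial $nss_serial == ldap description serial $ldap_serial"
        return 0
    fi
    echo "MISMATCH: NSS ipaCert serial $nss_serial != ldap description serial $ldap_serial"
    return 1
}

# Demonstration on the constructed samples.
compare_serials "$CERTUTIL_SAMPLE" "$LDAP_SAMPLE_OK"
compare_serials "$CERTUTIL_SAMPLE" "$LDAP_SAMPLE_STALE" || :
```

On a live system replace the two sample variables with `$(certutil -L -d /etc/httpd/alias -n ipaCert)` and `$(ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description)` (drop `-p 7389` on a single-instance install). A non-zero exit from `compare_serials` is the "that explains it" case from the reply: the renewed certificate is in NSS but dogtag still knows the old serial, so RA authentication fails.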