Lucas Yamanishi wrote:
> On 08/07/2014 01:25 PM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>> Hello, I'm a bit of a pickle with the PKI system.  I have three
>>> replicas, but only one contains the CA.  I realize how poor a decision
>>> it was to do that.  I plan to create more complete replicas, but right
>>> now I can't even create a replica file, much less a full replica.
>>>
>>> The problem started when the CA subsystem certificates expired.  I read
>>> several threads explaining how to roll back time and renew them, but I
>>> then discovered that the host and HTTP certificates for the server were
>>> missing.  I checked for backups, but we erroneously did not cover those
>>> files.  Because they are missing I was unable to rewnew any certificates.
>>>
>>> Is there a way to manually create host and service certificates?  When I
>>> search for this, the "manual" procedure listed in the documentation
>>> requires `ipa cert-request` which does not work.  I did try installing a
>>> self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
>>> the errors, but the commands still fail.  The pki-ca services is running
>>> OK, as far as I can tell.
>>>
>>> I also tried adding a CA instance to one of the other replicas with
>>> `ipa-ca-install`, but it failed during the configuration phase.
>> The subsystem certificate renewal should be independent of the web (and
>> host) certificates. I'd focus on getting the CA back up, then we can see
>> about getting a new web server certificate.
>>
>> Can you share the output of: getcert list
>>
>> You'll probably want to obfuscate the output as it contains the PIN to
>> the private key database of the CA.
>>
>> rob
> Here you go.  I've also included `certutil -L` outputs.
> 
> The *auditSigningCert* I tried resubmitting with the time rolled back. 
> The post-save command was also updated, because it wasn't done a year or
> two back when it replaced our old CRL-signer.
> 
> `getcert list`:
> 
> ```
> Number of certificates and requests being tracked: 7.

[ snip ]

What version of IPA is this?

You need to modify a few more of these. Take a look at
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

When you roll back time are you restarting the pki-cad service?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to