Lucas Yamanishi wrote:
> On 08/07/2014 01:25 PM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>> Hello, I'm in a bit of a pickle with the PKI system. I have three
>>> replicas, but only one contains the CA. I realize how poor a decision
>>> it was to do that. I plan to create more complete replicas, but right
>>> now I can't even create a replica file, much less a full replica.
>>>
>>> The problem started when the CA subsystem certificates expired. I read
>>> several threads explaining how to roll back time and renew them, but I
>>> then discovered that the host and HTTP certificates for the server were
>>> missing. I checked for backups, but we erroneously did not cover those
>>> files. Because they are missing I was unable to renew any certificates.
>>>
>>> Is there a way to manually create host and service certificates? When I
>>> search for this, the "manual" procedure listed in the documentation
>>> requires `ipa cert-request` which does not work. I did try installing a
>>> self-signed cert for HTTP with `ipa-server-certinstall`. That changed
>>> the errors, but the commands still fail. The pki-ca service is running
>>> OK, as far as I can tell.
>>>
>>> I also tried adding a CA instance to one of the other replicas with
>>> `ipa-ca-install`, but it failed during the configuration phase.
>> The subsystem certificate renewal should be independent of the web (and
>> host) certificates. I'd focus on getting the CA back up, then we can see
>> about getting a new web server certificate.
>>
>> Can you share the output of: getcert list
>>
>> You'll probably want to obfuscate the output as it contains the PIN to
>> the private key database of the CA.
>>
>> rob
> Here you go. I've also included `certutil -L` outputs.
>
> The *auditSigningCert* I tried resubmitting with the time rolled back.
> The post-save command was also updated, because it wasn't done a year or
> two back when it replaced our old CRL-signer.
>
> `getcert list`:
>
> ```
> Number of certificates and requests being tracked: 7.
> [ snip ]
> ```

What version of IPA is this?

You need to modify a few more of these. Take a look at
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

When you roll back time are you restarting the pki-cad service?

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
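The triage Rob is asking for, as an added example that is not from this thread, FreeIPA or certmonger: parse a `getcert list` dump, flag every tracked request whose certificate has already expired, that certmonger marks as `stuck`, or that is not in the steady `MONITORING` state, and redact the `pin='...'` values Rob warns about before the dump is posted to a list. The sample dump, request IDs, paths, nicknames and dates are constructed, and the "current time" is an assumed constant (`ASSUMED_NOW`); only the field layout follows certmonger's `getcert list` format of that era.

```python
"""Triage a `getcert list` dump and redact NSS database PINs.

Added example, not code from FreeIPA or certmonger. The dump below is
constructed to resemble certmonger output; IDs, paths and dates are made up.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` on an IPA CA master.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130801120000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='s3cretpin'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2014-06-01 09:15:00 UTC
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes

Request ID '20130801120001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='s3cretpin'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2014-06-01 09:15:00 UTC
\ttrack: yes
\tauto-renew: yes

Request ID '20130801120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2015-08-01 09:15:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Assumed "today" for the sample; replace with datetime.now(timezone.utc) live.
ASSUMED_NOW = datetime(2014, 8, 7, 12, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")   # "<tab>name: value"
PIN_RE = re.compile(r"pin='[^']*'")              # pin='...' but not pinfile='...'
NICK_RE = re.compile(r"nickname='([^']*)'")


def redact_pins(text):
    """Mask pin='...' so the dump can be shared without leaking the NSS DB PIN."""
    return PIN_RE.sub("pin='<redacted>'", text)


def parse_getcert_list(text):
    """Parse `getcert list` output into one dict of fields per tracked request."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue          # header line before the first request
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    stamp, zone = value.rsplit(" ", 1)
    if zone != "UTC":
        raise ValueError("unexpected time zone in expiry: %r" % value)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def nickname(entry):
    m = NICK_RE.search(entry.get("certificate", ""))
    return m.group(1) if m else entry["request_id"]


def triage(entries, now):
    """Return (request_id, nickname, reasons) for requests needing attention:
    certificate already expired, certmonger marked it stuck, or status is not
    MONITORING. An expired cert can still show MONITORING, so check all three."""
    findings = []
    for e in entries:
        reasons = []
        if "expires" in e and parse_expiry(e["expires"]) <= now:
            reasons.append("expired %s" % e["expires"])
        if e.get("stuck") == "yes":
            reasons.append("stuck")
        if e.get("status") != "MONITORING":
            reasons.append("status=%s" % e.get("status"))
        if reasons:
            findings.append((e["request_id"], nickname(e), reasons))
    return findings


def triage_sample():
    """Run the triage over the constructed dump at the assumed time."""
    return triage(parse_getcert_list(SAMPLE_GETCERT_LIST), ASSUMED_NOW)


if __name__ == "__main__":
    for rid, nick, reasons in triage_sample():
        print(rid, nick, "; ".join(reasons))
    print(redact_pins(SAMPLE_GETCERT_LIST))
```

The script only reads the dump; the renewal itself is still `getcert resubmit -i <request id>` per flagged request, run with the clock rolled back and pki-cad stopped/restarted around it as the linked howto describes. Note that the second sample request is expired yet still reports `MONITORING`, which is why the expiry date is checked independently of the status field.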
