I have been trying to renew the FreeIPA certificate for the last three
days and I am running out of luck. I can't, for example, use the GUI
interface, and the ipa CLI tools are also failing since the certificate
expired on the 27th of last month.  I have followed the instructions below
but may be missing a step.

Below is what I have done.  I seem to have renewed some certificates.

[root@ipa1-yyz-int 10.30.2014]# cat
#!/bin/bash

# Print the expiry ("Not After") date of each CA subsystem certificate
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"; do
     echo "$nickname"
     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

[root@ipa1-yyz-int 10.30.2014]# ./
auditSigningCert cert-pki-ca
            Not After : Thu Apr 23 22:18:47 2015
ocspSigningCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
subsystemCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
Server-Cert cert-pki-ca
            Not After : Fri Oct 14 22:17:48 2016

I think I have done the steps above correctly, but I don't understand this section:

[root@ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
            Not Before: Tue Nov 06 21:35:53 2012
            Not After : Mon Oct 27 21:35:53 2014

As you can see below, this certificate was not renewed, and therefore
I couldn't change the serial # through the LDAP tools.  Which step would I
have missed, or rather, what should I re-run?

I would be grateful for a second eye looking at it and advising on what I
could be missing.

I know I am using old software, and I did set up a replica successfully on
Friday, but it also has certificate issues.  I plan to move all the
certificate role to the free-IPA 3 once I get the certificate issues
sorted and decommission Free-IPA 2.2.

