Afternoon,

I have been trying to renew the FreeIPA certificate for the last three days and I am running out of luck. I can't, for example, use the GUI interface, and the ipa CLI tools are also failing since the certificate expired on the 27th of last month. I have followed the instructions below but may be missing a step.

http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Below is what I have done. I seem to have renewed some certificates successfully.

[root@ipa1-yyz-int 10.30.2014]# cat certificate_status.sh
    #!/bin/bash
    # Print the expiry date of each Dogtag CA subsystem certificate in the CA's NSS database
    for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
                    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
    do
        echo "$nickname"
        certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
    done

[root@ipa1-yyz-int 10.30.2014]# ./certificate_status.sh
auditSigningCert cert-pki-ca
    Not After : Thu Apr 23 22:18:47 2015
ocspSigningCert cert-pki-ca
    Not After : Fri Oct 14 22:17:47 2016
subsystemCert cert-pki-ca
    Not After : Fri Oct 14 22:17:47 2016
Server-Cert cert-pki-ca
    Not After : Fri Oct 14 22:17:48 2016

I think I have done the steps above correctly but don't understand this section:

[root@ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
        Validity:
            Not Before: Tue Nov 06 21:35:53 2012
            Not After : Mon Oct 27 21:35:53 2014

As you can see below, this certificate was not renewed, and therefore I couldn't change the serial # through the LDAP tools. Which step would I have missed, or rather, what should I re-run? I would be grateful for a second pair of eyes looking at it and advice on what I could be missing.

I know I am using old software. I did set up a replica successfully on Friday, but it also has certificate issues. I plan to move all the certificate roles to FreeIPA 3 once I get the certificate issues sorted, and decommission FreeIPA 2.2.

William

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
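The script in the post only walks four nicknames in the CA's own database (/var/lib/pki-ca/alias), which is why the expired ipaCert in /etc/httpd/alias was not noticed until the tools broke. The following is an added example, not code from the post or from the FreeIPA project: it enumerates every certificate in each NSS database a FreeIPA 2.x server keeps certificates in, parses the "Not After" timestamp certutil prints (local time), and flags anything expired or expiring within a chosen window. The database paths are assumptions for a 2.x CA master (the 389-ds path depends on the realm and is left commented out), and the sample certutil output embedded at the bottom is constructed, modelled on the listing in the post, so the report logic can be exercised without a live server.

```python
#!/usr/bin/env python3
"""Report validity of every certificate in the NSS databases of a FreeIPA 2.x server.

Added example; assumes certutil is on PATH and the database paths below.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Assumed locations for a FreeIPA 2.x CA master.
NSS_DBS = [
    "/var/lib/pki-ca/alias",   # Dogtag CA subsystem certs (what the post's script checked)
    "/etc/httpd/alias",        # ipaCert (RA agent cert) and the HTTP server cert
    # "/etc/dirsrv/slapd-EXAMPLE-LOC",  # directory server cert; substitute your realm
]

# certutil prints validity like "Mon Oct 27 21:35:53 2014", in local time.
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")
# Trust-attribute triple that ends every entry line of "certutil -L -d DB".
TRUST_FLAGS_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_not_after(certutil_output):
    """Extract the Not After timestamp from 'certutil -L -d DB -n NICK' output."""
    m = NOT_AFTER_RE.search(certutil_output)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), CERTUTIL_TIME)


def parse_nicknames(listing):
    """Extract nicknames from a 'certutil -L -d DB' listing.

    Each entry line ends in a trust triple such as 'u,u,u' or 'CTu,Cu,Cu';
    everything before that column is the nickname (which may contain spaces).
    The header lines do not match the triple pattern and are skipped.
    """
    names = []
    for line in listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_FLAGS_RE.match(parts[1]):
            names.append(parts[0].strip())
    return names


def classify(not_after, now, warn_days=30):
    """Return 'expired', 'expiring' (within warn_days) or 'ok'."""
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def certutil(*args):
    """Run the real certutil and return its output as text."""
    return subprocess.check_output(["certutil"] + list(args), universal_newlines=True)


def check_db(db, now=None, warn_days=30, run=certutil):
    """Return {nickname: (not_after, status)} for every certificate in db.

    `run` is the command runner; it is swappable so the logic can be tested
    against canned output (see sample_run below).
    """
    now = now or datetime.now()
    report = {}
    for nick in parse_nicknames(run("-L", "-d", db)):
        not_after = parse_not_after(run("-L", "-d", db, "-n", nick))
        report[nick] = (not_after, classify(not_after, now, warn_days))
    return report


# Constructed sample output (modelled on the post's listing), keyed by certutil args.
SAMPLE_OUTPUT = {
    ("-L", "-d", "/etc/httpd/alias"): (
        "Certificate Nickname                                         Trust Attributes\n"
        "                                                             SSL,S/MIME,JAR/XPI\n"
        "\n"
        "ipaCert                                                      u,u,u\n"
        "Server-Cert                                                  u,u,u\n"
    ),
    ("-L", "-d", "/etc/httpd/alias", "-n", "ipaCert"):
        "        Validity:\n            Not Before: Tue Nov 06 21:35:53 2012\n"
        "            Not After : Mon Oct 27 21:35:53 2014\n",
    ("-L", "-d", "/etc/httpd/alias", "-n", "Server-Cert"):
        "        Validity:\n            Not Before: Tue Nov 06 21:35:53 2012\n"
        "            Not After : Fri Oct 14 22:17:48 2016\n",
}


def sample_run(*args):
    """Stand-in for certutil that returns the constructed sample output."""
    return SAMPLE_OUTPUT[args]


if __name__ == "__main__":
    for db in NSS_DBS:
        for nick, (not_after, status) in sorted(check_db(db).items()):
            print("%-9s %-25s %-30s %s" % (status, db, nick, not_after))
```

Run it on the server as root and read the first column; anything marked "expired" or "expiring" in a database the renewal page did not cover is the one to chase next. Remember that certutil prints local time, so comparing against datetime.now() (also local) is consistent; do not mix in UTC values.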