Sanju A wrote:
Dear Rob,

Please find the entire result.

Ok, the good news is that renewal already took place and it looks like everything is a-ok certificate-wise.

First, make sure the CA is up:

# ipactl status

If the CA is down, start it with service pki-cad start.

If the CA is up, the next thing to check are the trust flags:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should be u,u,Pu

If it isn't, fix it with:

# certutil -M -t u,u,Pu -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca'

You'll need to restart the CA after changing the trust:

# service pki-cad restart

If the trust is ok and the CA was already up we'd need to see your CA logs to try to determine what is going on.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to