Hello,

I discovered today that our IPA CA has been issuing certs with duplicate 
serials, causing issues in several ways when dealing with hosts that have such 
a cert in place. (Complaints about duplicate serials)
Removing the offending cert from the host results in the same type of error.
These all seem to have been issued from the server that in the past was 
reinstalled with the same hostname.

ipa host-show app
ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You 
are attempting to import a cert with the same issuer/serial as an existing 
cert, but that is not the same cert.

IPA cert-find indeed shows 2 issued certs with the same serial (several 
actually)

(anonymized)
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

The ipa client won't let me revoke or otherwise kill these certs with the same 
error.
What to do?

Kind regards,

Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
Mail: wouter.hummel...@kpn.com
Phone: +31 (0)6 1288 2447

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
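
An added example, not part of the original message and not FreeIPA code: a check that reads saved `ipa cert-find` text output in the shape quoted above and reports every serial that appears under more than one subject. It assumes a single issuer (the IPA CA), so the serial alone identifies a collision; the sample text and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the anonymized `ipa cert-find` output in
# the post; the third record is made up to show a non-colliding serial.
SAMPLE = """\
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0008
  Serial number: 268369928
  Status: VALID
  Subject: CN=web.example.org,O=EXAMPLE.ORG
"""
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_records(text):
    """Split blank-line-separated 'Key: value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if "Serial number" in rec:
            records.append(rec)
    return records

def find_serial_collisions(text):
    """Return {serial: sorted subjects} for serials seen on more than one subject."""
    by_serial = defaultdict(set)
    for rec in parse_records(text):
        # Normalise via int() so decimal and hex spellings compare equal.
        serial = int(rec["Serial number"], 0)
        by_serial[serial].add(rec.get("Subject", "<no subject>"))
    return {s: sorted(subj) for s, subj in by_serial.items() if len(subj) > 1}

if __name__ == "__main__":
    for serial, subjects in find_serial_collisions(SAMPLE).items():
        print(f"serial {serial} ({hex(serial)}) issued to: {', '.join(subjects)}")
```

Two different certificates issued to the same subject under one serial would not be flagged by this check, since it groups on subject only.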