Hello,

I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place (complaints about duplicate serials). Removing the offending cert from the host results in the same type of error. These all seem to have been issued from the server that in the past was reinstalled with the same hostname.

    ipa host-show app
    ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

IPA cert-find indeed shows 2 issued certs with the same serial (several actually) (anonymized):

    Serial number (hex): 0xFFF0007
    Serial number: 268369927
    Status: VALID
    Subject: CN=app.example.org,O=EXAMPLE.ORG

    Serial number (hex): 0xFFF0007
    Serial number: 268369927
    Status: VALID
    Subject: CN=ipa.example.org,O=EXAMPLE.ORG

The ipa client won't let me revoke or otherwise kill these certs with the same error. What to do?

Kind regards,

Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
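An added example, not part of the original message and not FreeIPA code: a Python check that scans saved `ipa cert-find` output, in the field layout quoted in the message, for serial numbers carried by more than one certificate. The sample text is constructed from the anonymized values above plus one constructed non-colliding record; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two anonymized records from the message
# plus one constructed record with a unique serial.
SAMPLE = """\
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0008
  Serial number: 268369928
  Status: VALID
  Subject: CN=web.example.org,O=EXAMPLE.ORG
"""

# Matches the decimal serial, status and subject lines; the
# "Serial number (hex):" line does not match and is skipped.
FIELD = re.compile(r"^\s*(Serial number|Status|Subject):\s*(.+?)\s*$")

def parse_records(text):
    """Split cert-find style output into one dict per certificate."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Serial number" and current:
            records.append(current)  # a new serial starts a new record
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def duplicate_serials(text):
    """Return {serial: [subjects]} for serials listed more than once."""
    by_serial = defaultdict(list)
    for rec in parse_records(text):
        subject = rec.get("Subject", "<no subject>")
        by_serial[int(rec["Serial number"])].append(subject)
    return {s: sorted(v) for s, v in by_serial.items() if len(v) > 1}

if __name__ == "__main__":
    for serial, subjects in duplicate_serials(SAMPLE).items():
        print(f"serial {serial} ({serial:#x}): {', '.join(subjects)}")
```

Because the CA is assumed to be the single issuer here, grouping on the serial alone is enough; with several issuers the key would be the issuer and serial pair.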