realstarhealer wrote:

I am in charge for a freeipa server with ldap backend and
noticed some expired certificates recently. Most of them but 2 are
auto-renewing by certmonger as I checked. All of them are self signed.

"CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by
certmonger, ipa-ca-agent expired some days ago and has not been renewed.
Second one expires soon. No consequences noticed so far.
Can you tell me what they both are for and - if needed - how I should
renew that separately? Preferable with certmonger. An Output how the
tracking config should look like would be nice.

The object signing cert can probably be ignored. This was used to sign a jar file used to automatically configure Firefox but that approach doesn't work any more.

The agent cert is used by IPA to communicate to dogtag so yeah, that's pretty important.

Since it is expired you'd need to go back in time to renew it. Restarting the certmonger process is the simplest method to force it to try to renew.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to