I am in charge for a freeipa 188.8.131.52.el7 server with ldap backend and
noticed some expired certificates recently. Most of them but 2 are
auto-renewing by certmonger as I checked. All of them are self signed.
"CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by
certmonger, ipa-ca-agent expired some days ago and has not been renewed.
Second one expires soon. No consequences noticed so far.
Can you tell me what they both are for and - if needed - how I should
renew that separately? Preferable with certmonger. An Output how the
tracking config should look like would be nice.
The object signing cert can probably be ignored. This was used to sign a
jar file used to automatically configure Firefox but that approach
doesn't work any more.
The agent cert is used by IPA to communicate to dogtag so yeah, that's
Since it is expired you'd need to go back in time to renew it.
Restarting the certmonger process is the simplest method to force it to
try to renew.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project