On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

>
> It's hard to say, it may in fact not be a problem.
>
> It is really a matter of what service the certificate(s) are related to.
> I'd look at the serial numbers and then correlate those to the issued
> certificates.
>
> I'd also do a service-find on the hostname to see if any services have
> certificates issued and with what serial numbers.
>

I agree, it could be that. But just for testing I have created a vm, joined
it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


 $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------


So it certmonger in this centos 6.8 32bit host is renewing but not having
the old certificate revoked.

--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to