Natxo Asenjo wrote:

On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <
<>> wrote:

    It's hard to say, it may in fact not be a problem.

    It is really a matter of what service the certificate(s) are related
    to. I'd look at the serial numbers and then correlate those to the
    issued certificates.

    I'd also do a service-find on the hostname to see if any services
    have certificates issued and with what serial numbers.

I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:

  $ ipa cert-find
2 certificates matched
   Serial number (hex): 0x3FFE0002
   Serial number: 1073610754
   Status: VALID

   Serial number (hex): 0x3FFE0003
   Serial number: 1073610755
   Status: VALID
Number of entries returned 2

So it certmonger in this centos 6.8 32bit host is renewing but not
having the old certificate revoked.

I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.

Can you should how this certificate is being tracked?


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to