On 01/12/2017 05:40 PM, Jeff Goddard wrote:
Thanks Flo,

My system is still in a bad state as I got this as a result of the command:

[root@id-management-1 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Resubmitting certmonger request '20170101055025' timed out, please check the request manually
The ipa-cacert-manage command failed.

The relevant output from getcert list was:
Request ID '20170101055025':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
        subject: CN=localhost
        expires: 2037-01-01 06:28:46 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I took the step of stopping tracking on that cert, which was a mistake,
and now I'm having a hard time with the syntax of adding it back.

Hi Jeff,

You would need the following to start-tracking the cert:
1. get the internal PIN
# grep 'internal=' /etc/pki/pki-tomcat/password.conf

2. monitor the cert
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"'

HTH,
Flo.
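The two steps above, put into a small POSIX shell script as an added example (it is not from the thread and not FreeIPA's or certmonger's own code): it reads the PIN from the internal= entry of password.conf, prints the start-tracking command instead of running it so the PIN and paths can be checked first, and lists the request IDs that getcert list reports as stuck, which is the state Jeff's request was in. The paths, nickname, CA name and helper scripts are the ones quoted in the thread; the password.conf and getcert list files the script runs on are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the thread. Paths, nicknames and helper
# scripts are those quoted above; the sample files written below are
# constructed for demonstration only.

# Step 1: read the NSS DB PIN from the 'internal=' entry of a
# password.conf-style file ($1). Prints nothing if the entry is absent.
get_internal_pin() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# Step 2: assemble the 'getcert start-tracking' command line with the PIN
# filled in. The command is printed, not executed, so it can be reviewed
# before being run on a real server.
build_tracking_cmd() {
    pin=$(get_internal_pin "$1")
    if [ -z "$pin" ]; then
        echo "error: no internal= entry in $1" >&2
        return 1
    fi
    printf '%s %s %s %s %s %s\n' \
        "getcert start-tracking -d /etc/pki/pki-tomcat/alias" \
        "-n 'caSigningCert cert-pki-ca'" \
        "-P $pin" \
        "-c dogtag-ipa-ca-renew-agent" \
        "-B /usr/libexec/ipa/certmonger/stop_pkicad" \
        "-C '/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\"'"
}

# Diagnostic: print the request IDs in saved 'getcert list' output ($1)
# that certmonger marks 'stuck: yes' (the NEED_CSR_GEN_TOKEN case above).
stuck_requests() {
    awk '/^Request ID/ { id = $3; gsub(/[^0-9]/, "", id) }
         /^[ \t]*stuck: yes/ { print id }' "$1"
}

# Demonstration on constructed input (no real server needed).
demo_dir=$(mktemp -d)
cat > "$demo_dir/password.conf" <<'EOF'
internal=ExampleInternalPin123
internaldb=ExampleDbPass
replicationdb=ExampleReplPass
EOF
cat > "$demo_dir/getcert-list.txt" <<'EOF'
Request ID '20170101055025':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        CA: dogtag-ipa-ca-renew-agent
Request ID '20170101055099':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
EOF
echo "Stuck requests:"
stuck_requests "$demo_dir/getcert-list.txt"
echo "Command to review before running:"
build_tracking_cmd "$demo_dir/password.conf"
rm -rf "$demo_dir"
```

On a real server the functions would be pointed at /etc/pki/pki-tomcat/password.conf and at the output of getcert list; the PIN appears in the printed command, so keep that output out of shell history and log files.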
Jeff

On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 01/12/2017 02:57 PM, Jeff Goddard wrote:

        I've had issues with expired certificates. In the course of
        troubleshooting I've somehow set the CAs to external. Is there a
        way I can switch back?

        [root@id-management-1 conf]# getcert list-cas
        CA 'SelfSign':
                is-default: no
                ca-type: INTERNAL:SELF
                next-serial-number: 01
        CA 'IPA':
                is-default: no
                ca-type: EXTERNAL
                helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
        CA 'certmaster':
                is-default: no
                ca-type: EXTERNAL
                helper-location: /usr/libexec/certmonger/certmaster-submit
        CA 'dogtag-ipa-renew-agent':
                is-default: no
                ca-type: EXTERNAL
                helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
        CA 'local':
                is-default: no
                ca-type: EXTERNAL
                helper-location: /usr/libexec/certmonger/local-submit
        CA 'dogtag-ipa-ca-renew-agent':
                is-default: no
                ca-type: EXTERNAL
                helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv

        Thanks,

        Jeff

    Hi Jeff,

    the following documentation explains how to change the certificate
    chain from externally-signed to self-signed:
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

    HTH,
    Flo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
