On 01/12/2017 05:40 PM, Jeff Goddard wrote:
Thanks Flo,
My system is still in a bad state as I got this as a result of the command:
[root@id-management-1 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Resubmitting certmonger request '20170101055025' timed out, please check
the request manually
The ipa-cacert-manage command failed.
The relevant output from getcert list was:
Request ID '20170101055025':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
<http://INTERNAL.EMERLYN.COM>
subject: CN=localhost
expires: 2037-01-01 06:28:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
I took the step of stopping tracking on that cert which was a mistake
and now I'm having a hard time with the syntax of adding it back.
Hi Jeff,
You would need the following to start-tracking the cert:
1. get the internal PIN
# grep 'internal=' /etc/pki/pki-tomcat/password.conf
2. monitor the cert
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent -B
/usr/libexec/ipa/certmonger/stop_pkicad -C
'/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"'
HTH,
Flo.
Jeff
On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <[email protected]
<mailto:[email protected]>> wrote:
On 01/12/2017 02:57 PM, Jeff Goddard wrote:
I've had issues with expired certificates. In the course of
troubleshooting I've somehow set the cas to external. Is there a
way I
can switch back?
[root@id-management-1 conf]# getcert list-cas
CA 'SelfSign':
is-default: no
ca-type: INTERNAL:SELF
next-serial-number: 01
CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/ipa-server-guard
/usr/libexec/certmonger/ipa-submit
CA 'certmaster':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/ipa-server-guard
/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-ca-renew-agent':
is-default: no
ca-type: EXTERNAL
helper-location:
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv
Thanks,
Jeff
Hi Jeff,
the following documentation explains how to change the certificate
chain from externally-signed to self-signed:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html>
HTH,
Flo.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
