[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
Got it! An 'ipa-getcert resubmit -I $Serial' did it. It’s now showing in the certutil as trusted. Now to see if it will ipa-server-upgrade correctly. Thanks! Thanks, Greg Harris On Nov 22, 2022, at 4:26 PM, Greg Harris mailto:ghar...@teamexpansion.org>> wrote: I just discovered that

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
I just discovered that ipa-certupdate is removing the 'Server-Cert cert-pki-ca' from 'certutil -L -d /etc/pki/pki-tomcat/alias/' when the trust flags aren’t correct. However, the new cert is still in 'getcert list' as monitoring. I did an 'ipa-getcert request -d /etc/pki/pki-tomcat/alias -n

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
It’s 4.6.8-5.el7.centos.12. Yes, it’s strange that it would disappear. I believe that it renewed the certificate, but may not have updated correctly. The first thing I found was that the certificate wasn’t there. I was able to restore the .crt from the CS.cfg file, but that of course

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Rob Crittenden via FreeIPA-users
Greg Harris wrote: > ARRRGGG!!! 'Server-Cert cert-pki-ca' is missing again. Trying to > recover it from the /etc/pki/pki-tomcat/alias directory via pk12util is > not giving me the key, so that I can re-import it and get it trusted. > The certutil -L command is showing a trust of ',,',

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
ARRRGGG!!! 'Server-Cert cert-pki-ca' is missing again. Trying to recover it from the /etc/pki/pki-tomcat/alias directory via pk12util is not giving me the key, so that I can re-import it and get it trusted. The certutil -L command is showing a trust of ',,', rather than 'u,u,u' because

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-04 Thread GH via FreeIPA-users
Thanks Rob. Will do. I believe we can mark this as Solved then. Appreciate the help and effort you and Flo put into keeping FreeIPA a solid resource. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-03 Thread Rob Crittenden via FreeIPA-users
GH via FreeIPA-users wrote: > Had to copy the ASCII into the CS.cfg on the "secondary" manually. Now > everything shows that it's happy from my untrained eye. Is there a way to > test that the CS.cfg will now copy over correctly or that certs will be > replicated correctly? Appreciate all of

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
Had to copy the ASCII into the CS.cfg on the "secondary" manually. Now everything shows that it's happy from my untrained eye. Is there a way to test that the CS.cfg will now copy over correctly or that certs will be replicated correctly? Appreciate all of the help so far to get me to this

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
Okay, so I found this: To export cert+key from an NSSDB to a p12 file: pk12util -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -o file.p12 To import cert+key from a p12 file to an NSSDB: pk12util -d /etc/pki/pki-tomcat/alias -i file.p12 From Flo's post at:

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
Because 'Server-Cert cert-pki-ca' is part of '/etc/pki/pki-tomcat/alias' and should be unique, it needs to be regenerated on this machine. Whether that regeneration is by pulling it from the backup of cert8.db or a new creation, I'm not exactly sure. Obviously, I'm also not versed well enough

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread Rob Crittenden via FreeIPA-users
GH via FreeIPA-users wrote: > The best I could tell was an upgrade back in Dec. 2019/Jan. 2020. It seems > like it was a move from NSS to SSL for a number of pieces? Anyways, I'd had > Ipsilon configured on the same server, and that move didn't make things happy > as there was a port overlap.

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
The best I could tell was an upgrade back in Dec. 2019/Jan. 2020. It seems like it was a move from NSS to SSL for a number of pieces? Anyways, I'd had Ipsilon configured on the same server, and that move didn't make things happy as there was a port overlap. (Unsupported configuration, I

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread Rob Crittenden via FreeIPA-users
GH via FreeIPA-users wrote: > Okay, took a gamble and copied the old passwd.txt file back in on > "secondary". No change. Then copied the old key3.db file back in and ... it > started! Haven't copied secmod.db back into place. Should I? I guess I > should have only copied the cert8.db file

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
Okay, took a gamble and copied the old passwd.txt file back in on "secondary". No change. Then copied the old key3.db file back in and ... it started! Haven't copied secmod.db back into place. Should I? I guess I should have only copied the cert8.db file over?

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread GH via FreeIPA-users
Well, I've managed to goof something up. Copied the ASCII from the latest one, from "primary", to the CS.cfg file on both servers, copied the /etc/pki/pki-tomcat/alias directory from the "primary" to the "secondary" and restarted pki-tomcat on both servers. That all said it worked. However,

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, Certmonger can provide information related to the certificates it's tracking (stored in a file or in an NSS database). In your case, the certificate nickname is "transportCert cert-pki-kra", and to know where it's stored you can run the following command: # getcert list -n 'transportCert