Re: [Freeipa-users] Expired Certs on 3.0.0 IPA host

[Rob Crittenden]

John Williams wrote:
> I'm looking at the following link for recovering expired certificates on
> FreeeIPA 3.0.0:
> 
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>  
> 
> Problem is when Iook inside my /etc/pki-ca/CS.cfg file for a
> subsystemCert I do not find one.  I see the other three:
> 
> auditSigningCert cert-pki-ca =>  updated
> ocspSigningCert cert-pki-ca => updated
> Server-Cert cert-pki-ca  => no cert here
> subsystemCert cert-pki-ca => updated 
> 
> Has anyone ever run across this?  Any suggestions or hints would be
> appreciated.  If I role the clock back on my system I can login to IPA,
> but if the time is updated, I cannot login.
> 
> Please help. 

Why do you need this value? For the record it is ca.sslserver.cert.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Expired Certs on 3.0.0 IPA host

[John Williams]

I'm looking at the following link for recovering expired certificates on 
FreeeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
  
Problem is when Iook inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do 
not find one.  I see the other three:
auditSigningCert cert-pki-ca =>  updatedocspSigningCert cert-pki-ca => 
updatedServer-Cert cert-pki-ca  => no cert heresubsystemCert cert-pki-ca => 
updated 
Has anyone ever run across this?  Any suggestions or hints would be 
appreciated.  If I role the clock back on my system I can login to IPA, but if 
the time is updated, I cannot login.
Please help. 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project