To sum up, our problem was that we did not install the new CA crt on all replicas, which should probably be done using "ipa-certupdate", but we missed that in the documentation.
Regarding the certificates encoding, we noticed that after the upgrade v3 -> v4 IPA issues certificates in UTF8STRING and as long as our CA crt was still PRINTABLESTRING, it created mismatched certificates. This could be fixed by the CA crt renew.

J.

2017-01-04 16:46 GMT+01:00 Jan Orel <jano...@gmail.com>:

> Hello,
>
> recently we renewed our CA crt. Later we noticed the new CA certificate
> uses different encoding in Issuer and Subject:
>
> subject=
>     organizationName = UTF8STRING:INTGDC.COM
>     commonName = UTF8STRING:Certificate Authority
> issuer=
>     organizationName = PRINTABLESTRING:INTGDC.COM
>     commonName = PRINTABLESTRING:Certificate Authority
>
> The former CA certificate is PRINTABLESTRING in both fields, as well as
> all the older certs.
>
> Since the renewal we have issues with trusting newly issued certificates,
> which also have different encoding in subject and issuer.
>
> What should be the default (correct) encoding for the certificates?
>
> According to the: http://www.freeipa.org/page/Troubleshooting seems it
> should be UTF8
>
> but from the certmonger:
> https://git.fedorahosted.org/cgit/certmonger.git/commit/?id=e6ecd5d8df3413a9717c57ee7fb8702ece23afd6
>
> seems PRINTABLESTRING is used.
>
> How to fix? Do we need to re-new the CA certificate once again?
>
> Thank you
> Jan Orel
>
> We run:
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> certmonger-0.78.4-1.el7.x86_64
> nuxwdog-1.0.3-4.el7_2.x86_64
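Added example (not part of the original thread and not FreeIPA or certmonger code): a small Python check that decodes the string type of each attribute in a DER-encoded Name and shows why the CA subject and a certificate's issuer can carry the same text yet fail a byte-for-byte comparison. The Names are constructed from the strings quoted in the post; all function names are hypothetical.

```python
# Added example; sample Names are constructed from the strings in the post.
TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING"}
OIDS = {b"\x55\x04\x0a": "organizationName", b"\x55\x04\x03": "commonName"}

def tlv(tag, body):
    """Encode one DER TLV (short length form, enough for the sample data)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long length form
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def build_name(string_tag, org, cn):
    """Constructed sample Name (O=org, CN=cn) using one string type."""
    rdns = b""
    for oid, text in ((b"\x55\x04\x0a", org), (b"\x55\x04\x03", cn)):
        atv = tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode()))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def describe(name_der):
    """Return [(attribute, string type, text)] for a DER-encoded Name."""
    out = []
    for _, rdn in children(read_tlv(name_der, 0)[1]):
        for _, atv in children(rdn):
            (_, oid), (stag, val) = children(atv)
            out.append((OIDS.get(oid, oid.hex()), TAGS.get(stag, hex(stag)),
                        val.decode("utf-8", "replace")))
    return out

def compare_names(ca_subject, cert_issuer):
    """'identical', 'encoding-only' (same text, other string type) or 'different'."""
    if ca_subject == cert_issuer:
        return "identical"
    a, b = describe(ca_subject), describe(cert_issuer)
    same = [(k, v) for k, _, v in a] == [(k, v) for k, _, v in b]
    return "encoding-only" if same else "different"
```

A result of "encoding-only" for the current CA subject against a certificate's issuer corresponds to the UTF8STRING versus PRINTABLESTRING situation described in the thread.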