<div dir="ltr"> <div class="gmail_extra"> <div class="gmail_quote">On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Natxo Asenjo wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote: Natxo Asenjo wrote: On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>> wrote: It's hard to say, it may in fact not be a problem. It is really a matter of what service the certificate(s) are related to. I'd look at the serial numbers and then correlate those to the issued certificates. I'd also do a service-find on the hostname to see if any services have certificates issued and with what serial numbers. I agree, it could be that. But just for testing I have created a vm, joined it to the domain and resubmitted the certificate. Now there are two valid host certificates with the same subject: $ ipa cert-find --subject=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>> ---------------------- 2 certificates matched ---------------------- Serial number (hex): 0x3FFE0002 Serial number: 1073610754 Status: VALID Subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> Serial number (hex): 0x3FFE0003 Serial number: 1073610755 Status: VALID Subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> ---------------------------- Number of entries returned 2 ---------------------------- So it certmonger in this centos 6.8 32bit host is renewing but not having the old certificate revoked. I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time. Can you should how this certificate is being tracked? sure: $ sudo getcert list Number of certificates and requests being tracked: 1. Request ID '20160929100945': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>',token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> expires: 2018-09-30 10:13:17 UTC principal name: host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> <mailto:<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes now, let's resubmit: $ sudo ipa-getcert resubmit -i 20160929100945 Resubmitting "20160929100945" to "IPA". [jose.admin@throwaway ~]$ sudo getcert list Number of certificates and requests being tracked: 1. Request ID '20160929100945': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>',token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> expires: 2018-09-30 20:41:28 UTC principal name: host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> <mailto:<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes so it has been successfully renewed. In the access_log of the kdc I see this: 172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST <a href="https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient" rel="noreferrer" target="_blank">https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient</a> HTTP/1.1" 200 1913 172.20.6.81 - host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> <mailto:<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>> [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929 and in the error_log: [Thu Sep 29 22:41:28.<a href="tel:626669%202016" value="+16266692016" target="_blank">626669 2016</a>] [:error] [pid 4617] ipa: INFO: [xmlserver] host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> <mailto:<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>>: cert_request(u'MIID6DCCAtACAQAwQDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEjMCEGA1UEAxMadGhyb3dhd2F5LnVuaXguaXJpc3pvcmcubmwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4jBk7V2D5pX12kYrr++lwsWq1UWHy6PM9O+B/GvxaI0JoARBrhR6MKI1Ev+DV2r5ukNNWHj5+/kKbtW9XI2XMZ9pIBSwG3SG4m9s3gQV3dGQjlRCcU+MgXiDxRtRy2Vdzd1fZ9xdB1txH3ZnZfceTosNw4Jp3bm/VtPChWJeN6K671FLRCzJkI1KrC+LHfGbvyTtOipB5O9t8RkN4Qh01r/rphPvt9Gh+/mTlHnmGP9+sseqHHsgv2fPvRQowpJDEytTX5w/8pLrUCATqJUYfxK5RDuwD1304p3WXDFLoU6p2xaR63h34muj1a5NV1CvQFqJapHB5B/w6uUbLzjg3AgMBAAGgggFhMHcGCSqGSIb3DQEJFDFqHmgASQBQAEEAIABNAGEAYwBoAGkAbgBlACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAALQAgAHQAaAByAG8AdwBhAHcAYQB5AC4AdQBuAGkAeAAuAGkAcgBpAHMAegBvAHIAZwAuAG4AbDCB5QYJKoZIhvcNAQkOMYHXMIHUMIGhBgNVHREBAQAEgZYwgZOgQAYKKwYBBAGCNxQCA6AyDDBob3N0L3Rocm93YXdheS51bml4LmlyaXN6b3JnLm5sQFVOSVguSVJJU1pPUkcuTkygTwYGKwYBBQICoEUwQ6ASGxBVTklYLklSSVNaT1JHLk5MoS0wK6ADAgEBoSQwIhsEaG9zdBsadGhyb3dhd2F5LnVuaXguaXJpc3pvcmcubmwwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUgXWL3vdW/I31tQxv5YjyMZy4x8kw! </blockquote> DQYJKoZIhv cNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv/J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CHfdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mhehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqNyCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=', <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> principal=u'host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> <mailto:<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>>', add=True, version=u'2.51'): SUCCESS and now I have 3 valid certificates: $ ipa cert-find --subject=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>> ---------------------- 3 certificates matched ---------------------- Serial number (hex): 0xFF9000D Serial number: 267976717 Status: VALID Subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> Serial number (hex): 0x3FFE0002 Serial number: 1073610754 Status: VALID Subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> Serial number (hex): 0x3FFE0003 Serial number: 1073610755 Status: VALID Subject: CN=<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a> <<a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">http://throwaway.unix.iriszorg.nl</a>>,O=<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">UNIX.IRISZORG.NL</a> <<a href="http://UNIX.IRISZORG.NL" rel="noreferrer" target="_blank">http://UNIX.IRISZORG.NL</a>> ---------------------------- Number of entries returned 3 ---------------------------- </blockquote> Ok, let me start by saying that this is not a bug in either certmonger or dogtag. IPA is supposed to do the revocation in the cert_request command. The steps IPA _should_ be taking are: 1. Figure out if we are doing a certificate for a host or a service. 2. See if the requester is allowed to manage this entry 3. Look at the entry to see if it has a usercertificate attribute. If so revoke that serial number, then clear the usercertificate value in the host or service entry (via service_mod or host_mod) 4. Request a new certificate 5. Update IPA with the new value Does a certificate appear in ipa host-show <a href="http://throwaway.unix.iriszorg.nl" rel="noreferrer" target="_blank">throwaway.unix.iriszorg.nl</a>, and which certificate serial number? </blockquote></div> $ ipa host-show throwaway Host name: <a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a> Certificate: MIIE0DCCA7igAwIBAgIED/kADTANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MjA0MTI4WhcNMTgwOTMwMjA0MTI4WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQB6KplOoHG5d2+3c5J/TSE/qxWkfObqPdpzYSMg5ma+PKL7ofuEgtozfoZfH/GXKIKtUpPZCJL2NQQKauagdIwto7PX184FcohCjJxHD30RRbc6q2rm3PE7Q1vDzSxW1ZCFELmpvK0XN4YX1tz6iaPgo2B7wuyhbZpT4Vd2itT1rOQ6cAnAB7BFhVNj5XDPDoMaHabtWRJVLlIOMeGyrZDUMxmoPys5g1c1SZM1ld+8+zdgqIVEsdTo9qThqPraTUi8GTjP4QvuQkLbnlFO6KQe5RqfbVXA0gKVWDtepY7h+cBQxMa/eHROFtnhW/w1+FdKHDPvOdj8aTF1tSIU2RYP, MIIE0DCCA7igAwIBAgIEP/4AAjANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAwOTUwWhcNMTgwOTMwMTAwOTUwWjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQCvTRaJrl3J7Ky4VkFVfkwIGoaxocXrllYSjXZzhzHV0zJtlVeQGmHwulyrEbEzaRuMqbXe7c8WseOgU/K+UwByGiZoyxUmHgBmu2mv8Cln48UbESEAm0py4hRMmE7UzIhsHzTAKjUfyQXujB21S+FYwd97QymGRgn7kJ2TtH99zslQO0kMC//LmctUxIfTOOcrBgOojIEpcbzTeWNcyuN5+MHr6H2DNUYQZpvnDBv7XVphrk7ACrh4ETeYW5E1fFl84CdSxWehhWILF6t2WdA4RSjvtg3zvMPL+uVU8w1aru33dMuCKqvMG3iaRrDjVZ4k9/36lpf4/r1PwKYxusvg, MIIE0DCCA7igAwIBAgIEP/4AAzANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAxMzE3WhcNMTgwOTMwMTAxMzE3WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQCh6lySZa1AyUyP8AuaLUDj6X0Lt/tGS+ZIw/O248FVMJDwvLvkFUxOjTAK1mip0AHxkib+QtKqFgN9lbidnxeKFYNN2komTfLgFV+G+8kBIInxWbU1OsuYw4J6xCu5IE+F7jfdHX1yw6HSgDixYgKHe9mw+8HTbUR1a/ntZ90pmai8I7daem9bMrPHGSSChjcbjif6YNZ8ibmilqq0vw8CEwQopXFToO/mHfbXNDw6gJY5rKu19fWPi3VRQdQxKKtwY/gXg39q4FWBymDaMwjErC7G4AnGeeTYp4iFYZkfcjYvdxGXGF0CpLgunvcMMQ0rTYx5w1MrLbbnqjq1qBZO Principal name: host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> Password: False Keytab: True Managed by: <a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a> Subject: CN=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a> Serial Number: 267976717 Serial Number (hex): 0xFF9000D Issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a> Not Before: Thu Sep 29 20:41:28 2016 UTC Not After: Sun Sep 30 20:41:28 2018 UTC Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1 Fingerprint (SHA1): 81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45 SSH public key fingerprint: 61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa), 71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss) </div><div class="gmail_extra">so it shows the three certificates but the serial is 267976717 </div><div class="gmail_extra"><div class="gmail_signature">-- Groeten, natxo</div> </div></div>