<div dir="ltr"><br><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Michael Plemmons wrote:<br>
> I just realized that I sent the reply directly to Rob and not to the<br>
> list. My response is inline<br>
<br>
Ok, this is actually good news.<br>
<br>
I made a similar proposal in another case and I was completely wrong.<br>
Flo had the user do something and it totally fixed their auth error, I<br>
just can't remember what it was or find the e-mail thread. I'm pretty<br>
sure it was this calendar year though.<br>
<br>
rob<br>
<br></blockquote><div><br></div><div>Do you or Flo know what I could search for in the past emails to find the answer to the problem?</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
><br>
><br>
><br>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br>
> *<br>
> 614.427.2411<br>
> <a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@crosschx.com</a> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a>><br>
> <a href="http://www.crosschx.com" rel="noreferrer" target="_blank">www.crosschx.com</a> <<a href="http://www.crosschx.com/" rel="noreferrer" target="_blank">http://www.crosschx.com/</a>><br>
><br>
> On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons<br>
> <<a href="mailto:michael.plemmons@crosschx.com">michael.plemmons@crosschx.com</a> <mailto:<a href="mailto:michael.plemmons@crosschx.com">michael.plemmons@<wbr>crosschx.com</a>>><br>
> wrote:<br>
><br>
><br>
><br>
><br>
><br>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br>
> *<br>
> 614.427.2411<br>
> <a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@crosschx.com</a> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a>><br>
> <a href="http://www.crosschx.com" rel="noreferrer" target="_blank">www.crosschx.com</a> <<a href="http://www.crosschx.com/" rel="noreferrer" target="_blank">http://www.crosschx.com/</a>><br>
><br>
> On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote:<br>
><br>
> Michael Plemmons wrote:<br>
> > I realized that I was not very clear in my statement about<br>
> testing with<br>
> > ldapsearch. I had initially run it without logging in with a<br>
> DN. I was<br>
> > just running the local ldapsearch -x command. I then tested on<br>
> > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the<br>
> admin and<br>
> > "cn=Directory Manager" from ipa12.mgmt (broken server) and<br>
> ipa11.mgmt<br>
> > and both ldapsearch command succeeded.<br>
> ><br>
> > I ran the following from ipa12.mgmt and ipa11.mgmt as a non<br>
> root user.<br>
> > I also ran the command showing a line count for the output and<br>
> the line<br>
> > counts for each were the same when run from ipa12.mgmt and<br>
> ipa11.mgmt.<br>
> ><br>
> > ldapsearch -LLL -h <a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>> -D "DN" -w PASSWORD -b<br>
> > "cn=users,cn=accounts,dc=mgmt,<wbr>dc=crosschx,dc=com" dn<br>
> ><br>
> > ldapsearch -LLL -h <a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>> -D "cn=directory manager" -w<br>
> PASSWORD dn<br>
><br>
> The CA has its own suffix and replication agreements. Given the auth<br>
> error and recent (5 months) renewal of CA credentials I'd check<br>
> that the<br>
> CA agent authentication entries are correct.<br>
><br>
> Against each master with a CA run:<br>
><br>
> $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b<br>
> uid=ipara,ou=people,o=ipaca description<br>
><br>
> The format is 2;serial#,subject,issuer<br>
><br>
> Then on each run:<br>
><br>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial<br>
><br>
> The serial # should match that in the description everywhere.<br>
><br>
> rob<br>
><br>
><br>
><br>
> On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the<br>
> serial number is 7. I then ran the certutil command on all three<br>
> servers and the serial number is 7 as well.<br>
><br>
><br>
> I also ran the ldapsearch command against the other two servers and<br>
> they also showed a serial number of 7.<br>
><br>
><br>
><br>
><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br>
> > *<br>
> > 614.427.2411<br>
> > <a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@crosschx.com</a> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a>><br>
> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a><br>
> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a>>><br>
> > <a href="http://www.crosschx.com" rel="noreferrer" target="_blank">www.crosschx.com</a> <<a href="http://www.crosschx.com" rel="noreferrer" target="_blank">http://www.crosschx.com</a>><br>
> <<a href="http://www.crosschx.com/" rel="noreferrer" target="_blank">http://www.crosschx.com/</a>><br>
> ><br>
> > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons<br>
> > <<a href="mailto:michael.plemmons@crosschx.com">michael.plemmons@crosschx.com</a><br>
> <mailto:<a href="mailto:michael.plemmons@crosschx.com">michael.plemmons@<wbr>crosschx.com</a>><br>
> <mailto:<a href="mailto:michael.plemmons@crosschx.com">michael.plemmons@<wbr>crosschx.com</a><br>
> <mailto:<a href="mailto:michael.plemmons@crosschx.com">michael.plemmons@<wbr>crosschx.com</a>>>><br>
> > wrote:<br>
> ><br>
> > I have a three node IPA cluster.<br>
> ><br>
> > ipa11.mgmt - was a master over 6 months ago<br>
> > ipa13.mgmt - current master<br>
> > ipa12.mgmt<br>
> ><br>
> > ipa13 has agreements with ipa11 and ipa12. ipa11 and<br>
> ipa12 do not<br>
> > have agreements between each other.<br>
> ><br>
> > It appears that either ipa12.mgmt lost some level of its<br>
> replication<br>
> > agreement with ipa13. I saw some level because users /<br>
> hosts were<br>
> > replicated between all systems but we started seeing DNS<br>
> was not<br>
> > resolving properly from ipa12. I do not know when this<br>
> started.<br>
> ><br>
> > When looking at replication agreements on ipa12 I did not<br>
> see any<br>
> > agreement with ipa13.<br>
> ><br>
> > When I run ipa-replica-manage list all three hosts show<br>
> has master.<br>
> ><br>
> > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt<br>
> is a replica.<br>
> ><br>
> > When I run ipa-replica-manage ipa12.mgmt nothing returned.<br>
> ><br>
> > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt<br>
> > <a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>><br>
> > <a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>>> on ipa12.mgmt<br>
> ><br>
> > I then ran the following<br>
> ><br>
> > ipa-replica-manage force-sync --from<br>
> <a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>>><br>
> ><br>
> > ipa-replica-manage re-initialize --from<br>
> <a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>>><br>
> ><br>
> > I was still seeing bad DNS returns when dig'ing against<br>
> ipa12.mgmt.<br>
> > I was able to create user and DNS records and see the<br>
> information<br>
> > replicated properly across all three nodes.<br>
> ><br>
> > I then ran ipactl stop on ipa12.mgmt and then ipactl start on<br>
> > ipa12.mgmt because I wanted to make sure everything was<br>
> running<br>
> > fresh after the changes above. While IPA was staring up (DNS<br>
> > started) we were able to see valid DNS queries returned but<br>
> > pki-tomcat would not start.<br>
> ><br>
> > I am not sure what I need to do in order to get this<br>
> working. I<br>
> > have included the output of certutil and getcert below<br>
> from all<br>
> > three servers as well as the debug output for pki.<br>
> ><br>
> ><br>
> > While the IPA system is coming up I am able to<br>
> successfully run<br>
> > ldapsearch -x as the root user and see results. I am also<br>
> able to<br>
> > login with the "cn=Directory Manager" account and see results.<br>
> ><br>
> ><br>
> > The debug log shows the following error.<br>
> ><br>
> ><br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> > ==============================<wbr>==============<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: ===== DEBUG<br>
> > SUBSYSTEM INITIALIZED =======<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> > ==============================<wbr>==============<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> restart at<br>
> > autoShutdown? false<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > autoShutdown crumb file path?<br>
> > /var/lib/pki/pki-tomcat/logs/<wbr>autoShutdown.crumb<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> about to<br>
> > look for cert for auto-shutdown support:auditSigningCert<br>
> cert-pki-ca<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> found<br>
> > cert:auditSigningCert cert-pki-ca<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> done init<br>
> > id=debug<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > initialized debug<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > initSubsystem id=log<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> ready to<br>
> > init id=log<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: Creating<br>
> ><br>
> RollingLogFile(/var/lib/pki/<wbr>pki-tomcat/logs/ca/<wbr>signedAudit/ca_audit)<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: Creating<br>
> > RollingLogFile(/var/lib/pki/<wbr>pki-tomcat/logs/ca/system)<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: Creating<br>
> > RollingLogFile(/var/lib/pki/<wbr>pki-tomcat/logs/ca/<wbr>transactions)<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> restart at<br>
> > autoShutdown? false<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > autoShutdown crumb file path?<br>
> > /var/lib/pki/pki-tomcat/logs/<wbr>autoShutdown.crumb<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> about to<br>
> > look for cert for auto-shutdown support:auditSigningCert<br>
> cert-pki-ca<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> found<br>
> > cert:auditSigningCert cert-pki-ca<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> done init<br>
> > id=log<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > initialized log<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > initSubsystem id=jss<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> ready to<br>
> > init id=jss<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> restart at<br>
> > autoShutdown? false<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > autoShutdown crumb file path?<br>
> > /var/lib/pki/pki-tomcat/logs/<wbr>autoShutdown.crumb<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> about to<br>
> > look for cert for auto-shutdown support:auditSigningCert<br>
> cert-pki-ca<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> found<br>
> > cert:auditSigningCert cert-pki-ca<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> done init<br>
> > id=jss<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > initialized jss<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> > initSubsystem id=dbs<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: CMSEngine:<br>
> ready to<br>
> > init id=dbs<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> DBSubsystem: init()<br>
> > mEnableSerialMgmt=true<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: Creating<br>
> > LdapBoundConnFactor(<wbr>DBSubsystem)<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> LdapBoundConnFactory:<br>
> > init<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> > LdapBoundConnFactory:doCloning true<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> LdapAuthInfo: init()<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> LdapAuthInfo: init begins<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]:<br>
> LdapAuthInfo: init ends<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: init: before<br>
> > makeConnection errorIfDown is true<br>
> > [03/May/2017:21:22:01][<wbr>localhost-startStop-1]: makeConnection:<br>
> > errorIfDown true<br>
> > [03/May/2017:21:22:02][<wbr>localhost-startStop-1]:<br>
> > SSLClientCertificateSelectionC<wbr>B: Setting desired cert<br>
> nickname to:<br>
> > subsystemCert cert-pki-ca<br>
> > [03/May/2017:21:22:02][<wbr>localhost-startStop-1]:<br>
> LdapJssSSLSocket: set<br>
> > client auth cert nickname subsystemCert cert-pki-ca<br>
> > [03/May/2017:21:22:02][<wbr>localhost-startStop-1]:<br>
> > SSLClientCertificatSelectionCB<wbr>: Entering!<br>
> > [03/May/2017:21:22:02][<wbr>localhost-startStop-1]:<br>
> > SSLClientCertificateSelectionC<wbr>B: returning: null<br>
> > [03/May/2017:21:22:02][<wbr>localhost-startStop-1]: SSL<br>
> handshake happened<br>
> > Could not connect to LDAP server host<br>
> <a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>> port 636 Error<br>
> > netscape.ldap.LDAPException: Authentication failed (48)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.ldapconn.<wbr>LdapBoundConnFactory.<wbr>makeConnection(<wbr>LdapBoundConnFactory.java:205)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.ldapconn.<wbr>LdapBoundConnFactory.init(<wbr>LdapBoundConnFactory.java:166)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.ldapconn.<wbr>LdapBoundConnFactory.init(<wbr>LdapBoundConnFactory.java:130)<br>
> > at<br>
> com.netscape.cmscore.dbs.<wbr>DBSubsystem.init(DBSubsystem.<wbr>java:654)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.apps.<wbr>CMSEngine.initSubsystem(<wbr>CMSEngine.java:1169)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.apps.<wbr>CMSEngine.initSubsystems(<wbr>CMSEngine.java:1075)<br>
> > at<br>
> com.netscape.cmscore.apps.<wbr>CMSEngine.init(CMSEngine.java:<wbr>571)<br>
> > at com.netscape.certsrv.apps.CMS.<wbr>init(CMS.java:187)<br>
> > at com.netscape.certsrv.apps.CMS.<wbr>start(CMS.java:1616)<br>
> > at<br>
> ><br>
> com.netscape.cms.servlet.base.<wbr>CMSStartServlet.init(<wbr>CMSStartServlet.java:114)<br>
> > at<br>
> javax.servlet.GenericServlet.<wbr>init(GenericServlet.java:158)<br>
> > at sun.reflect.<wbr>NativeMethodAccessorImpl.<wbr>invoke0(Native<br>
> Method)<br>
> > at<br>
> ><br>
> sun.reflect.<wbr>NativeMethodAccessorImpl.<wbr>invoke(<wbr>NativeMethodAccessorImpl.java:<wbr>62)<br>
> > at<br>
> ><br>
> sun.reflect.<wbr>DelegatingMethodAccessorImpl.<wbr>invoke(<wbr>DelegatingMethodAccessorImpl.<wbr>java:43)<br>
> > at java.lang.reflect.Method.<wbr>invoke(Method.java:498)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil$1.run(<wbr>SecurityUtil.java:288)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil$1.run(<wbr>SecurityUtil.java:285)<br>
> > at java.security.<wbr>AccessController.doPrivileged(<wbr>Native<br>
> Method)<br>
> > at <a href="http://javax.security.auth.Subject.do" rel="noreferrer" target="_blank">javax.security.auth.Subject.do</a><br>
> <<a href="http://javax.security.auth.Subject.do" rel="noreferrer" target="_blank">http://javax.security.auth.<wbr>Subject.do</a>>AsPrivileged(<wbr>Subject.java:549)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil.execute(<wbr>SecurityUtil.java:320)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil.doAsPrivilege(<wbr>SecurityUtil.java:175)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil.doAsPrivilege(<wbr>SecurityUtil.java:124)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardWrapper.initServlet(<wbr>StandardWrapper.java:1270)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardWrapper.loadServlet(<wbr>StandardWrapper.java:1195)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardWrapper.load(<wbr>StandardWrapper.java:1085)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardContext.loadOnStartup(<wbr>StandardContext.java:5318)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardContext.startInternal(<wbr>StandardContext.java:5610)<br>
> > at<br>
> ><br>
> org.apache.catalina.util.<wbr>LifecycleBase.start(<wbr>LifecycleBase.java:147)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase.<wbr>addChildInternal(<wbr>ContainerBase.java:899)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase.access$000(<wbr>ContainerBase.java:133)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase$<wbr>PrivilegedAddChild.run(<wbr>ContainerBase.java:156)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase$<wbr>PrivilegedAddChild.run(<wbr>ContainerBase.java:145)<br>
> > at java.security.<wbr>AccessController.doPrivileged(<wbr>Native<br>
> Method)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase.addChild(<wbr>ContainerBase.java:873)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardHost.addChild(<wbr>StandardHost.java:652)<br>
> > at<br>
> ><br>
> org.apache.catalina.startup.<wbr>HostConfig.deployDescriptor(<wbr>HostConfig.java:679)<br>
> > at<br>
> ><br>
> org.apache.catalina.startup.<wbr>HostConfig$DeployDescriptor.<wbr>run(HostConfig.java:1966)<br>
> > at<br>
> ><br>
> java.util.concurrent.<wbr>Executors$RunnableAdapter.<wbr>call(Executors.java:511)<br>
> > at java.util.concurrent.<wbr>FutureTask.run(FutureTask.<wbr>java:266)<br>
> > at<br>
> ><br>
> java.util.concurrent.<wbr>ThreadPoolExecutor.runWorker(<wbr>ThreadPoolExecutor.java:1142)<br>
> > at<br>
> ><br>
> java.util.concurrent.<wbr>ThreadPoolExecutor$Worker.run(<wbr>ThreadPoolExecutor.java:617)<br>
> > at java.lang.Thread.run(Thread.<wbr>java:745)<br>
> > Internal Database Error encountered: Could not connect to LDAP<br>
> > server host <a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>><br>
> > port 636 Error netscape.ldap.LDAPException: Authentication<br>
> failed (48)<br>
> > at<br>
> com.netscape.cmscore.dbs.<wbr>DBSubsystem.init(DBSubsystem.<wbr>java:676)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.apps.<wbr>CMSEngine.initSubsystem(<wbr>CMSEngine.java:1169)<br>
> > at<br>
> ><br>
> com.netscape.cmscore.apps.<wbr>CMSEngine.initSubsystems(<wbr>CMSEngine.java:1075)<br>
> > at<br>
> com.netscape.cmscore.apps.<wbr>CMSEngine.init(CMSEngine.java:<wbr>571)<br>
> > at com.netscape.certsrv.apps.CMS.<wbr>init(CMS.java:187)<br>
> > at com.netscape.certsrv.apps.CMS.<wbr>start(CMS.java:1616)<br>
> > at<br>
> ><br>
> com.netscape.cms.servlet.base.<wbr>CMSStartServlet.init(<wbr>CMSStartServlet.java:114)<br>
> > at<br>
> javax.servlet.GenericServlet.<wbr>init(GenericServlet.java:158)<br>
> > at sun.reflect.<wbr>NativeMethodAccessorImpl.<wbr>invoke0(Native<br>
> Method)<br>
> > at<br>
> ><br>
> sun.reflect.<wbr>NativeMethodAccessorImpl.<wbr>invoke(<wbr>NativeMethodAccessorImpl.java:<wbr>62)<br>
> > at<br>
> ><br>
> sun.reflect.<wbr>DelegatingMethodAccessorImpl.<wbr>invoke(<wbr>DelegatingMethodAccessorImpl.<wbr>java:43)<br>
> > at java.lang.reflect.Method.<wbr>invoke(Method.java:498)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil$1.run(<wbr>SecurityUtil.java:288)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil$1.run(<wbr>SecurityUtil.java:285)<br>
> > at java.security.<wbr>AccessController.doPrivileged(<wbr>Native<br>
> Method)<br>
> > at <a href="http://javax.security.auth.Subject.do" rel="noreferrer" target="_blank">javax.security.auth.Subject.do</a><br>
> <<a href="http://javax.security.auth.Subject.do" rel="noreferrer" target="_blank">http://javax.security.auth.<wbr>Subject.do</a>>AsPrivileged(<wbr>Subject.java:549)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil.execute(<wbr>SecurityUtil.java:320)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil.doAsPrivilege(<wbr>SecurityUtil.java:175)<br>
> > at<br>
> ><br>
> org.apache.catalina.security.<wbr>SecurityUtil.doAsPrivilege(<wbr>SecurityUtil.java:124)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardWrapper.initServlet(<wbr>StandardWrapper.java:1270)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardWrapper.loadServlet(<wbr>StandardWrapper.java:1195)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardWrapper.load(<wbr>StandardWrapper.java:1085)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardContext.loadOnStartup(<wbr>StandardContext.java:5318)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardContext.startInternal(<wbr>StandardContext.java:5610)<br>
> > at<br>
> ><br>
> org.apache.catalina.util.<wbr>LifecycleBase.start(<wbr>LifecycleBase.java:147)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase.<wbr>addChildInternal(<wbr>ContainerBase.java:899)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase.access$000(<wbr>ContainerBase.java:133)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase$<wbr>PrivilegedAddChild.run(<wbr>ContainerBase.java:156)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase$<wbr>PrivilegedAddChild.run(<wbr>ContainerBase.java:145)<br>
> > at java.security.<wbr>AccessController.doPrivileged(<wbr>Native<br>
> Method)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>ContainerBase.addChild(<wbr>ContainerBase.java:873)<br>
> > at<br>
> ><br>
> org.apache.catalina.core.<wbr>StandardHost.addChild(<wbr>StandardHost.java:652)<br>
> > at<br>
> ><br>
> org.apache.catalina.startup.<wbr>HostConfig.deployDescriptor(<wbr>HostConfig.java:679)<br>
> > at<br>
> ><br>
> org.apache.catalina.startup.<wbr>HostConfig$DeployDescriptor.<wbr>run(HostConfig.java:1966)<br>
> > at<br>
> ><br>
> java.util.concurrent.<wbr>Executors$RunnableAdapter.<wbr>call(Executors.java:511)<br>
> > at java.util.concurrent.<wbr>FutureTask.run(FutureTask.<wbr>java:266)<br>
> > at<br>
> ><br>
> java.util.concurrent.<wbr>ThreadPoolExecutor.runWorker(<wbr>ThreadPoolExecutor.java:1142)<br>
> > at<br>
> ><br>
> java.util.concurrent.<wbr>ThreadPoolExecutor$Worker.run(<wbr>ThreadPoolExecutor.java:617)<br>
> > at java.lang.Thread.run(Thread.<wbr>java:745)<br>
> > [03/May/2017:21:22:02][<wbr>localhost-startStop-1]:<br>
> CMSEngine.shutdown()<br>
> ><br>
> ><br>
> > =============================<br>
> ><br>
> ><br>
> > IPA11.MGMT<br>
> ><br>
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-<wbr>CROSSCHX-COM/<br>
> > Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
> Server-Cert<br>
> > u,u,u <a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> IPA CA CT,C,C<br>
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/<br>
> Certificate<br>
> > Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert<br>
> > cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu<br>
> > ocspSigningCert cert-pki-ca u,u,u subsystemCert<br>
> cert-pki-ca u,u,u<br>
> > Server-Cert cert-pki-ca u,u,u IPA13.MGMT (root)>certutil -L -d<br>
> > /etc/dirsrv/slapd-MGMT-<wbr>CROSSCHX-COM/ Certificate Nickname<br>
> Trust<br>
> > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u<br>
> <a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> IPA CA CT,C,C (root)>certutil -L -d<br>
> > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust<br>
> Attributes<br>
> > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu<br>
> > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert<br>
> cert-pki-ca<br>
> > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert<br>
> cert-pki-ca u,u,u<br>
> > IPA12.MGMT (root)>certutil -L -d<br>
> > /etc/dirsrv/slapd-MGMT-<wbr>CROSSCHX-COM/ Certificate Nickname<br>
> Trust<br>
> > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u<br>
> <a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> IPA CA C,, (root)>certutil -L -d<br>
> > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust<br>
> Attributes<br>
> > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu<br>
> > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert<br>
> cert-pki-ca<br>
> > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert<br>
> cert-pki-ca u,u,u<br>
> > ==============================<wbr>=================== IPA11.MGMT<br>
> > (root)>getcert list Number of certificates and requests being<br>
> > tracked: 8. Request ID '20161229155314': status:<br>
> MONITORING stuck:<br>
> > no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MGMT-CROSSCHX-<wbr>COM',nickname='Server-Cert',<wbr>token='NSS<br>
> > Certificate<br>
> > DB',pinfile='/etc/dirsrv/<wbr>slapd-MGMT-CROSSCHX-COM/<wbr>pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MGMT-CROSSCHX-<wbr>COM',nickname='Server-Cert',<wbr>token='NSS<br>
> > Certificate DB' CA: IPA issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa11.mgmt.crosschx.com</a> <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 15:52:43<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>restart_dirsrv<br>
> > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID<br>
> > '20161229155652': status: MONITORING stuck: no key pair<br>
> storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
> > 2018-11-12 13:00:29 UTC key usage:<br>
> digitalSignature,<wbr>nonRepudiation<br>
> > pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
> "auditSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229155654':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > expires: 2018-11-12 13:00:26 UTC key usage:<br>
> > digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign eku:<br>
> > id-kp-OCSPSigning pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "ocspSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229155655':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > expires: 2018-11-12 13:00:28 UTC key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "subsystemCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229155657':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2036-11-22 13:00:25<br>
> UTC key<br>
> > usage: digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign<br>
> pre-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save<br>
> command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "caSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229155659':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
> cert-pki-ca',token='NSS<br>
> > Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
> cert-pki-ca',token='NSS<br>
> > Certificate DB' CA: dogtag-ipa-renew-agent issuer:<br>
> CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa11.mgmt.crosschx.com</a> <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-19 15:56:20<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth,id-kp-<wbr>emailProtection<br>
> > pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
> "Server-Cert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229155921':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB' CA: IPA issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa11.mgmt.crosschx.com</a> <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa11.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa11.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 15:52:46<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>restart_httpd track: yes<br>
> > auto-renew: yes Request ID '20161229160009': status:<br>
> MONITORING<br>
> > stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
> > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:<br>
> CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
> > 2018-11-12 13:01:34 UTC key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert_pre post-save<br>
> command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert track: yes<br>
> auto-renew: yes<br>
> > ==============================<wbr>==== IPA13.MGMT<br>
> (root)>getcert list<br>
> > Number of certificates and requests being tracked: 8.<br>
> Request ID<br>
> > '20161229143449': status: MONITORING stuck: no key pair<br>
> storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MGMT-CROSSCHX-<wbr>COM',nickname='Server-Cert',<wbr>token='NSS<br>
> > Certificate<br>
> > DB',pinfile='/etc/dirsrv/<wbr>slapd-MGMT-CROSSCHX-COM/<wbr>pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MGMT-CROSSCHX-<wbr>COM',nickname='Server-Cert',<wbr>token='NSS<br>
> > Certificate DB' CA: IPA issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 14:34:20<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>restart_dirsrv<br>
> > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID<br>
> > '20161229143826': status: MONITORING stuck: no key pair<br>
> storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
> > 2018-11-12 13:00:29 UTC key usage:<br>
> digitalSignature,<wbr>nonRepudiation<br>
> > pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
> "auditSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229143828':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > expires: 2018-11-12 13:00:26 UTC key usage:<br>
> > digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign eku:<br>
> > id-kp-OCSPSigning pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "ocspSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229143831':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > expires: 2018-11-12 13:00:28 UTC key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "subsystemCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229143833':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2036-11-22 13:00:25<br>
> UTC key<br>
> > usage: digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign<br>
> pre-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save<br>
> command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "caSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229143835':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
> cert-pki-ca',token='NSS<br>
> > Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
> cert-pki-ca',token='NSS<br>
> > Certificate DB' CA: dogtag-ipa-renew-agent issuer:<br>
> CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-19 14:37:54<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth,id-kp-<wbr>emailProtection<br>
> > pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
> "Server-Cert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229144057':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB' CA: IPA issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 14:34:23<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>restart_httpd track: yes<br>
> > auto-renew: yes Request ID '20161229144146': status:<br>
> MONITORING<br>
> > stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
> > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:<br>
> CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
> > 2018-11-12 13:01:34 UTC key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert_pre post-save<br>
> command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert track: yes<br>
> auto-renew: yes<br>
> > =========================== IPA12.MGMT (root)>getcert list<br>
> Number of<br>
> > certificates and requests being tracked: 8. Request ID<br>
> > '20161229151518': status: MONITORING stuck: no key pair<br>
> storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MGMT-CROSSCHX-<wbr>COM',nickname='Server-Cert',<wbr>token='NSS<br>
> > Certificate<br>
> > DB',pinfile='/etc/dirsrv/<wbr>slapd-MGMT-CROSSCHX-COM/<wbr>pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-MGMT-CROSSCHX-<wbr>COM',nickname='Server-Cert',<wbr>token='NSS<br>
> > Certificate DB' CA: IPA issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 15:14:51<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>restart_dirsrv<br>
> > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID<br>
> > '20161229151850': status: MONITORING stuck: no key pair<br>
> storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
> > 2018-11-12 13:00:29 UTC key usage:<br>
> digitalSignature,<wbr>nonRepudiation<br>
> > pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
> "auditSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229151852':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > expires: 2018-11-12 13:00:26 UTC key usage:<br>
> > digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign eku:<br>
> > id-kp-OCSPSigning pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "ocspSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229151854':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > expires: 2018-11-12 13:00:28 UTC key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "subsystemCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229151856':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB' CA:<br>
> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2036-11-22 13:00:25<br>
> UTC key<br>
> > usage: digitalSignature,<wbr>nonRepudiation,keyCertSign,<wbr>cRLSign<br>
> pre-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad post-save<br>
> command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert "caSigningCert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229151858':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
> cert-pki-ca',token='NSS<br>
> > Certificate DB',pin set certificate:<br>
> ><br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>Server-Cert<br>
> cert-pki-ca',token='NSS<br>
> > Certificate DB' CA: dogtag-ipa-renew-agent issuer:<br>
> CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-19 15:18:16<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth,id-kp-<wbr>emailProtection<br>
> > pre-save command: /usr/libexec/ipa/certmonger/<wbr>stop_pkicad<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>renew_ca_cert<br>
> "Server-Cert<br>
> > cert-pki-ca" track: yes auto-renew: yes Request ID<br>
> '20161229152115':<br>
> > status: MONITORING stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB' CA: IPA issuer: CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>><br>
> > <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a><br>
> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.<wbr>com</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> > <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 15:14:54<br>
> UTC key<br>
> > usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> post-save<br>
> > command: /usr/libexec/ipa/certmonger/<wbr>restart_httpd track: yes<br>
> > auto-renew: yes Request ID '20161229152204': status:<br>
> MONITORING<br>
> > stuck: no key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS<br>
> > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:<br>
> CN=Certificate<br>
> > Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
> > CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
> > 2018-11-12 13:01:34 UTC key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth pre-save command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert_pre post-save<br>
> command:<br>
> > /usr/libexec/ipa/certmonger/<wbr>renew_ra_cert track: yes<br>
> auto-renew: yes<br>
> ><br>
> ><br>
> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br>
> > *<br>
> > 614.427.2411<br>
> > <a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@crosschx.com</a><br>
> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a>><br>
> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a><br>
> <mailto:<a href="mailto:mike.plemmons@crosschx.com">mike.plemmons@<wbr>crosschx.com</a>>><br>
> > <a href="http://www.crosschx.com" rel="noreferrer" target="_blank">www.crosschx.com</a> <<a href="http://www.crosschx.com" rel="noreferrer" target="_blank">http://www.crosschx.com</a>><br>
> <<a href="http://www.crosschx.com/" rel="noreferrer" target="_blank">http://www.crosschx.com/</a>><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
><br>
><br>
><br>
<br>
</blockquote></div><br></div></div>