<div dir="ltr">I have done more searching in my logs and I see the following errors.<div><br></div><div>This is in the localhost log file /var/lib/pki/pki-tomcat/<wbr>logs</div><div><br></div><div><div>May 15, 2017 3:08:08 PM org.apache.catalina.core.<wbr>ApplicationContext log</div><div>SEVERE: StandardWrapper.Throwable</div><div>java.lang.NullPointerException</div><div><br></div><div>May 15, 2017 3:08:08 PM org.apache.catalina.core.<wbr>StandardContext loadOnStartup</div><div>SEVERE: Servlet [castart] in web application [/ca] threw load() exception</div><div>java.lang.NullPointerException</div><div><br></div><div>May 15, 2017 3:08:09 PM org.apache.catalina.core.<wbr>StandardHostValve invoke</div><div>SEVERE: Exception Processing /ca/admin/ca/getStatus</div><div><a href="http://javax.ws.rs">javax.ws.rs</a>.<wbr>ServiceUnavailableException: Subsystem unavailable</div></div><div><br></div><div><br></div><div>Looking at the debug log it says Authentication failed for port 636.</div><div><br></div><div><div>[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init()</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection errorIfDown is true</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown true</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null</div><div>[15/May/2017:17:39:25][localhost-startStop-1]: SSL 
handshake happened</div><div>Could not connect to LDAP server host <a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a> port 636 Error netscape.ldap.LDAPException: Authentication failed (48)</div><div>        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)</div></div><div><br></div><div><br></div><div>I looked at the validity of the cert it mentions and it is fine.</div><div><br></div><div><div>(root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'</div><div>State MONITORING, stuck: no.</div></div><div><br></div><div><br></div><div>I then looked at the ldap errors around the time of this failure and I am seeing this log entry.</div><div><br></div><div><br></div><div><div>[15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/<a href="mailto:ipa12.mgmt.crosschx.com@MGMT.CROSSCHX.COM">ipa12.mgmt.crosschx.com@MGMT.CROSSCHX.COM</a>] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)</div></div><div><br></div><div>When I perform a klist against that keytab nothing appears out of the ordinary compared to working IPA servers.</div><div><br></div><div>I am not sure what to look at next.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" 
target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div>
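<div>Added example, not part of the original thread and not FreeIPA code: the consistency check Rob Crittenden describes in the quoted message below (the serial in the uid=ipara description must match the ipaCert serial on every CA master), run over constructed sample output. It assumes the serial is the field right after the leading "2;" and that certutil prints either "Serial Number: 7 (0x7)" or colon-separated hex bytes on the following line; host names and DNs are made up.</div>

```python
import base64
import re

# Constructed sample of `ldapsearch -LLL ... description` output. LDIF folds
# long values; a continuation line starts with one space. DNs are made up.
SAMPLE_LDIF = (
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAM\n"
    " PLE.TEST\n"
)

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` output.
SAMPLE_CERTUTIL = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 7 (0x7)\n"
)


def unfold_ldif(text):
    """Join folded LDIF lines (a continuation line starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def description_serial(ldif_text):
    """Return the serial stored in the description attribute as an int."""
    for line in unfold_ldif(ldif_text):
        if line.startswith("description:: "):
            # Double colon means the value is base64 encoded.
            value = base64.b64decode(line[len("description:: "):]).decode("utf-8")
        elif line.startswith("description: "):
            value = line[len("description: "):]
        else:
            continue
        # Assumption: version "2", then the decimal serial, then ";" or ",".
        match = re.match(r"2;(\d+)[;,]", value)
        if match is None:
            raise ValueError("unexpected description format: " + value)
        return int(match.group(1))
    raise ValueError("no description attribute found")


def certutil_serial(output):
    """Return the certificate serial from certutil -L output as an int."""
    lines = output.splitlines()
    for index, line in enumerate(lines):
        match = re.match(r"\s*Serial Number:\s*(.*)$", line)
        if match is None:
            continue
        rest = match.group(1).strip()
        if not rest and index + 1 != len(lines):
            # Long serials are printed as hex bytes on the next line, which
            # a plain `grep Serial` would not show.
            rest = lines[index + 1].strip()
        if re.fullmatch(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})+", rest):
            return int(rest.replace(":", ""), 16)
        decimal = re.match(r"(\d+)", rest)
        if decimal is None:
            raise ValueError("unreadable serial line: " + line)
        return int(decimal.group(1))
    raise ValueError("no Serial Number line found")


def compare_masters(observations):
    """observations maps host to (ldif_text, certutil_text).

    Returns (consistent, table). table maps host to
    (ldap_serial, nss_serial); consistent is True only when every serial
    from both sources on every host is the same value.
    """
    table = {}
    for host, (ldif_text, certutil_text) in observations.items():
        table[host] = (description_serial(ldif_text),
                       certutil_serial(certutil_text))
    distinct = set()
    for pair in table.values():
        distinct.update(pair)
    return len(distinct) == 1, table


if __name__ == "__main__":
    # Constructed case: one master still holds an older ipaCert in its NSS db.
    stale = SAMPLE_CERTUTIL.replace("7 (0x7)", "11 (0xb)")
    ok, table = compare_masters({
        "ca-a.example.test": (SAMPLE_LDIF, SAMPLE_CERTUTIL),
        "ca-b.example.test": (SAMPLE_LDIF, stale),
    })
    for host, (ldap_serial, nss_serial) in sorted(table.items()):
        print(host, "description serial", ldap_serial, "ipaCert serial", nss_serial)
    print("consistent" if ok else "MISMATCH: serials differ between masters")
```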
<br><div class="gmail_quote">On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons <span dir="ltr"><<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The PKI service came up successfully but only when it uses BasicAuth rather than SSL auth.  I am not sure about what I need to do in order to get the auth working over SSL again.<div><br></div><div>None of the certs are expired when I run getcert list and ipa-getcert list.</div><div><br></div><div>Since the failure is with attempts to log in to LDAP over 636, I have been attempting to auth to LDAP via port 636 and the ldapsearch is not completing.  When looking at packet captures, I see some of the TCP handshake and what appears to be the start of an SSL process and then everything hangs.</div><div><br></div><div>What is the proper method to test performing a ldapsearch over 636?  Also, the CS.cfg shows it wants to auth as cn=Directory Manager.  
I can successfully auth with cn=Directory Manager over 389 but I think I am not performing ldapsearch over 636 correctly.</div><div class="gmail_extra"><br clear="all"><div><div class="m_-765289375935881056m_8399766940143028104gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons <span dir="ltr"><<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a><wbr>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I think I found the email thread.  Asking for help with crashed freeIPA istance.  That email pointed to this link, <a href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html" target="_blank">https://www.redhat.com/a<wbr>rchives/freeipa-users/2017-Jan<wbr>uary/msg00215.html</a>.  That link talked about changing the CS.cfg file to use port 389 for PKI to auth to LDAP.  I made the necessary changes and PKI came up successfully.</div><div class="gmail_extra"><br clear="all"><div><div class="m_-765289375935881056m_8399766940143028104m_582664644711419783gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons <span dir="ltr"><<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a><wbr>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br clear="all"><div><div class="m_-765289375935881056m_8399766940143028104m_582664644711419783m_4438589908806384366gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Michael Plemmons wrote:<br>
> I just realized that I sent the reply directly to Rob and not to the<br>
> list.  My response is inline<br>
<br>
Ok, this is actually good news.<br>
<br>
I made a similar proposal in another case and I was completely wrong.<br>
Flo had the user do something and it totally fixed their auth error, I<br>
just can't remember what it was or find the e-mail thread. I'm pretty<br>
sure it was this calendar year though.<br>
<br>
rob<br>
<br></blockquote><div><br></div><div>Do you or Flo know what I could search for in the past emails to find the answer to the problem?</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
><br>
><br>
><br>
><br>
> On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons<br>
> <<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a> <mailto:<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@cross<wbr>chx.com</a>>><br>
> wrote:<br>
><br>
><br>
><br>
><br>
><br>
><br>
>     On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
>     <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
><br>
>         Michael Plemmons wrote:<br>
>         > I realized that I was not very clear in my statement about<br>
>         testing with<br>
>         > ldapsearch.  I had initially run it without logging in with a<br>
>         DN.  I was<br>
>         > just running the local ldapsearch -x command.  I then tested on<br>
>         > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the<br>
>         admin and<br>
>         > "cn=Directory Manager" from ipa12.mgmt (broken server) and<br>
>         ipa11.mgmt<br>
>         > and both ldapsearch command succeeded.<br>
>         ><br>
>         > I ran the following from ipa12.mgmt and ipa11.mgmt as a non<br>
>         root user.<br>
>         > I also ran the command showing a line count for the output and<br>
>         the line<br>
>         > counts for each were the same when run from ipa12.mgmt and<br>
>         ipa11.mgmt.<br>
>         ><br>
>         > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b<br>
>         > "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn<br>
>         ><br>
>         > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w<br>
>         > PASSWORD dn<br>
><br>
>         The CA has its own suffix and replication agreements. Given the auth<br>
>         error and recent (5 months) renewal of CA credentials I'd check<br>
>         that the<br>
>         CA agent authentication entries are correct.<br>
><br>
>         Against each master with a CA run:<br>
><br>
>         $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b<br>
>         uid=ipara,ou=people,o=ipaca description<br>
><br>
>         The format is 2;serial#,subject,issuer<br>
><br>
>         Then on each run:<br>
><br>
>         # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial<br>
><br>
>         The serial # should match that in the description everywhere.<br>
><br>
>         rob<br>
><br>
><br>
><br>
>     On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the<br>
>     serial number is 7.  I then ran the certutil command on all three<br>
>     servers and the serial number is 7 as well.<br>
><br>
><br>
>     I also ran the ldapsearch command against the other two servers and<br>
>     they also showed a serial number of 7.<br>
><br>
><br>
><br>
><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         ><br>
>         > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons<br>
>         > <<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a><br>
>         <mailto:<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@cros<wbr>schx.com</a>><br>
>         <mailto:<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@cros<wbr>schx.com</a><br>
>         <mailto:<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@cros<wbr>schx.com</a>>>><br>
>         > wrote:<br>
>         ><br>
>         >     I have a three node IPA cluster.<br>
>         ><br>
>         >     ipa11.mgmt - was a master over 6 months ago<br>
>         >     ipa13.mgmt - current master<br>
>         >     ipa12.mgmt<br>
>         ><br>
>         >     ipa13 has agreements with ipa11 and ipa12.  ipa11 and<br>
>         ipa12 do not<br>
>         >     have agreements between each other.<br>
>         ><br>
>         >     It appears that either ipa12.mgmt lost some level of its<br>
>         replication<br>
>         >     agreement with ipa13.  I saw some level because users /<br>
>         hosts were<br>
>         >     replicated between all systems but we started seeing DNS<br>
>         was not<br>
>         >     resolving properly from ipa12.  I do not know when this<br>
>         started.<br>
>         ><br>
>         >     When looking at replication agreements on ipa12 I did not<br>
>         see any<br>
>         >     agreement with ipa13.<br>
>         ><br>
>         >     When I run ipa-replica-manage list all three hosts show<br>
>         has master.<br>
>         ><br>
>         >     When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt<br>
>         is a replica.<br>
>         ><br>
>         >     When I run ipa-replica-manage ipa12.mgmt nothing returned.<br>
>         ><br>
>         >     I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt<br>
>         >     ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt<br>
>         ><br>
>         >     I then ran the following<br>
>         ><br>
>         >     ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com<br>
>         ><br>
>         >     ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com<br>
>         ><br>
>         >     I was still seeing bad DNS returns when dig'ing against<br>
>         ipa12.mgmt.<br>
>         >     I was able to create user and DNS records and see the<br>
>         information<br>
>         >     replicated properly across all three nodes.<br>
>         ><br>
>         >     I then ran ipactl stop on ipa12.mgmt and then ipactl start on<br>
>         >     ipa12.mgmt because I wanted to make sure everything was<br>
>         running<br>
>         >     fresh after the changes above.  While IPA was starting up (DNS<br>
>         >     started) we were able to see valid DNS queries returned but<br>
>         >     pki-tomcat would not start.<br>
>         ><br>
>         >     I am not sure what I need to do in order to get this<br>
>         working.  I<br>
>         >     have included the output of certutil and getcert below<br>
>         from all<br>
>         >     three servers as well as the debug output for pki.<br>
>         ><br>
>         ><br>
>         >     While the IPA system is coming up I am able to<br>
>         successfully run<br>
>         >     ldapsearch -x as the root user and see results.  I am also<br>
>         able to<br>
>         >     login with the "cn=Directory Manager" account and see results.<br>
>         ><br>
>         ><br>
>         >     The debug log shows the following error.<br>
>         ><br>
>         ><br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: ============================================<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: ============================================<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init()  mEnableSerialMgmt=true<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true<br>
>         >     [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true<br>
>         >     [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca<br>
>         >     [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!<br>
>         >     [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null<br>
>         >     [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened<br>
>         >     Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error<br>
>         >     netscape.ldap.LDAPException: Authentication failed (48)<br>
>         >       at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)<br>
>         >       at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)<br>
>         >       at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)<br>
>         >       at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)<br>
>         >       at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)<br>
>         >       at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)<br>
>         >       at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)<br>
>         >       at com.netscape.certsrv.apps.CMS.init(CMS.java:187)<br>
>         >       at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)<br>
>         >       at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>
>         >       at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
>         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
>         >       at java.lang.reflect.Method.invoke(Method.java:498)<br>
>         >       at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)<br>
>         >       at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)<br>
>         >       at java.security.AccessController.doPrivileged(Native Method)<br>
>         >       at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)<br>
>         >       at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)<br>
>         >       at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)<br>
>         >       at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)<br>
>         >       at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)<br>
>         >       at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)<br>
>         >       at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)<br>
>         >       at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)<br>
>         >       at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)<br>
>         >       at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)<br>
>         >       at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)<br>
>         >       at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>
>         >       at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>
>         >       at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>
>         >       at java.security.AccessController.doPrivileged(Native Method)<br>
>         >       at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)<br>
>         >       at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)<br>
>         >       at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)<br>
>         >       at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)<br>
>         >       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<br>
>         >       at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>
>         >       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>
>         >       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>
>         >       at java.lang.Thread.run(Thread.ja<wbr>va:745)<br>
>         >     Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)<br>
>         >       at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)<br>
>         >       at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)<br>
>         >       at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)<br>
>         >       at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)<br>
>         >       at com.netscape.certsrv.apps.CMS.init(CMS.java:187)<br>
>         >       at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)<br>
>         >       at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>
>         >       at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
>         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
>         >       at java.lang.reflect.Method.invoke(Method.java:498)<br>
>         >       at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)<br>
>         >       at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)<br>
>         >       at java.security.AccessController.doPrivileged(Native Method)<br>
>         >       at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)<br>
>         >       at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)<br>
>         >       at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)<br>
>         >       at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)<br>
>         >       at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)<br>
>         >       at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)<br>
>         >       at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)<br>
>         >       at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)<br>
>         >       at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)<br>
>         >       at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)<br>
>         >       at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)<br>
>         >       at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>
>         >       at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>
>         >       at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>
>         >       at java.security.AccessController.doPrivileged(Native Method)<br>
>         >       at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)<br>
>         >       at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)<br>
>         >       at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)<br>
>         >       at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)<br>
>         >       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<br>
>         >       at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>
>         >       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>
>         >       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>
>         >       at java.lang.Thread.run(Thread.java:745)<br>
>         >     [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()<br>
>         ><br>
>         ><br>
>         >     =============================<br>
>         ><br>
>         ><br>
>         >     IPA11.MGMT<br>
>         ><br>
>         >     (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/<br>
>         >     Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
>         >     Server-Cert u,u,u<br>
>         >     MGMT.CROSSCHX.COM IPA CA CT,C,C<br>
>         >     (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/<br>
>         >     Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
>         >     caSigningCert cert-pki-ca CTu,Cu,Cu<br>
>         >     auditSigningCert cert-pki-ca u,u,Pu<br>
>         >     ocspSigningCert cert-pki-ca u,u,u<br>
>         >     subsystemCert cert-pki-ca u,u,u<br>
>         >     Server-Cert cert-pki-ca u,u,u<br>
>         ><br>
>         >     IPA13.MGMT<br>
>         ><br>
>         >     (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/<br>
>         >     Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
>         >     Server-Cert u,u,u<br>
>         >     MGMT.CROSSCHX.COM IPA CA CT,C,C<br>
>         >     (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/<br>
>         >     Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
>         >     caSigningCert cert-pki-ca CTu,Cu,Cu<br>
>         >     auditSigningCert cert-pki-ca u,u,Pu<br>
>         >     ocspSigningCert cert-pki-ca u,u,u<br>
>         >     subsystemCert cert-pki-ca u,u,u<br>
>         >     Server-Cert cert-pki-ca u,u,u<br>
>         ><br>
>         >     IPA12.MGMT<br>
>         ><br>
>         >     (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/<br>
>         >     Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
>         >     Server-Cert u,u,u<br>
>         >     MGMT.CROSSCHX.COM IPA CA C,,<br>
>         >     (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/<br>
>         >     Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI<br>
>         >     caSigningCert cert-pki-ca CTu,Cu,Cu<br>
>         >     auditSigningCert cert-pki-ca u,u,Pu<br>
>         >     ocspSigningCert cert-pki-ca u,u,u<br>
>         >     subsystemCert cert-pki-ca u,u,u<br>
>         >     Server-Cert cert-pki-ca u,u,u<br>
>         >     =================================================<br>
>         ><br>
>         >     IPA11.MGMT<br>
>         ><br>
>         >     (root)>getcert list<br>
>         >     Number of certificates and requests being tracked: 8.<br>
>         >     Request ID '20161229155314':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'<br>
>         >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'<br>
>         >         CA: IPA<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-12-30 15:52:43 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         >         pre-save command:<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229155652':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=CA Audit,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:00:29 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229155654':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:00:26 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
>         >         eku: id-kp-OCSPSigning<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229155655':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:00:28 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229155657':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2036-11-22 13:00:25 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229155659':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-12-19 15:56:20 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229155921':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>         >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>
>         >         CA: IPA<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-12-30 15:52:46 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         >         pre-save command:<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/restart_httpd<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229160009':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>         >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=IPA RA,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:01:34 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     ==================================<br>
>         ><br>
>         >     IPA13.MGMT<br>
>         ><br>
>         >     (root)>getcert list<br>
>         >     Number of certificates and requests being tracked: 8.<br>
>         >     Request ID '20161229143449':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'<br>
>         >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'<br>
>         >         CA: IPA<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-12-30 14:34:20 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         >         pre-save command:<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229143826':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=CA Audit,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:00:29 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229143828':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:00:26 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
>         >         eku: id-kp-OCSPSigning<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229143831':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>
>         >         CA: dogtag-ipa-ca-renew-agent<br>
>         >         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM<br>
>         >         subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM<br>
>         >         expires: 2018-11-12 13:00:28 UTC<br>
>         >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         >         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad<br>
>         >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>
>         >         track: yes<br>
>         >         auto-renew: yes<br>
>         >     Request ID '20161229143833':<br>
>         >         status: MONITORING<br>
>         >         stuck: no<br>
>         >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
>         >         certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB' CA:<br>
>         >     dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2036-11-22 13:00:25<br>
>         UTC key<br>
>         >     usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign<br>
>         pre-save<br>
>         >     command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad post-save<br>
>         command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ca_cert "caSigningCert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229143835':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert<br>
>         cert-pki-ca',token='NSS<br>
>         >     Certificate DB',pin set certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert<br>
>         cert-pki-ca',token='NSS<br>
>         >     Certificate DB' CA: dogtag-ipa-renew-agent issuer:<br>
>         CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.co<wbr>m</a>><br>
>         >     <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.c<wbr>om</a><br>
>         <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.c<wbr>om</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-19 14:37:54<br>
>         UTC key<br>
>         >     usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth,id-kp-emailProtection<br>
>         >     pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad<br>
>         post-save<br>
>         >     command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert<br>
>         "Server-Cert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229144057':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS<br>
>         >     Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
>         certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS<br>
>         >     Certificate DB' CA: IPA issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa13.mgmt.crosschx.com</a> <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.co<wbr>m</a>><br>
>         >     <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.c<wbr>om</a><br>
>         <<a href="http://ipa13.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa13.mgmt.crosschx.c<wbr>om</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 14:34:23<br>
>         UTC key<br>
>         >     usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth pre-save command:<br>
>         post-save<br>
>         >     command: /usr/libexec/ipa/certmonger/re<wbr>start_httpd track: yes<br>
>         >     auto-renew: yes Request ID '20161229144146': status:<br>
>         MONITORING<br>
>         >     stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS<br>
>         >     Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
>         certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS<br>
>         >     Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:<br>
>         CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
>         >     2018-11-12 13:01:34 UTC key usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth pre-save command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ra_cert_pre post-save<br>
>         command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ra_cert track: yes<br>
>         auto-renew: yes<br>
>         >     =========================== IPA12.MGMT (root)>getcert list<br>
>         Number of<br>
>         >     certificates and requests being tracked: 8. Request ID<br>
>         >     '20161229151518': status: MONITORING stuck: no key pair<br>
>         storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S<br>
>         >     Certificate<br>
>         >     DB',pinfile='/etc/dirsrv/slap<wbr>d-MGMT-CROSSCHX-COM/pwdfile.tx<wbr>t'<br>
>         >     certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S<br>
>         >     Certificate DB' CA: IPA issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.co<wbr>m</a>><br>
>         >     <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.c<wbr>om</a><br>
>         <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.c<wbr>om</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 15:14:51<br>
>         UTC key<br>
>         >     usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth pre-save command:<br>
>         post-save<br>
>         >     command: /usr/libexec/ipa/certmonger/re<wbr>start_dirsrv<br>
>         >     MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID<br>
>         >     '20161229151850': status: MONITORING stuck: no key pair<br>
>         storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB' CA:<br>
>         >     dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
>         >     2018-11-12 13:00:29 UTC key usage:<br>
>         digitalSignature,nonRepudiati<wbr>on<br>
>         >     pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad<br>
>         post-save<br>
>         >     command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert<br>
>         "auditSigningCert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229151852':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB' CA:<br>
>         >     dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     expires: 2018-11-12 13:00:26 UTC key usage:<br>
>         >     digitalSignature,nonRepudiati<wbr>on,keyCertSign,cRLSign eku:<br>
>         >     id-kp-OCSPSigning pre-save command:<br>
>         >     /usr/libexec/ipa/certmonger/s<wbr>top_pkicad post-save command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ca_cert "ocspSigningCert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229151854':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB' CA:<br>
>         >     dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     expires: 2018-11-12 13:00:28 UTC key usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth pre-save command:<br>
>         >     /usr/libexec/ipa/certmonger/s<wbr>top_pkicad post-save command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ca_cert "subsystemCert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229151856':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB',pin set certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert<br>
>         >     cert-pki-ca',token='NSS Certificate DB' CA:<br>
>         >     dogtag-ipa-ca-renew-agent issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2036-11-22 13:00:25<br>
>         UTC key<br>
>         >     usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign<br>
>         pre-save<br>
>         >     command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad post-save<br>
>         command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ca_cert "caSigningCert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229151858':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert<br>
>         cert-pki-ca',token='NSS<br>
>         >     Certificate DB',pin set certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert<br>
>         cert-pki-ca',token='NSS<br>
>         >     Certificate DB' CA: dogtag-ipa-renew-agent issuer:<br>
>         CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.co<wbr>m</a>><br>
>         >     <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.c<wbr>om</a><br>
>         <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.c<wbr>om</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-19 15:18:16<br>
>         UTC key<br>
>         >     usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth,id-kp-emailProtection<br>
>         >     pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad<br>
>         post-save<br>
>         >     command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert<br>
>         "Server-Cert<br>
>         >     cert-pki-ca" track: yes auto-renew: yes Request ID<br>
>         '20161229152115':<br>
>         >     status: MONITORING stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS<br>
>         >     Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
>         certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS<br>
>         >     Certificate DB' CA: IPA issuer: CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">ipa12.mgmt.crosschx.com</a> <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.co<wbr>m</a>><br>
>         >     <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.c<wbr>om</a><br>
>         <<a href="http://ipa12.mgmt.crosschx.com" rel="noreferrer" target="_blank">http://ipa12.mgmt.crosschx.c<wbr>om</a>>>,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         >     <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires: 2018-12-30 15:14:54<br>
>         UTC key<br>
>         >     usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth pre-save command:<br>
>         post-save<br>
>         >     command: /usr/libexec/ipa/certmonger/re<wbr>start_httpd track: yes<br>
>         >     auto-renew: yes Request ID '20161229152204': status:<br>
>         MONITORING<br>
>         >     stuck: no key pair storage:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS<br>
>         >     Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
>         certificate:<br>
>         ><br>
>          type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS<br>
>         >     Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:<br>
>         CN=Certificate<br>
>         >     Authority,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> subject:<br>
>         >     CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">MGMT.CROSSCHX.COM</a> <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>><br>
>         <<a href="http://MGMT.CROSSCHX.COM" rel="noreferrer" target="_blank">http://MGMT.CROSSCHX.COM</a>> expires:<br>
>         >     2018-11-12 13:01:34 UTC key usage:<br>
>         ><br>
>          digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         >     eku: id-kp-serverAuth,id-kp-clientA<wbr>uth pre-save command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ra_cert_pre post-save<br>
>         command:<br>
>         >     /usr/libexec/ipa/certmonger/r<wbr>enew_ra_cert track: yes<br>
>         auto-renew: yes<br>
>         ><br>
>         ><br>
>         >     *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*<br>
>         >     614.427.2411<br>
>         >     <a href="mailto:mike.plemmons@crosschx.com" target="_blank">mike.plemmons@crosschx.com</a><br>
>         >     <a href="http://www.crosschx.com" rel="noreferrer" target="_blank">www.crosschx.com</a><br>
<br>
</blockquote></div><br></div></div>
</blockquote></div><br></div>
</blockquote></div><br></div></div>
</blockquote></div><br></div>