<html dir="ltr"><head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr" style="text-align:left; direction:ltr;"><div>ZD,</div><div><br></div><div>Open the .crt file and delete the newline, header and footer. Now, update the CS.cfg with this value.</div><div><br></div><div>Reference: <a href="https://www.dogtagpki.org/wiki/System_Certificate_Renewal#PKI_10.3_or_earlier_2">https://www.dogtagpki.org/wiki/System_Certificate_Renewal#PKI_10.3_or_earlier_2</a></div><div><br></div><div>Regards,</div><div>Dinesh</div><div><br></div><div>On Sun, 2018-12-02 at 02:09 +0000, Z D wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"> <div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;" dir="ltr"> <p style="margin-top:0;margin-bottom:0">Thanks Dinesh, <span><br> </span></p> <p style="margin-top:0;margin-bottom:0"><span>I misread that argument for ca-cert-request-review is serial number, but as you said it has to be request ID. Indeed, I made progress, and <span>can retrieve renewed Cert: </span></span></p> <p style="margin-top:0;margin-bottom:0"><span><br> </span></p> <p style="margin-top:0;margin-bottom:0"><span></span></p> <div>[root@ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output ipacert.crt<br> ------------------------<br> Certificate "0x8fff0090"<br> ------------------------<br> Serial Number: 0x8fff0090<br> Issuer: CN=Certificate Authority,O=DOMAIN.COM<br> Subject: CN=IPA RA,O=DOMIAN.COM<br> Status: VALID<br> Not Before: Fri Aug 10 01:08:19 PDT 2018<br> Not After: Thu Jul 30 01:08:19 PDT 2020</div> <br> <p></p> <p style="margin-top:0;margin-bottom:0"><span></span>I also stopped PKI server, removed old cert from NSS database, and installed new one. This is all for ipaCert. But before I start renewing other ones (audit, ocsp, subsystem), I have to ask next<br> </p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0">[1] how to properly convert cert (.crt file) into one line? <br> </p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0">I believe I need this in order to update below lines in CS.cfg file. <br> </p> <p style="margin-top:0;margin-bottom:0"></p> <div>ca.audit_signing.cert=...<br> ca.ocsp_signing.cert=...<br> ca.subsystem.cert=...</div> <br> <p></p> Thanks a lot for your support. Zarko<br> <br> <div style="color: rgb(0, 0, 0);"> <hr style="display:inline-block;width:98%" tabindex="-1"> <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com><br> <b>Sent:</b> Tuesday, November 27, 2018 9:56 AM<br> <b>To:</b> Z D; John Magne; pki-users@redhat.com<br> <b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font> <div> </div> </div> <div style="text-align:left; direction:ltr"> <div>ZD,</div> <div><br> </div> <div>From [6], your request ID is 89990160. But, you are passing request ID as 7</div> <div><br> </div> <div>Regards,</div> <div>Dinesh</div> <div><br> </div> <div>On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:</div> <blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"> <div>[6] Submit cert request, it's pending <br> </div> <div><br> # pki ca-cert-request-submit caManualRenewal.xml<br> -----------------------------<br> Submitted certificate request<br> -----------------------------<br> Request ID: 89990160<br> Type: renewal<br> Request Status: pending<br> Operation Result: success<br> <br> <br> [7] This fails with message "<span>BadRequestException: Request Not In Pending State</span>", as per [6] it should be in pending state<br> </div> <div><br> # pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve</div> </blockquote> </div> </div> </div> </blockquote></body></html>