[Freeipa-users] Problems with expired certificates
Tómas Edwardsson
tommi at tommi.org
Wed Oct 16 23:56:57 UTC 2013
I'm having issues with expired certificates in /var/lib/pki-ca/alias, which I'm quite unsure how to fix. The ones that have expired are:
subsystemCert cert-pki-ca
Server-Cert cert-pki-ca
According to "getcert list", the following 2 requests are stuck:
Request ID '20130415234030':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=D.LAN
subject: CN=CA Subsystem,O=D.LAN
expires: 2013-07-10 14:24:34 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130415234032':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=D.LAN
subject: CN=auth.d.lan,O=D.LAN
expires: 2013-07-10 14:24:33 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Here is what I could find from some browsing with certutil:
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca" | grep "Not After"
Not After : Wed Jul 10 14:24:34 2013
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca" | grep "Not After"
Not After : Mon Jun 29 00:00:55 2015
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca" | grep "Not After"
Not After : Sun Jul 21 14:24:32 2019
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca" | grep "Not After"
Not After : Wed Jul 10 14:24:33 2013
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca" | grep "Not After"
Not After : Mon Jun 29 00:01:55 2015
How can I renew the affected certificates?
---
Tomas Edwardsson
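The post pairs two things by hand: the certmonger requests that are "stuck", and the "Not After" dates certutil reports for each nickname in the NSS database. The script below automates that pairing. It is an added example, not code from the post or from FreeIPA/certmonger: it parses `getcert list` and certutil output in the formats shown above, reports which stuck requests correspond to an expired certificate, and flags when the expired set includes the CA's own HTTPS certificate (Server-Cert cert-pki-ca, CN=auth.d.lan), since that is the peer certificate certmonger fails to validate when it connects to port 9443 in the error text. The sample data is constructed from the values in the post, with a third, made-up request ID (20130415234099) added only to exercise the non-stuck path; the reference time is the post's own date. The `dump_notafter` collector needs certutil and is not used by the offline run.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeIPA): map stuck
# certmonger requests to expired NSS DB certificates.

tab=$(printf '\t')

# Collector for a real host: prints "nickname<TAB>Not After : ..." for every
# certificate in an NSS database. Entry lines are recognised by their trust
# attribute column (e.g. "u,u,u", "CTu,Cu,Cu"); runs of spaces inside a
# nickname are collapsed to one. Needs certutil; unused by the offline run.
dump_notafter() {
    db=$1
    certutil -d "$db" -L |
    awk 'NF >= 2 && $NF ~ /^[CTPpuw,]+$/ { $NF = ""; sub(/[ \t]+$/, ""); print }' |
    while IFS= read -r nick; do
        printf '%s\t%s\n' "$nick" "$(certutil -d "$db" -L -n "$nick" | grep 'Not After')"
    done
}

# "Wed Jul 10 14:24:34 2013" -> 20130710142434 (a number, so -lt compares it;
# pure awk, no dependency on GNU date -d).
notafter_to_key() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= n; i++) mon[m[i]] = i }
        { split($4, t, ":")
          printf "%04d%02d%02d%02d%02d%02d\n", $5, mon[$2], $3, t[1], t[2], t[3] }'
}

# stdin: dump_notafter lines; $1: reference time as YYYYMMDDHHMMSS.
# Prints the nicknames whose "Not After" is earlier than the reference time.
expired_nicknames() {
    while IFS="$tab" read -r nick line; do
        key=$(notafter_to_key "${line#*: }")
        if [ "$key" -lt "$1" ]; then printf '%s\n' "$nick"; fi
    done
}

# stdin: "getcert list" output; prints "request-id<TAB>nickname" for every
# request whose "stuck:" field is "yes". The nickname is taken from the
# "certificate:" line, not the "key pair storage:" line.
stuck_requests() {
    awk -v q="'" '
        /^Request ID/ { id = $0; gsub(/[^0-9]/, "", id); stuck = 0; nick = "" }
        /^[[:space:]]*stuck: yes/ { stuck = 1 }
        /^[[:space:]]*certificate: / { nick = $0; sub(".*nickname=" q, "", nick); sub(q ".*", "", nick) }
        stuck && nick != "" { printf "%s\t%s\n", id, nick; stuck = 0 }'
}

# $1: reference time; $2: getcert output; $3: dump_notafter output.
# One "resubmit <id> (<nickname>)" line per stuck request whose certificate
# has expired, then a warning if the CA's own HTTPS certificate is expired:
# until it is replaced, certmonger cannot validate the CA on port 9443, so
# resubmitting alone will keep failing with the same CA_UNREACHABLE error.
diagnose() {
    expired=$(printf '%s\n' "$3" | expired_nicknames "$1")
    printf '%s\n' "$2" | stuck_requests | while IFS="$tab" read -r id nick; do
        if printf '%s\n' "$expired" | grep -qxF "$nick"; then
            printf 'resubmit %s (%s)\n' "$id" "$nick"
        fi
    done
    if printf '%s\n' "$expired" | grep -q '^Server-Cert '; then
        echo "Server-Cert is expired: certmonger cannot validate the CA on port 9443 until it is replaced"
    fi
}

# Constructed sample input, abridged from the post's "getcert list"; the third
# request (20130415234099) is made up to show a request that is not stuck.
sample_getcert() {
cat <<'EOF'
Request ID '20130415234030':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20130415234032':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
Request ID '20130415234099':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
EOF
}

# Constructed sample, the five "Not After" values from the post.
sample_dump() {
    printf '%s\n' \
        "subsystemCert cert-pki-ca${tab}Not After : Wed Jul 10 14:24:34 2013" \
        "ocspSigningCert cert-pki-ca${tab}Not After : Mon Jun 29 00:00:55 2015" \
        "caSigningCert cert-pki-ca${tab}Not After : Sun Jul 21 14:24:32 2019" \
        "Server-Cert cert-pki-ca${tab}Not After : Wed Jul 10 14:24:33 2013" \
        "auditSigningCert cert-pki-ca${tab}Not After : Mon Jun 29 00:01:55 2015"
}

# Reference time: the post's date, Wed Oct 16 23:56:57 UTC 2013.
diagnose 20131016235657 "$(sample_getcert)" "$(sample_dump)"
```

On the real host, replace the two sample functions with `getcert list` and `dump_notafter /var/lib/pki-ca/alias`. The request IDs it prints are what `getcert resubmit -i <id>` takes; the Server-Cert warning is the reason those resubmits will not succeed on their own while the CA's HTTPS certificate is still the expired one.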