[Freeipa-users] Problems with expired certificates

Tómas Edwardsson tommi at tommi.org
Wed Oct 16 23:56:57 UTC 2013


I'm having issues with expired certificates in /var/lib/pki-ca/alias, which I'm quite unsure how to fix. The ones that have expired are:

  subsystemCert cert-pki-ca
  Server-Cert cert-pki-ca

According to "getcert list", the following 2 requests are stuck:


  Request ID '20130415234030':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
	stuck: yes
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=D.LAN
	subject: CN=CA Subsystem,O=D.LAN
	expires: 2013-07-10 14:24:34 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes

  Request ID '20130415234032':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
	stuck: yes
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=D.LAN
	subject: CN=auth.d.lan,O=D.LAN
	expires: 2013-07-10 14:24:33 UTC
	eku: id-kp-serverAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes


Here is what I could find from some browsing with certutil:

  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
  Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

  subsystemCert cert-pki-ca                                    u,u,u
  ocspSigningCert cert-pki-ca                                  u,u,u
  caSigningCert cert-pki-ca                                    CTu,Cu,Cu
  Server-Cert cert-pki-ca                                      u,u,u
  auditSigningCert cert-pki-ca                                 u,u,Pu



  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca"|grep "Not After"
            Not After : Wed Jul 10 14:24:34 2013
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca"|grep "Not After"
            Not After : Mon Jun 29 00:00:55 2015
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca"|grep "Not After"
            Not After : Sun Jul 21 14:24:32 2019
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca"|grep "Not After"
            Not After : Wed Jul 10 14:24:33 2013
  [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca"|grep "Not After"
            Not After : Mon Jun 29 00:01:55 2015



How can I renew the affected certificates?

--- 
Tomas Edwardsson
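The post's "getcert list" output is the kind of thing worth checking automatically before a CA's own certificates lapse. The following is an added example, not code from the poster or from the FreeIPA project: it parses certmonger's "getcert list" text format into records, flags requests that are stuck, expired or close to expiry against a supplied reference time, and applies one labelled heuristic, namely that when the CA's own HTTPS certificate ("Server-Cert cert-pki-ca") is expired and other tracked requests report CA_UNREACHABLE, the expired server certificate is the probable reason the renewal agent cannot validate the peer. The sample output and the reference time (the post's date) are constructed for the example; in practice the text would come from running `getcert list` on the CA host.

```python
"""Parse `getcert list` output and report stuck, expired or expiring requests.

Added example, not from the mailing-list post. The sample text below is
constructed to mirror the post's two stuck requests plus one healthy one.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (abridged fields), modelled on the post's output.
SAMPLE_GETCERT_LIST = """\
Request ID '20130415234030':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
	stuck: yes
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	subject: CN=CA Subsystem,O=D.LAN
	expires: 2013-07-10 14:24:34 UTC
Request ID '20130415234032':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
	stuck: yes
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	subject: CN=auth.d.lan,O=D.LAN
	expires: 2013-07-10 14:24:33 UTC
Request ID '20130415234040':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	subject: CN=Certificate Authority,O=D.LAN
	expires: 2019-07-21 14:24:32 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")  # key is text before the first colon
NICK_RE = re.compile(r"nickname='([^']+)'")


def parse_getcert_list(text):
    """Return one dict per request; fields keep certmonger's own key names."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    for r in requests:
        nick = NICK_RE.search(r.get("certificate", ""))
        r["nickname"] = nick.group(1) if nick else None
        # certmonger prints expiry as "YYYY-MM-DD HH:MM:SS UTC"
        stamp = r["expires"].replace(" UTC", "")
        r["expires_at"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return requests


def assess(requests, now, warn_days=30):
    """Flag each request relative to `now` (an aware UTC datetime)."""
    findings = []
    for r in requests:
        days_left = (r["expires_at"] - now) / timedelta(days=1)
        findings.append({
            "id": r["id"], "nickname": r["nickname"], "status": r.get("status"),
            "stuck": r.get("stuck") == "yes",
            "expired": days_left < 0,
            "expiring": 0 <= days_left < warn_days,
            "days_left": round(days_left, 1),
        })
    return findings


def likely_renewal_deadlock(findings):
    """Heuristic (assumption, not a certmonger rule): the renewal agent talks TLS
    to the CA's own HTTPS port, so an expired CA server cert alongside
    CA_UNREACHABLE on other requests points at the server cert as the blocker."""
    server = next((f for f in findings if f["nickname"] == "Server-Cert cert-pki-ca"), None)
    if server is None or not server["expired"]:
        return False
    return any(f["status"] == "CA_UNREACHABLE" for f in findings if f is not server)


def report(text, now):
    """Build a one-line-per-request summary plus the deadlock note if it applies."""
    findings = assess(parse_getcert_list(text), now)
    lines = []
    for f in findings:
        flags = [k for k in ("stuck", "expired", "expiring") if f[k]]
        lines.append(f"{f['id']} {f['nickname']}: {f['status']} "
                     f"days_left={f['days_left']} {' '.join(flags) or 'ok'}")
    if likely_renewal_deadlock(findings):
        lines.append("NOTE: CA server cert is expired while renewals report CA_UNREACHABLE; "
                     "renewal requests to the CA's HTTPS port cannot validate the peer")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GETCERT_LIST, datetime(2013, 10, 16, 23, 56, 57, tzinfo=timezone.utc)))
```

Run against real output (`getcert list | python3 this_script.py`-style piping is left out to keep the example offline), the "days_left" column gives an early warning well before the 30-day default, which is the point at which the situation in the post becomes hard to recover: once the CA's own server certificate has lapsed, the renewal agent can no longer reach the CA to renew anything.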



