[Freeipa-users] Problems with expired certificates

Dmitri Pal dpal at redhat.com
Sat Oct 19 21:17:15 UTC 2013


On 10/16/2013 07:56 PM, Tómas Edwardsson wrote:
> I'm having issues with expired certificates in /var/lib/pki-ca/alias which I'm quite unsure on how to fix. The ones that have expired are:
>
>   subsystemCert cert-pki-ca
>   Server-Cert cert-pki-ca

Please search this list for some recommendations. There have been some
recently.
They will give you some hints.
The general path is to set the time into the past and then force the
certificate rotation.
The specific steps depend on the version of IPA you have.

>
> According to "getcert list" the following 2 requests are stuck
>
>
>   Request ID '20130415234030':
> 	status: CA_UNREACHABLE
> 	ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
> 	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: dogtag-ipa-renew-agent
> 	issuer: CN=Certificate Authority,O=D.LAN
> 	subject: CN=CA Subsystem,O=D.LAN
> 	expires: 2013-07-10 14:24:34 UTC
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
>
>   Request ID '20130415234032':
> 	status: CA_UNREACHABLE
> 	ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
> 	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> 	CA: dogtag-ipa-renew-agent
> 	issuer: CN=Certificate Authority,O=D.LAN
> 	subject: CN=auth.d.lan,O=D.LAN
> 	expires: 2013-07-10 14:24:33 UTC
> 	eku: id-kp-serverAuth
> 	pre-save command: 
> 	post-save command: 
> 	track: yes
> 	auto-renew: yes
>
>
> Here is what I could find from some browsing with certutil:
>
>   [root at auth ~]# certutil -d /var/lib/pki-ca/alias -L
>   Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
>   subsystemCert cert-pki-ca                                    u,u,u
>   ocspSigningCert cert-pki-ca                                  u,u,u
>   caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>   Server-Cert cert-pki-ca                                      u,u,u
>   auditSigningCert cert-pki-ca                                 u,u,Pu
>
>
>
>   [root at auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca"|grep "Not After"
>             Not After : Wed Jul 10 14:24:34 2013
>   [root at auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca"|grep "Not After"
>             Not After : Mon Jun 29 00:00:55 2015
>   [root at auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca"|grep "Not After"
>             Not After : Sun Jul 21 14:24:32 2019
>   [root at auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca"|grep "Not After"
>             Not After : Wed Jul 10 14:24:33 2013
>   [root at auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca"|grep "Not After"
>             Not After : Mon Jun 29 00:01:55 2015
>
>
>
> How can I renew the affected certificates?
>
> --- 
> Tomas Edwardsson


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
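A small triage script for the situation described in the thread, added here as an example (it is not from the original post, nor from FreeIPA, Dogtag or certmonger): it parses the "Not After" lines that certutil prints and the per-request blocks of "getcert list", flags certificates that are expired or about to expire, and joins the two views so each stuck certmonger request is shown against the NSS database expiry of the certificate it tracks. The sample output embedded in the script is constructed from the values quoted above, and the clock is pinned to the date of the original message so the result is reproducible offline.

```python
"""Flag expired and stuck Dogtag CA certificates from certutil / getcert output.
Added example, not code from the original thread; the samples are constructed
from the values quoted in the post and NOW is pinned to the post's date."""
import re
from datetime import datetime, timezone

# Constructed: the line 'certutil -d /var/lib/pki-ca/alias -L -n "<nick>" | grep "Not After"'
# printed for each nickname in the thread.
CERTUTIL_NOT_AFTER = {
    "subsystemCert cert-pki-ca":    "            Not After : Wed Jul 10 14:24:34 2013",
    "ocspSigningCert cert-pki-ca":  "            Not After : Mon Jun 29 00:00:55 2015",
    "caSigningCert cert-pki-ca":    "            Not After : Sun Jul 21 14:24:32 2019",
    "Server-Cert cert-pki-ca":      "            Not After : Wed Jul 10 14:24:33 2013",
    "auditSigningCert cert-pki-ca": "            Not After : Mon Jun 29 00:01:55 2015",
}

# Constructed: 'getcert list' output trimmed to the fields this script reads.
GETCERT_LIST = """\
Request ID '20130415234030':
\tstatus: CA_UNREACHABLE
\tca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
\tstuck: yes
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2013-07-10 14:24:34 UTC
Request ID '20130415234032':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2013-07-10 14:24:33 UTC
"""

NOW = datetime(2013, 10, 16, 19, 56, tzinfo=timezone.utc)  # date of the original post

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")
REQUEST_RE = re.compile(r"^\s*Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_not_after(line):
    """certutil prints NSS ctime format ('Wed Jul 10 14:24:34 2013'); the thread's
    values match getcert's UTC 'expires' field, so UTC is assumed here."""
    m = NOT_AFTER_RE.search(line)
    if not m:
        raise ValueError("no 'Not After' field in %r" % line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def certificate_status(not_after_by_nick, now=NOW, warn_days=30):
    """[(nickname, not_after, 'expired' | 'expiring' | 'ok')] sorted by expiry."""
    report = []
    for nick, line in not_after_by_nick.items():
        not_after = parse_not_after(line)
        remaining = (not_after - now).days  # negative once the cert is past Not After
        status = "expired" if remaining < 0 else "expiring" if remaining <= warn_days else "ok"
        report.append((nick, not_after, status))
    return sorted(report, key=lambda r: r[1])


def parse_getcert_list(text):
    """One {field: value} dict per 'Request ID' block; values split on the first ':'
    so the URL inside a ca-error line stays intact."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in raw:
            key, _, value = raw.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def stuck_requests(requests):
    """Requests certmonger has given up on (stuck: yes) with the NSS nickname each tracks."""
    out = []
    for req in requests:
        if req.get("stuck") == "yes":
            m = NICKNAME_RE.search(req.get("certificate", ""))
            out.append((req["request_id"], m.group(1) if m else None, req.get("status")))
    return out


def triage(not_after_by_nick, getcert_text, now=NOW):
    """Join both views: for each stuck request, is the certificate it tracks already expired?"""
    by_nick = {nick: status for nick, _, status in certificate_status(not_after_by_nick, now)}
    return [(rid, nick, by_nick.get(nick, "not-in-nssdb"))
            for rid, nick, _ in stuck_requests(parse_getcert_list(getcert_text))]


if __name__ == "__main__":
    for nick, not_after, status in certificate_status(CERTUTIL_NOT_AFTER):
        print("%-30s %s  %s" % (nick, not_after.strftime("%Y-%m-%d %H:%M:%S"), status))
    for rid, nick, status in triage(CERTUTIL_NOT_AFTER, GETCERT_LIST):
        print("request %s -> %s: %s" % (rid, nick, status))
```

On a live server the same functions can be fed the actual output of `certutil -d /var/lib/pki-ca/alias -L -n "<nickname>"` and `getcert list`. The signal worth alerting on is the combination the thread shows: `stuck: yes` together with a `Not After` already in the past, which is the state where certmonger can no longer renew on its own because the CA's own subsystem and server certificates have lapsed. The `expiring` status with the 30-day window is there so the check can run from cron before the certificates lapse, which is the point at which renewal is still routine.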