[Freeipa-users] Problem with IPAv2 certificate renewal

Michal Nawrocki michal.nawrocki at allegrogroup.com
Tue Jul 15 12:07:51 UTC 2014


Hello,
I'm trying to renew IPA server certificates according to this howto:
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and have a problem
with one of them.

After starting tracking and resubmitting all 4 PKI certificates
("auditSigningCert cert-pki-ca², "ocspSigningCert cert-pki-ca²,
"subsystemCert cert-pki-ca² and "Server-Cert cert-pki-ca²)
three of them get refreshed but "ocspSigningCert cert-pki-ca" gets
refreshed with different values of certificate subject and "extended key
usage" attribute.

Original:
Subject: "CN=OCSP Subsystem,O=[REALM]²
Name: Extended Key Usage
    OCSP Responder Certificate

After renewal:
Subject: "CN=[server full hostname],O=[REALM]"
Name: Extended Key Usage
    TLS Web Server Authentication Certificate
    TLS Web Client Authentication Certificate

On the testing environment every certificate got refreshed without problems.
The ocsp certificate got refreshed with only the "not before" and "not after"
values changed.

After trying to manually delete the certificate from the database in
/var/lib/pki-ca/alias by running:
certutil -D -d /var/lib/pki-ca/alias/ -n "ocspSigningCert cert-pki-ca"

and creating a request with this command:
getcert request -d /var/lib/pki-ca/alias/ -n "ocspSigningCert cert-pki-ca"
-P [PIN] -N "CN=OCSP Subsystem,O=REALM" -c dogtag-ipa-renew-agent -T
caOCSPCert -U id-kp-OCSPSigning

we end up with a new ocsp certificate with the proper subject (Subject: "CN=OCSP
Subsystem,O=[REALM]"), but Extended Key Usage is still set to:
    TLS Web Server Authentication Certificate
    TLS Web Client Authentication Certificate
After changing the "ca.ocsp_signing.cert" entry in /etc/pki-ca/CS.cfg to the
one-line version of the new certificate, the pki-cad daemon starts only for a few
seconds and then shuts down without anything in the log files.

Everything was done in accordance with the howto, and everything was done
several times on the testing environment.

After some investigation we noticed that:
ipa cert-show 2 shows the "CN=OCSP Subsystem" certificate on the test env but the host
certificate on production.
It looks like there were some problems with replication of pki / dogtag and the
certificate with serial no #2 got replaced.

Has anyone had a similar problem?

I would appreciate any help because in 2 weeks our IPA certificates will
expire...

Best regards
Michal
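The mismatch Michal describes (renewed "ocspSigningCert cert-pki-ca" carrying the host's subject and TLS server/client EKU instead of "CN=OCSP Subsystem" with the OCSP Responder EKU) can be caught before the old certificate expires by checking the renewed certificate's subject and Extended Key Usage in the NSS database. The script below is an added example, not part of the post or of FreeIPA/Dogtag; it parses the text that `certutil -L -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"` prints (the Subject and "Name: Extended Key Usage" lines in the layout quoted above) and reports any deviation. The realm EXAMPLE.COM, the hostname ipa.example.com and both sample outputs are constructed for the example; the indentation-based parsing of the EKU block is an assumption about certutil's layout.

```python
"""Check that a renewed Dogtag OCSP signing cert still looks like one.

Added example (not FreeIPA/Dogtag code). It parses `certutil -L -n NICK`
text output and flags the symptom from the post: a subject that is the host
name instead of "CN=OCSP Subsystem" and an EKU of TLS server/client auth
instead of OCSP Responder.
"""
import re
import subprocess
import sys

EXPECTED_SUBJECT_CN = "OCSP Subsystem"
EXPECTED_EKU = {"OCSP Responder Certificate"}

# Constructed sample output (trimmed to the fields the post quotes); realm and
# hostname are made up. This is what the broken production renewal looked like.
SAMPLE_BAD = """\
Certificate:
    Data:
        Serial Number: 2 (0x2)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=ipa.example.com,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate
            Name: Certificate Key Usage
                Digital Signature
"""

# Constructed sample of a correct renewal, as seen on the test environment.
SAMPLE_GOOD = """\
Certificate:
    Data:
        Serial Number: 2 (0x2)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=OCSP Subsystem,O=EXAMPLE.COM"
        Signed Extensions:
            Name: Extended Key Usage
                OCSP Responder Certificate
            Name: Certificate Key Usage
                Digital Signature
"""


def parse_certutil_output(text):
    """Extract serial, subject DN and EKU names from certutil -L text output."""
    serial, subject, eku = None, None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r'\s*Serial Number: (\d+)', line)
        if m:
            serial = int(m.group(1))
        m = re.match(r'\s*Subject: "(.*)"\s*$', line)
        if m:
            subject = m.group(1)
        m = re.match(r'(\s*)Name: Extended Key Usage\s*$', line)
        if m:
            # EKU values are the lines indented deeper than the "Name:" line
            # (assumed certutil layout); stop at the first line that is not.
            indent = len(m.group(1))
            i += 1
            while i < len(lines):
                nxt = lines[i]
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                eku.append(nxt.strip())
                i += 1
            continue
        i += 1
    return {"serial": serial, "subject": subject, "eku": eku}


def subject_cn(dn):
    """Return the CN of a simple RFC 4514 DN (escaped commas not handled)."""
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def check_ocsp_cert(text):
    """Return findings for a certutil dump; an empty list means it looks right."""
    info = parse_certutil_output(text)
    findings = []
    cn = subject_cn(info["subject"] or "")
    if cn != EXPECTED_SUBJECT_CN:
        findings.append(f"subject CN is {cn!r}, expected {EXPECTED_SUBJECT_CN!r}")
    eku = set(info["eku"])
    if eku != EXPECTED_EKU:
        findings.append(f"EKU is {sorted(eku)}, expected {sorted(EXPECTED_EKU)}")
    return findings


def dump_nssdb_cert(dbdir, nickname):
    """Run certutil against a real NSS database (only used from the CLI)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Usage: python check_ocsp.py [/var/lib/pki-ca/alias] [nickname]
    if len(sys.argv) > 1:
        text = dump_nssdb_cert(sys.argv[1],
                               sys.argv[2] if len(sys.argv) > 2 else "ocspSigningCert cert-pki-ca")
    else:
        text = SAMPLE_BAD
    problems = check_ocsp_cert(text)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run against the bad sample the script reports both the wrong subject CN and the wrong EKU; against the good sample it is silent. Point it at the live database (`python check_ocsp.py /var/lib/pki-ca/alias`) on each CA replica and compare: a differing result between replicas is consistent with the serial #2 replacement suspected in the post.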