[Freeipa-users] Problem with IPAv2 certificate renewal

Rob Crittenden rcritten at redhat.com
Wed Jul 16 17:17:44 UTC 2014

Michal Nawrocki wrote:
> Hello,
> I'm trying to renew IPA server certificates according to this howto:
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and have a problem
> with one of them.
> After starting tracking and resubmitting all 4 PKI certificates
> ("auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
> "subsystemCert cert-pki-ca" and "Server-Cert cert-pki-ca")
> three of them get refreshed but "ocspSigningCert cert-pki-ca" gets
> refreshed with different values of certificate subject and "extended key
> usage" attribute.
> Original:
> Subject: "CN=OCSP Subsystem,O=[REALM]"
> Name: Extended Key Usage
>     OCSP Responder Certificate
> After renewal:
> Subject: "CN=[server full hostname],O=[REALM]"
> Name: Extended Key Usage
>     TLS Web Server Authentication Certificate
>     TLS Web Client Authentication Certificate

Hard to say but my guess would be the wrong profile was used at some
point. It may be difficult now to figure out what happened.

> On the testing environment every certificate got refreshed without problems.
> The ocsp certificate got refreshed with only the "not before" and "not after"
> values changed.
> After trying to manually delete certificate from database in
> /var/lib/pki-ca/alias by running:
> certutil -D -d /var/lib/pki-ca/alias/ -n "ocspSigningCert cert-pki-ca"
> creating request with this command:
> getcert request -d /var/lib/pki-ca/alias/ -n "ocspSigningCert cert-pki-ca"
> -P [PIN] -N "CN=OCSP Subsystem,O=REALM" -c dogtag-ipa-renew-agent -T
> caOCSPCert -U id-kp-OCSPSigning

It is very possible you got a new private key as well when you did this.
I don't know if that is harmful or not.

You probably have a backup of the original certs in /root/cacert.p12.
You can extract those in a temporary database and see what they looked
like at install time, and what the serial #'s were.

> we end up with new ocsp certificate with proper subject (Subject: "CN=OCSP
> Subsystem,O=[REALM]"), but Extended Key Usage is still set to:
> "TLS Web Server Authentication Certificate
>     TLS Web Client Authentication Certificate
> "
> After changing the "ca.ocsp_signing.cert" entry in /etc/pki-ca/CS.cfg with
> one-line version of new certificate, pki-cad daemon starts only for a few
> seconds and then shuts down without anything in log files.

I'd check the debug and selftests.log logs carefully. Sometimes the
output is subtle in the CA logs, so errors don't immediately jump out.

> Everything is done in accordance with the howto and everything was done
> several times on the testing environment.
> After some investigation we noticed that:
> ipa cert-show 2 shows "CN=OCSP Subsystem" certificate on test env but host
> certificate on production.
> It looks like there were some problems with replication of pki / dogtag and
> the certificate with serial no #2 got replaced.

There is no guaranteed ordering of serial numbers so it may be just
fine. It would not be related to replication in any case.


> Anyone had similar problem?
> I will appreciate any help because in 2 weeks our IPA certificates will
> expire...
> Best regards
> Michal
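The two properties the thread compares (subject CN and Extended Key Usage) are easy to check mechanically before the renewed cert is written into CS.cfg. The script below is an added example, not code from either poster or from FreeIPA: it takes a PEM certificate (for instance one exported from the NSS database with `certutil -L -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" -a`), reports subject and EKU, and fails unless the subject is CN=OCSP Subsystem and the only EKU is OCSP Signing. The realm and hostname in the constructed test certificates are placeholders; it assumes OpenSSL 1.1.1 or newer for `-ext` and `-addext`.

```shell
#!/bin/sh
# Sanity check for a renewed "ocspSigningCert cert-pki-ca": the certificate
# must keep the subject CN=OCSP Subsystem and carry only the OCSP Signing EKU.
# Input is a PEM file; exit status 0 means the cert matches the original profile.

check_ocsp_cert() {
  pem="$1"
  subject=$(openssl x509 -in "$pem" -noout -subject)
  # "-ext" prints a header line, then the indented list of usage names.
  eku=$(openssl x509 -in "$pem" -noout -ext extendedKeyUsage 2>/dev/null \
        | tail -n +2 | sed 's/^[[:space:]]*//')
  printf '%s\n  %s\n  EKU: %s\n' "$pem" "$subject" "${eku:-<none>}"
  case "$subject" in
    *"CN = OCSP Subsystem"*|*"CN=OCSP Subsystem"*) ;;
    *) echo "  FAIL: subject is not CN=OCSP Subsystem"; return 1 ;;
  esac
  if [ "$eku" != "OCSP Signing" ]; then
    echo "  FAIL: expected EKU 'OCSP Signing' only"; return 1
  fi
  echo "  OK"
}

# Constructed, self-signed throwaway certificates for demonstration only;
# these are not IPA's certs and the realm/hostname values are placeholders.
make_cert() {  # make_cert OUT.pem SUBJECT EKU-LIST
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}

WORK=$(mktemp -d)
GOOD="$WORK/ocsp-good.pem"   # what the renewal should have produced
BAD="$WORK/ocsp-bad.pem"     # what the post describes after renewal
make_cert "$GOOD" "/O=EXAMPLE.REALM/CN=OCSP Subsystem" "OCSPSigning"
make_cert "$BAD"  "/O=EXAMPLE.REALM/CN=ipa.example.test" "serverAuth,clientAuth"

check_ocsp_cert "$GOOD"
check_ocsp_cert "$BAD" || true
```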
