[Freeipa-users] Renewing FreeIPA 2.2 certificate

William Muriithi william.muriithi at gmail.com
Sun Nov 2 21:58:07 UTC 2014


Afternoon

I have been trying to renew the FreeIPA certificate for the last three
days and I am running out of luck. I can't, for example, use the GUI
interface, and the ipa CLI tools are also failing since the certificate
expired on the 27th of last month.  I have followed the instructions below
but may be missing a step.

http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Below is what I have done.  I seem to have renewed some certificate
successfully.


[root at ipa1-yyz-int 10.30.2014]# cat certificate_status.sh
#!/bin/bash

# Print the "Not After" line for each CA subsystem certificate in the pki-ca NSS database
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
   do
     echo "$nickname"
     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
   done


[root at ipa1-yyz-int 10.30.2014]# ./certificate_status.sh
auditSigningCert cert-pki-ca
            Not After : Thu Apr 23 22:18:47 2015
ocspSigningCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
subsystemCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
Server-Cert cert-pki-ca
            Not After : Fri Oct 14 22:17:48 2016


I think I have done the steps above correctly but don't understand this section:

[root at ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
        Validity:
            Not Before: Tue Nov 06 21:35:53 2012
            Not After : Mon Oct 27 21:35:53 2014

As you can see below, this certificate was not renewed, and therefore
I couldn't change the serial # through LDAP tools.  Which step would I
have missed, or rather, what should I re-run?


I would be grateful for a second pair of eyes looking at it and advice on what I
could be missing.

I know I am using old software. I did set up a replica successfully on
Friday, but it also has certificate issues.  I plan to move all the
certificate roles to FreeIPA 3 once I get the certificate issues
sorted, and then decommission FreeIPA 2.2.

William
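The expiry check the post does by hand (certutil -L piped through grep) can be turned into a monitoring script that reports days remaining and flags expired or soon-to-expire certificates, so an expired ipaCert is caught before the ipa tools stop working. This is an added example, not the poster's script; it assumes GNU date (date -d) and the NSS certutil tool, and the embedded certutil output is a constructed sample modelled on the ipaCert shown above.

```shell
#!/bin/bash
# Added example (not the original poster's script): compute days until expiry
# for NSS certificates and flag EXPIRED / EXPIRING ones.
# Assumes GNU date (date -d) and NSS certutil; sample output below is constructed.

# Pull the "Not After" date string out of `certutil -L -d DB -n NICK` output (stdin).
not_after_from_certutil() {
  sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Days from REF (default: now) until NOT_AFTER; negative means already expired.
# Both dates are parsed as UTC so the result does not depend on the local TZ.
days_until_expiry() {
  local not_after="$1" ref="${2:-now}" exp_s ref_s
  exp_s=$(TZ=UTC date -d "$not_after" +%s) || return 2
  ref_s=$(TZ=UTC date -d "$ref" +%s) || return 2
  echo $(( (exp_s - ref_s) / 86400 ))
}

# Map a day count to a status word; warning threshold defaults to 30 days.
cert_status() {
  local days="$1" warn_days="${2:-30}"
  if [ "$days" -lt 0 ]; then echo EXPIRED
  elif [ "$days" -le "$warn_days" ]; then echo EXPIRING
  else echo OK; fi
}

# Live check: check_nss_db DB NICK... prints one line per nickname and
# returns 1 if any certificate is not OK (usable from cron or a monitoring agent).
check_nss_db() {
  local db="$1" nick na days st rc=0; shift
  for nick in "$@"; do
    na=$(certutil -L -d "$db" -n "$nick" | not_after_from_certutil)
    days=$(days_until_expiry "$na") || { echo "$nick: unparsable date '$na'"; rc=1; continue; }
    st=$(cert_status "$days")
    printf '%-32s %-8s %5s days (Not After: %s)\n' "$nick" "$st" "$days" "$na"
    [ "$st" = OK ] || rc=1
  done
  return $rc
}

# Constructed sample of certutil output, matching the ipaCert dates in the post.
SAMPLE_CERTUTIL_OUTPUT='Certificate:
    Data:
        Serial Number: 7 (0x7)
        Validity:
            Not Before: Tue Nov 06 21:35:53 2012
            Not After : Mon Oct 27 21:35:53 2014'

# Run the live check only when a database and nicknames are given, e.g.:
#   ./check_nss_expiry.sh /etc/httpd/alias ipaCert
#   ./check_nss_expiry.sh /var/lib/pki-ca/alias "auditSigningCert cert-pki-ca"
if [ "$#" -ge 2 ]; then check_nss_db "$@"; fi
```

Run against both /etc/httpd/alias and /var/lib/pki-ca/alias so that certificates the 2.x renewal procedure does not touch (such as ipaCert here) are reported alongside the CA subsystem ones.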



