[Freeipa-users] Urgent Help Needed - CA subsystem certificate renewal
Martin Kosek
mkosek at redhat.com
Fri Nov 14 11:28:09 UTC 2014
You need to get all certificates in
# getcert list
renewed. With FreeIPA 3.0+ the certificates should be already properly tracked,
AFAIR.
Was the uid=ipara,ou=People,o=ipaca entry (as described in
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) properly updated with a
serial pointing to the new certificate?
Maybe this is the reason why the old RA certificate is loaded.
If you are using RHEL/CentOS, I would also recommend updating ipa, certmonger
and selinux-policy to the 6.6 version as there were several related fixes.
Martin
On 11/14/2014 11:56 AM, Kamal Perera wrote:
> Hi Martin,
>
> Thanks for the reply.
>
> It's FreeIPA 3.
>
> Actually my issue was, all my subsystem certificates were expired two days
> back. So it wasn't possible to get the requests signed and approved by the CA as
> the web interface is inaccessible.
>
> But after several attempts, I got it done by changing the date back to a valid
> time. Now I have reverted back and everything is fine except this.
>
> Now the RA and OCSPs are not communicating with the CA.
>
> I guess it's because the CA's subsystem certificate is expired. So do I have to
> reissue all the subsystem certificates in RA and OCSP?
>
> Any thoughts?
>
> Thanks
>
> On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek <mkosek at redhat.com> wrote:
>
> On 11/14/2014 08:02 AM, pki tech wrote:
>
> Dear All,
>
> In our Issuing CA, all the subsystem certificates are expired except the
> caSigningCert.
>
> I can generate the new certificate requests via certutil, but how can I get
> them signed?
>
> Your swift response is appreciated.
>
> Regards,
> Kamal
>
>
> What IPA version did you use? We have a related howto article on
> FreeIPA.org wiki with instructions what to do when PKI subsystem
> certificates expire:
>
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Also CCing Jan who owns the PKI knowledge.
>
> Martin
>
>
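The `getcert list` review Martin asks for, as an added example that is not part of the original thread: it parses saved `getcert list` output and reports every tracked request that is expired, close to expiry, or not in the MONITORING state. The function names, the EXAMPLE.TEST realm, the request IDs and the 28-day warning window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp layout of the "expires:" field
# Constructed sample in the layout `getcert list` prints; not taken from the thread.
SAMPLE = """\
Request ID '20141112000001':
    status: MONITORING
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2014-11-12 09:00:00 UTC
Request ID '20141112000002':
    status: CA_UNREACHABLE
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2016-11-03 09:00:00 UTC
Request ID '20141112000003':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2016-11-03 09:00:00 UTC
"""

def parse_getcert_list(text):
    """Split the output into one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def needs_attention(requests, now, warn_days=28):
    """Return (id, subject, reason) for each request that needs renewal work."""
    findings = []
    for r in requests:
        reason = None
        if "expires" not in r:
            reason = "no certificate"
        else:
            exp = datetime.strptime(r["expires"], FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                reason = "expired"
            elif exp - now <= timedelta(days=warn_days):
                reason = "expires soon"
            elif r.get("status") != "MONITORING":
                reason = "status " + r.get("status", "unknown")
        if reason:
            findings.append((r["id"], r.get("subject", "?"), reason))
    return findings
```

Pass the real clock (`datetime.now(timezone.utc)`) as `now`, so a host whose date was temporarily set back is still judged against the true time.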