[Freeipa-users] Urgent Help Needed - CA subsystem certificate renewal

Martin Kosek mkosek at redhat.com
Fri Nov 14 11:28:09 UTC 2014


You need to get all certificates in

# getcert list

renewed. With FreeIPA 3.0+ the certificates should be already properly tracked, 
AFAIR.

Was the uid=ipara,ou=People,o=ipaca entry (as described in 
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) properly updated with a 
serial pointing to the new certificate?

Maybe this is the reason why the old RA certificate is loaded.

If you are using RHEL/CentOS, I would also recommend updating ipa, certmonger 
and selinux-policy to the 6.6 version, as there were several related fixes.

Martin

On 11/14/2014 11:56 AM, Kamal Perera wrote:
> Hi Martin,
>
> Thanks for the reply.
>
> It's FreeIPA 3.
>
> Actually my issue was, all my subsystem certificates were expired two days
> back. So it wasn't possible to get the requests signed and approved by the CA as
> the web interface is inaccessible.
>
> But after several attempts, I got it done by changing the date back to a valid
> time. Now I have reverted back and everything is fine except this.
>
> Now the RA and OCSPs are not communicating with the CA.
>
> I guess it's because the CA's subsystem certificate is expired. So do I have to
> reissue all the subsystem certificates in RA and OCSP?
>
> Any thoughts?
>
> Thanks
>
> On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek <mkosek at redhat.com> wrote:
>
>     On 11/14/2014 08:02 AM, pki tech wrote:
>
>         Dear All,
>
>         In our Issuing CA, all the subsystem certificates are expired except the
>         caSigningCert.
>
>         I can generate the new certificate requests via certutil, but how can I get
>         them signed?
>
>         Your swift response is appreciated.
>
>         Regards,
>         Kamal
>
>
>     What IPA version did you use? We have a related howto article on the
>     FreeIPA.org wiki with instructions on what to do when PKI subsystem
>     certificates expire:
>
>     http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
>     Also CCing Jan who owns the PKI knowledge.
>
>     Martin
>
>
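Martin's first step above is to confirm that everything `getcert list` tracks has actually been renewed. The following shell script is an added example, not code from the thread or from FreeIPA/certmonger: it parses `getcert list` output and reports requests that are not in MONITORING state, are marked stuck, or have already expired relative to a reference time. The sample output, request IDs and reference time are constructed for the example.

```shell
#!/bin/sh
# Added example: flag certmonger-tracked certificates that still need attention
# (not MONITORING, stuck, or expired before the reference time) from `getcert list`.
check_tracking() {
    # $1 = output of `getcert list`, $2 = reference time "YYYY-MM-DD HH:MM:SS" (UTC)
    printf '%s\n' "$1" | awk -v now="$2" -v q="'" '
        function flush() {
            if (id == "") return
            reason = ""
            if (status != "MONITORING")        reason = reason " status=" status
            if (stuck == "yes")                reason = reason " stuck"
            if (expiry != "" && expiry < now)  reason = reason " expired " expiry
            if (reason != "") print id "\t" nick "\t" substr(reason, 2)
            id = ""; status = ""; stuck = ""; nick = ""; expiry = ""
        }
        /^Request ID/ { flush(); id = $3; gsub(q, "", id); sub(":", "", id) }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        /^[ \t]*key pair storage:/ {
            # the nickname may contain spaces, so cut it out of the whole line
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires:/ { expiry = $2 " " $3 }
        END { flush() }'
}
# Constructed sample in the shape of `getcert list` output on a FreeIPA 3.x CA master.
SAMPLE=$(cat <<'EOF'
Request ID '20141114000001':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2016-11-12 08:00:00 UTC
Request ID '20141114000002':
  status: CA_UNREACHABLE
  stuck: yes
  key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2014-11-12 08:00:00 UTC
Request ID '20141114000003':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  expires: 2014-11-12 08:00:00 UTC
EOF
)
# On a real server: check_tracking "$(getcert list)" "$(date -u '+%Y-%m-%d %H:%M:%S')"
check_tracking "$SAMPLE" "2014-11-14 11:28:09"
```

An entry that is still MONITORING but already expired (the ipaCert line here) is exactly the case where the RA agent certificate in the NSS database may be newer than what the CA's uid=ipara entry points to, so it is worth checking that serial as Martin suggests.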