[Freeipa-users] Urgent Help Needed - CA subsystem certificate renewal

Kamal Perera techpkiuser at gmail.com
Sat Nov 15 13:44:25 UTC 2014


Dear Martin,

Thanks. I will check and update the list.

On Fri, Nov 14, 2014 at 4:58 PM, Martin Kosek <mkosek at redhat.com> wrote:

> You need to get all certificates in
>
> # getcert list
>
> renewed. With FreeIPA 3.0+ the certificates should be already properly
> tracked, AFAIR.
>
> Was the uid=ipara,ou=People,o=ipaca entry (as described in
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) properly updated
> with a serial pointing to the new certificate?
>
> Maybe this is the reason why old RA certificate is loaded.
>
> If you are using RHEL/CentOS, I would also recommend updating ipa,
> certmonger and selinux-policy to the 6.6 version as there were several
> related fixes.
>
> Martin
>
> On 11/14/2014 11:56 AM, Kamal Perera wrote:
>
>> Hi Martin,
>>
>> Thanks for the reply.
>>
>> It's FreeIPA 3.
>>
>> Actually my issue was, all my subsystem certificates were expired two days
>> back. So it wasn't possible to get the requests signed and approved by the
>> CA as the web interface is inaccessible.
>>
>> But after several attempts, I got it done by changing the date back to a
>> valid time. Now I have reverted back and everything is fine except this.
>>
>> Now the RA and OCSPs are not communicating with the CA.
>>
>> I guess it's because the CA's subsystem certificate is expired. So do I
>> have to reissue all the subsystem certificates in RA and OCSP?
>>
>> Any thoughts?
>>
>> Thanks
>>
>> On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>     On 11/14/2014 08:02 AM, pki tech wrote:
>>
>>         Dear All,
>>
>>         In our Issuing CA, all the subsystem certificates are expired
>>         except the caSigningCert.
>>
>>         I can generate the new certificate requests via certutil, but how
>>         can I get them signed?
>>
>>         Your swift response is appreciated.
>>
>>         Regards,
>>         Kamal
>>
>>
>>     What IPA version did you use? We have a related howto article on
>>     FreeIPA.org wiki with instructions on what to do when PKI subsystem
>>     certificates expire:
>>
>>     http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>>     Also CCing Jan who owns the PKI knowledge.
>>
>>     Martin
>>
>>
>>
>
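
The check Martin describes above (every certificate in `getcert list` renewed), as an added example that is not part of the original thread or of FreeIPA/certmonger: a Python parser that flags tracked requests that are expired, close to expiry, or not in the MONITORING state. The sample output, the 28-day warning window and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in `getcert list` layout; IDs, dates and DB path are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/path/to/nssdb',nickname='ipaCert'
\texpires: 2016-11-03 10:00:00 UTC
Request ID '20130101000002':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/path/to/nssdb',nickname='subsystemCert cert-pki-ca'
\texpires: 2014-11-12 10:00:00 UTC
Request ID '20130101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/path/to/nssdb',nickname='ocspSigningCert cert-pki-ca'
\texpires: 2014-12-01 10:00:00 UTC
"""

def parse_getcert_list(text):
    """Return one dict per tracked request: id, status, nickname, expires (UTC)."""
    entries = []
    for block in re.split(r"^(?=Request ID ')", text, flags=re.M)[1:]:
        def field(pattern):
            m = re.search(pattern, block, flags=re.M)
            return m.group(1) if m else None
        exp = field(r"^\s*expires: (.+) UTC$")
        entries.append({
            "id": field(r"^Request ID '([^']+)':"),
            "status": field(r"^\s*status: (\S+)"),
            "nickname": field(r"^\s*certificate: .*nickname='([^']*)'"),
            "expires": exp and datetime.fromisoformat(exp + "+00:00"),
        })
    return entries

def needs_attention(entries, now, warn_days=28):
    """Map nickname -> reasons for requests that are not healthy at time `now`."""
    report = {}
    for e in entries:
        reasons = []
        if e["expires"] is None or e["expires"] <= now:
            reasons.append("expired or not issued")
        elif e["expires"] - now <= timedelta(days=warn_days):
            reasons.append("expires soon")
        if e["status"] != "MONITORING":
            reasons.append("status " + str(e["status"]))
        if reasons:
            report[e["nickname"] or e["id"]] = reasons
    return report
```

Run it after setting the system clock back to the real time, passing the captured text of `getcert list` and the current UTC time; an empty report means every tracked certificate is valid and being monitored.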