[Freeipa-users] approving certs?

Nalin Dahyabhai nalin at redhat.com
Tue Aug 4 18:33:32 UTC 2015


On Tue, Aug 04, 2015 at 07:29:13AM -0700, Janelle wrote:
> Hello,
> 
> Well, I am more used to working with openssl directly, so I am a little
> confused when using FreeIPA and certmonger.  I assume that when a
> certificate is in this state:
> 
>     status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>     stuck: yes
> 
> That it needs to be approved, but I am not sure where that is. I see all the
> "cert" commands, but don't see anything relating to approvals? Am I missing
> something obvious here?

That state means that certmonger went to use the private key (most often
for generating a signing request), but couldn't, either because the PIN
it was given can't be used to decrypt the private key, or because it's
having trouble reading the file in which it's been told the PIN is kept.

If there's a PIN file (the -p flag), check the SELinux labeling of the
file.  Otherwise, check that the value that's specified (with the -P
flag) is correct -- if there isn't one, then there should be.

HTH,

Nalin
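The check described in the reply above can be scripted; this is an added example, not part of the original message or of certmonger itself. It assumes `getcert list` prints a `key pair storage:` line per request that carries `pinfile='...'` when -p was used and `pin set` when -P was used; the function name `triage_pin_state` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Triage certmonger requests that cannot read their key PIN.
# Reads `getcert list` output on stdin and prints one line per request in
# state NEWLY_ADDED_NEED_KEYINFO_READ_PIN:
#   <id> pinfile <path>  -> -p was used: inspect that file and its SELinux label
#   <id> pin-set         -> -P was used: confirm the stored value decrypts the key
#   <id> no-pin          -> no PIN configured, although the key needs one
triage_pin_state() {
    awk -v q="'" '
        /^Request ID / {                      # start of a new request block
            id = $3; gsub(q, "", id); sub(/:$/, "", id); hit = 0; next
        }
        /status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN/ { hit = 1; next }
        hit && /key pair storage:/ {
            if (match($0, "pinfile=" q "[^" q "]*" q))
                # skip the 9-char prefix pinfile=<quote> and the closing quote
                print id, "pinfile", substr($0, RSTART + 9, RLENGTH - 10)
            else if ($0 ~ /,pin set/)
                print id, "pin-set"
            else
                print id, "no-pin"
            hit = 0
        }
    '
}

# Constructed sample of `getcert list` output (assumed layout, not real data).
SAMPLE=$(cat <<'EOF'
Request ID '20150804142913':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=FILE,location='/etc/pki/tls/private/web.key',pinfile='/etc/pki/tls/private/web.pin'
	certificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
Request ID '20150804143001':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ok.key'
Request ID '20150804143555':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
EOF
)

printf '%s\n' "$SAMPLE" | triage_pin_state
```

On a live host, feed it with `getcert list | triage_pin_state`, then run `ls -Z` on each reported PIN file to see the label Nalin refers to.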



