[Freeipa-users] regenerate certificate

mohammad sereshki mohammadsereshki at yahoo.com
Thu Jul 21 07:59:19 UTC 2016 

dear 
thanks, but would you please check below and let me know what is your idea?I checked your command but it did not work.


Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expCOMes: 2018-06-30 07:56:06 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key paCOM storage: type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expCOMes: 2016-08-17 12:35:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv EXAMPLE.-COM
        track: yes
        auto-renew: yes
Request ID '20140817123602':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key paCOM storage: type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expCOMes: 2016-08-17 12:36:02 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20140817123752':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expCOMes: 2016-08-17 12:37:51 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
You have new mail in /var/spool/mail/root


      From: Florence Blanc-Renaud <flo at redhat.com>
 To: mohammad sereshki <mohammadsereshki at yahoo.com>; Freeipa-users <freeipa-users at redhat.com> 
 Sent: Thursday, July 21, 2016 11:30 AM
 Subject: Re: [Freeipa-users] regenerate certificate
   
On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> hi
> I check my IPA server which is version ipa-server-3.0.0-25 , command
> "ipa-get-cert list" show, my certificate will be expired in next 20 days,
> I do not know how to regenerate them
> but command "getcert list" shows epirtion certificates are related just
> to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,  has enough
> time .
> would you please help me to know how to regenerate CA:IPA certificates?
>
> Best Regards
>
>
>

Hi Mohammad,

the certificates issued by IPA CA are normally tracked by certmonger and 
automatically renewed when they are near their expiration date. To make 
sure that your certificates are tracked, you can issue
$ ipa-getcert list
and check the "status:" field for each certificate. It should display 
"MONITORING".

If you want to manually renew them, you must note their request ID and 
use the command
$ ipa-getcert resubmit -i $REQUEST_ID

Hope this helps,
Flo.


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160721/3ed31e18/attachment.htm>

More information about the Freeipa-users mailing list