[Freeipa-users] another certmonger question

Natxo Asenjo natxo.asenjo at gmail.com
Mon Sep 26 20:03:08 UTC 2016


hi,

after our upgrade from centos 6.8 to 7.2, when I renew a certificate using
ipa-getcert resubmit -i xxxxxx the certificate is properly renewed, but the
info on ipa host-show still shows the old certificate info. Is this normal?

$ sudo getcert list | grep expires
    expires: 2018-09-27 19:46:03 UTC

so that certificate has successfully been renewed, but this is the host's
info:

$ ipa host-show hostname | grep -i after
     Not After: Wed Jun 07 14:30:47 2017 UTC

and I see there as well more than one certificate for that host:

$ ipa cert-find --subject=hostname
----------------------
5 certificates matched
----------------------
  Serial number (hex): 0xFF90008
  Serial number: 267976712
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFF90009
  Serial number: 267976713
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFF9000A
  Serial number: 267976714
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFFF001D
  Serial number: 268369949
  Status: REVOKED_EXPIRED
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFFF0093
  Serial number: 268370067
  Status: REVOKED
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 5
----------------------------

And three of them are still valid. As a comparison, another host which was
installed about the same time also has 5 certificates, but 4 are revoked
and the expires info of getcert list and of the valid certificate are the
same.

So how do I correct this?
-- 
Groeten,
natxo
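A small cross-check that reproduces the comparison the post does by hand, written as an added example that is not part of the original message. It parses the three text formats shown above (`getcert list`, `ipa host-show`, `ipa cert-find`), reports when the host entry's Not After does not match any expiry certmonger is tracking, and lists the extra VALID certificates for the subject. The sample inputs are constructed from the output in the post (the `Request ID` and `Host name` lines are made up for completeness), and the assumption that a higher serial number means a more recently issued certificate is used only to pick which entries to flag for review.

```python
"""Compare certmonger's view of a host certificate with IPA's (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample inputs in the formats quoted in the post.
GETCERT_LIST = """\
Request ID '20160926194603':
    status: MONITORING
    expires: 2018-09-27 19:46:03 UTC
"""

HOST_SHOW = """\
  Host name: hostname.unix.iriszorg.nl
  Not After: Wed Jun 07 14:30:47 2017 UTC
"""

CERT_FIND = """\
  Serial number (hex): 0xFF90008
  Serial number: 267976712
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFF90009
  Serial number: 267976713
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFF9000A
  Serial number: 267976714
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFFF001D
  Serial number: 268369949
  Status: REVOKED_EXPIRED
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFFF0093
  Serial number: 268370067
  Status: REVOKED
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
"""


def parse_getcert_expiries(text):
    """Expiry timestamps (UTC) of every request certmonger is tracking."""
    return [datetime.strptime(m, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            for m in re.findall(r"^\s*expires:\s*(.+)$", text, re.M)]


def parse_host_not_after(text):
    """Not After of the certificate stored in the IPA host entry."""
    m = re.search(r"^\s*Not After:\s*(.+)$", text, re.M)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y UTC").replace(tzinfo=timezone.utc)


def parse_cert_find(text):
    """One dict per `ipa cert-find` record (records are separated by blank lines)."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*([^:]+):\s*(.+)$", block, re.M))
        if "Serial number" in fields:
            certs.append({"serial": int(fields["Serial number"]),
                          "serial_hex": fields["Serial number (hex)"],
                          "status": fields["Status"],
                          "subject": fields["Subject"]})
    return certs


def check_host(getcert_text, host_show_text, cert_find_text):
    """Return findings; an empty list means certmonger and IPA agree."""
    findings = []
    tracked = parse_getcert_expiries(getcert_text)
    not_after = parse_host_not_after(host_show_text)
    if not_after not in tracked:
        findings.append("host entry shows Not After %s UTC, but certmonger tracks expiry %s UTC"
                        % (not_after.strftime("%Y-%m-%d %H:%M:%S"),
                           ", ".join(t.strftime("%Y-%m-%d %H:%M:%S") for t in tracked)))
    valid = [c for c in parse_cert_find(cert_find_text) if c["status"] == "VALID"]
    if len(valid) > 1:
        # Assumption: the highest serial is the newest issuance; older ones are stale.
        stale = sorted(valid, key=lambda c: c["serial"])[:-1]
        findings.append("%d VALID certificates for the subject; older serials %s should be reviewed"
                        % (len(valid), ", ".join(c["serial_hex"] for c in stale)))
    return findings


if __name__ == "__main__":
    for line in check_host(GETCERT_LIST, HOST_SHOW, CERT_FIND) or ["certmonger and IPA agree"]:
        print(line)
```

Run against the constructed sample it reports both symptoms from the post: the host entry's Not After (2017) does not match the tracked 2018 expiry, and three certificates are still VALID for the same subject. Feeding it the real command output for several hosts turns the manual comparison into a repeatable check.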