[Freeipa-users] another certmonger question

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 29 10:30:06 UTC 2016


On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:

>
> It's hard to say, it may in fact not be a problem.
>
> It is really a matter of what service the certificate(s) are related to.
> I'd look at the serial numbers and then correlate those to the issued
> certificates.
>
> I'd also do a service-find on the hostname to see if any services have
> certificates issued and with what serial numbers.
>

I agree, it could be that. But just for testing I have created a vm, joined
it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


 $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------


So certmonger on this CentOS 6.8 32-bit host is renewing but not having
the old certificate revoked.

--
Groeten,
natxo
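
The check described in this message, as an added example that is not part of the original post: a parser for the `ipa cert-find` text output shown above that reports any subject holding more than one VALID certificate. The function names are hypothetical, and the sample input is constructed from the output quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the `ipa cert-find` output quoted in the message above.
SAMPLE = """\
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------
"""

# Record fields are indented "Key: value" lines; rules and counters are not.
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")

def parse_cert_find(text):
    """Split the output into one dict per certificate record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:  # a blank line or dashed rule ends the record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def duplicate_valid_subjects(records):
    """Map subject -> sorted serials where more than one cert is VALID."""
    by_subject = defaultdict(list)
    for rec in records:
        if rec.get("Status") == "VALID" and "Subject" in rec:
            by_subject[rec["Subject"]].append(int(rec["Serial number"]))
    return {s: sorted(n) for s, n in by_subject.items() if len(n) > 1}

if __name__ == "__main__":
    for subject, serials in duplicate_valid_subjects(parse_cert_find(SAMPLE)).items():
        print(subject, [hex(n) for n in serials])
```
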