[Freeipa-users] another certmonger question
Natxo Asenjo
natxo.asenjo at gmail.com
Fri Sep 30 11:54:16 UTC 2016
On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <rcritten at redhat.com>
wrote:
> Natxo Asenjo wrote:
>
>>
>>
>> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>> Natxo Asenjo wrote:
>>
>>
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden
>> <rcritten at redhat.com <mailto:rcritten at redhat.com>
>> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
>>
>>
>> It's hard to say, it may in fact not be a problem.
>>
>> It is really a matter of what service the certificate(s)
>> are related
>> to. I'd look at the serial numbers and then correlate those
>> to the
>> issued certificates.
>>
>> I'd also do a service-find on the hostname to see if any
>> services
>> have certificates issued and with what serial numbers.
>>
>>
>> I agree, it could be that. But just for testing I have created a
>> vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>
>> <http://throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>>
>> ----------------------
>> 2 certificates matched
>> ----------------------
>> Serial number (hex): 0x3FFE0002
>> Serial number: 1073610754
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>
>> <http://throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> <http://UNIX.IRISZORG.NL>
>>
>> Serial number (hex): 0x3FFE0003
>> Serial number: 1073610755
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>
>> <http://throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> <http://UNIX.IRISZORG.NL>
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>
>> So it certmonger in this centos 6.8 32bit host is renewing but not
>> having the old certificate revoked.
>>
>>
>> I'd check the Apache log to find the cert_request call to see if you
>> can see if there are any issues raised. It should be doing a
>> cert_revoke at the same time.
>>
>> Can you should how this certificate is being tracked?
>>
>>
>> sure:
>>
>> $ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate -
>> throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>',token='NSS Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> expires: 2018-09-30 10:13:17 UTC
>> principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>> <mailto:throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> now, let's resubmit:
>>
>> $ sudo ipa-getcert resubmit -i 20160929100945
>> Resubmitting "20160929100945" to "IPA".
>> [jose.admin at throwaway ~]$ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate -
>> throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>',token='NSS Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> expires: 2018-09-30 20:41:28 UTC
>> principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>> <mailto:throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> so it has been successfully renewed.
>>
>> In the access_log of the kdc I see this:
>>
>> 172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST
>> https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient
>> HTTP/1.1" 200 1913
>> 172.20.6.81 - host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>> <mailto:throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL>
>> [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
>>
>> and in the error_log:
>> [Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO:
>> [xmlserver] host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>> <mailto:throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL>:
>> cert_request(u'MIID6DCCAtACAQAwQDEZMBcGA1UEChMQVU5JWC5JUklTW
>> k9SRy5OTDEjMCEGA1UEAxMadGhyb3dhd2F5LnVuaXguaXJpc3pvcmcubmwwg
>> gEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4jBk7V2D5pX12kYrr+
>> +lwsWq1UWHy6PM9O+B/GvxaI0JoARBrhR6MKI1Ev+DV2r5ukNNWHj5+/kKbt
>> W9XI2XMZ9pIBSwG3SG4m9s3gQV3dGQjlRCcU+MgXiDxRtRy2Vdzd1fZ9xdB1
>> txH3ZnZfceTosNw4Jp3bm/VtPChWJeN6K671FLRCzJkI1KrC+LHfGbvyTtOi
>> pB5O9t8RkN4Qh01r/rphPvt9Gh+/mTlHnmGP9+sseqHHsgv2fPvRQowpJD
>> EytTX5w/8pLrUCATqJUYfxK5RDuwD1304p3WXDFLoU6p2xaR63h34muj1a5N
>> V1CvQFqJapHB5B/w6uUbLzjg3AgMBAAGgggFhMHcGCSqGSIb3DQEJFDFqHmg
>> ASQBQAEEAIABNAGEAYwBoAGkAbgBlACAAQwBlAHIAdABpAGYAaQBjAGEAdAB
>> lACAALQAgAHQAaAByAG8AdwBhAHcAYQB5AC4AdQBuAGkAeAAuAGkAcgBpAHM
>> AegBvAHIAZwAuAG4AbDCB5QYJKoZIhvcNAQkOMYHXMIHUMIGhBgNVHREBAQA
>> EgZYwgZOgQAYKKwYBBAGCNxQCA6AyDDBob3N0L3Rocm93YXdheS51bml4Lml
>> yaXN6b3JnLm5sQFVOSVguSVJJU1pPUkcuTkygTwYGKwYBBQICoEUwQ6ASGxB
>> VTklYLklSSVNaT1JHLk5MoS0wK6ADAgEBoSQwIhsEaG9zdBsadGhyb3dhd2F
>> 5LnVuaXguaXJpc3pvcmcubmwwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQ
>> UgXWL3vdW/I31tQxv5YjyMZy4x8kw!
>>
> DQYJKoZIhv
> cNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv
> /J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CH
> fdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mh
> ehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqN
> yCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8
> py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=',
>
>> principal=u'host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>> <mailto:throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL>', add=True,
>> version=u'2.51'): SUCCESS
>>
>> and now I have 3 valid certificates:
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>
>> ----------------------
>> 3 certificates matched
>> ----------------------
>> Serial number (hex): 0xFF9000D
>> Serial number: 267976717
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>>
>> Serial number (hex): 0x3FFE0002
>> Serial number: 1073610754
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>>
>> Serial number (hex): 0x3FFE0003
>> Serial number: 1073610755
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl
>> <http://throwaway.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
>> <http://UNIX.IRISZORG.NL>
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>
> Ok, let me start by saying that this is not a bug in either certmonger or
> dogtag. IPA is supposed to do the revocation in the cert_request command.
>
> The steps IPA _should_ be taking are:
>
> 1. Figure out if we are doing a certificate for a host or a service.
> 2. See if the requester is allowed to manage this entry
> 3. Look at the entry to see if it has a usercertificate attribute. If so
> revoke that serial number, then clear the usercertificate value in the host
> or service entry (via service_mod or host_mod)
> 4. Request a new certificate
> 5. Update IPA with the new value
>
> Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl,
> and which certificate serial number?
>
$ ipa host-show throwaway
Host name: throwaway.unix.iriszorg.nl
Certificate:
MIIE0DCCA7igAwIBAgIED/kADTANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MjA0MTI4WhcNMTgwOTMwMjA0MTI4WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQB6KplOoHG5d2+3c5J/TSE/qxWkfObqPdpzYSMg5ma+PKL7ofuEgtozfoZfH/GXKIKtUpPZCJL2NQQKauagdIwto7PX184FcohCjJxHD30RRbc6q2rm3PE7Q1vDzSxW1ZCFELmpvK0XN4YX1tz6iaPgo2B7wuyhbZpT4Vd2itT1rOQ6cAnAB7BFhVNj5XDPDoMaHabtWRJVLlIOMeGyrZDUMxmoPys5g1c1SZM1ld+8+zdgqIVEsdTo9qThqPraTUi8GTjP4QvuQkLbnlFO6KQe5RqfbVXA0gKVWDtepY7h+cBQxMa/eHROFtnhW/w1+FdKHDPvOdj8aTF1tSIU2RYP,
MIIE0DCCA7igAwIBAgIEP/4AAjANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAwOTUwWhcNMTgwOTMwMTAwOTUwWjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQCvTRaJrl3J7Ky4VkFVfkwIGoaxocXrllYSjXZzhzHV0zJtlVeQGmHwulyrEbEzaRuMqbXe7c8WseOgU/K+UwByGiZoyxUmHgBmu2mv8Cln48UbESEAm0py4hRMmE7UzIhsHzTAKjUfyQXujB21S+FYwd97QymGRgn7kJ2TtH99zslQO0kMC//LmctUxIfTOOcrBgOojIEpcbzTeWNcyuN5+MHr6H2DNUYQZpvnDBv7XVphrk7ACrh4ETeYW5E1fFl84CdSxWehhWILF6t2WdA4RSjvtg3zvMPL+uVU8w1aru33dMuCKqvMG3iaRrDjVZ4k9/36lpf4/r1PwKYxusvg,
MIIE0DCCA7igAwIBAgIEP/4AAzANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAxMzE3WhcNMTgwOTMwMTAxMzE3WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQCh6lySZa1AyUyP8AuaLUDj6X0Lt/tGS+ZIw/O248FVMJDwvLvkFUxOjTAK1mip0AHxkib+QtKqFgN9lbidnxeKFYNN2komTfLgFV+G+8kBIInxWbU1OsuYw4J6xCu5IE+F7jfdHX1yw6HSgDixYgKHe9mw+8HTbUR1a/ntZ90pmai8I7daem9bMrPHGSSChjcbjif6YNZ8ibmilqq0vw8CEwQopXFToO/mHfbXNDw6gJY5rKu19fWPi3VRQdQxKKtwY/gXg39q4FWBymDaMwjErC7G4AnGeeTYp4iFYZkfcjYvdxGXGF0CpLgunvcMMQ0rTYx5w1MrLbbnqjq1qBZO
Principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
Password: False
Keytab: True
Managed by: throwaway.unix.iriszorg.nl
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial Number: 267976717
Serial Number (hex): 0xFF9000D
Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
Not Before: Thu Sep 29 20:41:28 2016 UTC
Not After: Sun Sep 30 20:41:28 2018 UTC
Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1
Fingerprint (SHA1):
81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45
SSH public key fingerprint:
61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa),
71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss)
so it shows the three certificates but the serial is 267976717
--
Groeten,
natxo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160930/09057795/attachment.htm>
More information about the Freeipa-users
mailing list