[Freeipa-users] Switch certificates from external CA to internal

Jeff Goddard jgoddard at emerlyn.com
Thu Jan 12 16:40:35 UTC 2017


Thanks Flo,

My system is still in a bad state, as I got this as a result of the command:

[root at id-management-1 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Resubmitting certmonger request '20170101055025' timed out, please check
the request manually
The ipa-cacert-manage command failed.

The relevant output from getcert list was:
Request ID '20170101055025':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
        subject: CN=localhost
        expires: 2037-01-01 06:28:46 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I took the step of stopping tracking on that cert, which was a mistake, and
now I'm having a hard time with the syntax of adding it back.

Jeff
On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> On 01/12/2017 02:57 PM, Jeff Goddard wrote:
>
>> I've had issues with expired certificates. In the course of
>> troubleshooting I've somehow set the cas to external. Is there a way I
>> can switch back?
>>
>> [root at id-management-1 conf]# getcert list-cas
>> CA 'SelfSign':
>>         is-default: no
>>         ca-type: INTERNAL:SELF
>>         next-serial-number: 01
>> CA 'IPA':
>>         is-default: no
>>         ca-type: EXTERNAL
>>         helper-location: /usr/libexec/certmonger/ipa-server-guard
>> /usr/libexec/certmonger/ipa-submit
>> CA 'certmaster':
>>         is-default: no
>>         ca-type: EXTERNAL
>>         helper-location: /usr/libexec/certmonger/certmaster-submit
>> CA 'dogtag-ipa-renew-agent':
>>         is-default: no
>>         ca-type: EXTERNAL
>>         helper-location: /usr/libexec/certmonger/ipa-server-guard
>> /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>> CA 'local':
>>         is-default: no
>>         ca-type: EXTERNAL
>>         helper-location: /usr/libexec/certmonger/local-submit
>> CA 'dogtag-ipa-ca-renew-agent':
>>         is-default: no
>>         ca-type: EXTERNAL
>>         helper-location:
>> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv
>>
>> Thanks,
>>
>> Jeff
>>
>
> Hi Jeff,
>
> the following documentation explains how to change the certificate chain
> from externally-signed to self-signed:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
>
> HTH,
> Flo.
>
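Added example, not part of this thread or of FreeIPA/certmonger: a small POSIX shell helper that parses `getcert list` output, reports every request marked `stuck: yes` together with its status, and prints the `getcert start-tracking` line that would re-create tracking for a given request from the database location, nickname and CA shown in its own record. The sample output is constructed from the stuck request quoted above plus a second, healthy record; `PIN_FILE_PLACEHOLDER` stands for a file holding the NSS database PIN and must be replaced on a real host. The generated line reproduces only the fields visible in the record (database, nickname, CA); anything else the original tracking carried has to be supplied by the operator before running it.

```shell
#!/bin/sh
# Added example (not from the thread): inspect certmonger's `getcert list`
# output for stuck requests and emit a reviewable re-tracking command.

# Constructed sample of `getcert list` output: the stuck CA signing cert
# request quoted in the thread plus one healthy request for contrast.
sample_output() {
cat <<'EOF'
Request ID '20170101055025':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=localhost
        track: yes
Request ID '20170101055026':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB',pin set
        CA: IPA
        track: yes
EOF
}

# Print "<request id> <status>" for each request whose record says "stuck: yes".
# Reads `getcert list` output on stdin.
stuck_requests() {
    awk -v q="'" '
        /^Request ID/ { gsub(q, "", $3); sub(/:$/, "", $3); id = $3; status = "" }
        /^[ \t]+status:/ { status = $2 }
        /^[ \t]+stuck:/  { if ($2 == "yes") print id, status }
    '
}

# Print one field of one request record.
# usage: field <request id> <field name>   (reads `getcert list` output on stdin)
field() {
    awk -v q="'" -v want="$1" -v name="$2" '
        /^Request ID/ { gsub(q, "", $3); sub(/:$/, "", $3); cur = $3; next }
        cur == want {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, name ":") == 1) {
                val = substr(line, length(name) + 2)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }
    '
}

# Extract one quoted attribute (location, nickname, token) from a
# "key pair storage" value such as type=NSSDB,location='...',nickname='...'
# usage: storage_attr <attr> <storage value>
storage_attr() {
    printf '%s\n' "$2" | sed -n "s/.*$1='\([^']*\)'.*/\1/p"
}

# Build the `getcert start-tracking` command for a request id from the
# database, nickname and CA recorded for it. The command is printed, not run,
# so an operator can review it; the PIN file path is a placeholder.
# usage: retrack_command <request id>   (reads `getcert list` output on stdin)
retrack_command() {
    out=$(cat)
    storage=$(printf '%s\n' "$out" | field "$1" "key pair storage")
    ca=$(printf '%s\n' "$out" | field "$1" "CA")
    db=$(storage_attr location "$storage")
    nick=$(storage_attr nickname "$storage")
    printf "getcert start-tracking -d '%s' -n '%s' -c '%s' -p PIN_FILE_PLACEHOLDER\n" \
        "$db" "$nick" "$ca"
}

# Demonstration on the constructed sample: list stuck requests, then show the
# re-tracking line for the first one. On a live host replace `sample_output`
# with `getcert list`.
sample_output | stuck_requests
sample_output | retrack_command 20170101055025
```

The status field matters for triage: `NEED_CSR_GEN_TOKEN` indicates certmonger could not open the key's NSS token, so re-adding tracking without a valid PIN file reproduces the same stuck state.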