[Freeipa-users] Switch certificates from external CA to internal

Florence Blanc-Renaud flo at redhat.com
Mon Jan 16 09:10:42 UTC 2017


On 01/12/2017 05:40 PM, Jeff Goddard wrote:
> Thanks Flo,
>
> My system is still in a bad state as I got this as a result of the command:
>
> [root at id-management-1 ~]# ipa-cacert-manage renew --self-signed
> Renewing CA certificate, please wait
> Resubmitting certmonger request '20170101055025' timed out, please check
> the request manually
> The ipa-cacert-manage command failed.
>
> The relevant output from getcert list was:
> Request ID '20170101055025':
>         status: NEED_CSR_GEN_TOKEN
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>         subject: CN=localhost
>         expires: 2037-01-01 06:28:46 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> I took the step of stopping tracking on that cert which was a mistake
> and now I'm having a hard time with the syntax of adding it back.
>
Hi Jeff,

You would need the following to start-tracking the cert:
1. get the internal PIN
# grep 'internal=' /etc/pki/pki-tomcat/password.conf

2. monitor the cert
# getcert start-tracking -d /etc/pki/pki-tomcat/alias \
    -n 'caSigningCert cert-pki-ca' -P <pin> \
    -c dogtag-ipa-ca-renew-agent \
    -B /usr/libexec/ipa/certmonger/stop_pkicad \
    -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"'

HTH,
Flo.
> Jeff
>
> On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>
>     On 01/12/2017 02:57 PM, Jeff Goddard wrote:
>
>         I've had issues with expired certificates. In the course of
>         troubleshooting I've somehow set the CAs to external. Is there a
>         way I can switch back?
>
>         [root at id-management-1 conf]# getcert list-cas
>         CA 'SelfSign':
>                 is-default: no
>                 ca-type: INTERNAL:SELF
>                 next-serial-number: 01
>         CA 'IPA':
>                 is-default: no
>                 ca-type: EXTERNAL
>                 helper-location: /usr/libexec/certmonger/ipa-server-guard
>         /usr/libexec/certmonger/ipa-submit
>         CA 'certmaster':
>                 is-default: no
>                 ca-type: EXTERNAL
>                 helper-location: /usr/libexec/certmonger/certmaster-submit
>         CA 'dogtag-ipa-renew-agent':
>                 is-default: no
>                 ca-type: EXTERNAL
>                 helper-location: /usr/libexec/certmonger/ipa-server-guard
>         /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>         CA 'local':
>                 is-default: no
>                 ca-type: EXTERNAL
>                 helper-location: /usr/libexec/certmonger/local-submit
>         CA 'dogtag-ipa-ca-renew-agent':
>                 is-default: no
>                 ca-type: EXTERNAL
>                 helper-location:
>         /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv
>
>         Thanks,
>
>         Jeff
>
>
>
>     Hi Jeff,
>
>     the following documentation explains how to change the certificate
>     chain from externally-signed to self-signed:
>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
>
>     HTH,
>     Flo.
>
>
>
>
>

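The two steps in Flo's reply (read the internal PIN, then re-add the certmonger tracking request for the CA signing cert), put together as a script. This is an added example, not code from the thread or from FreeIPA/certmonger; the paths, nickname, CA helper name and pre/post-save commands are the ones quoted above, while the function names, the "apply" argument and the sample password.conf contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger: wraps
# Flo's two steps so the PIN is parsed rather than copied by eye, and the
# exact command is printed (PIN masked) before anything is executed.
# Function names and the sample password.conf contents are assumptions.

NSSDB_DIR=/etc/pki/pki-tomcat/alias
NICK='caSigningCert cert-pki-ca'
PASSWORD_CONF=/etc/pki/pki-tomcat/password.conf

# Step 1: the value of the "internal=" line only. The file also holds keys
# such as internaldb= and replicationdb=, so anchor on the full key name and
# strip it instead of reading the raw output of grep 'internal='.
internal_pin() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# Step 2a: render the getcert start-tracking command from the reply on one
# line, so it can be checked against the stuck request's "key pair storage"
# fields before it is run.
tracking_cmd() {
    printf '%s' "getcert start-tracking -d $NSSDB_DIR -n '$NICK' -P '$1'"
    printf ' -c dogtag-ipa-ca-renew-agent'
    printf ' -B /usr/libexec/ipa/certmonger/stop_pkicad'
    printf " -C '/usr/libexec/ipa/certmonger/renew_ca_cert \"%s\"'\n" "$NICK"
}

# Step 2b: run it. Arguments are passed directly, not through eval, so the
# space inside the nickname survives intact. (getcert also accepts -p FILE
# to read the PIN from a file, which keeps it out of the process listing.)
start_tracking() {
    getcert start-tracking -d "$NSSDB_DIR" -n "$NICK" -P "$1" \
        -c dogtag-ipa-ca-renew-agent \
        -B /usr/libexec/ipa/certmonger/stop_pkicad \
        -C "/usr/libexec/ipa/certmonger/renew_ca_cert \"$NICK\""
}

# Step 3: confirm certmonger picked it up (the "track: yes" line in getcert list).
is_tracked() {
    getcert list -d "$NSSDB_DIR" -n "$NICK" 2>/dev/null \
        | grep -q '^[[:space:]]*track: yes'
}

# Constructed sample password.conf for offline use; the real one is the
# root-only file named in PASSWORD_CONF.
sample_password_conf() {
    f=$(mktemp)
    printf 'internal=Secret123\ninternaldb=DbSecret456\nreplicationdb=ReplSecret789\n' > "$f"
    printf '%s\n' "$f"
}

# Only touch the live system when explicitly asked and getcert is present:
#   sh retrack-ca-cert.sh apply
if [ "${1:-}" = "apply" ] && command -v getcert >/dev/null 2>&1; then
    pin=$(internal_pin "$PASSWORD_CONF")
    [ -n "$pin" ] || { echo "no internal= entry in $PASSWORD_CONF" >&2; exit 1; }
    tracking_cmd "$pin" | sed 's/-P .[^ ]* /-P <pin> /'   # show it, PIN masked
    start_tracking "$pin"
    is_tracked && echo "tracking request registered for '$NICK'"
fi
```

Without the "apply" argument the script only defines the functions, so it can be sourced and the rendered command inspected on a workstation before it is run as root on the IPA CA host.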