[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
Michael Plemmons
michael.plemmons at crosschx.com
Fri May 5 19:19:18 UTC 2017
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com
On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Michael Plemmons wrote:
> > I just realized that I sent the reply directly to Rob and not to the
> > list. My response is inline
>
> Ok, this is actually good news.
>
> I made a similar proposal in another case and I was completely wrong.
> Flo had the user do something and it totally fixed their auth error, I
> just can't remember what it was or find the e-mail thread. I'm pretty
> sure it was this calendar year though.
>
> rob
>
>
Do you or Flo know what I could search for in the past emails to find the
answer to the problem?
> >
> >
> >
> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
> > *
> > 614.427.2411
> > mike.plemmons at crosschx.com <mailto:mike.plemmons at crosschx.com>
> > www.crosschx.com <http://www.crosschx.com/>
> >
> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons
> > <michael.plemmons at crosschx.com <mailto:michael.plemmons at crosschx.com>>
> > wrote:
> >
> >
> >
> >
> >
> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
> > *
> > 614.427.2411
> > mike.plemmons at crosschx.com <mailto:mike.plemmons at crosschx.com>
> > www.crosschx.com <http://www.crosschx.com/>
> >
> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <rcritten at redhat.com
> > <mailto:rcritten at redhat.com>> wrote:
> >
> > Michael Plemmons wrote:
> > > I realized that I was not very clear in my statement about
> > testing with
> > > ldapsearch. I had initially run it without logging in with a
> > DN. I was
> > > just running the local ldapsearch -x command. I then tested on
> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the
> > admin and
> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and
> > ipa11.mgmt
> > > and both ldapsearch command succeeded.
> > >
> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non
> > root user.
> > > I also ran the command showing a line count for the output and
> > the line
> > > counts for each were the same when run from ipa12.mgmt and
> > ipa11.mgmt.
> > >
> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>
> > > <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>> -D "DN" -w PASSWORD -b
> > > "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
> > >
> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>
> > > <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>> -D "cn=directory manager" -w
> > PASSWORD dn
> >
> > The CA has its own suffix and replication agreements. Given the
> auth
> > error and recent (5 months) renewal of CA credentials I'd check
> > that the
> > CA agent authentication entries are correct.
> >
> > Against each master with a CA run:
> >
> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b
> > uid=ipara,ou=people,o=ipaca description
> >
> > The format is 2;serial#,subject,issuer
> >
> > Then on each run:
> >
> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
> >
> > The serial # should match that in the description everywhere.
> >
> > rob
> >
> >
> >
> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
> > serial number is 7. I then ran the certutil command on all three
> > servers and the serial number is 7 as well.
> >
> >
> > I also ran the ldapsearch command against the other two servers and
> > they also showed a serial number of 7.
> >
> >
> >
> >
> > >
> > >
> > >
> > >
> > >
> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
> > > *
> > > 614.427.2411
> > > mike.plemmons at crosschx.com <mailto:mike.plemmons at crosschx.com>
> > <mailto:mike.plemmons at crosschx.com
> > <mailto:mike.plemmons at crosschx.com>>
> > > www.crosschx.com <http://www.crosschx.com>
> > <http://www.crosschx.com/>
> > >
> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons
> > > <michael.plemmons at crosschx.com
> > <mailto:michael.plemmons at crosschx.com>
> > <mailto:michael.plemmons at crosschx.com
> > <mailto:michael.plemmons at crosschx.com>>>
> > > wrote:
> > >
> > > I have a three node IPA cluster.
> > >
> > > ipa11.mgmt - was a master over 6 months ago
> > > ipa13.mgmt - current master
> > > ipa12.mgmt
> > >
> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and
> > ipa12 do not
> > > have agreements between each other.
> > >
> > > It appears that either ipa12.mgmt lost some level of its
> > replication
> > > agreement with ipa13. I saw some level because users /
> > hosts were
> > > replicated between all systems but we started seeing DNS
> > was not
> > > resolving properly from ipa12. I do not know when this
> > started.
> > >
> > > When looking at replication agreements on ipa12 I did not
> > see any
> > > agreement with ipa13.
> > >
> > > When I run ipa-replica-manage list all three hosts show
> > has master.
> > >
> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt
> > is a replica.
> > >
> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
> > >
> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> > > ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com>
> > <http://ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com
> >>
> > > ipa13.mgmt.crosschx.com <http://ipa13.mgmt.crosschx.com>
> > <http://ipa13.mgmt.crosschx.com
> > <http://ipa13.mgmt.crosschx.com>> on ipa12.mgmt
> > >
> > > I then ran the following
> > >
> > > ipa-replica-manage force-sync --from
> > ipa13.mgmt.crosschx.com <http://ipa13.mgmt.crosschx.com>
> > > <http://ipa13.mgmt.crosschx.com
> > <http://ipa13.mgmt.crosschx.com>>
> > >
> > > ipa-replica-manage re-initialize --from
> > ipa13.mgmt.crosschx.com <http://ipa13.mgmt.crosschx.com>
> > > <http://ipa13.mgmt.crosschx.com
> > <http://ipa13.mgmt.crosschx.com>>
> > >
> > > I was still seeing bad DNS returns when dig'ing against
> > ipa12.mgmt.
> > > I was able to create user and DNS records and see the
> > information
> > > replicated properly across all three nodes.
> > >
> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start
> on
> > > ipa12.mgmt because I wanted to make sure everything was
> > running
> > > fresh after the changes above. While IPA was staring up
> (DNS
> > > started) we were able to see valid DNS queries returned but
> > > pki-tomcat would not start.
> > >
> > > I am not sure what I need to do in order to get this
> > working. I
> > > have included the output of certutil and getcert below
> > from all
> > > three servers as well as the debug output for pki.
> > >
> > >
> > > While the IPA system is coming up I am able to
> > successfully run
> > > ldapsearch -x as the root user and see results. I am also
> > able to
> > > login with the "cn=Directory Manager" account and see
> results.
> > >
> > >
> > > The debug log shows the following error.
> > >
> > >
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > > ============================================
> > > [03/May/2017:21:22:01][localhost-startStop-1]: =====
> DEBUG
> > > SUBSYSTEM INITIALIZED =======
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > > ============================================
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > restart at
> > > autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > autoShutdown crumb file path?
> > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > about to
> > > look for cert for auto-shutdown support:auditSigningCert
> > cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > found
> > > cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > done init
> > > id=debug
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > initialized debug
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > initSubsystem id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > ready to
> > > init id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> > >
> > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/
> signedAudit/ca_audit)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> > > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> > > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/
> transactions)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > restart at
> > > autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > autoShutdown crumb file path?
> > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > about to
> > > look for cert for auto-shutdown support:auditSigningCert
> > cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > found
> > > cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > done init
> > > id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > initialized log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > initSubsystem id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > ready to
> > > init id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > restart at
> > > autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > autoShutdown crumb file path?
> > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > about to
> > > look for cert for auto-shutdown support:auditSigningCert
> > cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > found
> > > cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > done init
> > > id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > initialized jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > > initSubsystem id=dbs
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
> > ready to
> > > init id=dbs
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > DBSubsystem: init()
> > > mEnableSerialMgmt=true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> > > LdapBoundConnFactor(DBSubsystem)
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > LdapBoundConnFactory:
> > > init
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > > LdapBoundConnFactory:doCloning true
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > LdapAuthInfo: init()
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > LdapAuthInfo: init begins
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> > LdapAuthInfo: init ends
> > > [03/May/2017:21:22:01][localhost-startStop-1]: init:
> before
> > > makeConnection errorIfDown is true
> > > [03/May/2017:21:22:01][localhost-startStop-1]:
> makeConnection:
> > > errorIfDown true
> > > [03/May/2017:21:22:02][localhost-startStop-1]:
> > > SSLClientCertificateSelectionCB: Setting desired cert
> > nickname to:
> > > subsystemCert cert-pki-ca
> > > [03/May/2017:21:22:02][localhost-startStop-1]:
> > LdapJssSSLSocket: set
> > > client auth cert nickname subsystemCert cert-pki-ca
> > > [03/May/2017:21:22:02][localhost-startStop-1]:
> > > SSLClientCertificatSelectionCB: Entering!
> > > [03/May/2017:21:22:02][localhost-startStop-1]:
> > > SSLClientCertificateSelectionCB: returning: null
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL
> > handshake happened
> > > Could not connect to LDAP server host
> > ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com>
> > > <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>> port 636 Error
> > > netscape.ldap.LDAPException: Authentication failed (48)
> > > at
> > >
> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.
> makeConnection(LdapBoundConnFactory.java:205)
> > > at
> > >
> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(
> LdapBoundConnFactory.java:166)
> > > at
> > >
> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(
> LdapBoundConnFactory.java:130)
> > > at
> > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> > > at
> > >
> > com.netscape.cmscore.apps.CMSEngine.initSubsystem(
> CMSEngine.java:1169)
> > > at
> > >
> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(
> CMSEngine.java:1075)
> > > at
> > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> > > at
> > >
> > com.netscape.cms.servlet.base.CMSStartServlet.init(
> CMSStartServlet.java:114)
> > > at
> > javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> > > at
> > >
> > sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
> > > at
> > >
> > sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:288)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:285)
> > > at java.security.AccessController.doPrivileged(Native
> > Method)
> > > at javax.security.auth.Subject.do
> > <http://javax.security.auth.Subject.do>AsPrivileged(
> Subject.java:549)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil.execute(
> SecurityUtil.java:320)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:175)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:124)
> > > at
> > >
> > org.apache.catalina.core.StandardWrapper.initServlet(
> StandardWrapper.java:1270)
> > > at
> > >
> > org.apache.catalina.core.StandardWrapper.loadServlet(
> StandardWrapper.java:1195)
> > > at
> > >
> > org.apache.catalina.core.StandardWrapper.load(
> StandardWrapper.java:1085)
> > > at
> > >
> > org.apache.catalina.core.StandardContext.loadOnStartup(
> StandardContext.java:5318)
> > > at
> > >
> > org.apache.catalina.core.StandardContext.startInternal(
> StandardContext.java:5610)
> > > at
> > >
> > org.apache.catalina.util.LifecycleBase.start(
> LifecycleBase.java:147)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase.addChildInternal(
> ContainerBase.java:899)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase.access$000(
> ContainerBase.java:133)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:156)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:145)
> > > at java.security.AccessController.doPrivileged(Native
> > Method)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase.addChild(
> ContainerBase.java:873)
> > > at
> > >
> > org.apache.catalina.core.StandardHost.addChild(
> StandardHost.java:652)
> > > at
> > >
> > org.apache.catalina.startup.HostConfig.deployDescriptor(
> HostConfig.java:679)
> > > at
> > >
> > org.apache.catalina.startup.HostConfig$DeployDescriptor.
> run(HostConfig.java:1966)
> > > at
> > >
> > java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511)
> > > at java.util.concurrent.FutureTask.run(FutureTask.
> java:266)
> > > at
> > >
> > java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> > > at
> > >
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> > > at java.lang.Thread.run(Thread.java:745)
> > > Internal Database Error encountered: Could not connect to
> LDAP
> > > server host ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com> <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>>
> > > port 636 Error netscape.ldap.LDAPException: Authentication
> > failed (48)
> > > at
> > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> > > at
> > >
> > com.netscape.cmscore.apps.CMSEngine.initSubsystem(
> CMSEngine.java:1169)
> > > at
> > >
> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(
> CMSEngine.java:1075)
> > > at
> > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> > > at
> > >
> > com.netscape.cms.servlet.base.CMSStartServlet.init(
> CMSStartServlet.java:114)
> > > at
> > javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> > > at
> > >
> > sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
> > > at
> > >
> > sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:288)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:285)
> > > at java.security.AccessController.doPrivileged(Native
> > Method)
> > > at javax.security.auth.Subject.do
> > <http://javax.security.auth.Subject.do>AsPrivileged(
> Subject.java:549)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil.execute(
> SecurityUtil.java:320)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:175)
> > > at
> > >
> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:124)
> > > at
> > >
> > org.apache.catalina.core.StandardWrapper.initServlet(
> StandardWrapper.java:1270)
> > > at
> > >
> > org.apache.catalina.core.StandardWrapper.loadServlet(
> StandardWrapper.java:1195)
> > > at
> > >
> > org.apache.catalina.core.StandardWrapper.load(
> StandardWrapper.java:1085)
> > > at
> > >
> > org.apache.catalina.core.StandardContext.loadOnStartup(
> StandardContext.java:5318)
> > > at
> > >
> > org.apache.catalina.core.StandardContext.startInternal(
> StandardContext.java:5610)
> > > at
> > >
> > org.apache.catalina.util.LifecycleBase.start(
> LifecycleBase.java:147)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase.addChildInternal(
> ContainerBase.java:899)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase.access$000(
> ContainerBase.java:133)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:156)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:145)
> > > at java.security.AccessController.doPrivileged(Native
> > Method)
> > > at
> > >
> > org.apache.catalina.core.ContainerBase.addChild(
> ContainerBase.java:873)
> > > at
> > >
> > org.apache.catalina.core.StandardHost.addChild(
> StandardHost.java:652)
> > > at
> > >
> > org.apache.catalina.startup.HostConfig.deployDescriptor(
> HostConfig.java:679)
> > > at
> > >
> > org.apache.catalina.startup.HostConfig$DeployDescriptor.
> run(HostConfig.java:1966)
> > > at
> > >
> > java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511)
> > > at java.util.concurrent.FutureTask.run(FutureTask.
> java:266)
> > > at
> > >
> > java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> > > at
> > >
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> > > at java.lang.Thread.run(Thread.java:745)
> > > [03/May/2017:21:22:02][localhost-startStop-1]:
> > CMSEngine.shutdown()
> > >
> > >
> > > =============================
> > >
> > >
> > > IPA11.MGMT
> > >
> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> > > Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
> > Server-Cert
> > > u,u,u MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> IPA CA CT,C,C
> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> > Certificate
> > > Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert
> > > cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu
> > > ocspSigningCert cert-pki-ca u,u,u subsystemCert
> > cert-pki-ca u,u,u
> > > Server-Cert cert-pki-ca u,u,u IPA13.MGMT (root)>certutil
> -L -d
> > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname
> > Trust
> > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u
> > MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> IPA CA CT,C,C (root)>certutil
> -L -d
> > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust
> > Attributes
> > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu
> > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert
> > cert-pki-ca
> > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert
> > cert-pki-ca u,u,u
> > > IPA12.MGMT (root)>certutil -L -d
> > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname
> > Trust
> > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u
> > MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> IPA CA C,, (root)>certutil -L
> -d
> > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust
> > Attributes
> > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu
> > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert
> > cert-pki-ca
> > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert
> > cert-pki-ca u,u,u
> > > =================================================
> IPA11.MGMT
> > > (root)>getcert list Number of certificates and requests
> being
> > > tracked: 8. Request ID '20161229155314': status:
> > MONITORING stuck:
> > > no key pair storage:
> > >
> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-
> COM',nickname='Server-Cert',token='NSS
> > > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> pwdfile.txt'
> > > certificate:
> > >
> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-
> COM',nickname='Server-Cert',token='NSS
> > > Certificate DB' CA: IPA issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa11.mgmt.crosschx.com <http://ipa11.mgmt.crosschx.com
> >
> > > <http://ipa11.mgmt.crosschx.com
> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:52:43
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > post-save
> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv
> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID
> > > '20161229155652': status: MONITORING stuck: no key pair
> > storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=CA Audit,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> expires:
> > > 2018-11-12 13:00:29 UTC key usage:
> > digitalSignature,nonRepudiation
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save
> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > "auditSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229155654':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
> > > expires: 2018-11-12 13:00:26 UTC key usage:
> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku:
> > > id-kp-OCSPSigning pre-save command:
> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229155655':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
> > > expires: 2018-11-12 13:00:28 UTC key usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229155657':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2036-11-22 13:00:25
> > UTC key
> > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > pre-save
> > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save
> > command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229155659':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> Server-Cert
> > cert-pki-ca',token='NSS
> > > Certificate DB',pin set certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> Server-Cert
> > cert-pki-ca',token='NSS
> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer:
> > CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa11.mgmt.crosschx.com <http://ipa11.mgmt.crosschx.com
> >
> > > <http://ipa11.mgmt.crosschx.com
> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-19 15:56:20
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-
> emailProtection
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save
> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > "Server-Cert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229155921':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> > > Certificate DB' CA: IPA issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa11.mgmt.crosschx.com <http://ipa11.mgmt.crosschx.com
> >
> > > <http://ipa11.mgmt.crosschx.com
> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:52:46
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > post-save
> > > command: /usr/libexec/ipa/certmonger/restart_httpd track:
> yes
> > > auto-renew: yes Request ID '20161229160009': status:
> > MONITORING
> > > stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='
> ipaCert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='
> ipaCert',token='NSS
> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:
> > CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=IPA RA,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> expires:
> > > 2018-11-12 13:01:34 UTC key usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save
> > command:
> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes
> > auto-renew: yes
> > > ================================== IPA13.MGMT
> > (root)>getcert list
> > > Number of certificates and requests being tracked: 8.
> > Request ID
> > > '20161229143449': status: MONITORING stuck: no key pair
> > storage:
> > >
> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-
> COM',nickname='Server-Cert',token='NSS
> > > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> pwdfile.txt'
> > > certificate:
> > >
> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-
> COM',nickname='Server-Cert',token='NSS
> > > Certificate DB' CA: IPA issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa13.mgmt.crosschx.com <http://ipa13.mgmt.crosschx.com
> >
> > > <http://ipa13.mgmt.crosschx.com
> > <http://ipa13.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 14:34:20
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > post-save
> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv
> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID
> > > '20161229143826': status: MONITORING stuck: no key pair
> > storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=CA Audit,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> expires:
> > > 2018-11-12 13:00:29 UTC key usage:
> > digitalSignature,nonRepudiation
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save
> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > "auditSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229143828':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
> > > expires: 2018-11-12 13:00:26 UTC key usage:
> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku:
> > > id-kp-OCSPSigning pre-save command:
> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229143831':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
> > > expires: 2018-11-12 13:00:28 UTC key usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229143833':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2036-11-22 13:00:25
> > UTC key
> > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > pre-save
> > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save
> > command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229143835':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> Server-Cert
> > cert-pki-ca',token='NSS
> > > Certificate DB',pin set certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> Server-Cert
> > cert-pki-ca',token='NSS
> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer:
> > CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa13.mgmt.crosschx.com <http://ipa13.mgmt.crosschx.com
> >
> > > <http://ipa13.mgmt.crosschx.com
> > <http://ipa13.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-19 14:37:54
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-
> emailProtection
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save
> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > "Server-Cert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229144057':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> > > Certificate DB' CA: IPA issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa13.mgmt.crosschx.com <http://ipa13.mgmt.crosschx.com
> >
> > > <http://ipa13.mgmt.crosschx.com
> > <http://ipa13.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 14:34:23
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > post-save
> > > command: /usr/libexec/ipa/certmonger/restart_httpd track:
> yes
> > > auto-renew: yes Request ID '20161229144146': status:
> > MONITORING
> > > stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='
> ipaCert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='
> ipaCert',token='NSS
> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:
> > CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=IPA RA,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> expires:
> > > 2018-11-12 13:01:34 UTC key usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save
> > command:
> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes
> > auto-renew: yes
> > > =========================== IPA12.MGMT (root)>getcert list
> > Number of
> > > certificates and requests being tracked: 8. Request ID
> > > '20161229151518': status: MONITORING stuck: no key pair
> > storage:
> > >
> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-
> COM',nickname='Server-Cert',token='NSS
> > > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> pwdfile.txt'
> > > certificate:
> > >
> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-
> COM',nickname='Server-Cert',token='NSS
> > > Certificate DB' CA: IPA issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com
> >
> > > <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:14:51
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > post-save
> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv
> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID
> > > '20161229151850': status: MONITORING stuck: no key pair
> > storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=CA Audit,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> expires:
> > > 2018-11-12 13:00:29 UTC key usage:
> > digitalSignature,nonRepudiation
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save
> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > "auditSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229151852':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
> > > expires: 2018-11-12 13:00:26 UTC key usage:
> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku:
> > > id-kp-OCSPSigning pre-save command:
> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229151854':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
> > > expires: 2018-11-12 13:00:28 UTC key usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229151856':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> > > cert-pki-ca',token='NSS Certificate DB' CA:
> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2036-11-22 13:00:25
> > UTC key
> > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > pre-save
> > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save
> > command:
> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229151858':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> Server-Cert
> > cert-pki-ca',token='NSS
> > > Certificate DB',pin set certificate:
> > >
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> Server-Cert
> > cert-pki-ca',token='NSS
> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer:
> > CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com
> >
> > > <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-19 15:18:16
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-
> emailProtection
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save
> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > "Server-Cert
> > > cert-pki-ca" track: yes auto-renew: yes Request ID
> > '20161229152115':
> > > status: MONITORING stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> > > Certificate DB' CA: IPA issuer: CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com
> >
> > > <http://ipa12.mgmt.crosschx.com
> > <http://ipa12.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
> > <http://MGMT.CROSSCHX.COM>
> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:14:54
> > UTC key
> > > usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > post-save
> > > command: /usr/libexec/ipa/certmonger/restart_httpd track:
> yes
> > > auto-renew: yes Request ID '20161229152204': status:
> > MONITORING
> > > stuck: no key pair storage:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='
> ipaCert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > >
> > type=NSSDB,location='/etc/httpd/alias',nickname='
> ipaCert',token='NSS
> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:
> > CN=Certificate
> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> subject:
> > > CN=IPA RA,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
> > <http://MGMT.CROSSCHX.COM> expires:
> > > 2018-11-12 13:01:34 UTC key usage:
> > >
> > digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save
> > command:
> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes
> > auto-renew: yes
> > >
> > >
> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
> > > *
> > > 614.427.2411
> > > mike.plemmons at crosschx.com
> > <mailto:mike.plemmons at crosschx.com>
> > <mailto:mike.plemmons at crosschx.com
> > <mailto:mike.plemmons at crosschx.com>>
> > > www.crosschx.com <http://www.crosschx.com>
> > <http://www.crosschx.com/>
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170505/14a274bd/attachment.htm>
More information about the Freeipa-users
mailing list