<div dir="ltr"><div><div>Thanks Flo,<br>
<br>
My system is still in a bad state as I got this as a result of the command:<br>
<br>
[root@id-management-1 ~]# ipa-cacert-manage renew --self-signed<br>
Renewing CA certificate, please wait<br>
Resubmitting certmonger request '20170101055025' timed out, please check the request manually<br>
The ipa-cacert-manage command failed.<br>
<br>
</div>The relevant output from getcert list was:<br>
Request ID '20170101055025':<br>
        status: NEED_CSR_GEN_TOKEN<br>
        stuck: yes<br>
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
        CA: dogtag-ipa-ca-renew-agent<br>
        issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
        subject: CN=localhost<br>
        expires: 2037-01-01 06:28:46 UTC<br>
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
        pre-save command:<br>
        post-save command:<br>
        track: yes<br>
        auto-renew: yes<br>
<br>
</div><div>I took the step of stopping tracking on that cert, which was a mistake, and now I'm having a hard time with the syntax of adding it back.<br>
<br>
</div><div>Jeff<br>
</div><div><div><br>
<div><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <span dir="ltr">&lt;<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 01/12/2017 02:57 PM, Jeff Goddard wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I've had issues with expired certificates. In the course of<br>
troubleshooting I've somehow set the CAs to external. Is there a way I<br>
can switch back?<br>
<br>
[root@id-management-1 conf]# getcert list-cas<br>
CA 'SelfSign':<br>
        is-default: no<br>
        ca-type: INTERNAL:SELF<br>
        next-serial-number: 01<br>
CA 'IPA':<br>
        is-default: no<br>
        ca-type: EXTERNAL<br>
        helper-location: /usr/libexec/certmonger/ipa-server-guard<br>
/usr/libexec/certmonger/ipa-submit<br>
CA 'certmaster':<br>
        is-default: no<br>
        ca-type: EXTERNAL<br>
        helper-location: /usr/libexec/certmonger/certmaster-submit<br>
CA 'dogtag-ipa-renew-agent':<br>
        is-default: no<br>
        ca-type: EXTERNAL<br>
        helper-location: /usr/libexec/certmonger/ipa-server-guard<br>
/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit<br>
CA 'local':<br>
        is-default: no<br>
        ca-type: EXTERNAL<br>
        helper-location: /usr/libexec/certmonger/local-submit<br>
CA 'dogtag-ipa-ca-renew-agent':<br>
        is-default: no<br>
        ca-type: EXTERNAL<br>
        helper-location:<br>
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv<br>
<br>
Thanks,<br>
<br>
Jeff<br>
<br>
<br>
<br>
</blockquote>
Hi Jeff,<br>
<br>
the following documentation explains how to change the certificate chain from externally-signed to self-signed:<br>
<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html</a><br>
<br>
HTH,<br>
Flo.<br>
</blockquote></div>
</div></div></div></div></div>