[Pki-users] Implications of Root Certificate reissue with a new key pair

pki tech techpkiuser at gmail.com
Fri Aug 2 04:19:41 UTC 2013


Dear all,

I have been trying to regain my PKI system after a root certificate renewal
with a NEW ROOT KEY PAIR, but I am still failing to start the CA instance.

I'm using DogTag 9.0 on Fedora 15 with a two-tier local PKI hierarchy with a
root CA and one subordinate CA.

Steps followed:

1. renew the caSigningCert via the pkiconsole with a new key pair and the
same DN as earlier

2. restart the CA instance

Then the CA instance does not start and returns the following:

[root at root admin]# /sbin/service pki-cad restart pki-ca
Stopping pki-ca:                                           [FAILED]
Starting pki-ca:                                           [  OK  ]

[root at root admin]# /sbin/service pki-cad status
pki-ca dead but subsys locked                              [WARNING]

I do understand that the subsystem certs and other system certificates need
to be renewed after the root key renewal. I did try that out by renewing
all the system certs via pkiconsole after the root key renewal without
restarting the CA instance, but it was a blind guess and I got the following
hits in the debug log.

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=sslserver
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=subsystem
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=audit_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:auditSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

It would be great if someone could help me out to update the rest of the
system certificates after the root key renewal and restore the CA
functionality.


Thanks
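The failure pattern in the post (every system cert fails isCertValid() after the root is reissued with a new key pair and the same DN) can be reproduced and checked outside Dogtag with plain OpenSSL. The script below is an added example, not code from the original post or from the Dogtag project: it builds an old root, issues a stand-in subsystem cert under it, reissues the root with a new key but the same subject, and then shows that the old subsystem cert no longer chains to the new root while a cert reissued under the new key does. It assumes the openssl CLI is available; all DNs, file names and the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate why certificates
# signed by the OLD root key stop verifying once the root certificate is
# reissued with a NEW key pair under the SAME DN. Requires the openssl CLI.
# All subjects and file names below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Old root: fresh key pair plus self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root-old.key -out root-old.crt \
    -subj "/CN=Demo Root CA" -days 3650 >/dev/null 2>&1

# Stand-in for "subsystemCert cert-pki-ca": one CSR, signed by the OLD root key.
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Demo Subsystem" >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root-old.crt -CAkey root-old.key \
    -CAcreateserial -out sub-old.crt -days 365 >/dev/null 2>&1

# Root "renewed" with a NEW key pair but the SAME subject DN.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root-new.key -out root-new.crt \
    -subj "/CN=Demo Root CA" -days 3650 >/dev/null 2>&1

# The fix the post is asking for: reissue the subsystem cert under the new key
# (same CSR, same subject, new issuer key).
openssl x509 -req -in sub.csr -CA root-new.crt -CAkey root-new.key \
    -CAcreateserial -out sub-new.crt -days 365 >/dev/null 2>&1

# verify_chain LEAF ROOT: prints "ok"/"fail" and returns 0/1.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
        return 0
    else
        echo fail
        return 1
    fi
}

# cert_subject CERT: the subject DN, which is identical for both roots.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# pubkey_fp CERT: SHA-256 over the DER public key, which is what actually
# changed between the two roots. Matching the DN is not enough for chaining.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

for pair in "sub-old.crt root-old.crt" "sub-old.crt root-new.crt" "sub-new.crt root-new.crt"; do
    set -- $pair
    printf '%-12s against %-12s : %s\n' "$1" "$2" "$(verify_chain "$1" "$2")"
done
printf 'old root subject : %s\n' "$(cert_subject root-old.crt)"
printf 'new root subject : %s\n' "$(cert_subject root-new.crt)"
printf 'old root key fp  : %s\n' "$(pubkey_fp root-old.crt)"
printf 'new root key fp  : %s\n' "$(pubkey_fp root-new.crt)"
```

The middle case is the one behind the CIMC_CERT_VERIFICATION failures: the subject DN of the new root still matches the issuer name on the old subsystem cert, so the cert store finds a candidate issuer, but the signature was made with a key the new root does not carry. Comparing the public-key fingerprint of the root each system cert was issued under against the current root is a quick way to confirm which certs still need reissuing before the instance is restarted.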