[Pki-users] Urgent Help Needed - CA subsystem certificate renewal

Kamal Perera techpkiuser at gmail.com
Wed Nov 19 03:11:54 UTC 2014 

No all the certificates of RA are not expired.

In the case of OCSP, once the CA system certificates are renewed, CA
subSystemCert should be replaced in the OCSP via the pkiconsole.

How can we do that in the RA?

On Tue, Nov 18, 2014 at 8:57 PM, Ade Lee <alee at redhat.com> wrote:

> The RA communicates with the CA using its subsystem cert.
> Is that cert expired too?
>
> You should look at the logs on the RA and the CA to try to see why the
> requests are not being processed correctly.
>
> Ade
>
> On Sat, 2014-11-15 at 19:12 +0530, Kamal Perera wrote:
> > Dear John (remembering the movie dear John :))
> >
> >
> > Thank you for replying.
> >
> >
> > all the four certificates (casubsystemCert, auditSigningCert,
> > ocspSigningCert and serverCert) were expired, however after several
> > tries, i was able to renew them by changing the system date back to a
> > valid time and renew them via the pkiconsole.
> >
> >
> > Although it was successful, now RA and OCSP are not communicating with
> > the CA. Which means, OCSP updates are not being published, and RA
> > requests are not being signed (getting the CA:invalid request error).
> >
> >
> > Any suggestion?
> >
> >
> > On Fri, Nov 14, 2014 at 11:41 PM, John Magne <jmagne at redhat.com>
> > wrote:
> >         Hi:
> >
> >         If you could, could you tell us exactly which certs are
> >         expired?
> >
> >         Also, related how much functionality does your CA have? Does
> >         it
> >         even start and field requests?
> >
> >         thanks,
> >         jack
> >
> >
> >
> >         ----- Original Message -----
> >         > From: "pki tech" <techpkiuser at gmail.com>
> >         > To: pki-users at redhat.com
> >         > Sent: Thursday, November 13, 2014 10:31:18 PM
> >         > Subject: [Pki-users] Urgent Help Needed - CA subsystem
> >         certificate renewal
> >         >
> >         > Dear All,
> >         >
> >         > In our Issuing CA, all the subsystem certificates are
> >         expired except the
> >         > caSigningCert.
> >         >
> >         > I can generate the new certificate requests via certutil,
> >         but how can i get
> >         > them signed?
> >         >
> >         > your swift response is appreciated.
> >         >
> >         > Regards,
> >         > Kamal
> >         >
> >
> >         > _______________________________________________
> >         > Pki-users mailing list
> >         > Pki-users at redhat.com
> >         > https://www.redhat.com/mailman/listinfo/pki-users
> >
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141119/8aec4eca/attachment.htm>

More information about the Pki-users mailing list