[Pki-users] expired pki-server 10.3.3 certificates
Dinesh Prasanth Moluguwan Krishnamoorthy
dmoluguw at redhat.com
Tue Dec 4 20:25:00 UTC 2018
ZD,
Open the .crt file and delete the newline, header and footer. Now,
update the CS.cfg with this value.
Reference:
https://www.dogtagpki.org/wiki/System_Certificate_Renewal#PKI_10.3_or_earlier_2
Regards,Dinesh
On Sun, 2018-12-02 at 02:09 +0000, Z D wrote:
> Thanks Dinesh,
>
>
> I misread that argument for ca-cert-request-review is serial number,
> but as you said it has to be request ID. Indeed, I made progress,
> and
> can retrieve renewed Cert:
>
>
>
>
> [root at ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output
> ipacert.crt
>
> ------------------------
>
> Certificate "0x8fff0090"
>
> ------------------------
>
> Serial Number: 0x8fff0090
>
> Issuer: CN=Certificate Authority,O=DOMAIN.COM
>
> Subject: CN=IPA RA,O=DOMIAN.COM
>
> Status: VALID
>
> Not Before: Fri Aug 10 01:08:19 PDT 2018
>
> Not After: Thu Jul 30 01:08:19 PDT 2020
>
>
>
>
> I also stopped PKI server, removed old cert from NSS database, and
> installed new one. This is all for ipaCert. But before I start
> renewing other ones (audit, ocsp, subsystem), I have to ask next
>
>
>
>
>
> [1] how to properly convert cert (.crt file) into one line?
>
>
>
>
>
>
> I believe I need this in order to update below lines in CS.cfg file.
>
>
>
>
> ca.audit_signing.cert=...
>
> ca.ocsp_signing.cert=...
>
> ca.subsystem.cert=...
>
>
>
> Thanks a lot for your support. Zarko
>
>
>
>
>
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
>
> Sent: Tuesday, November 27, 2018 9:56 AM
>
> To: Z D; John Magne; pki-users at redhat.com
>
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
>
>
> ZD,
>
>
>
> From [6], your request ID is 89990160. But, you are passing request
> ID as 7
>
>
>
> Regards,
> Dinesh
>
>
>
> On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:
> > [6] Submit cert request, it's pending
> >
> >
> >
> >
> > # pki ca-cert-request-submit caManualRenewal.xml
> >
> > -----------------------------
> >
> > Submitted certificate request
> >
> > -----------------------------
> >
> > Request ID: 89990160
> >
> > Type: renewal
> >
> > Request Status: pending
> >
> > Operation Result: success
> >
> >
> >
> >
> >
> > [7] This fails with message "BadRequestException: Request Not In
> > Pending State", as per [6] it should be in pending state
> >
> >
> >
> >
> > # pki -v -d /etc/httpd/alias -c
> > e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-
> > request-review 7 --action approve
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20181204/9f95db75/attachment.htm>
More information about the Pki-users
mailing list