[Pki-users] expired pki-server 10.3.3 certificates

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Tue Dec 4 20:25:00 UTC 2018


ZD,

Open the .crt file and delete the newline, header and footer. Now,
update the CS.cfg with this value.

Reference: https://www.dogtagpki.org/wiki/System_Certificate_Renewal#PKI_10.3_or_earlier_2

Regards,
Dinesh

On Sun, 2018-12-02 at 02:09 +0000, Z D wrote:
> Thanks Dinesh,
>
> I misread that argument for ca-cert-request-review is serial number,
> but as you said it has to be request ID.  Indeed, I made progress, and
> can retrieve renewed Cert:
>
> [root at ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output ipacert.crt
> ------------------------
> Certificate "0x8fff0090"
> ------------------------
>   Serial Number: 0x8fff0090
>   Issuer: CN=Certificate Authority,O=DOMAIN.COM
>   Subject: CN=IPA RA,O=DOMIAN.COM
>   Status: VALID
>   Not Before: Fri Aug 10 01:08:19 PDT 2018
>   Not After: Thu Jul 30 01:08:19 PDT 2020
>
> I also stopped PKI server, removed old cert from NSS database, and
> installed new one. This is all for ipaCert. But before I start
> renewing other ones (audit, ocsp, subsystem), I have to ask next
>
> [1] how to properly convert cert (.crt file) into one line?
>
> I believe I need this in order to update below lines in CS.cfg file.
>
> ca.audit_signing.cert=...
> ca.ocsp_signing.cert=...
> ca.subsystem.cert=...
>
> Thanks a lot for your support. Zarko
>
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> Sent: Tuesday, November 27, 2018 9:56 AM
> To: Z D; John Magne; pki-users at redhat.com
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> ZD,
>
> From [6], your request ID is 89990160. But, you are passing request
> ID as 7
>
> Regards,
> Dinesh
>
> On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:
> > [6] Submit cert request, it's pending
> >
> > # pki ca-cert-request-submit caManualRenewal.xml
> > -----------------------------
> > Submitted certificate request
> > -----------------------------
> >   Request ID: 89990160
> >   Type: renewal
> >   Request Status: pending
> >   Operation Result: success
> >
> > [7] This fails with message "BadRequestException: Request Not In
> > Pending State", as per [6] it should be in pending state
> >
> > # pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve
> 
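
The conversion described in the reply at the top of this message (strip the header, footer and newlines from the .crt, then put the value in CS.cfg), as an added shell example that is not part of the original thread or of Dogtag's own tooling. The function names, the placeholder base64 and the two-line stand-in for CS.cfg are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn a PEM .crt into the one-line value CS.cfg expects.

# Print the base64 body of the first certificate in a PEM file on one line:
# drops the BEGIN/END lines, CR/LF line endings and stray whitespace.
pem_to_oneline() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
    ' "$1"
}

# Replace KEY=... in a CS.cfg-style file with the one-line certificate.
# Refuses to write when the value is empty or not pure base64, or when KEY
# is absent; keeps CS.cfg.bak and the original file's owner and mode.
set_cfg_cert() {    # usage: set_cfg_cert CS.cfg ca.audit_signing.cert new.crt
    cfg=$1 key=$2 value=$(pem_to_oneline "$3")
    case $value in
        ''|*[!A-Za-z0-9+/=]*) echo "no usable certificate in $3" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { print k "=" v; hit = 1; next }
        { print }
        END { exit !hit }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; echo "$key not in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Demo on constructed input: placeholder base64 (not a real certificate)
# with CRLF line endings, and a two-line stand-in for CS.cfg.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktMTU5P' \
        'UFFSU1RVVldYWVo+/w==' '-----END CERTIFICATE-----' > "$d/audit.crt"
    printf 'ca.audit_signing.cert=OLDVALUE\nca.subsystem.cert=KEEP\n' > "$d/CS.cfg"
    set_cfg_cert "$d/CS.cfg" ca.audit_signing.cert "$d/audit.crt" && cat "$d/CS.cfg"
    rm -rf "$d"
}
demo
```

On a real certificate, `openssl x509 -in new.crt -noout -enddate` confirms the renewed Not After date before the value is written.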