This morning I thought I had found what I was missing: importing the new RA cert into ~/.dogtag/nssdb, which I've done, and now the RA cert matches in all the places I know about.
# certutil -L -d /root/.dogtag/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate Authority - IPA.****.NET                         CT,C,C
IPA RA - IPA.****.NET                                        u,u,u

# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" -a
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----

# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" | grep Serial
        Serial Number: 7 (0x7)

# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6jCC...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----
but the openssl verify command with the -show_chain flag still seems to fail:
# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
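The three lookups above compare the RA cert by eye on a truncated base64 string. The script below is an added example, not part of the post or of FreeIPA, that does the same comparison on the full base64 DER body from ra-agent.pem, the NSS database dump and the ldapsearch LDIF (unfolding LDIF continuation lines); the paths, nickname and LDAP base are the ones shown in the post, and the realm is a placeholder to substitute.

```shell
#!/bin/sh
# Added example, not from the original post: compare the RA agent certificate
# across the three places the post inspects (ra-agent.pem, the NSS db, LDAP) by
# its base64 DER body instead of by eye. The comparison needs no openssl or
# certutil; paths and nickname below are the post's, the realm is a placeholder.

# Base64 body of a PEM certificate file, whitespace removed.
pem_b64() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
      | sed '/^-----/d' | tr -d ' \t\r\n'
}

# Base64 value of userCertificate from LDIF on stdin (ldapsearch output).
# LDIF folds long values: continuation lines start with a single space.
ldif_cert_b64() {
    awk '
        /^ /  { if (cap) val = val substr($0, 2); next }   # value continues
              { if (cap) exit }                            # value finished
        /^userCertificate:: / { cap = 1; val = substr($0, 19) }
        END   { print val }
    '
}

# $1 = ra-agent.pem, $2 = LDIF from ldapsearch, $3 = PEM dumped with certutil -a.
# Prints a summary per source; returns 0 only when all three bodies are identical.
check_ra_cert() {
    file=$(pem_b64 "$1"); ldap=$(ldif_cert_b64 < "$2"); nss=$(pem_b64 "$3")
    for s in file ldap nss; do
        eval "v=\$$s"
        printf '%-5s %5d chars  %s...\n' "$s" "${#v}" "$(printf %s "$v" | cut -c1-12)"
    done
    [ -n "$file" ] && [ "$file" = "$ldap" ] && [ "$file" = "$nss" ]
}

# Live run on the IPA CA host (needs certutil, ldapsearch and the Directory
# Manager password):   sh check_ra_cert.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.EXAMPLE.NET" -a > "$tmp/nss.pem"
    ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca userCertificate > "$tmp/ldap.ldif"
    check_ra_cert /var/lib/ipa/ra-agent.pem "$tmp/ldap.ldif" "$tmp/nss.pem" && echo "RA cert consistent"
fi
```

When openssl verify answers with its usage text, as above, it did not understand an option rather than fail the chain: -show_chain only exists from OpenSSL 1.1.0 on, so on an older build drop that flag and read the exit status and the printed "OK" or error instead.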