Travis West via FreeIPA-users wrote:
> I've just found an old p12 file from 2019. I was able to extract
> the key from that and it does match the CA Subsystem cert that
> expired 8 March that is listed in LDAP.
> So if I could somehow generate a new certificate with this and import
> into the NSS DB for /etc/pki/pki-tomcat/alias would that at least get
> the CA started?

Perhaps. It will be complicated because you'll need to move time
multiple times (e.g. start in 2019, renew, move to 2021-ish, renew, move
to 2023-ish, renew).

First you need to fix your certmonger tracking or it's likely to fail
again. Back in 2019, when things are running, executing
ipa-server-upgrade should repair the bad tracking.

rob