Swapping the O and CN in the req did the trick for the getcert list output
Request ID '20190322032031':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: CN=CA Subsystem,O=IPA.****.NET
expires: 2034-04-01 11:35:47 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190322032030':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: CN=OCSP Subsystem,O=IPA.****.NET
expires: 2034-04-01 11:32:48 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190322032029':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: CN=CA Audit,O=IPA.****.NET
expires: 2034-04-01 11:38:26 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
I then updated LDAP with the new CA Subsystem cert, so that it and its serial match:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDNj....RXOm8Q==
description: 2;4;CN=Certificate Authority,O=IPA.****.NET;CN=CA Subsystem,O=IPA.****.NET
seeAlso: CN=CA Subsystem,O=IPA.****.NET
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
MIIDNj....RXOm8Q==
-----END CERTIFICATE-----
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep Serial
Serial Number: 4 (0x4)
After this I tried an 'ipactl restart --ignore-service-failures', but pki-tomcat still failed to start. So I tried manually stopping that service using 'systemctl stop pki-tomcatd@pki-tomcat.service' and then issuing an 'ipactl start --ignore-service-failures'.
This time all services seem to have started:
# ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
If I log in to the UI I can now browse to Authentication > Certificates, whereas before I got an error when going there.
So far so good. Now, I've got 5 other servers in this cluster, all denoted as Master, with this server set as the CA Renewal Master. Do I need to repeat the certificate import steps on the other 5 servers, or is there a way to replicate the new certificates over to the other hosts?
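The LDAP-versus-NSS-DB comparison done by hand above (pkidbuser description and userCertificate against certutil -L) can be scripted. The following is an added example, not code from the original post or from FreeIPA: it parses the pkidbuser description attribute in its `version;serial;issuer;subject` form and the certutil pretty-print output, and reports any field that differs (a swapped `O`/`CN` order in the subject shows up as a mismatch, as does a stale serial). The realm IPA.EXAMPLE.NET and both sample outputs are constructed placeholders; it also handles the colon-separated hex form certutil uses for large serials, which the post's output does not show.

```python
import re

# Constructed sample values; the post masks the real realm, so IPA.EXAMPLE.NET is a placeholder.
SAMPLE_DESCRIPTION = "2;4;CN=Certificate Authority,O=IPA.EXAMPLE.NET;CN=CA Subsystem,O=IPA.EXAMPLE.NET"

# Constructed excerpt of: certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
SAMPLE_CERTUTIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.NET"
        Subject: "CN=CA Subsystem,O=IPA.EXAMPLE.NET"
"""


def parse_description(value):
    """Split the pkidbuser 'description' attribute: <version>;<serial>;<issuer DN>;<subject DN>."""
    parts = value.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected description format: %r" % value)
    version, serial, issuer, subject = parts
    return {"version": int(version), "serial": int(serial), "issuer": issuer, "subject": subject}


def _serial_from_certutil(text):
    """certutil prints small serials as 'N (0xN)' and large ones as hex bytes on the next line(s)."""
    m = re.search(r"Serial Number:[ \t]*(\d+) \(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:[ \t]*\n((?:\s*[0-9a-fA-F]{2}:?)+)", text)
    if m:
        return int(re.sub(r"[\s:]", "", m.group(1)), 16)
    raise ValueError("no serial number found in certutil output")


def parse_certutil(text):
    """Pull serial, issuer and subject (certutil quotes the DNs) out of certutil -L pretty-print output."""
    issuer = re.search(r'Issuer:\s*"([^"]*)"', text)
    subject = re.search(r'Subject:\s*"([^"]*)"', text)
    if not (issuer and subject):
        raise ValueError("issuer/subject not found in certutil output")
    return {"serial": _serial_from_certutil(text), "issuer": issuer.group(1), "subject": subject.group(1)}


def check_pkidbuser(description, certutil_text):
    """Return the list of fields where LDAP and the NSS DB disagree; an empty list means consistent."""
    ldap, nss = parse_description(description), parse_certutil(certutil_text)
    return ["%s: ldap=%r nssdb=%r" % (k, ldap[k], nss[k])
            for k in ("serial", "issuer", "subject") if ldap[k] != nss[k]]


if __name__ == "__main__":
    problems = check_pkidbuser(SAMPLE_DESCRIPTION, SAMPLE_CERTUTIL)
    print("consistent" if not problems else "\n".join(problems))
```

On a real server, feed it the `description` value from the ldapsearch and the full `certutil -L` output of the subsystemCert (without the `| grep Serial`).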