On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
Hi,
can you check if the cert is revoked with:
$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep -i Serial
(note the Serial number)
$ ipa cert-show <serial found above>
Does the last command display "Revoked: True" with a Revocation reason
or "Revoked: False"?
flo
[root@ipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep serial -i
Serial Number: 268238851 (0xffd0003)
****************************************************************
[root@ipa ~]# ipa cert-show 268238851
Issuing CA: ipa
Certificate: ..... ### chopped ###
Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
Not Before: Tue Nov 21 08:43:11 2017 UTC
Not After: Mon Nov 11 08:43:11 2019 UTC
Serial number: 268238851
Serial number (hex): 0xFFD0003
Revoked: True
Revocation reason: 0
---------------------------------------------------
Yes, this serial Number was marked 'revoked'.
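
Added example, not part of the original thread: a small shell script that chains the two commands above and reports the revocation status with the RFC 5280 name for the reason code. The function names and the --live switch are assumptions made for this example; the NSS database path and certificate nickname are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): automate the two-step revocation check.
# The parsers read stdin so they can also be run on saved command output.

# Pull the decimal serial from `certutil -L` output. Handles the single-line
# form shown in the thread: "Serial Number: 268238851 (0xffd0003)".
extract_serial() {
    awk '/Serial Number:/ { print $3; exit }'
}

# Reduce `ipa cert-show` output to "revoked <code>", "not-revoked" or "unknown".
revocation_status() {
    awk -F': *' '
        /^ *Revoked:/           { revoked = $2 }
        /^ *Revocation reason:/ { reason  = $2 }
        END {
            if (revoked == "True")       print "revoked " reason
            else if (revoked == "False") print "not-revoked"
            else                         print "unknown"
        }'
}

# Map a numeric code to its RFC 5280 CRLReason name (value 7 is unused).
reason_name() {
    case "$1" in
        0) echo unspecified ;;          1) echo keyCompromise ;;
        2) echo cACompromise ;;         3) echo affiliationChanged ;;
        4) echo superseded ;;           5) echo cessationOfOperation ;;
        6) echo certificateHold ;;      8) echo removeFromCRL ;;
        9) echo privilegeWithdrawn ;;  10) echo aACompromise ;;
        *) echo "unknown($1)" ;;
    esac
}

# Live check: needs certutil, the ipa client and a valid Kerberos ticket.
check_server_cert() {
    db=${1:-/etc/pki/pki-tomcat/alias/}
    nick=${2:-Server-Cert cert-pki-ca}
    serial=$(certutil -L -d "$db" -n "$nick" | extract_serial)
    [ -n "$serial" ] || { echo "no serial found for '$nick'" >&2; return 2; }
    status=$(ipa cert-show "$serial" | revocation_status)
    case "$status" in
        revoked\ *)  echo "serial $serial: REVOKED (reason: $(reason_name "${status#revoked }"))"; return 1 ;;
        not-revoked) echo "serial $serial: not revoked"; return 0 ;;
        *)           echo "serial $serial: could not determine status" >&2; return 2 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then check_server_cert; fi
```

Run with --live on the IPA server; for the output posted above it would report serial 268238851 as revoked with reason "unspecified".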