certutil -V -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -u O
certutil -V -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -u C
certutil -V -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -u V
certutil -V -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -u J
certutil -V -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -u L
That is more or less what our selftests are doing for the PKI component.
Hello,
we have an issue with resubmitting several certificates.
We suspect the reason might be the encoding mismatch between the certificate and the CA certificate.
Our environment was upgraded over the years from some 3.x version to the current 4.5.4. So the very first CA certificate was encoded in PRINTABLESTRING.
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
Validity
Not Before: Dec 1 14:14:37 2014 GMT
Not After : Dec 1 14:14:37 2034 GMT
Subject:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
When we renewed (due to SHA1) we got PRINTABLESTRING x UTF8STRING, and then we renewed again, so now we have:
Issuer:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
Validity
Not Before: Oct 9 07:34:24 2017 GMT
Not After : Oct 9 07:34:24 2037 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
And most certificates were renewed fine.
However, recently we noticed that several certificates can't be resubmitted; all of them look like this:
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
Validity
Not Before: Nov 24 12:17:12 2016 GMT
Not After : Nov 14 12:17:12 2018 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:ipa07.example.com
The error when resubmitting is:
Peer certificate cannot be authenticated with given CA certificates. The tcpdump from 8443 says Unknown CA.
Is the assumption that the encoding mismatch is blocking the submitting certificate correct?
One of the certificates which we also can't renew is the 'IPA RA' (/var/lib/ipa/ra-agent.pem)
What we tried:
Add all versions of CA certificate to /etc/pki/pki-tomcat/alias trust store (also add them one-by-one)
Setting date back before the expiration.
Advice from: https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
Deleting the related CSR from o=ipaca, supposing that a newly generated CSR would be fine.
Any suggestions what else we could try?
Thanks
Petr
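The suspicion in the post can be checked directly rather than inferred from the "Unknown CA" alert: take the Issuer DN bytes out of the failing leaf and the Subject DN bytes out of each CA certificate and compare them once byte-for-byte on the DER and once on the string values only. RFC 5280 section 7.1 allows an implementation to treat attribute values encoded in different string types (PrintableString vs UTF8String) as different strings, so a verifier that locates the issuer by the encoded name will not pair a 2016 leaf whose Issuer is PRINTABLESTRING with a 2017 CA whose Subject is UTF8STRING, even though every character matches. The script below is an added example, not code from the post or from FreeIPA/Dogtag; it uses only the Python standard library, and the DNs at the bottom are constructed to mirror the ones in the post (they are not real certificates). The `issuer_and_subject()` and `load_pem()` helpers are there so the same checks can be run on the real files, e.g. `/var/lib/ipa/ra-agent.pem` and a CA certificate exported with `certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -a`; which nickname holds which CA generation in the NSS database is an assumption you have to confirm on the box.

```python
"""Compare a leaf certificate's Issuer DN with a CA certificate's Subject DN,
both byte-for-byte (DER) and by string value only, to spot a
PrintableString/UTF8String encoding mismatch. Standard library only.
"""
import base64

PRINTABLE_STRING = 0x13            # ASN.1 universal tag PrintableString
UTF8_STRING = 0x0C                 # ASN.1 universal tag UTF8String
OID_O = bytes.fromhex("55040a")    # id-at-organizationName (2.5.4.10)
OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
TAG_NAMES = {PRINTABLE_STRING: "PRINTABLESTRING", UTF8_STRING: "UTF8STRING"}


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, body, offset after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def attr(oid, string_tag, text):
    """AttributeTypeAndValue ::= SEQUENCE { OID, value with the given string tag }."""
    return tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode("utf-8")))


def name(attrs):
    """Name ::= SEQUENCE OF RelativeDistinguishedName; one AVA per SET here."""
    return tlv(0x30, b"".join(tlv(0x31, a) for a in attrs))


def parse_name(der):
    """Decode a DER Name into [(oid_hex, string_tag, text), ...]."""
    _, seq, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)          # SET
        rpos = 0
        while rpos < len(rdn):
            _, ava, rpos = read_tlv(rdn, rpos)    # SEQUENCE
            _, oid, vpos = read_tlv(ava, 0)
            vtag, value, _ = read_tlv(ava, vpos)
            out.append((oid.hex(), vtag, value.decode("utf-8")))
    return out


def issuer_and_subject(cert_der):
    """Raw DER Issuer and Subject slices of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)            # Certificate
    _, tbs, _ = read_tlv(cert, 0)                 # tbsCertificate
    pos = 0
    tag, _, end = read_tlv(tbs, pos)
    if tag == 0xA0:                               # version [0] EXPLICIT, optional
        pos = end
    _, _, pos = read_tlv(tbs, pos)                # serialNumber
    _, _, pos = read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    start = pos
    _, _, pos = read_tlv(tbs, pos)                # issuer
    issuer = tbs[start:pos]
    _, _, pos = read_tlv(tbs, pos)                # validity
    start = pos
    _, _, pos = read_tlv(tbs, pos)                # subject
    return issuer, tbs[start:pos]


def load_pem(text):
    """Base64-decode the first BEGIN/END block in a PEM file's text."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            body.append(line)
    return base64.b64decode("".join(body))


def binary_match(issuer_der, subject_der):
    """Strict check: the encoded names must be identical bytes."""
    return issuer_der == subject_der


def value_match(issuer_der, subject_der):
    """Lenient check: same attribute types and text, string tags ignored."""
    strip = lambda n: [(o, v) for o, _, v in parse_name(n)]
    return strip(issuer_der) == strip(subject_der)


def encoding_mismatches(issuer_der, subject_der):
    """AVAs whose text is identical but whose ASN.1 string type differs,
    as [(oid_hex, issuer_tag, subject_tag), ...]."""
    iss, sub = parse_name(issuer_der), parse_name(subject_der)
    if len(iss) != len(sub):
        return []
    return [(o1, TAG_NAMES.get(t1, hex(t1)), TAG_NAMES.get(t2, hex(t2)))
            for (o1, t1, v1), (o2, t2, v2) in zip(iss, sub)
            if o1 == o2 and v1 == v2 and t1 != t2]


# Constructed sample DNs mirroring the post; not real certificates.
CA_2014_SUBJECT = name([attr(OID_O, PRINTABLE_STRING, "EXAMPLE.COM"),
                        attr(OID_CN, PRINTABLE_STRING, "Certificate Authority")])
CA_2017_SUBJECT = name([attr(OID_O, UTF8_STRING, "EXAMPLE.COM"),
                        attr(OID_CN, UTF8_STRING, "Certificate Authority")])
LEAF_2016_ISSUER = CA_2014_SUBJECT  # a leaf copies the Issuer from the CA that signed it

if __name__ == "__main__":
    for label, ca in (("2014 CA", CA_2014_SUBJECT), ("2017 CA", CA_2017_SUBJECT)):
        print(label, "binary:", binary_match(LEAF_2016_ISSUER, ca),
              "value:", value_match(LEAF_2016_ISSUER, ca),
              "mismatches:", encoding_mismatches(LEAF_2016_ISSUER, ca))
```

Against the constructed data the 2016 issuer matches the 2014 CA subject on both checks and the 2017 CA subject only on the value check, with both the O and CN attributes reported as PRINTABLESTRING versus UTF8STRING. On a real system, run `issuer_and_subject(load_pem(open(path).read()))` on the leaf and on each exported CA certificate: if `binary_match` is false for every CA in the trust store while `value_match` is true for one of them, the encoding is the only thing standing between the leaf and its issuer, which is what the post's hypothesis predicts; if `value_match` is also false, the names differ in content and the encoding is not the cause.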
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org