-----Original Message-----
From: Ian Kumlien via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, June 12, 2019 3:27 PM
To: Rob Crittenden <rcritten(a)redhat.com>
Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Ian Kumlien <ian.kumlien(a)gmail.com>
Subject: [Freeipa-users] Re: Issues with pki-tomcat - CA
On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Ian Kumlien via FreeIPA-users wrote:
> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>> Ian Kumlien via FreeIPA-users wrote:
[--8<--]
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-ca                                      u,u,u
> transportCert cert-pki-kra                                   u,u,u
> storageCert cert-pki-kra                                     u,u,u
> auditSigningCert cert-pki-kra                                u,u,Pu
> XERCES.LAN IPA CA                                            CT,C,C
> XERCES.LAN IPA CA                                            CT,C,C
> XERCES.LAN IPA CA                                            CT,C,C
You're missing all the CA certificates except the one that tomcat uses!?
That includes the CA signing cert!
It should look more like (excluding the *kra certs):
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
Do the keys for those certs exist?
# grep internal /etc/pki/pki-tomcat/password.conf
internal=foo
# certutil -K -d /etc/pki/pki-tomcat/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB": foo
Perhaps a bunch of orphans?
Seems like it. I have three orphans, and the keys for subsystemCert, caSigningCert and
ocspSigningCert seem to exist.
Any clue why this happened? I have two more servers that I can look at if you need
clues....
I mainly want to figure this out before my vacation starts ;)
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
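An added script, not from this thread or from the FreeIPA project, that turns Rob's expected listing and the orphan-key question into a check: it parses `certutil -L` and `certutil -K` output for the pki-tomcat alias directory and reports missing CA certs, wrong trust flags and orphan keys. It assumes the expected nicknames and trust flags Rob gave above, and that certutil -K labels a key with no matching certificate as "(orphan)"; the sample listings are constructed, modeled on Ian's output.

```python
import re

# Expected pki-tomcat CA entries and trust flags, as listed in Rob's reply above.
EXPECTED_CA = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "Server-Cert cert-pki-ca": "u,u,u",
}
# certutil -L row: nickname, whitespace, three comma-separated trust-flag groups.
TRUST_RE = re.compile(r"^(?P<nick>\S.*?\S)\s+(?P<trust>[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*)\s*$")
# certutil -K row: "< n> rsa <hex key id> <nickname>"; assumed "(orphan)" when no cert matches.
KEY_RE = re.compile(r"^<\s*\d+>\s+\S+\s+[0-9a-f]+\s+(?P<nick>.+?)\s*$")

def parse_cert_list(text):
    """Map each nickname in `certutil -L -d <alias dir>` output to its trust flags."""
    rows = (TRUST_RE.match(line) for line in text.splitlines())
    return {m.group("nick"): m.group("trust") for m in rows if m}

def parse_key_list(text):
    """List the nickname (or '(orphan)') attached to each key in `certutil -K` output."""
    return [m.group("nick") for m in map(KEY_RE.match, text.splitlines()) if m]

def audit(cert_text, key_text):
    """Compare an NSS DB listing against a healthy pki-tomcat CA and report the gaps."""
    certs, keys = parse_cert_list(cert_text), parse_key_list(key_text)
    return {
        "missing_certs": sorted(n for n in EXPECTED_CA if n not in certs),
        "wrong_trust": {n: certs[n] for n in EXPECTED_CA if n in certs and certs[n] != EXPECTED_CA[n]},
        "orphan_keys": keys.count("(orphan)"),
        "certs_without_key": sorted(n for n in certs if n in EXPECTED_CA and n not in keys),
    }

# Constructed sample output modeled on Ian's listing; key ids are made up.
CERT_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu
XERCES.LAN IPA CA                                            CT,C,C
"""
KEY_LIST = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0123456789abcdef0123456789abcdef01234567   Server-Cert cert-pki-ca
< 1> rsa      89abcdef0123456789abcdef0123456789abcdef   (orphan)
< 2> rsa      fedcba9876543210fedcba9876543210fedcba98   (orphan)
"""
```

On a real server, feed it `certutil -L -d /etc/pki/pki-tomcat/alias/` and `certutil -K -d /etc/pki/pki-tomcat/alias/ -f /path/to/password-file` output instead of the constructed strings.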
Sorry for butting in on this discussion, but is this an issue where the cert for that
server didn't get renewed and the tomcat-pki service won't start?
I ask because that's an issue we're having, and we're not sure how to address it.
--Jim