Hello All,

I upgraded our IPA server, and after the upgrade IPA won't start again. Further investigation shows that components of IPA start, but pki-tomcatd@pki-tomcat.service appears to be where the issue lies. Checking the logs suggested that the issue lies in the certificate database. On checking the directory /etc/pki/pki-tomcat/alias with certutil:

[namead@ipasvr01 alias]$ sudo certutil -K -d . -f pwdfile.txt 
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      9bb20dbec9d8dd63e1db53b0662eaf37a1518bf9   ocspSigningCert cert-pki-ca
< 1> rsa      49d9f7a5f5ab3ed93d4037676b1bf9e236b89d0f   subsystemCert cert-pki-ca
< 2> rsa      df374a636d9a424aaefefc6367dcb868f82f536d   Server-Cert cert-pki-ca
< 3> rsa      7cebd0bbadddd5e581c328a99982e0ef5172d61f   (orphan)
< 4> rsa      52839be82200bb2a9ff2034629c53cd90a0575a8   auditSigningCert cert-pki-ca
< 5> rsa      c4a6d42c22a874a69231a2d7446bccfe9ce0cbaa   caSigningCert cert-pki-ca

Any help in deleting the key would be appreciated.

Thanks

_Uz