On Thu, Nov 08, 2018 at 06:03:27AM -0000, Zarko D via FreeIPA-users wrote:
> Thank you Fraser for the support.
> 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no problem
> here.
> But I am afraid I can't find common date for remaining four certs. As per below
> data:
> [1] There is common date for auditSigningCert, subsystemCert and Server-Cert
> [2] There is common date for Server-Cert and ocspSigningCert
> [3] ocspSigningCert CANNOT have common date with auditSigningCert and subsystemCert
>
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'
> Not Before: Wed Aug 24 20:49:38 2016
> Not After : Tue Aug 14 20:49:38 2018
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> Not Before: Wed Aug 24 20:49:35 2016
> Not After : Sun Aug 24 20:49:35 2036
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
> Not Before: Wed Aug 24 20:49:36 2016
> Not After : Tue Aug 14 20:49:36 2018
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
> Not Before: Sat Nov 12 16:21:33 2016
> Not After : Fri Nov 02 15:21:33 2018
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
> Not Before: Mon Oct 22 20:15:53 2018
> Not After : Sun Oct 11 20:15:53 2020
> # certutil -L -d /etc/dirsrv/slapd-REALM-COM -n 'REALM.COM IPA CA'
> Not Before: Wed Aug 24 20:49:35 2016
> Not After : Sun Aug 24 20:49:35 2036
>
> What would you suggest now?
I'm not 100% sure on the procedure but it will be something like:
1. Find an older version of the ocspSigningCert under
'ou=certificateRepository,ou=ca,o=ipaca', that is valid at the same
time as all the other certs. Copy the certificate data to a file.
2. Back up the ocspSigningCert from the /etc/pki/pki-tomcat/alias
NSSDB, via pk12util.
3. Delete the ocspSigningCert from the /etc/pki/pki-tomcat/alias
NSSDB, i.e.:
certutil -d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/alias/pwdfile.txt \
-D -n "ocspSigningCert cert-pki-ca"
4. IIRC, (3) should only delete the "most recent" version of the
OCSP cert, and expose the earlier version. But if this is not the
case, then import the certificate you saved at (1) via `certutil
-A`.
Once you have coerced the NSSDB to have a set of certificates
that are all valid at some point in time, set the system clock to
that time, restart Dogtag, and initiate renewals.
Cheers,
Fraser
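The step Zarko found hard, and which Fraser's step (1) depends on, is working out which subset of certificates shares a validity window and what clock time to pick. The following script is an added example, not code from the thread or from the FreeIPA/Dogtag projects: it parses the `Not Before`/`Not After` lines of concatenated `certutil -L` output (the sample below is constructed from the dates posted in the thread), computes the intersection of validity intervals, and reports the largest group of certificates that has a common date and which certificates are excluded from it. The function and variable names are the example's own.

```python
import re
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample: the six certutil -L results quoted in the thread, concatenated.
CERTUTIL_OUTPUT = """\
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'
Not Before: Wed Aug 24 20:49:38 2016
Not After : Tue Aug 14 20:49:38 2018
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
Not Before: Wed Aug 24 20:49:35 2016
Not After : Sun Aug 24 20:49:35 2036
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
Not Before: Wed Aug 24 20:49:36 2016
Not After : Tue Aug 14 20:49:36 2018
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
Not Before: Sat Nov 12 16:21:33 2016
Not After : Fri Nov 02 15:21:33 2018
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Not Before: Mon Oct 22 20:15:53 2018
Not After : Sun Oct 11 20:15:53 2020
# certutil -L -d /etc/dirsrv/slapd-REALM-COM -n 'REALM.COM IPA CA'
Not Before: Wed Aug 24 20:49:35 2016
Not After : Sun Aug 24 20:49:35 2036
"""

NICK_RE = re.compile(r"-n '([^']+)'")          # nickname from the echoed command line
DATE_FMT = "%a %b %d %H:%M:%S %Y"               # certutil's validity date format


def parse_validity(text):
    """Return {nickname: (not_before, not_after)} from concatenated certutil -L output."""
    certs = {}
    current = None
    for line in text.splitlines():
        m = NICK_RE.search(line)
        if m:                                   # a new "# certutil ... -n '<nick>'" header
            current = m.group(1)
            certs[current] = [None, None]
            continue
        if current is None:
            continue
        if line.startswith("Not Before:"):
            certs[current][0] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("Not After"):
            certs[current][1] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
    # Drop entries whose validity lines were missing or truncated.
    return {k: tuple(v) for k, v in certs.items() if None not in v}


def common_window(certs, nicknames):
    """Intersection of the validity intervals of `nicknames`; None if they never overlap."""
    start = max(certs[n][0] for n in nicknames)
    end = min(certs[n][1] for n in nicknames)
    return (start, end) if start <= end else None


def largest_common_sets(certs):
    """Largest groups of nicknames that share at least one common validity instant."""
    names = sorted(certs)
    for size in range(len(names), 0, -1):
        found = [c for c in combinations(names, size) if common_window(certs, c)]
        if found:
            return found
    return []


def suggest_clock_time(window):
    """Midpoint of a window: a safe instant to set the clock to, well clear of both edges."""
    start, end = window
    return start + (end - start) / 2


if __name__ == "__main__":
    certs = parse_validity(CERTUTIL_OUTPUT)
    for group in largest_common_sets(certs):
        window = common_window(certs, group)
        print("common window:", window[0], "->", window[1])
        print("  suggested clock time:", suggest_clock_time(window))
        print("  excluded:", sorted(set(certs) - set(group)) or "none")
```

Run against the thread's data, the script reports one largest group of five (everything except `ocspSigningCert cert-pki-ca`), a common window from 2016-11-12 16:21:33 to 2018-08-14 20:49:36, and suggests a clock time in the middle of it; that is exactly the finding in points [1] to [3] above, and it tells you which certificate the NSSDB has to be coerced on before the clock is moved. Nicknames whose `Not Before`/`Not After` lines are missing are dropped rather than guessed, so a truncated paste shows up as a missing entry instead of a wrong window.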