Hi flo,
here is the complete output. It does contain a line like that, but ...
------------
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=NET.IDA, CN=ipa1.ida.ing.tu-bs.de
Validity
Not Before: Sep 28 09:51:09 2020 GMT
Not After : Sep 28 09:51:09 2021 GMT
Subject: O=NET.IDA, CN=ipa1.ida.ing.tu-bs.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
46:31:70:5C:55:B6:9F:D5:EC:29:9C:54:AE:3B:53:F5:0B:91:39:3A
1.3.6.1.4.1.311.20.2:
.".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
Signature Algorithm: sha256WithRSAEncryption
[root@charon ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 1.
Request ID '20181025083152':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ipa1.ida.ing.tu-bs.de,O=NET.IDA
subject: CN=ipa1.ida.ing.tu-bs.de,O=NET.IDA
expires: 2021-09-28 09:51:09 UTC
principal name: krbtgt/NET.IDA@NET.IDA
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
--------------------
I requested a new cert, and when I rerun the openssl command it does indeed display a new
one (i.e. changed serial number, new validity dates), but the line containing the
alternatives still looks like that:
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
X509v3 Basic Constraints: critical