I know this is an old thread, but I'm just posting this for someone who comes across the same issue as me...
In order to fix my problem I had to do the following, for example to fix the 'ocspSigningCert cert-pki-ca' certificate renewing with wrong subjects:
Find the serial number for that certificate:
# certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial
Get the requestID:
# ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={SERIALNUMBER},ou=certificateRepository,ou=ca,o=ipaca "metaInfo"
Get the request data:
# ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={REQUESTID},ou=ca,ou=requests,o=ipaca
If the request data does not match the current certificate, we need to find one which should be used instead.
# certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Subject
# ldapsearch -D "cn=Directory Manager" -W -s sub -b ou=ca,ou=requests,o=ipaca "extdata-req--005fsubject--005fname--002ecn={SUBJECT}"
If we have multiple results, check which one has the right attributes set by comparing to a different system. Once you know which request to use, change the requestId in the certificateRepository to the one selected. I used ldapadmin to connect and make the change, but ldapmodify should also work.
Hope this helps someone in the future...
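The lookup chain described in the post (serial from the NSS database, request id from the certificateRepository entry, then the request entry itself) can be scripted so the pieces are parsed rather than copied by hand. The following is an added example written for this page, not the poster's own commands or anything shipped with FreeIPA/Dogtag. The NSS database path /etc/pki/pki-tomcat/alias and the o=ipaca suffix are taken from the post; the "metaInfo: requestId:N" line format and the "--XXXX" encoding of the extdata attribute name are inferred from the post's own commands (the filter writes req_subject_name.cn as req--005fsubject--005fname--002ecn), not from Dogtag documentation. The sample certutil and ldapsearch output at the bottom is constructed so the parsing functions can be exercised without a CA.

```shell
#!/bin/sh
# Added example, not the poster's script: helpers for the certificate -> request lookup.
# Assumed from the post: NSS DB path and LDAP suffix. Inferred from the post: the
# "metaInfo: requestId:N" line format and the "--XXXX" extdata attribute-name encoding.

NSSDB=/etc/pki/pki-tomcat/alias
SUFFIX=o=ipaca

# Read `certutil -L -d $NSSDB -n <nick>` output on stdin and print the decimal serial.
# certutil prints "Serial Number: 12 (0xc)"; the repository entry cn uses the decimal form.
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read the ldapsearch output for a certificateRepository entry on stdin and print the
# request id carried in its metaInfo attribute (assumed line: "metaInfo: requestId:22").
requestid_from_metainfo() {
    sed -n 's/^metaInfo: requestId:\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Build the LDAP attribute name for an extdata key: every character that is not a letter
# or digit is written as "--" plus its 4-digit hex code, so req_subject_name.cn becomes
# req--005fsubject--005fname--002ecn exactly as in the post's filter.
encode_extdata_attr() {
    key=$1
    out=""
    while [ -n "$key" ]; do
        c=${key%"${key#?}"}        # first character of the remaining key
        key=${key#?}               # the rest
        case $c in
            [A-Za-z0-9]) out="$out$c" ;;
            *) out="$out--$(printf '%04x' "'$c")" ;;
        esac
    done
    printf 'extdata-%s' "$out"
}

# DN of the certificateRepository entry for a decimal serial.
repo_dn() {
    printf 'cn=%s,ou=certificateRepository,ou=ca,%s' "$1" "$SUFFIX"
}

# DN of a request entry for a request id.
request_dn() {
    printf 'cn=%s,ou=ca,ou=requests,%s' "$1" "$SUFFIX"
}

# Run the real lookups (the post's first three steps) when certutil/ldapsearch exist.
# Base scope is enough here because the -b argument is the entry itself.
lookup_request_for_nick() {
    nick=$1
    serial=$(certutil -L -d "$NSSDB" -n "$nick" | serial_from_certutil)
    [ -n "$serial" ] || { echo "no serial found for $nick" >&2; return 1; }
    reqid=$(ldapsearch -LLL -D "cn=Directory Manager" -W -s base -b "$(repo_dn "$serial")" metaInfo \
            | requestid_from_metainfo)
    [ -n "$reqid" ] || { echo "no requestId in $(repo_dn "$serial")" >&2; return 1; }
    ldapsearch -LLL -D "cn=Directory Manager" -W -s base -b "$(request_dn "$reqid")"
}

# Constructed sample output, so the parsers can be run offline.
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)'
SAMPLE_REPO_ENTRY='dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
metaInfo: requestId:22'

demo() {
    s=$(printf '%s\n' "$SAMPLE_CERTUTIL" | serial_from_certutil)
    r=$(printf '%s\n' "$SAMPLE_REPO_ENTRY" | requestid_from_metainfo)
    echo "serial=$s  entry: $(repo_dn "$s")"
    echo "requestId=$r  entry: $(request_dn "$r")"
    echo "subject filter attribute: $(encode_extdata_attr req_subject_name.cn)"
}
demo
```

Run `lookup_request_for_nick "ocspSigningCert cert-pki-ca"` on the CA host to print the request entry that the current certificate points at; compare its extdata attributes with the certificate's subject before touching the requestId in the repository, as the post advises.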