Thanks, I did it as your instruction, the old serial 268238851 was revoked and invalid. A
new serial was generated and valid already.
==================
# 268238851, certificateRepository, ca, ipaca
dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09268238851
metaInfo: requestId:9970004
metaInfo: profileId:caInternalAuthServerCert
notBefore: 20171121164311Z
notAfter: 20191111164311Z
duration: 1162208000000
subjectName: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
issuerName: CN=Certificate Authority,O=IPA.PTHL.HK
publicKeyData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: XXXXXXXXXXXXXXXXXXXXXXXX
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20171121164311Z
autoRenew: ENABLED
issuedBy: admin-ipa.ipa.pthl.hk
cn: 268238851
revInfo: 20180625110026Z;CRLReasonExtension=0
revokedBy: ipara
revokedOn: 20180625110026Z
certStatus: REVOKED
dateOfModify: 20180625110026Z
===============
Thanks. It seems that all the certificates are stored in 389 DS and being tracked.