On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> Ian Kumlien via FreeIPA-users wrote:
>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>> Ian Kumlien via FreeIPA-users wrote:
[--8<--]
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Server-Cert cert-pki-ca                                      u,u,u
>> transportCert cert-pki-kra                                   u,u,u
>> storageCert cert-pki-kra                                     u,u,u
>> auditSigningCert cert-pki-kra                                u,u,Pu
>> XERCES.LAN IPA CA                                            CT,C,C
>> XERCES.LAN IPA CA                                            CT,C,C
>> XERCES.LAN IPA CA                                            CT,C,C
> You're missing all the CA certificates except the one that tomcat uses!?
> That includes the CA signing cert!
>
> It should look more like (excluding the *kra certs):
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
>
> Do the keys for those certs exist?
>
> # grep internal /etc/pki/pki-tomcat/password.conf
> internal=foo
> # certutil -K -d /etc/pki/pki-tomcat/alias/
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB": foo
>
> Perhaps a bunch of orphans?
Seems like it, I have three orphans and the keys for subsystemCert,
caSigningCert, ocspSigningCert seem to exist.

Any clue as to why this happened? I have two more servers that I can look
at if you need clues....

I mainly want to figure this out before my vacation starts ;)
> rob
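The check Rob walks through above (compare the nicknames and trust flags in the pki-tomcat NSS database against the expected CA set, then see whether a private key exists for each) can be scripted so it is repeatable across several replicas. The script below is an added example and is not code from the thread or from FreeIPA/Dogtag; it parses the plain-text output of `certutil -L -d /etc/pki/pki-tomcat/alias` and `certutil -K -d /etc/pki/pki-tomcat/alias -f <password-file>` rather than calling certutil itself, so it runs offline. The two SAMPLE_* strings are constructed to mirror the listing in the thread (the key IDs are fake), the EXPECTED list is Rob's, and the example assumes certutil's `-K` output labels a key with its nickname when it has one and prints `(orphan)` for a key that matches no certificate.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread or the FreeIPA project.
# Offline check of a pki-tomcat NSS database listing against the expected CA cert set.
# Real use: certutil -L -d /etc/pki/pki-tomcat/alias > certs.txt
#           certutil -K -d /etc/pki/pki-tomcat/alias -f pw.txt > keys.txt
# and pass the file contents in place of the constructed SAMPLE_* strings.

# Expected nicknames and trust flags for the CA subsystem (Rob's list; KRA certs excluded).
# "|" separates nickname from trust flags because nicknames contain spaces.
EXPECTED='caSigningCert cert-pki-ca|CTu,Cu,Cu
ocspSigningCert cert-pki-ca|u,u,u
subsystemCert cert-pki-ca|u,u,u
auditSigningCert cert-pki-ca|u,u,Pu
Server-Cert cert-pki-ca|u,u,u'

# Constructed sample of `certutil -L` output, mirroring the broken database in the thread.
SAMPLE_CERTS='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu
XERCES.LAN IPA CA                                            CT,C,C
XERCES.LAN IPA CA                                            CT,C,C
XERCES.LAN IPA CA                                            CT,C,C'

# Constructed sample of `certutil -K` output (fake key IDs): four labelled keys, three orphans.
SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0000000000000000000000000000000000000001   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      0000000000000000000000000000000000000002   NSS Certificate DB:subsystemCert cert-pki-ca
< 2> rsa      0000000000000000000000000000000000000003   NSS Certificate DB:caSigningCert cert-pki-ca
< 3> rsa      0000000000000000000000000000000000000004   NSS Certificate DB:ocspSigningCert cert-pki-ca
< 4> rsa      0000000000000000000000000000000000000005   (orphan)
< 5> rsa      0000000000000000000000000000000000000006   (orphan)
< 6> rsa      0000000000000000000000000000000000000007   (orphan)'

# Turn `certutil -L` output into "nickname<TAB>trust" lines, skipping the two header lines.
# The trust column is the last field; the nickname is everything before the whitespace run in front of it.
parse_certs() {
    awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[ \t]*$/ { next }
        { trust = $NF; nick = $0; sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick); print nick "\t" trust }'
}

# Trust flags recorded for a nickname, or empty if that cert is absent. $1: -L output, $2: nickname.
cert_trust() {
    printf '%s\n' "$1" | parse_certs | awk -F '\t' -v n="$2" '$1 == n { print $2; exit }'
}

# Succeeds if `certutil -K` shows a private key labelled with the nickname. $1: -K output, $2: nickname.
key_present() {
    printf '%s\n' "$1" | awk -v n="$2" \
        'substr($0, length($0) - length(n) + 1) == n { found = 1 } END { exit found ? 0 : 1 }'
}

# Number of private keys certutil -K could not pair with any certificate. $1: -K output.
orphan_count() {
    printf '%s\n' "$1" | awk '/\(orphan\)$/ { n++ } END { print n + 0 }'
}

# One line per expected nickname, then the orphan total. $1: -L output, $2: -K output, $3: expected list.
diagnose() {
    printf '%s\n' "$3" | while IFS='|' read -r nick want; do
        got=$(cert_trust "$1" "$nick")
        if key_present "$2" "$nick"; then haskey=yes; else haskey=no; fi
        if [ -z "$got" ]; then
            echo "MISSING  $nick (key present: $haskey)"
        elif [ "$got" != "$want" ]; then
            echo "TRUST    $nick has $got, expected $want (key present: $haskey)"
        elif [ "$haskey" = no ]; then
            echo "NOKEY    $nick has a certificate but no private key"
        else
            echo "OK       $nick"
        fi
    done
    echo "ORPHANS  $(orphan_count "$2") private key(s) with no certificate"
}

diagnose "$SAMPLE_CERTS" "$SAMPLE_KEYS" "$EXPECTED"
```

On the constructed sample this reports caSigningCert, ocspSigningCert and subsystemCert as MISSING but with a key still present, auditSigningCert cert-pki-ca as MISSING with no key, Server-Cert as OK, and three orphan keys, which is the state the thread describes. A MISSING entry whose key is still present is the recoverable case: the certificate can be re-imported against the existing key, whereas a missing key means the certificate would have to be reissued.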