Hi,
On Mon, Dec 12, 2022 at 10:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,
getcert list
Number of certificates and requests being tracked: 7.
Request ID '20221116023302':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=IPA RA,O=WINGON.HK
issued: 2022-11-16 10:33:02 HKT
expires: 2024-11-05 10:33:02 HKT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221116023307':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=CA Audit,O=WINGON.HK
issued: 2022-11-16 10:31:47 HKT
expires: 2024-11-05 10:31:47 HKT
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023309':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=OCSP Subsystem,O=WINGON.HK
issued: 2022-11-16 10:31:46 HKT
expires: 2024-11-05 10:31:46 HKT
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023310':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=CA Subsystem,O=WINGON.HK
issued: 2022-11-16 10:31:46 HKT
expires: 2024-11-05 10:31:46 HKT
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023311':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=Certificate Authority,O=WINGON.HK
issued: 2022-11-16 10:31:44 HKT
expires: 2042-11-16 10:31:44 HKT
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023312':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
issued: 2022-11-16 10:31:46 HKT
expires: 2024-11-05 10:31:46 HKT
dns: wocfreeipa.wingon.hk
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023354':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
issued: 2022-11-16 10:33:55 HKT
expires: 2024-11-16 10:33:55 HKT
dns: wocfreeipa.wingon.hk
principal name: krbtgt/WINGON.HK@WINGON.HK
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
So far, looks good. All the tracked certs are still valid.
One question, though: there is no tracking for httpd and ldap server
certificates, does it mean that they were replaced with externally-signed
server certificates using ipa-server-certinstall?
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate*
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
Is there a usercertificate attribute in this entry? (Maybe a copy-paste issue, but there is a * in your command; it should not be there.)
The value stored in this usercertificate attribute should be identical to
the content of /var/lib/ipa/ra-agent.pem.
openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in /var/lib/ipa/ra-agent.pem
subject=CN=IPA RA,O=WINGON.HK
serial=07
issuer=CN=Certificate Authority,O=WINGON.HK
The RA certificate and the info stored in LDAP are consistent, no issue seen so far.
[root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n ipaCert
certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
This error can be ignored, with your version the cert is stored in the pem
file /var/lib/ipa/ra-agent.pem.
[root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname                                                        Trust Attributes
                                                                            SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                                                   CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                                 u,u,u
subsystemCert cert-pki-ca                                                   u,u,u
auditSigningCert cert-pki-ca                                                u,u,Pu
Server-Cert cert-pki-ca                                                     u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
I executed the above command as you suggested; unfortunately ipaCert* cannot be found.
Yes, this error can be ignored, you must have IPA >= 4.5.
What is the content of /var/log/pki/pki-tomcat/ca/debug?
flo
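As an added example (not part of the thread), a small Python script that automates the consistency check flo walks through above: it compares the serial, issuer and subject recorded in the `ipara` entry's `description` attribute with what `openssl x509` reports for /var/lib/ipa/ra-agent.pem. The field layout of `description` (version;serial in decimal;issuer DN;subject DN) is an assumption inferred from the value quoted above, and the sample inputs are copied from the thread's output.

```python
import re

# Constructed sample values, copied from the ldapsearch and openssl output in the thread.
# Assumed layout of the ipara 'description' attribute (not stated on the page):
#   <version>;<serial in decimal>;<issuer DN>;<subject DN>
IPARA_DESCRIPTION = "2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK"
# Output of: openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in ra-agent.pem
OPENSSL_OUTPUT = """subject=CN=IPA RA,O=WINGON.HK
serial=07
issuer=CN=Certificate Authority,O=WINGON.HK
"""


def normalize_dn(dn: str) -> str:
    """Drop whitespace after unescaped commas and fold case, so that
    'CN=a, O=b' and 'cn=a,o=b' compare equal; an escaped '\\,' inside a value is kept."""
    return re.sub(r"(?<!\\),\s*", ",", dn.strip()).lower()


def parse_description(value: str) -> dict:
    """Split the description attribute into its four assumed fields."""
    parts = value.split(";", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected description format: {value!r}")
    version, serial, issuer, subject = parts
    return {"version": int(version), "serial": int(serial, 10),
            "issuer": normalize_dn(issuer), "subject": normalize_dn(subject)}


def parse_openssl(text: str) -> dict:
    """Parse the key=value lines printed by openssl x509; its serial is hexadecimal."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    return {"serial": int(fields["serial"], 16),
            "issuer": normalize_dn(fields["issuer"]),
            "subject": normalize_dn(fields["subject"])}


def ra_cert_mismatches(description: str, openssl_text: str) -> list:
    """Return the names of fields where LDAP and the PEM disagree; [] means consistent."""
    ldap, pem = parse_description(description), parse_openssl(openssl_text)
    return [f for f in ("serial", "issuer", "subject") if ldap[f] != pem[f]]


if __name__ == "__main__":
    bad = ra_cert_mismatches(IPARA_DESCRIPTION, OPENSSL_OUTPUT)
    print("consistent" if not bad else "mismatch in: " + ", ".join(bad))
```

On a real server, feed the script the `description` value from the ldapsearch and the text from the openssl command; a non-empty result means the RA agent entry in o=ipaca and the PEM file no longer describe the same certificate.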
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org