ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=ipara)
# requesting: ALL
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipara
sn: ipara
cn: ipara
usertype: agentType
userstate: 1
userCertificate:: [base64-encoded certificate data omitted]
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=LOC.EPHL.BY
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = DOMAIN.COM, CN = Certificate Authority
Validity
Not Before: Jun 30 19:31:51 2020 GMT
Not After : Jun 20 19:31:51 2022 GMT
Subject: O = DOMAIN.COM, CN = IPA RA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:40:AA:C2:32:02:F4:1F:61:FE:BD:A9:B7:5A:3D:A5:E1:75:74:13:E2
Authority Information Access:
OCSP - URI:http://ipa-ca.domain.com/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
This all looks sane. Any luck with freeipa-healthcheck?
You can find more information about this tool here: