On 1/3/20 3:03 AM, luckydog xf via FreeIPA-users wrote:
> On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
> Hi,
>
> can you check if the cert is revoked with:
> $ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
> | grep -i Serial
> (note the Serial number)
> $ ipa cert-show <serial found above>
>
> Does the last command display "Revoked: True" with a Revocation reason
> or "Revoked: False"?
>
> flo
[root@ipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep serial -i
Serial Number: 268238851 (0xffd0003)
****************************************************************
[root@ipa ~]# ipa cert-show 268238851
Issuing CA: ipa
Certificate: ..... ### chopped ###
Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
Not Before: Tue Nov 21 08:43:11 2017 UTC
Not After: Mon Nov 11 08:43:11 2019 UTC
Serial number: 268238851
Serial number (hex): 0xFFD0003
Revoked: True
Revocation reason: 0
---------------------------------------------------
Yes, this serial number was marked 'revoked'.
Hi,
The following is not a supported procedure, but you can try to manually
edit the certificate entry and remove the revocation information.
The entry is cn=<serial>,ou=certificaterepository,ou=ca,o=ipaca and you
will need to remove the attributes revokedOn, revokedBy, revInfo and
replace certStatus: REVOKED with certStatus: VALID.
You can use ldapmodify:
$ ldapmodify -D "cn=directory manager" -W -f mod.ldif
With the following mod.ldif:
$ cat mod.ldif
dn: cn=<serial>,ou=certificateRepository,ou=ca,o=ipaca
changetype: modify
delete: revokedOn
-
delete: revokedBy
-
delete: revInfo
-
replace: certStatus
certStatus: VALID
After that, check that the cert is not revoked any more with $ ipa cert-show <serial>, and you should be able to retry the renewal.
HTH,
flo
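A small helper for the check-then-unrevoke procedure in the reply above, written as an added example (it is not code from the thread or from FreeIPA). It parses the certutil and ipa cert-show output shown in the thread, refuses to produce anything unless the serial in the NSS database matches the one the CA reports and the CA says the certificate is revoked, flags an already-expired certificate so the admin knows a renewal must follow, and renders the mod.ldif from the reply for that serial. The sample output is copied from the thread; the --live flag, the function names and the expiry flag are assumptions of this example, and the script only prints the LDIF (the ldapmodify step is still run by hand with the Directory Manager credentials, as in the reply).

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

# Sample tool output copied from the thread (constructed input so the script runs offline).
CERTUTIL_OUTPUT = "Serial Number: 268238851 (0xffd0003)\n"
CERT_SHOW_OUTPUT = """\
Issuing CA: ipa
Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
Not Before: Tue Nov 21 08:43:11 2017 UTC
Not After: Mon Nov 11 08:43:11 2019 UTC
Serial number: 268238851
Serial number (hex): 0xFFD0003
Revoked: True
Revocation reason: 0
"""


def parse_serial(certutil_output):
    """Extract the decimal serial from 'certutil -L ... | grep -i serial' output."""
    m = re.search(r"Serial Number:\s*(\d+)", certutil_output)
    if not m:
        raise ValueError("no serial number in certutil output")
    return int(m.group(1))


def parse_cert_show(output, now=None):
    """Turn the 'Key: value' lines of 'ipa cert-show' into typed fields."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    not_after = datetime.strptime(fields["Not After"], "%a %b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {
        "serial": int(fields["Serial number"]),
        "revoked": fields.get("Revoked") == "True",
        "reason": int(fields["Revocation reason"]) if "Revocation reason" in fields else None,
        "expired": now > not_after,
    }


def build_unrevoke_ldif(serial):
    """Render the mod.ldif from the reply above for the given decimal serial."""
    return (
        f"dn: cn={serial},ou=certificateRepository,ou=ca,o=ipaca\n"
        "changetype: modify\n"
        "delete: revokedOn\n-\n"
        "delete: revokedBy\n-\n"
        "delete: revInfo\n-\n"
        "replace: certStatus\n"
        "certStatus: VALID\n"
    )


def decide(certutil_output, cert_show_output, now=None):
    """Cross-check NSS db serial against the CA entry and decide whether to emit the LDIF."""
    serial = parse_serial(certutil_output)
    info = parse_cert_show(cert_show_output, now)
    if info["serial"] != serial:
        raise ValueError(f"serial mismatch: NSS db has {serial}, CA reports {info['serial']}")
    action = "unrevoke" if info["revoked"] else "skip"
    ldif = build_unrevoke_ldif(serial) if info["revoked"] else None
    return {"serial": serial, "action": action, "ldif": ldif, "expired": info["expired"]}


def main(argv):
    if "--live" in argv:  # hypothetical flag: run the real commands on an IPA CA host
        certutil_out = subprocess.run(
            ["certutil", "-L", "-d", "/etc/pki/pki-tomcat/alias/", "-n", "Server-Cert cert-pki-ca"],
            capture_output=True, text=True, check=True).stdout
        cert_show_out = subprocess.run(
            ["ipa", "cert-show", str(parse_serial(certutil_out))],
            capture_output=True, text=True, check=True).stdout
    else:
        certutil_out, cert_show_out = CERTUTIL_OUTPUT, CERT_SHOW_OUTPUT
    result = decide(certutil_out, cert_show_out)
    if result["action"] == "skip":
        print(f"serial {result['serial']} is not revoked; nothing to do", file=sys.stderr)
        return
    if result["expired"]:
        print("note: certificate is already expired, renewal must follow the unrevoke", file=sys.stderr)
    sys.stdout.write(result["ldif"])  # feed to: ldapmodify -D "cn=directory manager" -W -f mod.ldif


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments it prints the LDIF for the serial from the thread; with --live it reads the real certutil and ipa cert-show output instead. Re-run ipa cert-show after ldapmodify to confirm "Revoked: False" before retrying the renewal.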