Hi,
On Tue, May 9, 2023 at 1:24 PM Justin Sanderson via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Hey Flo - thanks so much for your willingness to help.
> My setup is just a single VM server. I will give it a try tonight once
> everyone has gone home for the day.
> Also, does it make sense to have certmonger monitor this cert? I found
> a command on the RH access portal that shows how to add it to certmonger
> but I had doubts about whether it would update LDAP when the cert got
> renewed...
By default the cert should already be tracked by certmonger. If you run
*getcert list*, you should see it in the list of tracked certs. For instance
on my system:
# getcert list -f /var/lib/ipa/ra-agent.pem
Number of certificates and requests being tracked: 12.
Request ID '20230324140132':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=IPA RA,O=IPA.TEST
    issued: 2022-05-31 12:32:55 UTC
    expires: 2024-05-20 12:32:55 UTC
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
With a single server (that is the renewal master), certmonger renewal
should put the new cert directly in the file /var/lib/ipa/ra-agent.pem (and
then later in LDAP but that's not relevant in this case).
flo
> Thanks again for the help and I'll report back the result tonight.
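A scripted version of the check described in the reply above, as an added example that is not part of the original thread: it parses `getcert list` output and reports whether a given certificate file is tracked, monitored and set to auto-renew. The sample output is abridged from the message; the function names and the 28-day warning threshold are assumptions.

```python
from datetime import datetime, timezone

# Fields copied from the message above (abridged); used as offline sample input.
SAMPLE = """\
Number of certificates and requests being tracked: 12.
Request ID '20230324140132':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2024-05-20 12:32:55 UTC
    track: yes
    auto-renew: yes
"""

def parse_getcert(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Request ID '"):
            current = requests.setdefault(line.split("'")[1], {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return requests

def check_tracking(text, cert_path, now, warn_days=28):
    """List problems with the tracking request for cert_path (empty = healthy)."""
    match = [r for r in parse_getcert(text).values()
             if f"location='{cert_path}'" in r.get("certificate", "")]
    if not match:
        return [f"{cert_path} is not tracked by certmonger"]
    req, problems = match[0], []
    for field, want in (("status", "MONITORING"), ("stuck", "no"),
                        ("track", "yes"), ("auto-renew", "yes")):
        if req.get(field) != want:
            problems.append(f"{field} is {req.get(field)!r}, expected {want!r}")
    if "expires" in req:
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        days_left = (expires - now).days
        if days_left < warn_days:  # warn_days is an assumed threshold
            problems.append(f"expires in {days_left} days")
    return problems
```

On a live server, pass the text printed by `getcert list` and `datetime.now(timezone.utc)` instead of the sample.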