Hello,
we have an issue with resubmitting several certificates.
We suspect the reason might be an encoding mismatch between the certificate and the CA
certificate.
Our environment was upgraded over the years from some 3.x version to the current 4.5.4, so
the very first CA certificate was encoded in PRINTABLESTRING.
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
Validity
Not Before: Dec 1 14:14:37 2014 GMT
Not After : Dec 1 14:14:37 2034 GMT
Subject:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
When we renewed (due to SHA1) we got PRINTABLESTRING x UTF8STRING, and after we renewed
again we now have:
Issuer:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
Validity
Not Before: Oct 9 07:34:24 2017 GMT
Not After : Oct 9 07:34:24 2037 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
And most certificates were renewed fine.
However, recently we noticed that several certificates can't be resubmitted; all of
them seem to look like this:
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
Validity
Not Before: Nov 24 12:17:12 2016 GMT
Not After : Nov 14 12:17:12 2018 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:ipa07.example.com
The error when resubmitting is:
Peer certificate cannot be authenticated with given CA certificates. The tcpdump from 8443
says Unknown CA.
Is the assumption that the encoding mismatch is blocking the certificate submission
correct?
One of the certificates which we also can't renew is the 'IPA RA'
(/var/lib/ipa/ra-agent.pem).
What we tried:
Add all versions of CA certificate to /etc/pki/pki-tomcat/alias trust store (also add
them one-by-one)
Setting date back before the expiration.
Advice from:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...
Deleting the related CSR from o=ipaca, supposing that newly generated csr will be fine.
Any suggestions on what else we could try?
Thanks
Petr
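Added example (not part of the post above, and not FreeIPA or Dogtag code): it rebuilds the three Names from the thread as DER and checks the stuck certificate's issuer against each CA subject two ways: exact DER bytes, which is how a lookup keyed on the encoded Name behaves and where RFC 5280 sec. 7.1 allows values in different string types to count as different strings, and a string-prepared comparison that ignores the ASN.1 type. The attribute values are constructed from the post; no certificate files are read.

```python
# Added example: does the issuer Name of a leaf match a CA subject Name byte for
# byte (PrintableString vs UTF8String is part of the bytes) or only after string prep?
# Names are constructed from the thread; nothing here reads /etc/pki or /var/lib/ipa.

PRINTABLE, UTF8 = 0x13, 0x0C                     # ASN.1 tags PrintableString / UTF8String
TAG_NAME = {PRINTABLE: "PRINTABLESTRING", UTF8: "UTF8STRING"}
OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"   # id-at-organizationName, id-at-commonName

def tlv(tag, body):
    assert len(body) < 128                       # short-form length is enough for these names
    return bytes([tag, len(body)]) + body

def name_der(attrs, string_tag):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, DirectoryString }."""
    rdns = [tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, val.encode())))
            for oid, val in attrs]
    return tlv(0x30, b"".join(rdns))

def parse_name(der):
    """Return [(oid, string_tag, value)] so the encoding of every value is visible."""
    out, i, end = [], 2, 2 + der[1]
    while i < end:
        k = i + 4                                # skip the SET and SEQUENCE headers
        oid = der[k + 2:k + 2 + der[k + 1]]
        k += 2 + der[k + 1]                      # now at the DirectoryString value
        out.append((oid, der[k], der[k + 2:k + 2 + der[k + 1]].decode()))
        i += 2 + der[i + 1]
    return out

def describe(der):
    """openssl-style view of the values, e.g. 'PRINTABLESTRING:EXAMPLE.COM'."""
    return [f"{TAG_NAME[t]}:{v}" for _, t, v in parse_name(der)]

def matches_exact(issuer_der, subject_der):
    """Lookup keyed on the DER Name: the string type is part of the key."""
    return issuer_der == subject_der

def matches_prepared(issuer_der, subject_der):
    """RFC 5280 sec. 7.1 style: collapse whitespace, case-fold, ignore the ASN.1 type."""
    prep = lambda d: [(o, " ".join(v.split()).casefold()) for o, _, v in parse_name(d)]
    return prep(issuer_der) == prep(subject_der)

CA_ATTRS = [(OID_O, "EXAMPLE.COM"), (OID_CN, "Certificate Authority")]
CA_2014 = name_der(CA_ATTRS, PRINTABLE)          # original CA subject from the post
CA_2017 = name_der(CA_ATTRS, UTF8)               # renewed CA subject from the post
LEAF_ISSUER = name_der(CA_ATTRS, PRINTABLE)      # issuer field of the stuck ipa07 cert

def diagnose(leaf_issuer, cas):
    """Per CA: (exact DER match, string-prepared match)."""
    return {n: (matches_exact(leaf_issuer, d), matches_prepared(leaf_issuer, d))
            for n, d in cas.items()}

if __name__ == "__main__":
    print(describe(LEAF_ISSUER), diagnose(LEAF_ISSUER, {"2014": CA_2014, "2017": CA_2017}))
```

A "False" in the first position for every CA certificate the server actually trusts is the pattern to look for when a peer reports Unknown CA despite the names printing identically.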