Mark Selby via FreeIPA-users wrote:

> My company has 6 FreeIPA servers across 3 different locations. Five of the
> six servers are OK, but one we could not log in to. The error messages pointed
> to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`.
>
> My question is how do I "properly" renew or recreate this certificate. I have
> been able to renew it with the command listed below, but the renewed cert
> does not have the same characteristics as the other certs. The existing ones
> all seem to be self-signed with the specified profile while my new one does
> not have these features. It seems to be working OK but it would be great to
> understand how to generate this cert correctly. Any help is greatly
> appreciated.
>
> The servers that work all display the following when using getcert list -f
> /var/kerberos/krb5kdc/kdc.crt
>
> Request ID '20191003181545':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: SelfSign
>         issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
>         subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
>         expires: 2022-08-09 22:06:33 UTC
>         principal name: krbtgt/[email protected]
>         certificate template/profile: KDCs_PKINIT_Certs
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
>
> Using the local-getcert start-tracking command below gets me an updated cert
> but it is not self-signed and does not have the specified profile.
>
> local-getcert start-tracking \
>   -k /var/kerberos/krb5kdc/kdc.key \
>   -f /var/kerberos/krb5kdc/kdc.crt \
>   -T KDCs_PKINIT_Certs \
>   -C /usr/libexec/ipa/certmonger/renew_kdc_cert
>
> Request ID '20220117193849':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: local
>         issuer: CN=Certificate Authority,O=ACME.ORG
>         subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
>         expires: 2024-01-18 17:32:20 UTC
>         principal name: krbtgt/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-pkinit-KPKdc
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
The prefix before getcert is a shortcut to the certmonger CA helper that manages the certificate. selfsign and local are two different helpers. You probably want getcert start-tracking -c selfsign <blah> instead.

You can use getcert stop-tracking -i 20220117193849 to start over.

Take this with a grain of salt because I'm not sure where this renewed certificate came from. The one tracked by local here looks more like it was issued by IPA than selfsign based on the issuer.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
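The distinction Rob draws (which certmonger CA helper tracks the request, and whether the issuer matches the subject) can be turned into a routine check across KDCs. The script below is an added example, not from the thread or from the FreeIPA project: it parses `getcert list` output (a constructed sample modelled on the two outputs quoted above) and flags KDC PKINIT requests that are not tracked by the SelfSign helper, are not self-signed, lack the KDCs_PKINIT_Certs profile, or have already expired as of a supplied date.

```shell
#!/bin/sh
# Added example, not from the thread: audit `getcert list` output for the KDC
# PKINIT certificate and flag requests that do not match the working servers'
# entries (CA helper SelfSign, issuer equal to subject, profile
# KDCs_PKINIT_Certs) or whose certificate has already expired.

# Constructed sample modelled on the two outputs quoted in the thread.
sample_getcert_output() {
cat <<'EOF'
Request ID '20191003181545':
        status: MONITORING
        CA: SelfSign
        issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
        subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
        expires: 2022-08-09 22:06:33 UTC
        certificate template/profile: KDCs_PKINIT_Certs
Request ID '20220117193849':
        status: MONITORING
        CA: local
        issuer: CN=Certificate Authority,O=ACME.ORG
        subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
        expires: 2024-01-18 17:32:20 UTC
EOF
}

# audit_kdc_tracking NOW   (NOW in the "YYYY-MM-DD HH:MM:SS UTC" form getcert
# prints, so a plain string comparison orders the dates correctly).
# Reads getcert list output on stdin; prints "<id> OK" or "<id> MISMATCH: ...".
audit_kdc_tracking() {
    awk -v now="$1" '
    function report() {
        if (id == "") return
        r = ""
        if (ca != "SelfSign")               r = r " CA=" ca
        if (issuer != subject)              r = r " issuer!=subject"
        if (profile != "KDCs_PKINIT_Certs") r = r " profile=" (profile == "" ? "(none)" : profile)
        if (expires != "" && expires < now) r = r " expired"
        verdict = (r == "") ? " OK" : " MISMATCH:" r
        print id verdict
    }
    /^Request ID/ { report(); id = $3; gsub(/[^0-9]/, "", id)
                    ca = issuer = subject = profile = expires = ""; next }
    /^[[:space:]]*CA: /      { sub(/^[[:space:]]*CA: /, "");      ca = $0 }
    /^[[:space:]]*issuer: /  { sub(/^[[:space:]]*issuer: /, "");  issuer = $0 }
    /^[[:space:]]*subject: / { sub(/^[[:space:]]*subject: /, ""); subject = $0 }
    /^[[:space:]]*expires: / { sub(/^[[:space:]]*expires: /, ""); expires = $0 }
    /^[[:space:]]*certificate template\/profile: / {
        sub(/^[[:space:]]*certificate template\/profile: /, ""); profile = $0 }
    END { report() }'
}

# Stand-alone run: audit the sample as of the date of the thread.
sample_getcert_output | audit_kdc_tracking "2022-01-17 00:00:00 UTC"
```

On a real server, replace the sample with `getcert list -f /var/kerberos/krb5kdc/kdc.crt | audit_kdc_tracking "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"`; a MISMATCH line listing `CA=local issuer!=subject` is exactly the situation described in the thread.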
