Kathy Zhu via FreeIPA-users wrote:
> Hi Team, 
> 
> We have an IPA certificate expiring very soon. I do not believe that is
> in use, but I need to verify that. I checked in following two ways: 

How do you know you have a certificate expiring soon? Where is it
located? Are you trying to see if it is on disk somewhere? You could use
ipa service-find to look for all the services on the host to get the
serial number and a blob of the certificate. That may provide a clue to
its purpose too based on the service principal.

> 
> 1, Via GUI, Identity, Services, searched for the host (which is our very
> first IPA server), compared each cert against the serial number of the
> expiring one. 

With the blob you can convert it into PEM format (BEGIN/END header, 64
characters per line). The cert may have a Kerberos principal in it. I
think we encoded it as a SAN in the RHEL-7 days.

It would be tedious though because I don't believe openssl 1.x displays
a SAN UPN, it shows as "other". You can load it into a temporary NSS
database and it would show something like:

            Other Name: "HTTP/[email protected]"
                OID: Microsoft NT Principal Name

> 2, Checked nssdb: 
> 
> # certutil -L -d /etc/pki/nssdb
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> #

The only thing we ever put there was the host certificate when we
requested one for all hosts, except servers. So since this is a server I
wouldn't expect one.

> Are there other ways to verify this? 

Is certmonger tracking it? If so that gives you the file location(s)
and/or NSS database it is in and you could use that as a starting point.

As I mentioned, if you can find the associated IPA service for the cert
that is a good clue for where to start looking. For example, if it's
something like smtp/hostname then it's probably a mail daemon. If it's
host it could be nfs, etc.

Otherwise, I can't think of a clever way to determine if a host is using a
cert other than brute force through a lot of recursive grep, find, etc.

Worst case you wait until after it expires and then it will,
unfortunately, be extremely clear what it is.

rob
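Added example to go with the checks Rob describes above; this is not code from the thread or from the FreeIPA project. It wraps the bare base64 blob that `ipa service-show` prints into PEM (64 characters per line), converts a serial between the decimal form IPA shows and the hex forms certutil and openssl show so the two can be compared, and walks a DER blob to find the subjectAltName extension and decode the "Microsoft NT Principal Name" otherName that openssl 1.x only reports as "other". The certificate material it parses is constructed inside the script (the host `ipa1.example.test`, the realm `EXAMPLE.TEST` and the extension bytes are all made up); it is not a real IPA-issued certificate, and a real blob from `ipa service-show` can be passed to `inspect_blob` in its place.

```python
# Added example for the checks Rob describes; not code from the thread or from
# FreeIPA. The certificate data it builds is CONSTRUCTED for illustration and
# is not a real IPA-issued certificate.
import base64

SAN_OID = "2.5.29.17"
UPN_OID = "1.3.6.1.4.1.311.20.2.3"        # "Microsoft NT Principal Name" otherName
SAN_OID_DER = bytes.fromhex("06 03 55 1d 11")                         # OID TLV for 2.5.29.17
UPN_OID_DER = bytes.fromhex("06 0a 2b 06 01 04 01 82 37 14 02 03")    # OID TLV for the UPN type

def blob_to_pem(blob):
    """Wrap the bare base64 blob from `ipa service-show` as a PEM certificate."""
    body = "".join(blob.split())           # tolerate wrapped or indented pastes
    base64.b64decode(body, validate=True)  # fail early on a mangled blob
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]   # 64 chars per line
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def serial_forms(serial):
    """The same serial as each tool prints it: IPA decimal, openssl upper-case hex, certutil
    both. A bare all-digit string is read as decimal (IPA's form); prefix openssl output with 0x."""
    text = serial.strip().lower().replace(":", "")
    value = int(text[2:], 16) if text.startswith("0x") else int(text, 10 if text.isdigit() else 16)
    return {"int": value, "ipa": str(value), "openssl": f"{value:02X}",
            "certutil": f"{value} (0x{value:x})"}

# Minimal DER helpers: enough for the X.509 pieces handled here.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _decode_oid(raw):
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def _children(body):
    """Yield (tag, content) for each TLV in a DER body, handling long-form lengths."""
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + length]
        pos += length

def _decode_other_name(body):
    """otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    (_, oid_raw), (_, wrapped) = list(_children(body))[:2]
    oid = _decode_oid(oid_raw)
    _, inner = next(_children(wrapped))    # unwrap the EXPLICIT [0]
    if oid == UPN_OID:                     # the UPN value is a UTF8String
        return "Microsoft NT Principal Name", inner.decode("utf-8")
    return oid, inner.hex()                # other types: show OID and raw value

def san_names(der):
    """Find the subjectAltName extension anywhere in a DER blob and decode its names."""
    found = []
    def walk(body):
        kids = list(_children(body))
        if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == SAN_OID:
            _, names = next(_children(kids[-1][1]))   # extnValue OCTET STRING wraps the SEQUENCE
            for tag, val in _children(names):
                if tag == 0xA0:            # otherName [0]
                    found.append(("otherName",) + _decode_other_name(val))
                elif tag == 0x82:          # dNSName [2]
                    found.append(("dNSName", val.decode("ascii")))
                else:
                    found.append((f"GeneralName tag 0x{tag:02x}", val.hex()))
            return
        for tag, val in kids:
            if tag & 0x20:                 # constructed type: descend
                walk(val)
    walk(der)
    return found

def inspect_blob(blob):
    """Decode the base64 blob exactly as `ipa service-show` prints it."""
    return san_names(base64.b64decode("".join(blob.split())))

def build_sample_extensions():
    """CONSTRUCTED stand-in for a service cert's extensions, wrapped the way TBSCertificate
    carries them ([3] EXPLICIT Extensions). The principal and host name are made up."""
    upn = _tlv(0xA0, UPN_OID_DER + _tlv(0xA0, _tlv(0x0C, b"HTTP/ipa1.example.test@EXAMPLE.TEST")))
    names = _tlv(0x30, upn + _tlv(0x82, b"ipa1.example.test"))
    san_ext = _tlv(0x30, SAN_OID_DER + _tlv(0x04, names))
    return _tlv(0x30, _tlv(0xA3, _tlv(0x30, san_ext)))

SAMPLE_BLOB = base64.b64encode(build_sample_extensions()).decode()

if __name__ == "__main__":
    print(blob_to_pem(SAMPLE_BLOB), serial_forms("13"), *inspect_blob(SAMPLE_BLOB), sep="\n")
```

The walk stops at the first SEQUENCE whose first element is the subjectAltName OID, which is how an Extension is laid out in any X.509 certificate, so the same function works on a full certificate blob; the serial helper exists because IPA prints serials in decimal while certutil and openssl print hex, and comparing them by eye is where a "not in use" conclusion most often goes wrong.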
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure