Hi,

I would start by doing a backup of the NSS database (save the directory and files from /etc/pki/pki-tomcat/alias). Then remove the wrong cert using:

    certutil -D -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'

and install the good one using:

    certutil -A -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -i /etc/ipa/ca.crt -t Ct,C,C

and try to restart the whole stack with ipactl restart.

I’m not sure this will work; it really depends on whether the original key is still in the NSS database. There may also be other places where the CA cert has to be replaced.

flo
