You need to get all certificates in
# getcert list
renewed. With FreeIPA 3.0+ the certificates should be already properly tracked,
AFAIR.
Was the uid=ipara,ou=People,o=ipaca entry (as described in
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) properly updated with a
serial pointing to the new certificate?
Maybe this is the reason why old RA certificate is loaded.
If you are using RHEL/CentOS, I would also recommend updating ipa, certmonger
and selinux-policy to the 6.6 version is there were several related fixes.
Martin
On 11/14/2014 11:56 AM, Kamal Perera wrote:
Hi Martin,
Thanks for the reply.
its FreeIPA 3.
Actually my issue was, all my subsystem certificates were expired two days
back. So it wasnt possible to get the requests signed and approved by the CA as
the web interface in inaccessible.
But after several attempts, I got it done by changing the date back to a valid
time. Now i have revert back and everything is fine except this.
now the RA and OCSPs are not communicating with the CA.
I guess its because the CA's subsystem certificate is expired. So do i have to
reissue all the subsystem certificates in RA and OCSP?
Any thoughts?
Thanks
On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek <[email protected]
<mailto:[email protected]>> wrote:
On 11/14/2014 08:02 AM, pki tech wrote:
Dear All,
In our Issuing CA, all the subsystem certificates are expired except the
caSigningCert.
I can generate the new certificate requests via certutil, but how can i
get
them signed?
your swift response is appreciated.
Regards,
Kamal
What IPA version did you use? We have a related howto article on
FreeIPA.org wiki with instructions what to do when PKI subsystem
certificate expire:
http://www.freeipa.org/page/__IPA_2x_Certificate_Renewal
<http://www.freeipa.org/page/IPA_2x_Certificate_Renewal>
Also CCing Jan who owns the PKI knowledge.
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
