Dear Martin,

Thanks. I will check and update the list.

On Fri, Nov 14, 2014 at 4:58 PM, Martin Kosek <[email protected]> wrote:

> You need to get all certificates in
>
> # getcert list
>
> renewed. With FreeIPA 3.0+ the certificates should be already properly
> tracked, AFAIR.
>
> Was the uid=ipara,ou=People,o=ipaca entry (as described in
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) properly updated
> with a serial pointing to the new certificate?
>
> Maybe this is the reason why old RA certificate is loaded.
>
> If you are using RHEL/CentOS, I would also recommend updating ipa,
> certmonger and selinux-policy to the 6.6 version as there were several
> related fixes.
>
> Martin
>
> On 11/14/2014 11:56 AM, Kamal Perera wrote:
>
>> Hi Martin,
>>
>> Thanks for the reply.
>>
>> It's FreeIPA 3.
>>
>> Actually my issue was, all my subsystem certificates were expired two days
>> back. So it wasn't possible to get the requests signed and approved by the
>> CA as the web interface is inaccessible.
>>
>> But after several attempts, I got it done by changing the date back to a
>> valid time. Now I have reverted back and everything is fine except this.
>>
>> Now the RA and OCSPs are not communicating with the CA.
>>
>> I guess it's because the CA's subsystem certificate is expired. So do I
>> have to reissue all the subsystem certificates in RA and OCSP?
>>
>> Any thoughts?
>>
>> Thanks
>>
>> On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek <[email protected]> wrote:
>>
>>     On 11/14/2014 08:02 AM, pki tech wrote:
>>
>>         Dear All,
>>
>>         In our Issuing CA, all the subsystem certificates are expired
>>         except the caSigningCert.
>>
>>         I can generate the new certificate requests via certutil, but how
>>         can I get them signed?
>>
>>         Your swift response is appreciated.
>>
>>         Regards,
>>         Kamal
>>
>>     What IPA version did you use?
>>     We have a related howto article on FreeIPA.org wiki with instructions
>>     what to do when PKI subsystem certificates expire:
>>
>>     http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>>     Also CCing Jan who owns the PKI knowledge.
>>
>>     Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
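
As an added example (not part of the thread or of FreeIPA/certmonger), here is one way to check the advice above that every certificate in `getcert list` must be renewed: a filter that reads the command's output and reports each tracking request that is expired or not in `MONITORING` state. The function names and the sample output are constructed for illustration, and the sample is a simplified subset of the fields certmonger prints.

```shell
#!/bin/sh
# Added example. On an IPA server (as root):
#   getcert list | flag_tracked_certs "$(date -u '+%Y-%m-%d %H:%M:%S')"

# Reads `getcert list` output on stdin; prints "id|nickname|reasons" for every
# request needing attention. $1 is the current UTC time, "YYYY-MM-DD HH:MM:SS"
# (this format sorts lexically, so a string comparison is sufficient).
flag_tracked_certs() {
    awk -v now="$1" '
        function report() {
            if (id == "") return
            why = ""
            if (status != "MONITORING") why = "status=" status
            if (expires == "") why = why (why ? "," : "") "no-expiry"
            else if (expires < now) why = why (why ? "," : "") "expired"
            if (why != "") printf "%s|%s|%s\n", id, nick, why
        }
        # \047 is the single quote; each "Request ID" line starts a new record.
        /^Request ID / { report(); id = $3; gsub(/[\047:]/, "", id)
                         status = nick = expires = ""; next }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*certificate:/ {
            if (match($0, /nickname=\047[^\047]*\047/))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires:/ { expires = $2 " " $3 }
        END { report() }
    '
}

# Constructed sample: one healthy request, one stuck and expired, one expired.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20141112094512':
    status: MONITORING
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
    expires: 2016-11-01 09:45:12 UTC
Request ID '20141112094513':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca'
    expires: 2014-11-12 08:00:00 UTC
Request ID '20141112094514':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
    expires: 2014-11-12 08:00:00 UTC
EOF
}

sample_getcert_output | flag_tracked_certs "2014-11-14 12:00:00"
```

An empty result means every tracked certificate is both current and being monitored; a request that shows `MONITORING` but `expired` is the case from this thread, where tracking is in place but renewal never completed.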
