I know this is an old thread but I'm just posting this for someone who comes 
across the same issue as me...

In order to fix my problem I had to do the following, for example for the 
'ocspSigningCert cert-pki-ca' certificate renewing with the wrong subjects:

Find the serial number for that certificate:
#certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial

Get the requestID:
#ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={SERIALNUMBER},ou=certificateRepository,ou=ca,o=ipaca "metaInfo"

Get the request data:
#ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={REQUESTID},ou=ca,ou=requests,o=ipaca

If the request data does not match the current certificate, we need to find one 
which should be used instead.
#certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Subject
#ldapsearch -D "cn=Directory Manager" -W -s sub -b ou=ca,ou=requests,o=ipaca "extdata-req--005fsubject--005fname--002ecn={SUBJECT}"

If we have multiple results, check for the one which has the right attributes set, 
comparing to a different system. Once you know which request to use, change the 
requestid in the certificateRepository to the one selected. I used ldapadmin to 
connect and make the change, but ldapmodify should also work.

Hope this helps someone in the future...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QYTZMNXASGLFCFX54FA4KOPPIMPV376H/
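The checks from the post above, scripted as an added example that is not part of the original message: the parsers read the `certutil -L` and `ldapsearch` output the post relies on, `fix_ldif` renders the ldapmodify change for the last step, and `check_cert` runs the whole comparison live. The NSS DB path, nickname and attribute names are the post's; the sample outputs are constructed, and the exact `metaInfo: requestId:N` and `extdata-...cn: DN` line formats are assumed.

```shell
# Added example, not from the original post: helpers that automate the checks
# in the post. Paths, nickname and attribute names are the post's; the sample
# outputs are constructed, and the metaInfo / extdata line formats are assumed.
NSSDB=/etc/pki/pki-tomcat/alias
BINDDN="cn=Directory Manager"

# Decimal serial from `certutil -L` text on stdin ("Serial Number: 10 (0xa)").
parse_serial() { awk '/^ *Serial Number:/ { print $3; exit }'; }
# Subject DN from the quoted Subject: line of `certutil -L`.
parse_subject() { sed -n 's/^ *Subject: "\(.*\)" *$/\1/p'; }
# Request id from the certificateRepository entry's metaInfo attribute.
parse_request_id() { sed -n 's/^metaInfo: requestId: *//p'; }
# Subject stored in the request entry (attribute name as used in the post).
parse_request_subject() { sed -n 's/^extdata-req--005fsubject--005fname--002ecn: *//p'; }
# Exit 0 when both subjects agree, 1 when the request would renew a wrong subject.
subjects_match() { [ "$1" = "$2" ]; }
# LDIF for ldapmodify that repoints the cert record at the chosen request.
fix_ldif() {
  printf 'dn: cn=%s,ou=certificateRepository,ou=ca,o=ipaca\n' "$1"
  printf 'changetype: modify\nreplace: metaInfo\nmetaInfo: requestId:%s\n' "$2"
}

# Live check for one nickname: needs certutil, ldapsearch and the DM password.
# -o ldif-wrap=no stops ldapsearch folding long values across lines.
check_cert() {
  cert=$(certutil -L -d "$NSSDB" -n "$1") || return 2
  serial=$(printf '%s\n' "$cert" | parse_serial)
  subject=$(printf '%s\n' "$cert" | parse_subject)
  reqid=$(ldapsearch -LLL -o ldif-wrap=no -D "$BINDDN" -W -s base \
      -b "cn=$serial,ou=certificateRepository,ou=ca,o=ipaca" metaInfo | parse_request_id)
  reqsubj=$(ldapsearch -LLL -o ldif-wrap=no -D "$BINDDN" -W -s base \
      -b "cn=$reqid,ou=ca,ou=requests,o=ipaca" | parse_request_subject)
  subjects_match "$subject" "$reqsubj" && return 0
  echo "$1: cert has '$subject' but request $reqid has '$reqsubj'" >&2
  return 1
}

# Constructed sample of the mismatch the post describes, for an offline run.
SAMPLE_CERT='        Serial Number: 10 (0xa)
        Subject: "CN=OCSP Subsystem,O=EXAMPLE.COM"'
SAMPLE_REQUEST='extdata-req--005fsubject--005fname--002ecn: CN=CA Subsystem,O=EXAMPLE.COM'
demo() {
  s=$(printf '%s\n' "$SAMPLE_CERT" | parse_subject)
  r=$(printf '%s\n' "$SAMPLE_REQUEST" | parse_request_subject)
  subjects_match "$s" "$r" && return 0
  fix_ldif "$(printf '%s\n' "$SAMPLE_CERT" | parse_serial)" 43  # 43: assumed good request id
  return 1
}
```

Run `check_cert "ocspSigningCert cert-pki-ca"` on the CA host; a non-zero exit with the mismatch message means the record points at a request with the wrong subject, and `fix_ldif SERIAL REQUESTID | ldapmodify -D "cn=Directory Manager" -W` applies the correction once the right request has been chosen.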
