On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Ian Kumlien via FreeIPA-users wrote:
> > On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >> Ian Kumlien via FreeIPA-users wrote:

[--8<--]

> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > Server-Cert cert-pki-ca                                      u,u,u
> > transportCert cert-pki-kra                                   u,u,u
> > storageCert cert-pki-kra                                     u,u,u
> > auditSigningCert cert-pki-kra                                u,u,Pu
> > XERCES.LAN IPA CA                                            CT,C,C
> > XERCES.LAN IPA CA                                            CT,C,C
> > XERCES.LAN IPA CA                                            CT,C,C
>
> You're missing all the CA certificates except the one that tomcat uses!?
> That includes the CA signing cert!
>
> It should look more like (excluding the *kra certs):
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
>
> Do the keys for those certs exist?
>
> # grep internal /etc/pki/pki-tomcat/password.conf
> internal=foo
> # certutil -K -d /etc/pki/pki-tomcat/alias/
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB": foo
>
> Perhaps a bunch of orphans?

Seems like it. I have three orphans, and the keys for subsystemCert, caSigningCert and ocspSigningCert seem to exist.

Any clue why this happened? I have two more servers that I can look at if you need clues....

I mainly want to figure this out before my vacation starts ;)

> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
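As an added example (not from the thread or from FreeIPA itself), the check Rob describes can be scripted: compare the nicknames in the pki-tomcat NSS database against the five he lists as expected, and flag nicknames that appear more than once. The script parses `certutil -L` style output, so the constructed sample below (modelled on Ian's listing) lets it run without a live IPA server.

```shell
#!/bin/sh
# Added example, not from the thread: check the pki-tomcat NSS database for the
# CA certificate nicknames Rob lists as expected, and flag duplicates.
# It parses `certutil -L` style output, so it also runs on a constructed sample.

# Nicknames Rob says a healthy /etc/pki/pki-tomcat/alias carries (KRA excluded).
EXPECTED_NICKS='caSigningCert cert-pki-ca
ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca
auditSigningCert cert-pki-ca
Server-Cert cert-pki-ca'

# Constructed sample mirroring the listing Ian posted: no CA chain, three
# copies of the IPA CA, only the KRA audit cert present.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                      u,u,u
transportCert cert-pki-kra                   u,u,u
storageCert cert-pki-kra                     u,u,u
auditSigningCert cert-pki-kra                u,u,Pu
XERCES.LAN IPA CA                            CT,C,C
XERCES.LAN IPA CA                            CT,C,C
XERCES.LAN IPA CA                            CT,C,C'

# Nicknames only: drop the two header lines and blank lines, then strip the
# trailing trust-attribute column (nicknames themselves contain spaces).
nicknames_from_listing() {
    printf '%s\n' "$1" \
        | sed -e '/^Certificate Nickname/d' -e '/SSL,S\/MIME,JAR\/XPI/d' \
              -e '/^[[:space:]]*$/d' -e 's/[[:space:]]\{1,\}[^[:space:]]\{1,\}$//'
}

# Each expected nickname that has no exact match in the listing.
missing_nicknames() {
    present=$(nicknames_from_listing "$1")
    printf '%s\n' "$EXPECTED_NICKS" | while IFS= read -r nick; do
        printf '%s\n' "$present" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# Nicknames that appear more than once (each should be unique in a sane DB).
duplicate_nicknames() {
    nicknames_from_listing "$1" | sort | uniq -d
}

# On a live server substitute: "$(certutil -L -d /etc/pki/pki-tomcat/alias)"
echo "Missing:";    missing_nicknames "$SAMPLE_LISTING"
echo "Duplicated:"; duplicate_nicknames "$SAMPLE_LISTING"
```

Run against the sample it reports the four missing cert-pki-ca entries (only Server-Cert is present) and the triplicated `XERCES.LAN IPA CA`; on a real server, pair the missing list with `certutil -K` output to confirm which of the missing certs still have orphaned keys.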