So just to add, it seems that the 2nd IPA server hasn't managed to get the subCA 
cert & key, as when I check the nssdb they aren't present on the 2nd IPA server. 
(See below)

Running the command as my own user
/usr/libexec/ipa/ipa-pki-retrieve-key "caSigningCert cert-pki-ca 
dd4ea812-c044-41c0-93bf-ec376c732c93" man-fb-ipa-01.testhost.com
returns with what looks like a JSON response with certificate and wrapped_key 
attributes which correspond to the subCA.

The question now is why does dogtag not get a response, or think that it did not 
get a response?

Master IPA Server
certutil -L -d sql:/etc/pki/pki-tomcat/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93 u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u

Replica IPA Server
certutil -L -d sql:/etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
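To make the master/replica comparison above mechanical, here is an added Python example (not from the original post or from FreeIPA/Dogtag) that parses two certutil -L listings, constructed to match the ones in this message, and reports which sub-CA caSigningCert nicknames the replica's NSS DB lacks; it also checks that an ipa-pki-retrieve-key JSON response carries both the certificate and wrapped_key attributes, assuming those are top-level keys.

```python
import json
import re
# Constructed certutil -L output, modelled on the listings in the post above
# (not captured from a live server).
MASTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93 u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""
REPLICA_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""
# NSS trust attributes: three comma-separated flag groups (SSL, S/MIME, JAR/XPI).
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

def parse_certutil_listing(text):
    """Map nickname -> trust attributes. Nicknames may contain spaces, so the
    trust field is taken as the last token and validated, which skips the header."""
    certs = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0]] = parts[1]
    return certs

def missing_on_replica(master_text, replica_text, prefix="caSigningCert cert-pki-ca "):
    """Nicknames under `prefix` (sub-CA signing certs, i.e. nickname + sub-CA id)
    present on the master but absent from the replica's NSS DB."""
    master, replica = parse_certutil_listing(master_text), parse_certutil_listing(replica_text)
    return sorted(n for n in master if n.startswith(prefix) and n not in replica)

def check_retrieve_key_response(raw):
    """Names of the expected attributes ('certificate', 'wrapped_key') that are
    missing or empty in a retrieve-key JSON response; [] means complete (assumption)."""
    data = json.loads(raw)
    return [k for k in ("certificate", "wrapped_key") if not data.get(k)]
```

With the listings from this message, missing_on_replica returns the single sub-CA signing cert nickname, which is exactly the entry the replica's nssdb lacks.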