So just to add, it seems that the 2nd IPA server hasn't managed to get the subCA cert & key, as when I check the nssdb they aren't present on the 2nd IPA server. (See below.)
Running the command as my own user, /usr/libexec/ipa/ipa-pki-retrieve-key "caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93" man-fb-ipa-01.testhost.com, returns what looks like a JSON response with certificate and wrapped_key attributes which correspond to the subCA. The question now is why does dogtag not get a response / think that it did not get a response?

Master IPA Server

    certutil -L -d sql:/etc/pki/pki-tomcat/alias

    Certificate Nickname                                           Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

    ocspSigningCert cert-pki-ca                                    u,u,u
    subsystemCert cert-pki-ca                                      u,u,u
    caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93 u,u,u
    caSigningCert cert-pki-ca                                      CTu,Cu,Cu
    auditSigningCert cert-pki-ca                                   u,u,Pu
    Server-Cert cert-pki-ca                                        u,u,u

Replica IPA Server

    certutil -L -d sql:/etc/pki/pki-tomcat/alias

    Certificate Nickname                                           Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

    ocspSigningCert cert-pki-ca                                    u,u,u
    subsystemCert cert-pki-ca                                      u,u,u
    caSigningCert cert-pki-ca                                      CTu,Cu,Cu
    auditSigningCert cert-pki-ca                                   u,u,Pu
    Server-Cert cert-pki-ca                                        u,u,u

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
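One way to script the comparison made in this thread, as an added example that is not part of the original post and not FreeIPA's own code: parse the certutil -L listings from both servers, report the nicknames the master holds that the replica's NSS database lacks, and sanity-check the ipa-pki-retrieve-key output for the certificate and wrapped_key fields the post mentions. The listings and the JSON response below are constructed samples that mirror the post; the UUID-suffix convention for sub-CA nicknames is an assumption drawn from the listing shown.

```python
import json
import re

# Constructed sample listing, mirroring the nicknames shown in the post
MASTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93 u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""
# Constructed replica listing: same as the master minus the sub-CA entry
REPLICA_LISTING = "\n".join(l for l in MASTER_LISTING.splitlines() if "dd4ea812" not in l)
# Constructed stand-in for the ipa-pki-retrieve-key output (values are placeholders)
SAMPLE_RESPONSE = json.dumps({"certificate": "-----BEGIN CERTIFICATE-----...",
                              "wrapped_key": "base64-placeholder"})

# certutil -L rows: <nickname> <whitespace> <SSL>,<S/MIME>,<JAR/XPI> trust flags
ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*)$")
# Assumed convention: sub-CA signing certs are caSigningCert entries with a UUID suffix
SUBCA_RE = re.compile(r"^caSigningCert cert-pki-ca [0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_certutil_listing(text):
    """Map each nickname to its trust string; the two header lines never match ROW_RE."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def missing_on_replica(master_listing, replica_listing):
    """Nicknames present in the master's NSS DB but absent from the replica's."""
    replica = parse_certutil_listing(replica_listing)
    return sorted(n for n in parse_certutil_listing(master_listing) if n not in replica)

def subca_nicknames(listing):
    """Sub-CA signing cert nicknames found in a listing."""
    return [n for n in parse_certutil_listing(listing) if SUBCA_RE.match(n)]

def retrieve_key_response_ok(raw):
    """True only if raw is a JSON object with non-empty certificate and wrapped_key strings."""
    try:
        data = json.loads(raw)
        return all(isinstance(data[k], str) and data[k] for k in ("certificate", "wrapped_key"))
    except (ValueError, KeyError, TypeError):
        return False
```

On a real pair of servers, feed the functions the captured output of certutil -L -d sql:/etc/pki/pki-tomcat/alias from each host and the raw output of ipa-pki-retrieve-key.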