Okay, I've sort of fixed the tracking, but there is still an issue I can't seem to solve. Here is the tracking now for the Audit, OCSP, and Subsystem certificates:

Number of certificates and requests being tracked: 9.
Request ID '20190322032029':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.****.NET
	subject: O=IPA.****.NET,CN="CA Audit "
	expires: 2034-03-31 14:24:53 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes

[root@ipa1-sea2 ~]# getcert list -i 20190322032030
Number of certificates and requests being tracked: 9.
Request ID '20190322032030':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.****.NET
	subject: O=IPA.****.NET,CN="OCSP Subsystem "
	expires: 2034-03-31 14:15:41 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes

[root@ipa1-sea2 ~]# getcert list -i 20190322032031
Number of certificates and requests being tracked: 9.
Request ID '20190322032031':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.****.NET
	subject: O=IPA.****.NET,CN="CA Subsystem "
	expires: 2034-03-31 14:40:33 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes

In each of these the Subject line has the CN and O backwards. If I look at the certificates themselves, they have it listed correctly:

# openssl pkcs12 -info -in audit.p12
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
	localKeyID: A8 74 8A 94 58 C0 9E 28 3F 55 B9 F7 AC 9D 78 33 8E D3 C6 E3
	friendlyName: auditSigningCert cert-pki-ca
subject=/CN=CA Audit /O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority

So I'm confused as to how the 'getcert' output has the items in Subject reversed.

-- 
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org