Okay, I've sort of fixed the tracking, but there is still an issue I can't seem
to solve. Here is the tracking now for the Audit, OCSP, and Subsystem
certificates
Number of certificates and requests being tracked: 9.
Request ID '20190322032029':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: O=IPA.****.NET,CN="CA Audit "
expires: 2034-03-31 14:24:53 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa1-sea2 ~]# getcert list -i 20190322032030
Number of certificates and requests being tracked: 9.
Request ID '20190322032030':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: O=IPA.****.NET,CN="OCSP Subsystem "
expires: 2034-03-31 14:15:41 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
[root@ipa1-sea2 ~]# getcert list -i 20190322032031
Number of certificates and requests being tracked: 9.
Request ID '20190322032031':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.****.NET
subject: O=IPA.****.NET,CN="CA Subsystem "
expires: 2034-03-31 14:40:33 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
In each of these the Subject line has the CN and O backwards. If I look at the
certificates themselves, they have it listed correctly
# openssl pkcs12 -info -in audit.p12
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: A8 74 8A 94 58 C0 9E 28 3F 55 B9 F7 AC 9D 78 33 8E D3 C6 E3
friendlyName: auditSigningCert cert-pki-ca
subject=/CN=CA Audit /O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority
So I'm confused as to how the 'getcert' output has the items in Subject
reversed.
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
