This morning I thought I had found what I was missing: importing the new RA cert into ~/.dogtag/nssdb, which I've done, and now all the places I know about the RA cert match.
# certutil -L -d /root/.dogtag/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate Authority - IPA.****.NET                         CT,C,C
IPA RA - IPA.****.NET                                        u,u,u

# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" -a
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----

# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" | grep Serial
        Serial Number: 7 (0x7)

# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6jCC...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----

but the openssl verify command with the -show_chain flag still seems to fail:

]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
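An added example, not from the post above and not FreeIPA or Dogtag code: the comparison the poster does by eye (NSS db, LDAP ipara entry, ra-agent.pem, and the serial in the Dogtag description field) done mechanically, so a stale copy in any one place is reported rather than missed. Everything it consumes is a constructed stand-in: the realm EXAMPLE.TEST, the base64 bodies (opaque bytes, not real X.509), and the certutil/ldapsearch text are all made up here; the `version;serial;issuer DN;subject DN` layout of the description attribute is read off the entry shown above. It also handles the one thing that trips up a by-eye comparison of ldapsearch output, LDIF line folding of long values. Separately, the usage text above is what an OpenSSL 1.0.x `verify` prints when handed an option it does not know; `-show_chain` was added in OpenSSL 1.1.0, so on that host the verification itself never ran.

```python
"""Cross-check the IPA RA agent certificate across the NSS db (certutil -L -a),
the ipara entry in the CA's LDAP tree (userCertificate + description) and
/var/lib/ipa/ra-agent.pem.  All inputs are constructed samples; the base64
body is treated as opaque bytes and compared, not parsed as X.509."""
import base64
import hashlib
import re

_FAKE_DER = bytes(range(200))          # constructed stand-in for the DER body
_STALE_DER = bytes(range(200, 0, -1))  # constructed "old RA cert" for the mismatch case
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()
_STALE_B64 = base64.b64encode(_STALE_DER).decode()

def _wrap_pem(b64: str, width: int = 64) -> str:
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _fold(line: str, width: int = 76) -> str:
    """Fold a long line the way ldapsearch prints LDIF: continuations start with one space."""
    out, rest = line[:width], line[width:]
    while rest:
        out, rest = out + "\n " + rest[:width - 1], rest[width - 1:]
    return out

def _build_ldif(cert_b64: str) -> str:
    """Constructed ldapsearch output for uid=ipara,ou=people,o=ipaca (realm name assumed)."""
    return "\n".join([
        "# extended LDIF", "#", "# LDAPv3",
        "# base <uid=ipara,ou=people,o=ipaca> with scope subtree",
        "# filter: (objectclass=*)", "# requesting: ALL", "#", "",
        "# ipara, people, ipaca", "dn: uid=ipara,ou=people,o=ipaca",
        _fold("description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST"),
        _fold("userCertificate:: " + cert_b64),
        "uid: ipara", "sn: ipara", "usertype: agentType", "userstate: 1",
        "objectClass: cmsuser", "objectClass: top", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "objectClass: person", "cn: ipara", "",
        "# search result", "search: 2", "result: 0 Success", "",
        "# numResponses: 2", "# numEntries: 1", "",
    ])

NSS_PEM = _wrap_pem(_FAKE_B64)                           # certutil -L -d <nssdb> -n "IPA RA - ..." -a
CERTUTIL_SERIAL_LINE = "        Serial Number: 7 (0x7)"  # certutil -L ... | grep Serial
RA_AGENT_PEM = _wrap_pem(_FAKE_B64)                      # cat /var/lib/ipa/ra-agent.pem
LDIF = _build_ldif(_FAKE_B64)                            # LDAP agrees with the other two copies
STALE_LDIF = _build_ldif(_STALE_B64)                     # LDAP still holds an older cert

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def parse_ldif(text: str) -> dict:
    """Unfold continuation lines, then map attribute -> list of values.
    '::' marks a base64 value (decoded to bytes); comment and blank lines are skipped."""
    unfolded: list = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry: dict = {}
    for line in unfolded:
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.groups()
        entry.setdefault(attr, []).append(base64.b64decode(value) if sep == "::" else value)
    return entry

def parse_description(desc: str) -> dict:
    """Dogtag agent description as seen in the post: '<ver>;<serial>;<issuer DN>;<subject DN>'."""
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected description format: {desc!r}")
    return {"version": int(parts[0]), "serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}

def parse_certutil_serial(line: str) -> int:
    m = re.search(r"Serial Number:\s*(\d+)", line)
    if not m:
        raise ValueError(f"no serial in: {line!r}")
    return int(m.group(1))

def _fp(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def check_ra_consistency(nss_pem: str, ldif_text: str, file_pem: str, serial_line: str) -> list:
    """Return human-readable mismatches; an empty list means every copy agrees."""
    nss, disk, entry = pem_to_der(nss_pem), pem_to_der(file_pem), parse_ldif(ldif_text)
    problems = []
    if _fp(nss) != _fp(disk):
        problems.append("NSS db and ra-agent.pem hold different certificates")
    ldap_certs = entry.get("userCertificate", [])
    if len(ldap_certs) != 1:
        problems.append(f"ipara entry has {len(ldap_certs)} userCertificate values, expected 1")
    if ldap_certs and _fp(nss) not in {_fp(c) for c in ldap_certs}:
        problems.append("LDAP userCertificate does not match the NSS db")
    if not entry.get("description"):
        problems.append("ipara entry has no description field")
    else:
        want, have = parse_description(entry["description"][0])["serial"], parse_certutil_serial(serial_line)
        if want != have:
            problems.append(f"description serial {want} != certutil serial {have}")
    return problems

if __name__ == "__main__":
    for name, ldif in (("consistent", LDIF), ("stale LDAP", STALE_LDIF)):
        print(name, "->", check_ra_consistency(NSS_PEM, ldif, RA_AGENT_PEM, CERTUTIL_SERIAL_LINE) or "OK")
```

To run it against a real server, replace the constructed constants with the raw output of the four commands shown in the post (the `-a` certutil dump, the `grep Serial` line, the ldapsearch output and the PEM file); the description check is only meaningful once the serial in the NSS db is the one the CA actually issued to the agent.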