Re: [Freeipa-users] another certmonger question

Rob Crittenden Mon, 03 Oct 2016 08:38:58 -0700

Natxo Asenjo wrote:



On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    Natxo Asenjo wrote:



        On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden
        <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
        <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>> wrote:

             Natxo Asenjo wrote:



                 On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden
                 <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
        <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
                 <mailto:rcrit...@redhat.com
        <mailto:rcrit...@redhat.com> <mailto:rcrit...@redhat.com
        <mailto:rcrit...@redhat.com>>>> wrote:


                      It's hard to say, it may in fact not be a problem.

                      It is really a matter of what service the
        certificate(s)
                 are related
                      to. I'd look at the serial numbers and then
        correlate those
                 to the
                      issued certificates.

                      I'd also do a service-find on the hostname to see
        if any
                 services
                      have certificates issued and with what serial numbers.


                 I agree, it could be that. But just for testing I have
        created a vm,
                 joined it to the domain and resubmitted the certificate.

                 Now there are two valid host certificates with the same
        subject:


                    $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>>
                 ----------------------
                 2 certificates matched
                 ----------------------
                     Serial number (hex): 0x3FFE0002
                     Serial number: 1073610754
                     Status: VALID
                     Subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
                 <http://UNIX.IRISZORG.NL>
                 <http://UNIX.IRISZORG.NL>

                     Serial number (hex): 0x3FFE0003
                     Serial number: 1073610755
                     Status: VALID
                     Subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
                 <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
                 <http://UNIX.IRISZORG.NL>
                 <http://UNIX.IRISZORG.NL>
                 ----------------------------
                 Number of entries returned 2
                 ----------------------------


                 So it certmonger in this centos 6.8 32bit host is
        renewing but not
                 having the old certificate revoked.


             I'd check the Apache log to find the cert_request call to
        see if you
             can see if there are any issues raised. It should be doing a
             cert_revoke at the same time.

             Can you should how this certificate is being tracked?


        sure:

        $ sudo getcert list
        Number of certificates and requests being tracked: 1.
        Request ID '20160929100945':
              status: MONITORING
              stuck: no
              key pair storage:
        type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
        Certificate -
        throwaway.unix.iriszorg.nl <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>',token='NSS Certificate DB'
              certificate:
        type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
        Machine Certificate - throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>',token='NSS Certificate DB'
              CA: IPA
              issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>
              subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>
              expires: 2018-09-30 10:13:17 UTC
              principal name:
        host/throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>>
              key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
              eku: id-kp-serverAuth,id-kp-clientAuth
              pre-save command:
              post-save command:
              track: yes
              auto-renew: yes

        now, let's resubmit:

        $ sudo ipa-getcert resubmit -i 20160929100945
        Resubmitting "20160929100945" to "IPA".
        [jose.admin@throwaway ~]$ sudo getcert list
        Number of certificates and requests being tracked: 1.
        Request ID '20160929100945':
              status: MONITORING
              stuck: no
              key pair storage:
        type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
        Certificate -
        throwaway.unix.iriszorg.nl <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>',token='NSS Certificate DB'
              certificate:
        type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
        Machine Certificate - throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>',token='NSS Certificate DB'
              CA: IPA
              issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>
              subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>
              expires: 2018-09-30 20:41:28 UTC
              principal name:
        host/throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>>
              key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
              eku: id-kp-serverAuth,id-kp-clientAuth
              pre-save command:
              post-save command:
              track: yes
              auto-renew: yes

        so it has been successfully renewed.

        In the access_log of the kdc I see this:

        172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST
        https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient
        <https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient>
        HTTP/1.1" 200 1913
        172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>>
        [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929

        and in the error_log:
        [Thu Sep 29 22:41:28.626669 2016 <tel:626669%202016>] [:error]
        [pid 4617] ipa: INFO:
        [xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>>:
        
cert_request(u'MIID6DCCAtACAQAwQDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEjMCEGA1UEAxMadGhyb3dhd2F5LnVuaXguaXJpc3pvcmcubmwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4jBk7V2D5pX12kYrr++lwsWq1UWHy6PM9O+B/GvxaI0JoARBrhR6MKI1Ev+DV2r5ukNNWHj5+/kKbtW9XI2XMZ9pIBSwG3SG4m9s3gQV3dGQjlRCcU+MgXiDxRtRy2Vdzd1fZ9xdB1txH3ZnZfceTosNw4Jp3bm/VtPChWJeN6K671FLRCzJkI1KrC+LHfGbvyTtOipB5O9t8RkN4Qh01r/rphPvt9Gh+/mTlHnmGP9+sseqHHsgv2fPvRQowpJDEytTX5w/8pLrUCATqJUYfxK5RDuwD1304p3WXDFLoU6p2xaR63h34muj1a5NV1CvQFqJapHB5B/w6uUbLzjg3AgMBAAGgggFhMHcGCSqGSIb3DQEJFDFqHmgASQBQAEEAIABNAGEAYwBoAGkAbgBlACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAALQAgAHQAaAByAG8AdwBhAHcAYQB5AC4AdQBuAGkAeAAuAGkAcgBpAHMAegBvAHIAZwAuAG4AbDCB5QYJKoZIhvcNAQkOMYHXMIHUMIGhBgNVHREBAQAEgZYwgZOgQAYKKwYBBAGCNxQCA6AyDDBob3N0L3Rocm93YXdheS51bml4LmlyaXN6b3JnLm5sQFVOSVguSVJJU1pPUkcuTkygTwYGKwYBBQICoEUwQ6ASGxBVTklYLklSSVNaT1JHLk5MoS0wK6ADAgEBoSQwIhsEaG9zdBsadGhyb3dhd2F5LnVuaXguaXJpc3pvcmcubmwwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUgXWL3vdW/I31tQxv5Yjy!

MZy4x8kw!


    DQYJKoZIhv
    
cNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv/J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CHfdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mhehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqNyCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=',

        principal=u'host/throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl
        <mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>>', add=True,
        version=u'2.51'): SUCCESS

        and now I have 3 valid certificates:

        $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>
        ----------------------
        3 certificates matched
        ----------------------
            Serial number (hex): 0xFF9000D
            Serial number: 267976717
            Status: VALID
            Subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>

            Serial number (hex): 0x3FFE0002
            Serial number: 1073610754
            Status: VALID
            Subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>

            Serial number (hex): 0x3FFE0003
            Serial number: 1073610755
            Status: VALID
            Subject: CN=throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>
        <http://throwaway.unix.iriszorg.nl
        <http://throwaway.unix.iriszorg.nl>>,O=UNIX.IRISZORG.NL
        <http://UNIX.IRISZORG.NL>
        <http://UNIX.IRISZORG.NL>
        ----------------------------
        Number of entries returned 3
        ----------------------------


    Ok, let me start by saying that this is not a bug in either
    certmonger or dogtag. IPA is supposed to do the revocation in the
    cert_request command.

    The steps IPA _should_ be taking are:

    1. Figure out if we are doing a certificate for a host or a service.
    2. See if the requester is allowed to manage this entry
    3. Look at the entry to see if it has a usercertificate attribute.
    If so revoke that serial number, then clear the usercertificate
    value in the host or service entry (via service_mod or host_mod)
    4. Request a new certificate
    5. Update IPA with the new value

    Does a certificate appear in ipa host-show
    throwaway.unix.iriszorg.nl <http://throwaway.unix.iriszorg.nl>, and
    which certificate serial number?


$ ipa host-show throwaway
   Host name: throwaway.unix.iriszorg.nl <http://throwaway.unix.iriszorg.nl>
   Certificate:
MIIE0DCCA7igAwIBAgIED/kADTANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MjA0MTI4WhcNMTgwOTMwMjA0MTI4WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBw!

GA1UEAwwVQ
2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQB6KplOoHG5d2+3c5J/TSE/qxWkfObqPdpzYSMg5ma+PKL7ofuEgtozfoZfH/GXKIKtUpPZCJL2NQQKauagdIwto7PX184FcohCjJxHD30RRbc6q2rm3PE7Q1vDzSxW1ZCFELmpvK0XN4YX1tz6iaPgo2B7wuyhbZpT4Vd2itT1rOQ6cAnAB7BFhVNj5XDPDoMaHabtWRJVLlIOMeGyrZDUMxmoPys5g1c1SZM1ld+8+zdgqIVEsdTo9qThqPraTUi8GTjP4QvuQkLbnlFO6KQe5RqfbVXA0gKVWDtepY7h+cBQxMa/eHROFtnhW/w1+FdKHDPvOdj8aTF1tSIU2RYP,


MIIE0DCCA7igAwIBAgIEP/4AAjANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAwOTUwWhcNMTgwOTMwMTAwOTUwWjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBw!

GA1UEAwwVQ
2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQCvTRaJrl3J7Ky4VkFVfkwIGoaxocXrllYSjXZzhzHV0zJtlVeQGmHwulyrEbEzaRuMqbXe7c8WseOgU/K+UwByGiZoyxUmHgBmu2mv8Cln48UbESEAm0py4hRMmE7UzIhsHzTAKjUfyQXujB21S+FYwd97QymGRgn7kJ2TtH99zslQO0kMC//LmctUxIfTOOcrBgOojIEpcbzTeWNcyuN5+MHr6H2DNUYQZpvnDBv7XVphrk7ACrh4ETeYW5E1fFl84CdSxWehhWILF6t2WdA4RSjvtg3zvMPL+uVU8w1aru33dMuCKqvMG3iaRrDjVZ4k9/36lpf4/r1PwKYxusvg,


MIIE0DCCA7igAwIBAgIEP/4AAzANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAxMzE3WhcNMTgwOTMwMTAxMzE3WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBw!

GA1UEAwwVQ
2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBSBdYve91b8jfW1DG/liPIxnLjHyTCBngYDVR0RBIGWMIGToEAGCisGAQQBgjcUAgOgMgwwaG9zdC90aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubEBVTklYLklSSVNaT1JHLk5MoE8GBisGAQUCAqBFMEOgEhsQVU5JWC5JUklTWk9SRy5OTKEtMCugAwIBAaEkMCIbBGhvc3QbGnRocm93YXdheS51bml4LmlyaXN6b3JnLm5sMA0GCSqGSIb3DQEBCwUAA4IBAQCh6lySZa1AyUyP8AuaLUDj6X0Lt/tGS+ZIw/O248FVMJDwvLvkFUxOjTAK1mip0AHxkib+QtKqFgN9lbidnxeKFYNN2komTfLgFV+G+8kBIInxWbU1OsuYw4J6xCu5IE+F7jfdHX1yw6HSgDixYgKHe9mw+8HTbUR1a/ntZ90pmai8I7daem9bMrPHGSSChjcbjif6YNZ8ibmilqq0vw8CEwQopXFToO/mHfbXNDw6gJY5rKu19fWPi3VRQdQxKKtwY/gXg39q4FWBymDaMwjErC7G4AnGeeTYp4iFYZkfcjYvdxGXGF0CpLgunvcMMQ0rTYx5w1MrLbbnqjq1qBZO

   Principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
<mailto:throwaway.unix.iriszorg...@unix.iriszorg.nl>
   Password: False
   Keytab: True
   Managed by: throwaway.unix.iriszorg.nl
<http://throwaway.unix.iriszorg.nl>
   Subject: CN=throwaway.unix.iriszorg.nl
<http://throwaway.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
   Serial Number: 267976717
   Serial Number (hex): 0xFF9000D
   Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
   Not Before: Thu Sep 29 20:41:28 2016 UTC
   Not After: Sun Sep 30 20:41:28 2018 UTC
   Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1
   Fingerprint (SHA1):
81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45
   SSH public key fingerprint:
61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa),

71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss)


so it shows the three certificates but the serial is 267976717


Sadly I don't have much useful information for you. This is what I found.

usercertificate is a multi-valued LDAP attribute but IPA 3.0 only reallyoperates on the "first" value returned (I didn't look at more recentversions). In this case it is the 267976717 cert. The other certs shownwithout details are for the other serial numbers that cert-find isreporting.

I can't see a way that this first usercertificate value isn't revokedand removed upon renewal so I can't quite figure out how you got intothis state (and so easily as I understand it). I wasn't able toreproduce it myself. Do you have any idea how wide-spread this is inyour infrastructure?

I can see that once in this state that any "extra" certs would just bestuck there, never to be revoked.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] another certmonger question

Reply via email to