On 03.05.2019 10:18, Florence Blanc-Renaud via FreeIPA-users wrote:
> On 5/2/19 7:08 PM, H. Frenzel via FreeIPA-users wrote:
>> What could be wrong here?
> Hi,
> the key is present, its name is just "NSS Certificate
> DB:subsystemCert cert-pki-ca" without any space after the colon. You
> can check the next steps, i.e. is the "subsystemCert cert-pki-ca"
> certificate consistent with the content of the LDAP entry
> uid=pkidbuser,ou=people,o=ipaca.
> flo
Tried the ldapsearch and found three userCertificates, one of them
matches with that one in /etc/pki/pki-tomcat/alias:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDbD...
...
.../342g==
userCertificate:: MIIDbj...
...
...xQ4WGL4
userCertificate:: MIIDaT...
...
...PP09A==
description: 2;2684289388;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM
The last one (MIIDaT...PP09A==) is the matching one.
The Serial Number seems to match too:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep -A1 Serial
Serial Number:
00:9f:ff:01:6c
# printf '%d\n' 0x009fff016c
2684289388
What next? Can those other two certificates be removed?
Thanks in advance & b/r
H.