Ian Kumlien via FreeIPA-users wrote:
On Thu, Jun 13, 2019 at 7:39 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Ian Kumlien wrote:
>> On Thu, Jun 13, 2019 at 3:47 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>> Ian Kumlien wrote:
[--8<--]
>>> Ok, we could fix that but below is more worrying.
>>>
>>>> Also, added the others, but I can't set "u"..
>>>>
>>>> new certs added are now:
>>>> ocspSigningCert cert-pki-ca ,,
>>>> subsystemCert cert-pki-ca ,,
>>>> auditSigningCert cert-pki-ca ,,P
>>>
>>> This means there is no private key to go along with the certificate.
>>>
>>> So do you have another working CA somewhere?
>>
>> No, but I do have backups from 2018, =)
>>
>> So I assume I should unpack there somewhere and do the old export/import trick
>
> Yes, that would do it. I'd be sure to make a backup of the current db
> before doing anything else to it.
>
>> Anything else I should think about? And key is the only missing bit?
>> (for the 'u' bit)
>
> The u flag is for user cert and indicates there is a private key
> associated with the certificate. It is automatic.
>
>> Also, how do I rename one specific "XERCES.LAN IPA CA" to the caSigningCert bit?
>
> It looks to me like the signing key is missing. You'll want to delete
> those three of the "XERCES.LAN IPA CA" certs from the database and
> import the CA signing cert from your backup.
Hmm... this might be from an older version; just using certutil makes me worried:
certutil -L -d alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CT,C,C
ocspSigningCert cert-pki-ca ,,
auditSigningCert cert-pki-ca ,,P
subsystemCert cert-pki-ca ,,
Server-Cert cert-pki-ca u,u,u
transportCert cert-pki-kra u,u,u
storageCert cert-pki-kra u,u,u
auditSigningCert cert-pki-kra u,u,Pu
---
Are the keys somewhere else in older versions?
(I think you mentioned this on irc - will keep looking but...)
Yeah, that's bad. Look for /root/cacert.p12. It should have the keys as
well.
rob
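The diagnosis in this thread comes down to reading the trust-attribute column of `certutil -L`: a `u` in any of the three comma-separated groups (SSL, S/MIME, JAR/XPI) means NSS has the private key for that certificate, and `CT,C,C` or `,,` on a cert-pki-ca entry means the key is gone. The following Python script is an added example, not part of the thread or of FreeIPA; it parses a listing in that format and reports which of the expected Dogtag CA nicknames either are missing from the database or have no private key. The sample listing is the one Ian posted above (embedded as a string so the script runs offline); the function names, the flag legend and the list of expected nicknames are my own assumptions, the last one based on what a healthy FreeIPA CA master normally shows (`caSigningCert cert-pki-ca` with `CTu,Cu,Cu`, the others with `u,u,u` or `u,u,Pu`).

```python
"""Check an NSS certutil -L listing for certificates that lack a private key.

Added example; not code from the FreeIPA project or from the thread authors.
Run it stand-alone to see a report for the sample listing, or pipe real
output in:  certutil -L -d /etc/pki/pki-tomcat/alias | python3 this_file.py
"""
import re
import sys

# One trust-attribute token: three comma-separated groups of NSS flag letters,
# e.g. "CT,C,C", ",,P", "u,u,Pu". Groups may be empty.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

# Legend for the flag letters (NSS trust flags as documented for certutil).
FLAG_MEANING = {
    "C": "trusted CA for this purpose",
    "T": "trusted CA for client auth",
    "c": "valid CA",
    "P": "trusted peer",
    "p": "valid peer",
    "u": "private key present in this database",
    "w": "warn when used",
}

# Assumption: nicknames a FreeIPA/Dogtag CA instance is expected to hold,
# every one of them with a private key.
EXPECTED_CA_NICKNAMES = (
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
)

# Constructed from the listing posted in the thread (column spacing is cosmetic).
SAMPLE_LISTING = """\
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                         CT,C,C
ocspSigningCert cert-pki-ca                       ,,
auditSigningCert cert-pki-ca                      ,,P
subsystemCert cert-pki-ca                         ,,
Server-Cert cert-pki-ca                           u,u,u
transportCert cert-pki-kra                        u,u,u
storageCert cert-pki-kra                          u,u,u
auditSigningCert cert-pki-kra                     u,u,Pu
"""


def parse_certutil_listing(text):
    """Return [(nickname, (ssl, smime, jar)), ...] from certutil -L output.

    Nicknames may contain spaces, so the trust token is the last
    whitespace-separated field; header and blank lines never match TRUST_RE.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        nickname, trust = parts
        entries.append((nickname, tuple(trust.split(","))))
    return entries


def has_private_key(trust):
    """True when NSS marks the cert as a user cert (key present) for any use."""
    return any("u" in group for group in trust)


def describe_trust(trust):
    """Human-readable legend for one trust triple, e.g. ('CT','C','C')."""
    letters = sorted(set("".join(trust)))
    return ", ".join(f"{c}={FLAG_MEANING.get(c, '?')}" for c in letters) or "(no flags)"


def find_keyless(text):
    """Nicknames in the listing whose certificate has no private key."""
    return [nick for nick, trust in parse_certutil_listing(text)
            if not has_private_key(trust)]


def audit_ca_db(text, expected=EXPECTED_CA_NICKNAMES):
    """Map each expected nickname to 'ok', 'no private key' or 'missing'."""
    present = dict(parse_certutil_listing(text))
    status = {}
    for nick in expected:
        if nick not in present:
            status[nick] = "missing"
        elif not has_private_key(present[nick]):
            status[nick] = "no private key"
        else:
            status[nick] = "ok"
    return status


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for nick, trust in parse_certutil_listing(listing):
        print(f"{nick:40} {','.join(trust):10} {describe_trust(trust)}")
    for nick, state in audit_ca_db(listing).items():
        print(f"{state:15} {nick}")
```

For the listing in the thread the audit marks the four signing/subsystem certs as "no private key" and only Server-Cert as ok, which matches Rob's reading. Two practical notes: `certutil -K -d alias/` lists the private keys directly and is the quicker confirmation, and once the cacert.p12 from the backup is located, `pk12util -i /root/cacert.p12 -d alias/` is the standard NSS tool for bringing the key and certificate back in; back up the alias/ directory first, as advised earlier in the thread.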