My company has 6 FreeIPA servers across 3 different locations. Five
of the six servers are OK, but one we could not log in to. The error messages pointed to
the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`.
My question is how do I "properly" renew or recreate this certificate. I have
been able to renew it with the command listed below, but the renewed cert does not have
the same characteristics as the other certs. The existing ones all seem to be self-signed
with the specified profile while my new one does not have these features. It seems to be
working OK but it would be great to understand how to generate this cert correctly.
Any help is greatly appreciated.
The servers that work all display the following when using getcert list -f /var/kerberos/krb5kdc/kdc.crt
Request ID '20191003181545':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
expires: 2022-08-09 22:06:33 UTC
principal name: krbtgt/ACME.ORG(a)ACME.ORG
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Using the local-getcert start-tracking command below gets me an updated cert, but it is
not self-signed and does not have the specified profile.
local-getcert start-tracking \
-k /var/kerberos/krb5kdc/kdc.key \
-f /var/kerberos/krb5kdc/kdc.crt \
-T KDCs_PKINIT_Certs \
-C /usr/libexec/ipa/certmonger/renew_kdc_cert
Request ID '20220117193849':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: local
issuer: CN=Certificate Authority,O=ACME.ORG
subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
expires: 2024-01-18 17:32:20 UTC
principal name: krbtgt/ACME.ORG(a)ACME.ORG
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
The prefix before getcert is a shortcut to the certmonger CA helper that
manages the certificate. selfsign and local are two different helpers.
You probably want getcert start-tracking -c selfsign <blah> instead.
You can use getcert stop-tracking -i 20220117193849 to start over.
Take this with a grain of salt because I'm not sure where this renewed
certificate came from. The one tracked by local here looks more like it
was issued by IPA than selfsign based on the issuer.
rob
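As an added example (not from the thread, and not FreeIPA or certmonger code), here is a small Python audit that parses `getcert list` output like the two listings above and reports where a KDC cert's tracking request deviates from the shape the working servers show: the certmonger CA helper, the KDCs_PKINIT_Certs profile, self-signature (issuer equal to subject) and days to expiry. The embedded sample is constructed from the thread's two listings, trimmed to the audited fields, and the expected CA/profile values are taken from the working servers.

```python
import re
from datetime import datetime
# Constructed sample: the two listings quoted in the thread, trimmed to the fields audited.
SAMPLE = """\
Request ID '20191003181545':
    CA: SelfSign
    issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
    subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
    expires: 2022-08-09 22:06:33 UTC
    certificate template/profile: KDCs_PKINIT_Certs
Request ID '20220117193849':
    CA: local
    issuer: CN=Certificate Authority,O=ACME.ORG
    subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
    expires: 2024-01-18 17:32:20 UTC
    eku: id-kp-serverAuth,id-pkinit-KPKdc
"""
EXPECTED_CA, EXPECTED_PROFILE = "SelfSign", "KDCs_PKINIT_Certs"  # shape of the healthy servers

def parse_getcert_list(text):
    """Split 'getcert list' output into one dict of fields per 'Request ID' block."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return entries

def audit_kdc_cert(entry, now, warn_days=30):
    """List the ways one tracking entry deviates from the healthy servers' shape."""
    findings = []
    if entry.get("CA") != EXPECTED_CA:
        findings.append(f"CA helper is {entry.get('CA')!r}, expected {EXPECTED_CA!r}")
    if entry.get("certificate template/profile") != EXPECTED_PROFILE:
        findings.append(f"profile is not {EXPECTED_PROFILE}")
    if entry.get("issuer") != entry.get("subject"):
        findings.append("not self-signed (issuer differs from subject)")
    expires = datetime.strptime(entry["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    if (expires - now).days < warn_days:
        findings.append(f"expires in {(expires - now).days} days")
    return findings

def audit_all(text, now_utc):
    """Map request id -> findings; now_utc is 'YYYY-MM-DD HH:MM:SS' in UTC."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S")
    return {e["id"]: audit_kdc_cert(e, now) for e in parse_getcert_list(text)}
```

Run it over `getcert list` output collected from each server and the odd one out is the entry with a non-empty findings list.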