Rob, sorry, I trimmed my output because I thought the rest was not necessary, but anyway here is
the full list (ignore the CAPS letters in the output).
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=Certificate
Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043150':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-11-17 18:30:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043212':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=OCSP
Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:26 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043224':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=CA
Audit,O=EXAMPLE.COM
expires: 2020-11-17 18:32:07 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043237':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=CA
Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:16 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043246':
status: NEED_KEY_PAIR
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin
set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS
Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043304':
status: NEED_KEY_PAIR
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy
Intermediate',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy
Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority -
G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045112':
status: NEED_KEY_PAIR
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA
CA',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM
IPA CA',token='NSS Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=Certificate
Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045148':
status: NEED_KEY_PAIR
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS
Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045156':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=Object Signing
Cert,O=EXAMPLE.COM
expires: 2021-01-05 14:49:59 UTC
key usage: digitalSignature,keyCertSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045206':
status: NEED_KEY_PAIR
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy
Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy
Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority -
G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045216':
status: NEED_CA
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=IPA
RA,O=EXAMPLE.COM
expires: 2020-11-17 18:31:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > A few days ago my master CA was messed up and getcert list was showing
> > an empty list (no certs to track).
> >
> > So I ran the following commands to add the certs manually:
> >
> > getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> > 'ocspSigningCert cert-pki-ca' -P XXXXXXX
> > getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> > 'auditSigningCert cert-pki-ca' -P XXXXXXX
> > getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
> > cert-pki-ca' -P XXXXXXX
> > getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P
XXXXXXX
> > getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy
> > Intermediate' -P XXXXXXX
> >
> > And after that I am seeing this status (status: NEED_CA); it should
> > be MONITORING, right?
> >
> > # getcert list
> > Number of certificates and requests being tracked: 12.
>
> You set up the tracking wrong. Your output only shows 3 certs, and yet
> certmonger thinks it has 12. Where are the other 9?
>
> rob