On 3/17/20 11:44 AM, Bhavin Vaidya via FreeIPA-users wrote:
> Hello Flo,
>
> thank you for your response.
>
> [root@srv01 ~]# ipa config-show | grep renewal
> IPA CA renewal master: srv01.arteris.com
>
> We followed following step, but Certificates will not renew.
>
> Stopped NTP and went back to 2018-05-11
> systemctl restart certmonger.service
>
> no luck, so we did
>
> Stopped NTP and went back to 2018-05-11
> systemctl restart certmonger.service
> stopped FreeIPA - ipactl stop
> Started services manually as per this RedHat doc
> <
https://access.redhat.com/solutions/3146271>.
> getcert list ---- shows either SUBMITTING, CA_UNREACHABLE or
> NEED_TO_SUBMIT
>
Hi,
you need to wait a while for certmonger to renew all the certs. As the
new output shows, some progress was made: the LDAP certificate was renewed.
You can try:
getcert resubmit -i 20180315021503
then wait for the RA cert to move to MONITORING and do the same for each
cert that needs to be renewed (resubmit, wait for the cert to move to
MONITORING, etc...).
flo
> [root@srv01 ~]# getcert list
>
> Number of certificates and requests being tracked: 8.
>
> Request ID '20180228053337':
>
> status: MONITORING
>
> stuck: no
>
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>
> CA: SelfSign
>
> issuer: CN=srv01.example.com,O=EXAMPLE.COM
>
> subject: CN=srv01.example.com,O=EXAMPLE.COM
>
> expires: 2021-01-11 21:56:57 UTC
>
> principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> <
mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM>
>
> certificate template/profile: KDCs_PKINIT_Certs
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021457':
>
> status: SUBMITTING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=CA Audit,O=EXAMPLE.COM
>
> expires: 2020-02-25 04:27:49 UTC
>
> key usage: digitalSignature,nonRepudiation
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021500':
>
> status: SUBMITTING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>
> expires: 2020-02-25 04:28:38 UTC
>
> eku: id-kp-OCSPSigning
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021501':
>
> status: SUBMITTING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=CA Subsystem,O=EXAMPLE.COM
>
> expires: 2020-02-25 04:31:47 UTC
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021502':
>
> status: MONITORING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent-reuse
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=Certificate Authority,O=EXAMPLE.COM
>
> expires: 2038-03-07 03:47:46 UTC
>
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021503':
>
> status: CA_UNREACHABLE
>
> ca-error: Error 28 connecting to
>
https://srv01.example.com:8443/ca/agent/ca/profileReview: Timeout was
> reached.
>
> stuck: no
>
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=IPA RA,O=EXAMPLE.COM
>
> expires: 2018-06-15 23:15:23 UTC
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021505':
>
> status: MONITORING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>
> CA: IPA
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=srv01.example.com,O=EXAMPLE.COM
>
> expires: 2020-05-12 01:41:53 UTC
>
> principal name: ldap/srv01.example.com@EXAMPLE.COM
> <
mailto:ldap/srv01.example.com@EXAMPLE.COM>
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021510':
>
> status: NEED_TO_SUBMIT
>
> ca-error: Server at
https://srv01.example.com/ipa/xmlfailed request,
> will retry: -504 (libcurl failed to execute the HTTP POST transaction,
> explaining:Peer's Certificate has expired.).
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>
> CA: IPA
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=srv01.example.com,O=EXAMPLE.COM
>
> expires: 2020-03-07 08:49:51 UTC
>
> principal name: HTTP/srv01.example.com@EXAMPLE.COM
> <
mailto:HTTP/srv01.example.com@EXAMPLE.COM>
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>
> track: yes
>
> auto-renew: yes
>
>
>
> Thank you and with regards,
> Bhavin
>
>
>
> ------------------------------------------------------------------------
> *From:* Florence Blanc-Renaud <flo@redhat.com>
> *Sent:* Tuesday, March 17, 2020 1:17 AM
> *To:* FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> *Cc:* Bhavin Vaidya <bvaidya@hotmail.com>
> *Subject:* Re: [Freeipa-users] Expired Certificates, rolling back time
> didn't help
> On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote:
>> Hello,
>>
>> We had similar issue 2 yrs back, and resurface as it didn't auto-renew.
>> Went back in time to 2016-06-11 as well as 2020-02-20, restarted
>> "certmonger", didn't update.
>>
> Hi,
>
> you need to check first which server is your renewal master:
>
> $ kinit admin
>
> $ ipa config-show | grep renewal
>
>
> The output should display the name of the renewal master. This host is
> the first server that needs to be fixed.
>
>
> In the getcert list output that you provided, we can see that:
>
> - the PKI certificates shared between the servers expired on 2020-02-25
> (auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca,
> subsystemCert cert-ki-ca)
>
> - the CA cert is still valid
>
> - the RA cert expired on 2018-06-15
>
> - the HTTP and LDAP server certs expired on 2020-03-07
>
>
> You need to carefully pick the date you go back in time: at that given
> date, all the certs must be valid (not expired yet but *already valid*).
> From your output, the date needs to be before 2018-06-15 but after
> 2018-03-08 (=the validFrom date for the PKI certs).
>
>
> HTH,
>
> flo
>
>> FreeIPA Master:*CentOS 7.4.1708, FreeIPA Version: **4.5.0,
>> API_VERSION: 2.228*
>>
>> whileipactl start, it will not start pki-tomcat with
>> message,pki-tomcatd Service: STOPPED.
>>
>> Referring toRob's blog
>> <
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/>
>>
>> [root@srv01 ~]# curl --cacert /etc/ipa/ca.crt
>> -v[
https://%60hostname%60:8443/ca/ww/ca/getCertChain]https://`hostname`:8443/ca/ww/ca/getCertChain
>>
>> * About to connect() to srv01.example.com port 8443 (#0)
>>
>> *Trying 192.168.10.146...
>>
>> * Connected to srv01.example.com (192.168.10.146) port 8443 (#0)
>>
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>
>> *CAfile: /etc/ipa/ca.crt
>>
>> CApath: none
>>
>> * Server certificate:
>>
>> *subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> *start date: Dec 26 21:02:44 2016 GMT
>>
>> *expire date: Dec 16 21:02:44 2018 GMT
>>
>> *common name: srv01.example.com
>>
>> *issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
>>
>> * Peer's certificate issuer has been marked as not trusted by the user.
>>
>> * Closing connection 0
>>
>> curl: (60) Peer's certificate issuer has been marked as not trusted by
>> the user.
>>
>> More details here:http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>>
>> of Certificate Authority (CA) public keys (CA certs). If the
>> defaultbundle file isn't adequate, you can specify an alternate
>> fileusing the --cacert option.
>>
>> If this HTTPS server uses a certificate signed by a CA represented
>> inthe bundle, the certificate verification probably failed due to
>> aproblem with the certificate (it might be expired, or the name
>> mightnot match the domain name in the URL).
>>
>> If you'd like to turn off curl's verification of the certificate,
>> usethe -k (or --insecure) option.
>>
>>
>> While, CA cert check asper
>> <
https://www.freeipa.org/page/V4/CA_certificate_renewal>,
>>
>> [root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n
>> 'caSigningCert cert-pki-ca'
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20180315021502':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> expires: 2038-03-07 03:47:46 UTC
>>
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "caSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> We also have few others certificates, which are not renewed.
>>
>>
>> [root@srv01 ~]# getcert list
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20180228053337':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>
>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>
>> CA: SelfSign
>>
>> issuer: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> expires: 2021-01-11 21:56:57 UTC
>>
>> principal name:krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> <
mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM>
>>
>> certificate template/profile: KDCs_PKINIT_Certs
>>
>> pre-save command:
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021457':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=CA Audit,O=EXAMPLE.COM
>>
>> expires: 2020-02-25 04:27:49 UTC
>>
>> key usage: digitalSignature,nonRepudiation
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021500':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>
>> expires: 2020-02-25 04:28:38 UTC
>>
>> eku: id-kp-OCSPSigning
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021501':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>
>> expires: 2020-02-25 04:31:47 UTC
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021502':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> expires: 2038-03-07 03:47:46 UTC
>>
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "caSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021503':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Error 60 connecting
>> tohttps://srv01.example.com:8443/ca/agent/ca/profileReview: Peer
>> certificate cannot be authenticated with given CA certificates.
>>
>> stuck: no
>>
>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>
>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=IPA RA,O=EXAMPLE.COM
>>
>> expires: 2018-06-15 23:15:23 UTC
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021505':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request,
>> will retry: 4016 (RPC failed at server.Failed to authenticate to CA
>> REST API).
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwd
>>
>> file.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> expires: 2020-03-07 08:49:36 UTC
>>
>> principal name:ldap/srv01.example.com@EXAMPLE.COM
>> <
mailto:ldap/srv01.example.com@EXAMPLE.COM>
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021510':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request,
>> will retry: 4016 (RPC failed at server.Failed to authenticate to CA
>> REST API).
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> expires: 2020-03-07 08:49:51 UTC
>>
>> principal name:HTTP/srv01.example.com@EXAMPLE.COM
>> <
mailto:HTTP/srv01.example.com@EXAMPLE.COM>
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>
>> track: yes
>>
>> auto-renew: yes
>>
>>
>> thank you for your help.
>> Bhavin
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org <
mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email tofreeipa-users-leave@lists.fedorahosted.org <
mailto:freeipa-users-leave@lists.fedorahosted.org>
>> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>