Hi,
Certmonger can provide information related to the certificates it's tracking (stored in a file or in an NSS database). In your case, the certificate nickname is "transportCert cert-pki-kra", and to know where it's stored you can run the following command:
# getcert list -n 'transportCert cert-pki-kra'
Number of certificates and requests being tracked: 12.
Request ID '20220201080534':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.TEST
subject: CN=KRA Transport Certificate,O=IPA.TEST
issued: 2022-02-01 08:04:27 UTC
expires: 2024-01-22 08:04:27 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caTransportCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
track: yes
auto-renew: yes
The above command shows that the certificate and the key are stored in /etc/pki/pki-tomcat/alias, which is an NSS database. In order to see the certificate details, you can use the certutil command (-L for displaying the cert, -d for the NSS DB path, -n for the cert nickname):
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11 (0xb)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=IPA.TEST"
Validity:
Not Before: Tue Feb 01 08:04:27 2022
Not After : Mon Jan 22 08:04:27 2024
Subject: "CN=KRA Transport Certificate,O=IPA.TEST"
[...]
If you want to see the output printed in ASCII format, simply add the -a option:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra' -a
-----BEGIN CERTIFICATE-----
MIID6zCCAlOgAwIBAgIBCzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
[...]
KLVH0hPJY7vzphBJtKtPTuEjyxYLrU9eKHNe8e7XPBd8/nA2qDAYS08eLIHBlek=
-----END CERTIFICATE-----
The ipa-healthcheck command compares the certificate with the value stored in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg in the directive ca.connector.KRA.transportCert.
So you need to figure out which cert you want to keep and then make everything consistent (both servers should use the same 'transportCert cert-pki-kra'). How to figure out which one? Well, if both are valid and not revoked, any choice would work; you can pick the one with the furthest expiration date.
If you need to manipulate the certs in the NSSDB, use the certutil command (with -D to remove a cert, -A to add a cert). Always make a backup of the directory /etc/pki/pki-tomcat/alias first; this way any certificate can be recovered in case of issues. You will need to restart PKI after changing the cert, with:
# systemctl restart pki-tomcatd@pki-tomcat
HTH,
flo
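One way to script the comparison described above (NSSDB transport cert versus the ca.connector.KRA.transportCert directive in CS.cfg), as an added example that is not part of the reply nor IPA's or Dogtag's own code. It assumes the directive holds the certificate as single-line base64 DER, and it uses constructed sample data in place of real certutil output and a real CS.cfg.

```python
import base64
import hashlib
import textwrap

# Constructed DER bytes standing in for a real transport certificate.
FAKE_DER = bytes(range(96))
# A second, different certificate to show the mismatch case.
OTHER_DER = bytes(range(96, 0, -1))


def to_pem(der):
    """Render DER the way `certutil -L ... -a` prints it (64-column base64 lines)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body back to DER."""
    lines = [s for s in (l.strip() for l in pem.splitlines())
             if s and not s.startswith("-----")]
    return base64.b64decode("".join(lines))


def cs_cfg_directive(cfg_text, key):
    """Return the value of `key=` from a CS.cfg-style file, or None if absent."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form certutil/openssl display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def transport_cert_consistent(cfg_text, nssdb_pem):
    """Compare the KRA transport cert in CS.cfg with the one exported from the NSSDB.
    Assumption: the directive holds the certificate as single-line base64 DER."""
    value = cs_cfg_directive(cfg_text, "ca.connector.KRA.transportCert")
    if value is None:
        return {"match": False, "reason": "directive missing"}
    cfg_der = base64.b64decode("".join(value.split()))  # tolerate stray whitespace
    db_der = pem_to_der(nssdb_pem)
    return {"match": cfg_der == db_der,
            "cs_cfg": fingerprint(cfg_der), "nssdb": fingerprint(db_der)}


# Constructed CS.cfg fragment (not a real server's file).
SAMPLE_CS_CFG = ("ca.connector.KRA.host=kra.ipa.test\n"
                 "ca.connector.KRA.transportCert="
                 + base64.b64encode(FAKE_DER).decode() + "\n")
```

On a real server you would feed it the output of the certutil -a command above and the contents of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg; the two fingerprints tell you which side to fix when they differ.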