A few days ago my master CA was messed up and getcert list was showing
an empty list (no certs to track).
So I ran the following commands to add certs manually:
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
And after that I am seeing this status (status: NEED_CA); it should
be MONITORING, right?
# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=example.com
    subject: CN=Certificate Authority,O=example.com
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915043150':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alaas',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=example.com
    subject: CN=ldap-example-5-1.foo.example.com,O=example.com
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915043212':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=example.com
    subject: CN=OCSP Subsystem,O=example.com
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
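
An added example, not part of the original message: a Python triage of `getcert list` text like the listing above, flagging each request that is not in MONITORING, is marked stuck, or whose key and certificate storage locations differ. The sample input is constructed from two of the requests in the listing (wrapped lines rejoined, some fields omitted); the function names are hypothetical.

```python
import re
# Constructed sample: two requests modelled on the `getcert list` output in
# the message above, reduced to the fields this check reads.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20190915042927':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20190915043150':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alaas',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `getcert list` text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def location(storage):
    m = re.search(r"location='([^']*)'", storage or "")
    return m.group(1) if m else None

def triage(requests):
    """Return {request_id: [findings]} for requests that need attention."""
    report = {}
    for rid, f in requests.items():
        findings = []
        if f.get("status") != "MONITORING":
            findings.append("status=" + f.get("status", "?"))
        if f.get("stuck") == "yes":
            findings.append("stuck")
        key_loc, cert_loc = location(f.get("key pair storage")), location(f.get("certificate"))
        if key_loc != cert_loc:
            findings.append(f"key/cert location differ: {key_loc} vs {cert_loc}")
        if findings:
            report[rid] = findings
    return report

print(triage(parse_getcert_list(SAMPLE)))
```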