Update:
I was able to get all of the subsystem certs unstuck using the following:
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n <cert-name> -P <pwd> -c dogtag-ipa-ca-renew-agent
However, the caSigningCert is still having issues, and the status is not very helpful:
Request ID '20200922184058':
	status: NEED_GUIDANCE
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=...
	subject: CN=Certificate Authority,O=...
	expires: 2036-02-17 17:05:50 MST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Any ideas on how to fix this?