My company has 6 FreeIPA servers across 3 different locations. Five of the six servers are OK, but one we could not log in to. The error messages pointed to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`.
My question is: how do I "properly" renew or recreate this certificate? I have been able to renew it with the command listed below, but the renewed cert does not have the same characteristics as the other certs. The existing ones all seem to be self-signed with the specified profile, while my new one does not have these features. It seems to be working OK, but it would be great to understand how to generate this cert correctly. Any help is greatly appreciated.
The servers that work all display the following when using `getcert list -f /var/kerberos/krb5kdc/kdc.crt`:
```
Request ID '20191003181545':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
        subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
        expires: 2022-08-09 22:06:33 UTC
        principal name: krbtgt/ACME.ORG@ACME.ORG
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
```
Using the `local-getcert start-tracking` command below gets me an updated cert, but it is not self-signed and does not have the specified profile.
```
local-getcert start-tracking \
    -k /var/kerberos/krb5kdc/kdc.key \
    -f /var/kerberos/krb5kdc/kdc.crt \
    -T KDCs_PKINIT_Certs \
    -C /usr/libexec/ipa/certmonger/renew_kdc_cert
```
```
Request ID '20220117193849':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: local
        issuer: CN=Certificate Authority,O=ACME.ORG
        subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
        expires: 2024-01-18 17:32:20 UTC
        principal name: krbtgt/ACME.ORG@ACME.ORG
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
```
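The comparison the poster is doing by eye (CA, profile, self-signed issuer) can be automated across all six KDCs. The following is an added example, not the poster's code or anything shipped with FreeIPA or certmonger: it parses `getcert list` output and reports where a KDC certificate deviates from what the healthy servers show. The two sample blocks are constructed from the listings above.

```python
import re

# Constructed sample `getcert list` blocks in certmonger's multi-line layout,
# with field values copied from the two listings in the post.
GOOD = """\
Request ID '20191003181545':
        status: MONITORING
        CA: SelfSign
        issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
        subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
        certificate template/profile: KDCs_PKINIT_Certs
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
"""
BAD = """\
Request ID '20220117193849':
        CA: local
        issuer: CN=Certificate Authority,O=ACME.ORG
        subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
"""
# What the five healthy servers show; a re-issued KDC cert should match this.
EXPECTED = {
    "CA": "SelfSign",
    "certificate template/profile": "KDCs_PKINIT_Certs",
    "post-save command": "/usr/libexec/ipa/certmonger/renew_kdc_cert",
}
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_getcert(text):
    """Map one certmonger request block to {field: value}; the first colon splits."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_kdc_cert(text):
    """Return deviations from EXPECTED plus a self-signed check (empty list = OK)."""
    f = parse_getcert(text)
    problems = [f"{k}: expected {v!r}, got {f.get(k, '<missing>')!r}"
                for k, v in EXPECTED.items() if f.get(k) != v]
    if f.get("issuer") != f.get("subject"):
        problems.append("issuer != subject, so the cert is not self-signed")
    return problems

if __name__ == "__main__":
    for name, block in (("ipa01", GOOD), ("vipa06", BAD)):
        print(name, check_kdc_cert(block) or ["OK"])
```

On a live server, feed it the output of `getcert list -f /var/kerberos/krb5kdc/kdc.crt` instead of the embedded samples.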