On Thu, Jun 13, 2019 at 7:39 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Ian Kumlien wrote:
> On Thu, Jun 13, 2019 at 3:47 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>> Ian Kumlien wrote:
[--8<--]
>> Ok, we could fix that but below is more worrying.
>>
>>> Also, added the others, but I can't set "u"..
>>>
>>> new certs added are now:
>>> ocspSigningCert cert-pki-ca ,,
>>> subsystemCert cert-pki-ca ,,
>>> auditSigningCert cert-pki-ca ,,P
>>
>> This means there is no private key to go along with the certificate.
>>
>> So do you have another working CA somewhere?
>
> No, but I do have backups from 2018, =)
>
> So I assume I should unpack there somewhere and do the old export/import trick
Yes, that would do it. I'd be sure to make a backup of the current db
before doing anything else to it.
> Anything else I should think about? And key is the only missing bit?
> (for the 'u' bit)
The u flag is for user cert and indicates there is a private key
associated with the certificate. It is automatic.
> Also, how do I rename one specific "XERCES.LAN IPA CA" to the
> caSigningCert bit?
It looks to me like the signing key is missing. You'll want to delete
those three of the "XERCES.LAN IPA CA" certs from the database and
import the CA signing cert from your backup.
Humm... this might be from an older version, just using certutil
makes me worried:
certutil -L -d alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CT,C,C
ocspSigningCert cert-pki-ca ,,
auditSigningCert cert-pki-ca ,,P
subsystemCert cert-pki-ca ,,
Server-Cert cert-pki-ca u,u,u
transportCert cert-pki-kra u,u,u
storageCert cert-pki-kra u,u,u
auditSigningCert cert-pki-kra u,u,Pu
---
Are the keys somewhere else in older versions?
(I think you mentioned this on irc - will keep looking but...)
> rob
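An added check, not part of this thread and not FreeIPA's own code: a small Python parser for the certutil -L listing quoted above that reports every nickname without the u flag, i.e. a certificate for which NSS finds no matching private key. It assumes the listing has been captured to a string exactly as certutil prints it (the constructed sample below reproduces the thread's output).

```python
import re
from typing import Dict, List

# Constructed sample: the "certutil -L -d alias/" listing quoted in the
# thread above, including the two header lines certutil prints.
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CT,C,C
ocspSigningCert cert-pki-ca                   ,,
auditSigningCert cert-pki-ca                  ,,P
subsystemCert cert-pki-ca                     ,,
Server-Cert cert-pki-ca                       u,u,u
transportCert cert-pki-kra                    u,u,u
storageCert cert-pki-kra                      u,u,u
auditSigningCert cert-pki-kra                 u,u,Pu
"""

# NSS trust letters: p/P (peer), c/C (CA), T (client-auth CA),
# u (private key present in the DB), w (warn).  Three comma-separated
# columns: SSL, S/MIME, JAR/XPI.  The header "SSL,S/MIME,JAR/XPI"
# contains '/' and therefore never matches as an entry.
_ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_listing(text: str) -> Dict[str, List[str]]:
    """Return {nickname: [ssl_flags, smime_flags, jar_flags]}."""
    certs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:  # header, blank and separator lines do not match
            certs[m.group("nick")] = m.group("trust").split(",")
    return certs


def has_private_key(flags: List[str]) -> bool:
    """certutil sets 'u' only when a matching private key is in the DB."""
    return any("u" in col for col in flags)


def certs_missing_keys(text: str) -> List[str]:
    """Nicknames whose certificate carries no 'u' flag: usable to verify,
    but the subsystem cannot sign with it, which is the thread's problem."""
    certs = parse_certutil_listing(text)
    return [nick for nick, flags in certs.items() if not has_private_key(flags)]


if __name__ == "__main__":
    for nick in certs_missing_keys(SAMPLE_LISTING):
        print(f"no private key: {nick}")
```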