# certutil -L -d /etc/httpd/alias -l
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
IPA.COMPANY.COM IPA CA CT,C,C
IPA.COMPANY.COM IPA CA CT,C,C
IPA.COMPANY.COM IPA CA CT,C,C
IPA.COMPANY.COM IPA CA CT,C,C
DSTRootCAX3 C,,
CN=R3,O=Let's Encrypt,C=US C,,
CN=E1,O=Let's Encrypt,C=US C,,
IPA.COMPANY.COM IPA CA CT,C,C
IPA.COMPANY.COM IPA CA CT,C,C
IPA.COMPANY.COM IPA CA CT,C,C
ISRGRootCAX3 C,,
ISRGRootCAX3 C,,
ISRGRootCAX1 C,,
CN=ISRG Root X2,O=Internet Security Research Group,C=US C,,
CN=R4,O=Let's Encrypt,C=US C,,
CN=E2,O=Let's Encrypt,C=US C,,
# certutil -L -d /etc/httpd/alias -n "Server-Cert" | grep -E "Certificate:|Subject:|Validity|Not Before|Not After|Issuer|Serial Number"
Certificate:
Serial Number: 268369924 (0xfff0004)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Mon Mar 08 22:31:53 2021
Not After : Thu Mar 09 22:31:53 2023
Subject: "CN=ipa.internal.company.com,O=IPA.COMPANY.COM"
# certutil -L -d /etc/httpd/alias -n "IPA.COMPANY.COM IPA CA" | grep -E "Certificate:|Subject:|Validity|Not Before|Not After|Issuer|Serial Number"
Certificate:
Serial Number: 268369930 (0xfff000a)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Wed Sep 01 05:41:44 2021
Not After : Sun Sep 01 05:41:44 2041
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Certificate:
Serial Number: 268369929 (0xfff0009)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Wed Sep 01 05:34:27 2021
Not After : Sun Sep 01 05:34:27 2041
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Certificate:
Serial Number: 268369928 (0xfff0008)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Wed Sep 01 05:18:21 2021
Not After : Sun Sep 01 05:18:21 2041
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Certificate:
Serial Number: 268369927 (0xfff0007)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Wed Sep 01 05:16:37 2021
Not After : Sun Sep 01 05:16:37 2041
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Certificate:
Serial Number: 268369926 (0xfff0006)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Wed Sep 01 05:10:15 2021
Not After : Sun Sep 01 05:10:15 2041
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Certificate:
Serial Number: 268369925 (0xfff0005)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Wed Sep 01 05:04:01 2021
Not After : Sun Sep 01 05:04:01 2041
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Certificate:
Serial Number: 12 (0xc)
Issuer: "CN=Certificate Authority,O=IPA.COMPANY.COM"
Validity:
Not Before: Fri Dec 22 18:36:51 2017
Not After : Tue Dec 22 18:36:51 2037
Subject: "CN=Certificate Authority,O=IPA.COMPANY.COM"
# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
# getcert resubmit -i 20190405192207
# getcert resubmit -i 20190405204558
# getcert resubmit -i 20190405204559
# journalctl -f
Nov 30 04:26:11 ipa.internal.company.com server[943811]: CMSEngine.initializePasswordStore() begins
Nov 30 04:26:11 ipa.internal.company.com server[943811]: CMSEngine.initializePasswordStore(): tag=internaldb
Nov 30 04:26:11 ipa.internal.company.com server[943811]: CMSEngine.initializePasswordStore(): tag=replicationdb
Nov 30 04:26:13 ipa.internal.company.com server[943811]: -----------------------
Nov 30 04:26:13 ipa.internal.company.com server[943811]: Disabled "ca" subsystem
Nov 30 04:26:13 ipa.internal.company.com server[943811]: -----------------------
Nov 30 04:26:13 ipa.internal.company.com server[943811]: Subsystem ID: ca
Nov 30 04:26:13 ipa.internal.company.com server[943811]: Instance ID: pki-tomcat
Nov 30 04:26:13 ipa.internal.company.com server[943811]: Enabled: False
Nov 30 04:26:13 ipa.internal.company.com server[943811]: CA is started.
Nov 30 04:26:13 ipa.internal.company.com server[943811]: WARNING: PKIListener: Subsystem CA is disabled.
Nov 30 04:26:13 ipa.internal.company.com server[943811]: WARNING: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Nov 30 04:26:13 ipa.internal.company.com server[943811]: WARNING: PKIListener: To enable the subsystem:
Nov 30 04:26:13 ipa.internal.company.com server[943811]: WARNING: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
# cat /var/log/pki/pki-tomcat/ca/selftests.log
0.localhost-startStop-1 - [01/Sep/2021:05:00:56 UTC] [20] [1] SystemCertsVerification: system certs verification failure: Certutils.verifySystemCertValidityByNickname: faliled: nickname: caSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: caSigningCert cert-pki-ca
# journal -f
Sep 02 05:04:30 ipa.internal.company.com renew_ca_cert[945080]: Stopping pki_tomcatd
Sep 02 05:04:30 ipa.internal.company.com systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Sep 02 05:04:30 ipa.internal.company.com server[945093]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Sep 02 05:04:30 ipa.internal.company.com server[945093]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Sep 02 05:04:30 ipa.internal.company.com server[945093]: main class used: org.apache.catalina.startup.Bootstrap
Sep 02 05:04:30 ipa.internal.company.com server[945093]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Sep 02 05:04:30 ipa.internal.company.com server[945093]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Sep 02 05:04:30 ipa.internal.company.com server[945093]: arguments used: stop
Sep 02 05:04:30 ipa.internal.company.com server[945093]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Sep 02 05:04:31 ipa.internal.company.com systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
Sep 02 05:04:31 ipa.internal.company.com renew_ca_cert[945080]: Stopped pki_tomcatd
Sep 02 05:04:31 ipa.internal.company.com renew_ca_cert[945080]: Updating entry cn=ac46e0eb-c924-420b-9795-9a7074ba8060,ou=authorities,ou=ca,o=ipaca
Sep 02 05:04:31 ipa.internal.company.com renew_ca_cert[945080]: Not updating CS.cfg
Sep 02 05:04:31 ipa.internal.company.com renew_ca_cert[945080]: Failed to remove certificate ISRGRootCAX3
Sep 02 05:04:32 ipa.internal.company.com renew_ca_cert[945080]: Starting pki_tomcatd
# certutil -d /etc/httpd/alias -D -n ISRGRootCAX3
# getcert resubmit -i 20190405204557
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190405192115':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-COMPANY-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=ipa.internal.company.com,O=IPA.COMPANY.COM
expires: 2023-03-09 22:30:53 UTC
dns: ipa.internal.company.com
principal name: ldap/ipa.internal.company.com@IPA.COMPANY.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-COMPANY-COM
track: yes
auto-renew: yes
Request ID '20190405192140':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=ipa.internal.company.com,O=IPA.COMPANY.COM
expires: 2023-03-09 22:31:53 UTC
dns: ipa.internal.company.com
principal name: HTTP/ipa.internal.company.com@IPA.COMPANY.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20190405192207':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=IPA RA,O=IPA.COMPANY.COM
expires: 2023-08-23 05:08:49 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20190405192208':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=ipa.internal.company.com,O=IPA.COMPANY.COM
expires: 2023-03-09 22:30:44 UTC
principal name: krbtgt/IPA.COMPANY.COM@IPA.COMPANY.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20190405204557':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=CA Audit,O=IPA.COMPANY.COM
expires: 2023-08-23 05:24:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190405204558':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=OCSP Subsystem,O=IPA.COMPANY.COM
expires: 2023-08-23 05:12:19 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190405204559':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=CA Subsystem,O=IPA.COMPANY.COM
expires: 2023-08-23 05:14:24 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190405204600':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=Certificate Authority,O=IPA.COMPANY.COM
expires: 2041-09-02 05:05:18 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190405204601':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.COMPANY.COM
subject: CN=ipa.internal.company.com,O=IPA.COMPANY.COM
expires: 2023-02-15 22:30:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes