I'm asking you to compare because it's unexpected to see a subject
CN=localhost for the IPA CA. Someone has probably messed up with some
commands and replaced the original IPA CA with a wrong one in the
/etc/pki/pki-tomcat/alias database. If that's the case, we can put the
right CA back with certutil commands but we need to be sure what to put
there.
Good call—they are completely different:
/etc/ipa/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 14 21:09:26 2020 GMT
            Not After : Nov 14 21:09:26 2040 GMT
        Subject: O = <domain>, CN = Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
and the one in the pki-tomcat/alias db is:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 21 21:11:50 2020 GMT
            Not After : Nov 11 21:11:50 2022 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
How do we replace that one?
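
The comparison made in this thread, as an added example that is not part of the original messages: a small Python check that parses two `openssl x509 -text` dumps and lists the fields showing the certificate in the NSS database is not the reference CA. The sample dumps are constructed and abbreviated, with EXAMPLE.TEST as a placeholder realm; the function names are hypothetical.

```python
import re

# Constructed, abbreviated dumps modelled on the two certificates in the thread.
REFERENCE = """\
Serial Number: 1 (0x1)
Issuer: O = EXAMPLE.TEST, CN = Certificate Authority
Not Before: Nov 14 21:09:26 2020 GMT
Not After : Nov 14 21:09:26 2040 GMT
Subject: O = EXAMPLE.TEST, CN = Certificate Authority
Subject Public Key Info:
"""
NSSDB = """\
Serial Number: 15 (0xf)
Issuer: O = EXAMPLE.TEST, CN = Certificate Authority
Not Before: Nov 21 21:11:50 2020 GMT
Not After : Nov 11 21:11:50 2022 GMT
Subject: CN = localhost
Subject Public Key Info:
"""

FIELDS = ("Serial Number", "Issuer", "Subject", "Not Before", "Not After")
LINE = re.compile(r"\s*(" + "|".join(FIELDS) + r")\s*:\s*(.+)")

def parse_dump(text):
    """Extract the identifying fields from one certificate text dump."""
    cert = {}
    for line in text.splitlines():
        m = LINE.match(line)  # "Subject Public Key Info:" does not match
        if m:
            cert[m.group(1)] = m.group(2).strip()
    return cert

def compare(reference, candidate):
    """Return the reasons the candidate is not the reference CA certificate."""
    ref, cand = parse_dump(reference), parse_dump(candidate)
    findings = [f"{f}: {ref.get(f)!r} != {cand.get(f)!r}"
                for f in FIELDS if ref.get(f) != cand.get(f)]
    # The reference CA here is self-signed; a leaf certificate issued by it is not.
    if ref.get("Subject") == ref.get("Issuer") and cand.get("Subject") != cand.get("Issuer"):
        findings.append("candidate is not self-signed, reference is")
    return findings

if __name__ == "__main__":
    for finding in compare(REFERENCE, NSSDB):
        print(finding)
```

Matching fields are necessary but not sufficient; confirm identity by comparing the SHA-256 fingerprints of the two certificates before changing anything in the database.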