#4618 ipa-getcert no longer prints service certificates
Closed: Fixed None Opened 9 years ago by mkosek.

This is a follow-up to #4280. We now start tracking certificates via the certmonger DBUS API; however, we do not set the CA to be IPA for the selected certificates, and these certificates are then not shown in ipa-getcert lists:

# ipa-getcert list
Number of certificates and requests being tracked: 8.

With FreeIPA 3.3.3 I get:

# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20140925071112':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
    subject: CN=vm-067.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
    expires: 2016-09-25 07:11:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: 
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IDM-LAB-BOS-REDHAT-COM
    track: yes
    auto-renew: yes
Request ID '20140925071516':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
    subject: CN=vm-067.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
    expires: 2016-09-25 07:15:15 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: 
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

The difference is in the

    CA: IPA

field setting.
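
A check for the symptom described above, as an added example that is not part of the original ticket or of FreeIPA: it parses `ipa-getcert list` output and reports which expected service certificate databases have no listed request with `CA: IPA`. The function names and the `EXPECTED` list are assumptions, and both samples are constructed by trimming the listings quoted in the ticket.

```python
import re

# Constructed samples, trimmed from the two listings quoted in the ticket.
BROKEN = "Number of certificates and requests being tracked: 8.\n"
WORKING = """\
Number of certificates and requests being tracked: 7.
Request ID '20140925071112':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    pre-save command: 
Request ID '20140925071516':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
"""

# Assumption: NSS databases whose Server-Cert should be listed with CA: IPA.
EXPECTED = ["/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM", "/etc/httpd/alias"]

def parse_getcert_list(text):
    """Return (tracked_count, [request dict, ...]) from `ipa-getcert list` output."""
    count, requests = None, []
    for line in text.splitlines():
        header = re.match(r"Number of certificates and requests being tracked: (\d+)\.", line)
        start = re.match(r"Request ID '([^']+)':", line)
        if header:
            count = int(header.group(1))
        elif start:
            requests.append({"id": start.group(1)})
        elif requests and ":" in line:
            # Split on the first colon only: values such as "expires" contain colons.
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return count, requests

def missing_ipa_certs(text, expected=EXPECTED):
    """Expected locations with no listed request whose CA field is IPA."""
    _, requests = parse_getcert_list(text)
    seen = set()
    for req in requests:
        loc = re.search(r"location='([^']*)'", req.get("certificate", ""))
        if loc and req.get("CA") == "IPA":
            seen.add(loc.group(1))
    return [path for path in expected if path not in seen]

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("working", WORKING)):
        count, reqs = parse_getcert_list(sample)
        print(name, "tracked:", count, "listed:", len(reqs), "missing:", missing_ipa_certs(sample))
```

The tracked count alone does not reveal the problem, since it also exceeds the number of listed requests in the 3.3.3 output; the per-location check is what separates the two cases.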


master:

  • c8f7cb0 Set IPA CA for freeipa certificates.

ipa-4-1:

  • eea9da2 Set IPA CA for freeipa certificates.

ipa-4-0:

  • 2e7f8da Set IPA CA for freeipa certificates.

Metadata Update from @mkosek:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.0.4

7 years ago
