After installing a replica, only the main CA cert is tracked by certmonger:
```
# getcert list | grep 'certificate:.*caSigningCert'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
```
One has to run ipa-certupdate for lightweight sub-CA certs to be tracked by certmonger as well:
```
# ipa-certupdate
# getcert list | grep 'certificate:.*caSigningCert'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
```
Fix ipa-replica-install to do this automatically.
ipa-replica-install
This could be quite tricky... Dogtag LWCA key replication happens in the background, and we would have to wait for keys to be replicated and added to the NSSDB before tracking them. Still, a "best effort" approach would be better than nothing, and perhaps reporting which CAs, if any, were not successfully tracked due to the key being unavailable at replica-install time.
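A check for the gap described in the ticket and for the reporting suggested in the comment above, as an added example that is not part of the ticket or of FreeIPA: it lists caSigningCert nicknames present in the Dogtag NSSDB that certmonger is not tracking. It runs on constructed samples of `certutil -L` and `getcert list` output embedded below; the NSSDB path and nicknames are taken from the ticket, and the request ID is made up.

```shell
#!/bin/sh
# Report lightweight sub-CA signing certs that sit in the Dogtag NSSDB but are
# not tracked by certmonger. Constructed samples stand in for the real commands.

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias` output.
SAMPLE_NSSDB='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb u,u,u
Server-Cert cert-pki-ca                                      u,u,u'

# Constructed sample of `getcert list` output on a fresh replica: only the
# main CA signing cert is tracked (request ID is a made-up value).
SAMPLE_GETCERT="Number of certificates and requests being tracked: 1.
Request ID '20160101000000':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'"

# Print caSigningCert nicknames from certutil -L output on stdin
# (drops the trailing trust-attribute column, keeping spaces in the nickname).
ca_nicknames_in_nssdb() {
    grep '^caSigningCert' | sed -E 's/[[:space:]]+[^[:space:]]+$//'
}

# Print caSigningCert nicknames that certmonger tracks, from getcert list output on stdin.
ca_nicknames_tracked() {
    sed -n "s/.*nickname='\([^']*\)'.*/\1/p" | grep '^caSigningCert'
}

# Print nicknames in the NSSDB ($1 = certutil -L output) that are missing from
# certmonger ($2 = getcert list output). Empty output means everything is tracked.
untracked_cas() {
    nssdb=$(printf '%s\n' "$1" | ca_nicknames_in_nssdb)
    tracked=$(printf '%s\n' "$2" | ca_nicknames_tracked)
    printf '%s\n' "$nssdb" | while IFS= read -r nick; do
        [ -z "$nick" ] && continue
        printf '%s\n' "$tracked" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# On a real replica (as root) this would be:
#   untracked_cas "$(certutil -L -d /etc/pki/pki-tomcat/alias)" "$(getcert list)"
untracked_cas "$SAMPLE_NSSDB" "$SAMPLE_GETCERT"
```

With the samples above it prints only the lightweight sub-CA nickname, which is exactly what running ipa-certupdate adds to certmonger.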
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1356101
master:
ipa-4-4:
Metadata Update from @jcholast: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4.1