My company has 6 FreeIPA servers across 3 different locations. Five of the six 
servers are OK, but one we could not log in to. The error messages pointed to 
the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`.

My question is how do I "properly" renew or recreate this certificate. I have 
been able to renew it with the command listed below, but the renewed cert does 
not have the same characteristics as the other certs. The existing ones all seem 
to be self-signed with the specified profile, while my new one does not have 
these features. It seems to be working OK, but it would be great to understand how 
to generate this cert correctly. Any help is greatly appreciated. 

The servers that work all display the following when using getcert list -f 
/var/kerberos/krb5kdc/kdc.crt

Request ID '20191003181545':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
        subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
        expires: 2022-08-09 22:06:33 UTC
        principal name: krbtgt/acme....@acme.org
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

Using the local-getcert start-tracking command below gets me an updated cert, 
but it is not self-signed and does not have the specified profile.

local-getcert start-tracking \
    -k /var/kerberos/krb5kdc/kdc.key \
    -f /var/kerberos/krb5kdc/kdc.crt \
    -T KDCs_PKINIT_Certs \
    -C /usr/libexec/ipa/certmonger/renew_kdc_cert

Request ID '20220117193849':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: local
        issuer: CN=Certificate Authority,O=ACME.ORG
        subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
        expires: 2024-01-18 17:32:20 UTC
        principal name: krbtgt/acme....@acme.org
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure