On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <[email protected]> wrote:
>
> It's hard to say, it may in fact not be a problem.
>
> It is really a matter of what service the certificate(s) are related to.
> I'd look at the serial numbers and then correlate those to the issued
> certificates.
>
> I'd also do a service-find on the hostname to see if any services have
> certificates issued and with what serial numbers.
>

I agree, it could be that.

But just for testing I have created a VM, joined it to the domain and
resubmitted the certificate. Now there are two valid host certificates with
the same subject:

$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------

So certmonger on this CentOS 6.8 32-bit host is renewing but not having the
old certificate revoked.

--
Groeten,
natxo
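
Added example, not part of the original message and not FreeIPA project code: a Python check that parses `ipa cert-find` text output in the layout shown in the message above and lists every subject that still has more than one VALID certificate. The function names are hypothetical, and the sample input is the output from the post.

```python
import re
from collections import defaultdict
# Sample input: the `ipa cert-find` output quoted in the message above.
SAMPLE = """\
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------
"""

# The colon must follow the key directly, so "Serial number (hex):" is skipped.
FIELD = re.compile(r"^\s*(Serial number|Status|Subject):\s*(.+?)\s*$")
def parse_cert_find(text):
    """Return one {'serial', 'status', 'subject'} dict per certificate entry."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner, separator or blank line
        key, value = m.group(1), m.group(2)
        if key == "Serial number":  # decimal serial opens a new entry
            if cur:
                certs.append(cur)
            cur = {"serial": int(value)}
        elif cur:
            cur[key.lower()] = value
    if cur:
        certs.append(cur)
    return certs

def duplicate_valid_subjects(certs):
    """Map lower-cased subject DN -> sorted serials, where 2+ certs are VALID."""
    by_subject = defaultdict(list)
    for c in certs:
        if c.get("status") == "VALID":
            by_subject[c["subject"].lower()].append(c["serial"])
    return {s: sorted(v) for s, v in by_subject.items() if len(v) > 1}
```

The result does not say which serial is the current one; confirm that against the certificate the host is actually using (for example with `getcert list`) before revoking any of the others.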
