I also looked at RUVs and here is what I found. I do not know if anything
here is helpful.
ldapsearch -ZZ -h ipa11.mgmt.crosschx.com -D "cn=Directory Manager" -W -b
"o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 1095 ldap://ipa11.mgmt.crosschx.com:389}
5865323f000004470
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389}
58651fdb00000056000
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389}
5834459c00000060000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389}
583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389}
583445c300000061000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389}
5865295600000051000
IPA12 - this is the problem node.
ldapsearch -ZZ -h ipa12.mgmt.crosschx.com -D "cn=Directory Manager" -W -b
"o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 81
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389}
5865295600000051000
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389}
5834459c00000060000
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389}
58651fdb00000056000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389}
583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389}
583445c300000061000
ldapsearch -ZZ -h ipa13.mgmt.crosschx.com -D "cn=Directory Manager" -W -b
"o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
| grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 86
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389}
58651fdb00000056000
nsds50ruv: {replica 1095 ldap://ipa11.mgmt.crosschx.com:389}
5865323f000004470
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389}
5834459c00000060000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389}
583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389}
583445c300000061000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389}
5865295600000051000
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com
On Wed, May 3, 2017 at 10:52 PM, Michael Plemmons <
michael.plemm...@crosschx.com> wrote:
> I ran another test. I started IPA with the ignore service failure option
> and I tired doing ldap searches like this.
>
> ldapsearch -H ldaps://ipa12.mgmt.crosschx.com
>
> from both my laptop and from ipa11.mgmt and I get successful returns when
> logging in as the admin user and as the directory manager.
>
> I then looked closer at the LDAP access logs for the last time I tried to
> start up PKI and got the auth failure and i see this.
>
>
> [04/May/2017:02:22:45.859021005 +0000] conn=12 fd=101 slot=101 SSL
> connection from 10.71.100.92 to 10.71.100.92
> [04/May/2017:02:22:45.875672450 +0000] conn=12 TLS1.2 256-bit AES
> [04/May/2017:02:22:45.940908536 +0000] conn=12 op=0 BIND dn=""
> method=sasl version=3 mech=EXTERNAL
> [04/May/2017:02:22:45.942441120 +0000] conn=12 op=0 RESULT err=48 tag=97
> nentries=0 etime=0
>
> Is dn="" supposed to be empty?
>
>
>
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemm...@crosschx.com
> www.crosschx.com
>
> On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons <
> michael.plemm...@crosschx.com> wrote:
>
>> I realized that I was not very clear in my statement about testing with
>> ldapsearch. I had initially run it without logging in with a DN. I was
>> just running the local ldapsearch -x command. I then tested on ipa12.mgmt
>> and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory
>> Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch
>> command succeeded.
>>
>> I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. I
>> also ran the command showing a line count for the output and the line
>> counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>>
>> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b
>> "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>>
>> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w
>> PASSWORD dn
>>
>>
>>
>>
>>
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614.427.2411
>> mike.plemm...@crosschx.com
>> www.crosschx.com
>>
>> On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <
>> michael.plemm...@crosschx.com> wrote:
>>
>>> I have a three node IPA cluster.
>>>
>>> ipa11.mgmt - was a master over 6 months ago
>>> ipa13.mgmt - current master
>>> ipa12.mgmt
>>>
>>> ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have
>>> agreements between each other.
>>>
>>> It appears that either ipa12.mgmt lost some level of its replication
>>> agreement with ipa13. I saw some level because users / hosts were
>>> replicated between all systems but we started seeing DNS was not resolving
>>> properly from ipa12. I do not know when this started.
>>>
>>> When looking at replication agreements on ipa12 I did not see any
>>> agreement with ipa13.
>>>
>>> When I run ipa-replica-manage list all three hosts show has master.
>>>
>>> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>>>
>>> When I run ipa-replica-manage ipa12.mgmt nothing returned.
>>>
>>> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>>> ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>>
>>> I then ran the following
>>>
>>> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>>
>>> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>>
>>> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I
>>> was able to create user and DNS records and see the information replicated
>>> properly across all three nodes.
>>>
>>> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
>>> because I wanted to make sure everything was running fresh after the
>>> changes above. While IPA was staring up (DNS started) we were able to see
>>> valid DNS queries returned but pki-tomcat would not start.
>>>
>>> I am not sure what I need to do in order to get this working. I have
>>> included the output of certutil and getcert below from all three servers as
>>> well as the debug output for pki.
>>>
>>>
>>> While the IPA system is coming up I am able to successfully run
>>> ldapsearch -x as the root user and see results. I am also able to login
>>> with the "cn=Directory Manager" account and see results.
>>>
>>>
>>> The debug log shows the following error.
>>>
>>>
>>> [03/May/2017:21:22:01][localhost-startStop-1]:
>>> ============================================
>>> [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM
>>> INITIALIZED =======
>>> [03/May/2017:21:22:01][localhost-startStop-1]:
>>> ============================================
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
>>> autoShutdown? false
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown
>>> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look
>>> for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
>>> cert:auditSigningCert cert-pki-ca
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
>>> id=debug
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized
>>> debug
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem
>>> id=log
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init
>>> id=log
>>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
>>> autoShutdown? false
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown
>>> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look
>>> for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
>>> cert:auditSigningCert cert-pki-ca
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
>>> id=log
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized
>>> log
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem
>>> id=jss
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init
>>> id=jss
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
>>> autoShutdown? false
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown
>>> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look
>>> for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
>>> cert:auditSigningCert cert-pki-ca
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
>>> id=jss
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized
>>> jss
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem
>>> id=dbs
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init
>>> id=dbs
>>> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init()
>>> mEnableSerialMgmt=true
>>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> LdapBoundConnFactor(DBSubsystem)
>>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:
>>> init
>>> [03/May/2017:21:22:01][localhost-startStop-1]:
>>> LdapBoundConnFactory:doCloning true
>>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>>> [03/May/2017:21:22:01][localhost-startStop-1]: init: before
>>> makeConnection errorIfDown is true
>>> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection:
>>> errorIfDown true
>>> [03/May/2017:21:22:02][localhost-startStop-1]:
>>> SSLClientCertificateSelectionCB: Setting desired cert nickname to:
>>> subsystemCert cert-pki-ca
>>> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set
>>> client auth cert nickname subsystemCert cert-pki-ca
>>> [03/May/2017:21:22:02][localhost-startStop-1]:
>>> SSLClientCertificatSelectionCB: Entering!
>>> [03/May/2017:21:22:02][localhost-startStop-1]:
>>> SSLClientCertificateSelectionCB: returning: null
>>> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>>> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636
>>> Error netscape.ldap.LDAPException: Authentication failed (48)
>>> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConne
>>> ction(LdapBoundConnFactory.java:205)
>>> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap
>>> BoundConnFactory.java:166)
>>> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap
>>> BoundConnFactory.java:130)
>>> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.
>>> java:1169)
>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine
>>> .java:1075)
>>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>> at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS
>>> ervlet.java:114)
>>> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:62)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil
>>> .java:288)
>>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil
>>> .java:285)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUt
>>> il.java:320)
>>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu
>>> rityUtil.java:175)
>>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu
>>> rityUtil.java:124)
>>> at org.apache.catalina.core.StandardWrapper.initServlet(Standar
>>> dWrapper.java:1270)
>>> at org.apache.catalina.core.StandardWrapper.loadServlet(Standar
>>> dWrapper.java:1195)
>>> at org.apache.catalina.core.StandardWrapper.load(StandardWrappe
>>> r.java:1085)
>>> at org.apache.catalina.core.StandardContext.loadOnStartup(Stand
>>> ardContext.java:5318)
>>> at org.apache.catalina.core.StandardContext.startInternal(Stand
>>> ardContext.java:5610)
>>> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j
>>> ava:147)
>>> at org.apache.catalina.core.ContainerBase.addChildInternal(Cont
>>> ainerBase.java:899)
>>> at org.apache.catalina.core.ContainerBase.access$000(ContainerB
>>> ase.java:133)
>>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru
>>> n(ContainerBase.java:156)
>>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru
>>> n(ContainerBase.java:145)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBas
>>> e.java:873)
>>> at org.apache.catalina.core.StandardHost.addChild(StandardHost.
>>> java:652)
>>> at org.apache.catalina.startup.HostConfig.deployDescriptor(Host
>>> Config.java:679)
>>> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(
>>> HostConfig.java:1966)
>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor
>>> s.java:511)
>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Internal Database Error encountered: Could not connect to LDAP server
>>> host ipa12.mgmt.crosschx.com port 636 Error
>>> netscape.ldap.LDAPException: Authentication failed (48)
>>> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.
>>> java:1169)
>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine
>>> .java:1075)
>>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>> at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS
>>> ervlet.java:114)
>>> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:62)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil
>>> .java:288)
>>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil
>>> .java:285)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUt
>>> il.java:320)
>>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu
>>> rityUtil.java:175)
>>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu
>>> rityUtil.java:124)
>>> at org.apache.catalina.core.StandardWrapper.initServlet(Standar
>>> dWrapper.java:1270)
>>> at org.apache.catalina.core.StandardWrapper.loadServlet(Standar
>>> dWrapper.java:1195)
>>> at org.apache.catalina.core.StandardWrapper.load(StandardWrappe
>>> r.java:1085)
>>> at org.apache.catalina.core.StandardContext.loadOnStartup(Stand
>>> ardContext.java:5318)
>>> at org.apache.catalina.core.StandardContext.startInternal(Stand
>>> ardContext.java:5610)
>>> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j
>>> ava:147)
>>> at org.apache.catalina.core.ContainerBase.addChildInternal(Cont
>>> ainerBase.java:899)
>>> at org.apache.catalina.core.ContainerBase.access$000(ContainerB
>>> ase.java:133)
>>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru
>>> n(ContainerBase.java:156)
>>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru
>>> n(ContainerBase.java:145)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBas
>>> e.java:873)
>>> at org.apache.catalina.core.StandardHost.addChild(StandardHost.
>>> java:652)
>>> at org.apache.catalina.startup.HostConfig.deployDescriptor(Host
>>> Config.java:679)
>>> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(
>>> HostConfig.java:1966)
>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor
>>> s.java:511)
>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>>>
>>>
>>> =============================
>>>
>>>
>>> IPA11.MGMT
>>>
>>>
>>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>> SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert
>>> u,u,uMGMT.CROSSCHX.COM IPA CA CT,C,C
>>>
>>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>> SSL,S/MIME,JAR/XPI
>>>
>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>> auditSigningCert cert-pki-ca u,u,Pu
>>> ocspSigningCert cert-pki-ca u,u,u
>>> subsystemCert cert-pki-ca u,u,u
>>> Server-Cert cert-pki-ca u,u,u
>>>
>>>
>>>
>>>
>>>
>>> IPA13.MGMT
>>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>> SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert
>>> u,u,uMGMT.CROSSCHX.COM IPA CA CT,C,C
>>>
>>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>> SSL,S/MIME,JAR/XPI
>>>
>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>> auditSigningCert cert-pki-ca u,u,Pu
>>> ocspSigningCert cert-pki-ca u,u,u
>>> subsystemCert cert-pki-ca u,u,u
>>> Server-Cert cert-pki-ca u,u,u
>>>
>>>
>>>
>>>
>>> IPA12.MGMT
>>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>> SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert
>>> u,u,uMGMT.CROSSCHX.COM IPA CA C,,
>>>
>>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>> SSL,S/MIME,JAR/XPI
>>>
>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>> auditSigningCert cert-pki-ca u,u,Pu
>>> ocspSigningCert cert-pki-ca u,u,u
>>> subsystemCert cert-pki-ca u,u,u
>>> Server-Cert cert-pki-ca u,u,u
>>>
>>> =================================================
>>>
>>> IPA11.MGMT
>>> (root)>getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20161229155314':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-30 15:52:43 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
>>> MGMT-CROSSCHX-COM
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229155652':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:29 UTC
>>> key usage: digitalSignature,nonRepudiation
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229155654':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:26 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229155655':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:28 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229155657':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> expires: 2036-11-22 13:00:25 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229155659':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-19 15:56:20 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
>>> cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229155921':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-30 15:52:46 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229160009':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:01:34 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>>
>>>
>>> ==================================
>>>
>>> IPA13.MGMT
>>>
>>> (root)>getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20161229143449':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-30 14:34:20 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
>>> MGMT-CROSSCHX-COM
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229143826':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:29 UTC
>>> key usage: digitalSignature,nonRepudiation
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229143828':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:26 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229143831':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:28 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229143833':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> expires: 2036-11-22 13:00:25 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229143835':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-19 14:37:54 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
>>> cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229144057':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-30 14:34:23 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229144146':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:01:34 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>>
>>> ===========================
>>>
>>> IPA12.MGMT
>>>
>>> (root)>getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20161229151518':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-30 15:14:51 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
>>> MGMT-CROSSCHX-COM
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229151850':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:29 UTC
>>> key usage: digitalSignature,nonRepudiation
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229151852':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:26 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229151854':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:00:28 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229151856':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> expires: 2036-11-22 13:00:25 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229151858':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-19 15:18:16 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
>>> cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229152115':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> expires: 2018-12-30 15:14:54 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229152204':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:01:34 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>>
>>>
>>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>> 614.427.2411
>>> mike.plemm...@crosschx.com
>>> www.crosschx.com
>>>
>>
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
