OCSP Certificate is Expired and pki-tomcatd Will Not Start
Issue
The IPA ocspSigningCert cert-pki-ca subsystem certificate has expired, and running getcert resubmit for that certificate does not extend its expiration date. This occurs even though certmonger still appears to be tracking the request, because the IPA CA is down and cannot process the renewal.
For example, you may see something like this when performing getcert list:
[root@ipamaster ~]# getcert list
...
Request ID '20160527152807':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CA.EXAMPLE.COM
subject: CN=OCSP Subsystem,O=CA.EXAMPLE.COM
--> expires: 2016-07-10 17:19:56 UTC <-- This date is in the past
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
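As an added example (not part of the Red Hat article), the following Python script parses getcert list output and reports the two conditions visible in the listing above: a certificate whose expires date is already in the past, and a request whose status is CA_UNREACHABLE. The sample output it runs on is constructed to mirror the listing, with a second, healthy request added for contrast.

```python
"""Flag expired certificates and unreachable-CA requests in `getcert list` output."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the article's listing (not captured from a real host).
SAMPLE_OUTPUT = """\
Request ID '20160527152807':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=CA.EXAMPLE.COM
\texpires: 2016-07-10 17:19:56 UTC
\ttrack: yes
Request ID '20160527152808':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=CA.EXAMPLE.COM
\texpires: 2099-01-01 00:00:00 UTC
\ttrack: yes
"""

def parse_getcert(text):
    """Return one dict of field -> value per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        if requests and ":" in line.strip():
            # Split on the first colon only; values such as the NSSDB
            # 'certificate:' line contain further colons and quotes.
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def find_problems(text, now=None):
    """Return (request id, reason) tuples for expired certs or an unreachable CA."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in parse_getcert(text):
        exp = req.get("expires")
        if exp:
            # getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'.
            when = datetime.strptime(exp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            if when.replace(tzinfo=timezone.utc) < now:
                problems.append((req["id"], "expired " + exp))
        if req.get("status") == "CA_UNREACHABLE":
            problems.append((req["id"], "CA_UNREACHABLE: " + req.get("ca-error", "")))
    return problems

if __name__ == "__main__":
    for req_id, reason in find_problems(SAMPLE_OUTPUT):
        print(f"Request ID {req_id}: {reason}")
```

On a live host, feed it the real output with `getcert list | python3 this_script.py` after replacing SAMPLE_OUTPUT with sys.stdin.read().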
Environment
- Red Hat Enterprise Linux 7
- Identity Management
- Certmonger