OCSP Certificate is Expired and pki-tomcatd Will Not Start

Solution In Progress - Updated -

Issue

The IPA ocspSigningCert cert-pki-ca subsystem certificate has expired, and running getcert resubmit for that certificate does not extend its expiration date. Certmonger still appears to track the request, but the renewal cannot complete because the IPA CA is down.

For example, getcert list may show output like the following:

[root@ipamaster ~]# getcert list
...
Request ID '20160527152807':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=CA.EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=CA.EXAMPLE.COM
--> expires: 2016-07-10 17:19:56 UTC    <--  This date is in the past
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
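As an added example that is not part of the Red Hat article, the following Python check parses getcert list output in the format shown above and reports every tracked certificate that has expired or is about to, together with its certmonger status, so an expiring OCSP signing certificate is noticed while the CA can still renew it. The sample listing is constructed from the output above (the second request is invented for contrast).

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the getcert list output shown above:
# one expired OCSP signing cert and one still-valid audit signing cert.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20160527152807':
    status: CA_UNREACHABLE
    ca-error: Internal error
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=OCSP Subsystem,O=CA.EXAMPLE.COM
    expires: 2016-07-10 17:19:56 UTC
Request ID '20160527152808':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Audit,O=CA.EXAMPLE.COM
    expires: 2018-05-27 15:28:07 UTC
"""

def parse_getcert_list(text):
    """Turn `getcert list` output into one dict of 'key: value' fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at the first colon only
            current[key] = value.strip()
    return requests

def check_expiry(text, now, warn_days=30):
    """Return (nickname, status, days_left) for every tracked cert that is
    expired or expires within warn_days; a negative days_left means expired."""
    findings = []
    for req in parse_getcert_list(text):
        if "expires" not in req:
            continue
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
        days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        if days_left < warn_days:
            nick = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
            findings.append((nick.group(1) if nick else req["id"], req.get("status"), days_left))
    return findings

if __name__ == "__main__":
    for nick, status, days in check_expiry(SAMPLE_GETCERT_OUTPUT, datetime.now(timezone.utc)):
        print(f"{nick}: status={status} days_left={days}")
```

On a real IdM server feed it the output of getcert list instead of the constructed sample; a finding that combines a negative days_left with status CA_UNREACHABLE is exactly the condition this article describes.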

Environment

  • Red Hat Enterprise Linux 7
  • Identity Management
  • Certmonger
