OCSP Certificate is Expired and pki-tomcatd Will Not Start

Solution In Progress - Updated -

Issue

The IPA "ocspSigningCert cert-pki-ca" subsystem certificate has expired, and running getcert resubmit against its tracking request does not renew it. certmonger is still tracking the request, but the renewal cannot complete because the IPA CA (the pki-tomcatd service) is down: pki-tomcatd validates its own subsystem certificates at startup and refuses to come up while one of them is expired, so there is no CA to issue the new certificate. certmonger reports this as CA_UNREACHABLE.

For example, you may see something like this when running getcert list:

[root@ipamaster ~]# getcert list
...
Request ID '20160527152807':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=CA.EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=CA.EXAMPLE.COM
--> expires: 2016-07-10 17:19:56 UTC    <--  This date is in the past
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
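
As an added example (not part of the Red Hat article), the following POSIX shell function parses getcert list output and reports every tracked request whose certificate has already expired, together with its certmonger status. That is the quick check to run on an IPA master before touching anything: an expired "cert-pki-ca" subsystem certificate sitting at CA_UNREACHABLE is the signature of this issue, and any other request on the same list will be stuck for the same reason. The function is fed a constructed sample modelled on the output above (the second, still-valid request and its expiry date are made up for the example); on a real master pipe the live command into it.

```shell
#!/bin/sh
# Added example, not from the article: flag expired certmonger requests.
#
# Usage on a live master (UTC date, so it matches certmonger's "expires:" field):
#   getcert list | find_expired_certs "$(date -u +%Y-%m-%d)"
#
# Prints one line per expired request:  <request id> <status> <expiry> <nickname>

find_expired_certs() {
    today="$1"   # YYYY-MM-DD; ISO dates compare correctly as plain strings
    awk -v today="$today" -v q="'" '
        function flush() {
            if (id != "" && expiry != "" && expiry < today)
                print id, status, expiry, nick
        }
        /^Request ID/ {                      # start of a new tracking request
            flush()
            id = $3; gsub(q, "", id); gsub(/:/, "", id)
            status = ""; expiry = ""; nick = ""
        }
        /^[ \t]*status:/  { status = $2 }    # e.g. MONITORING, CA_UNREACHABLE
        /expires:/ {                         # tolerate the "-->" annotation style
            s = $0; sub(/.*expires: */, "", s); split(s, a, " "); expiry = a[1]
        }
        /^[ \t]*certificate:/ {              # pull the NSS nickname out of the cert spec
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { flush() }
    '
}

# Constructed sample: the expired OCSP signing request from the article, plus a
# hypothetical healthy request so the filter has something to leave alone.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160527152807':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=CA.EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=CA.EXAMPLE.COM
    expires: 2016-07-10 17:19:56 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    track: yes
    auto-renew: yes
Request ID '20160527152810':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=CA.EXAMPLE.COM
    subject: CN=CA Audit,O=CA.EXAMPLE.COM
    expires: 2099-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
EOF
)

# Stand-alone run against the sample, evaluated as of 2016-08-01.
printf '%s\n' "$SAMPLE_GETCERT_LIST" | find_expired_certs 2016-08-01
```

The report is read-only: it tells you which request expired and that certmonger cannot reach the CA, which is the state described in this article, but it does not attempt any renewal itself.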

Environment

  • Red Hat Enterprise Linux 7
  • Identity Management
  • Certmonger
