Thanks Dinesh,
I misread that the argument for ca-cert-request-review is the serial number, but as you said it
has to be the request ID. Indeed, I made progress, and can retrieve the renewed cert:
[root@ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output ipacert.crt
------------------------
Certificate "0x8fff0090"
------------------------
Serial Number: 0x8fff0090
Issuer: CN=Certificate Authority,O=DOMAIN.COM
Subject: CN=IPA RA,O=DOMIAN.COM
Status: VALID
Not Before: Fri Aug 10 01:08:19 PDT 2018
Not After: Thu Jul 30 01:08:19 PDT 2020
I also stopped the PKI server, removed the old cert from the NSS database, and installed the new one. This
is all for ipaCert. But before I start renewing the other ones (audit, ocsp, subsystem), I
have to ask the following:
[1] How do I properly convert the cert (.crt file) into one line?
I believe I need this in order to update the lines below in the CS.cfg file.
ca.audit_signing.cert=...
ca.ocsp_signing.cert=...
ca.subsystem.cert=...
Thanks a lot for your support. Zarko
________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw(a)redhat.com>
Sent: Tuesday, November 27, 2018 9:56 AM
To: Z D; John Magne; pki-users(a)redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
ZD,
From [6], your request ID is 89990160. But you are passing the request ID
as 7.
Regards,
Dinesh
On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:
[6] Submit cert request, it's pending
# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 89990160
Type: renewal
Request Status: pending
Operation Result: success
[7] This fails with message "BadRequestException: Request Not In Pending
State", as per [6] it should be in pending state
# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve
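
On question [1] in the top message (turning the .crt file into one line for the CS.cfg entries), an added example that is not part of the thread or of the PKI tooling. It assumes the .crt file is PEM and that the CS.cfg value is the base64 body without the BEGIN/END lines; the function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# pem_to_one_line FILE (hypothetical helper): print the base64 body of the
# single PEM certificate in FILE as one line, without BEGIN/END markers.
pem_to_one_line() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Refuse files holding zero or several certificates, so that a chain
    # is never pasted into a single CS.cfg value by mistake.
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one certificate in $pem, found $count" >&2
        return 1
    fi
    # Keep only what lies between the markers, then drop the markers
    # themselves and every space, tab, CR and LF.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$pem" \
        | grep -v '^-----' | tr -d ' \t\r\n')
    # Sanity check: the joined body must still decode as base64.
    if ! printf '%s' "$body" | base64 -d >/dev/null 2>&1; then
        echo "body of $pem is not valid base64" >&2
        return 1
    fi
    printf '%s\n' "$body"
}

# Constructed sample: arbitrary bytes wrapped like a PEM file, NOT a real
# certificate. With a real file, pass e.g. the output of "pki ca-cert-show".
SAMPLE_TEXT='constructed sample bytes, not a real certificate, long enough to wrap'
sample=$(mktemp)
{
    echo '-----BEGIN CERTIFICATE-----'
    printf '%s' "$SAMPLE_TEXT" | base64 | fold -w 16
    echo '-----END CERTIFICATE-----'
} > "$sample"

# The result is what goes after the "=" of a CS.cfg entry such as this one.
echo "ca.subsystem.cert=$(pem_to_one_line "$sample")"
```

Keep a backup of CS.cfg before editing it, and compare the one-line value against the certificate actually installed in the NSS database.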