ZD,

Open the .crt file and delete the newlines, header and footer. Now, update the CS.cfg with this value.

Reference: https://www.dogtagpki.org/wiki/System_Certificate_Renewal#PKI_10.3_or_earlier_2

Regards,
Dinesh
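
The manual step described above (strip the PEM header, footer and newlines, then put the result in CS.cfg), as an added shell example that is not part of the original thread or of the Dogtag tooling. The function names `pem_to_oneline` and `set_cfg_cert` and the sample files are assumptions made for illustration; it also goes one step further than the reply by writing the value under an existing CS.cfg key and keeping a backup.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): flatten a PEM cert and set a CS.cfg key.

# Print the base64 body of PEM file $1 as one line: header, footer,
# whitespace and CR/LF removed. Fails if what remains is not base64.
pem_to_oneline() {
    local body
    body=$(sed -e '/^-----BEGIN CERTIFICATE-----/d' \
               -e '/^-----END CERTIFICATE-----/d' "$1" | tr -d ' \t\r\n')
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || { echo "no base64 certificate body in $1" >&2; return 1; }
    printf '%s\n' "$body"
}

# Replace the value of key $2 in config file $1 with the flattened cert from
# $3. The key must already exist; the previous file is kept as $1.bak.
set_cfg_cert() {
    local cfg="$1" key="$2" pem="$3" value tmp
    value=$(pem_to_oneline "$pem") || return 1
    tmp=$(mktemp)
    # awk compares the key literally, so dots in the key and "/", "+", "="
    # in the base64 value need no escaping.
    if ! awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=" v; found = 1; next }
            { print }
            END { exit !found }' "$cfg" > "$tmp"; then
        rm -f "$tmp"
        echo "key $key not found in $cfg" >&2
        return 1
    fi
    cp -p "$cfg" "$cfg.bak"
    cat "$tmp" > "$cfg"     # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Constructed sample data: the body below is not a real certificate.
demo() {
    local dir
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\r\nQ09OU1RS\r\nVUNURUQ=\r\n-----END CERTIFICATE-----\r\n' > "$dir/audit.crt"
    printf 'ca.audit_signing.cert=OLDVALUE\nca.ocsp_signing.cert=UNCHANGED\n' > "$dir/CS.cfg"
    set_cfg_cert "$dir/CS.cfg" ca.audit_signing.cert "$dir/audit.crt"
    cat "$dir/CS.cfg"
    rm -rf "$dir"
}
demo
```

The same call applies to the `ca.ocsp_signing.cert` and `ca.subsystem.cert` keys named in the question below, one certificate file per key.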

On Sun, 2018-12-02 at 02:09 +0000, Z D wrote:

Thanks Dinesh,

I misread that the argument for ca-cert-request-review is the serial number, but as you said it has to be the request ID. Indeed, I made progress, and can retrieve the renewed cert:


[root@ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output ipacert.crt
------------------------
Certificate "0x8fff0090"
------------------------
  Serial Number: 0x8fff0090
  Issuer: CN=Certificate Authority,O=DOMAIN.COM
  Subject: CN=IPA RA,O=DOMIAN.COM
  Status: VALID
  Not Before: Fri Aug 10 01:08:19 PDT 2018
  Not After: Thu Jul 30 01:08:19 PDT 2020

I also stopped the PKI server, removed the old cert from the NSS database, and installed the new one. This is all for ipaCert. But before I start renewing the other ones (audit, ocsp, subsystem), I have to ask the following:


[1] How do I properly convert the cert (.crt file) into one line?


I believe I need this in order to update the lines below in the CS.cfg file.

ca.audit_signing.cert=...
ca.ocsp_signing.cert=...
ca.subsystem.cert=...

Thanks a lot for your support. Zarko


From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com>
Sent: Tuesday, November 27, 2018 9:56 AM
To: Z D; John Magne; pki-users@redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
 
ZD,

From [6], your request ID is 89990160. But you are passing the request ID as 7.

Regards,
Dinesh

On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:
[6] Submit cert request, it's pending

# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 89990160
  Type: renewal
  Request Status: pending
  Operation Result: success


[7] This fails with the message "BadRequestException: Request Not In Pending State"; as per [6] it should be in pending state

# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve