Dear all,

I have been trying to recover my PKI system after a root certificate renewal with a NEW ROOT KEY PAIR, but I am still failing to start the CA instance.

I'm using DogTag 9.0 on Fedora 15 with a two-tier local PKI hierarchy: a root CA and one subordinate CA.

Steps followed:

1. Renew the caSigningCert via pkiconsole with a new key pair and the same DN as before.

2. Restart the CA instance.

After that the CA instance does not start and returns the following:

[root@root admin]# /sbin/service pki-cad restart pki-ca
Stopping pki-ca:                                           [FAILED]
Starting pki-ca:                                           [  OK  ]

[root@root admin]# /sbin/service pki-cad status
pki-ca dead but subsys locked                              [WARNING]

I do understand that the subsystem certs and the other system certificates need to be renewed after the root key renewal. I tried that by renewing all the system certs via pkiconsole after the root key renewal, without restarting the CA instance, but it was a blind guess, and I got the following hits in the debug log.

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=sslserver
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=subsystem
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification

[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=audit_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:auditSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

It would be great if someone could help me update the rest of the system certificates after the root key renewal and restore the CA's functionality.


Thanks
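The startup failure in the post is the CA's verifySystemCerts() check rejecting every system certificate. After a signing-cert renewal with a new key pair and an unchanged DN, the old certificates still name the CA's DN as their issuer but carry signatures made by the old key, so chain validation against the new caSigningCert fails and the DN alone cannot tell an old certificate from a renewed one. The script below is an added example, not code from the original post or from the Dogtag project; it runs the same kind of check from the shell with NSS certutil, in the same order as the debug log, so that the system certificates that still verify and the ones that do not are listed explicitly. The NSS database path /var/lib/pki-ca/alias, the tag-to-nickname table (taken from the log in the post) and the role-to-usage-letter mapping are assumptions for a default pki-ca instance; the output parsing assumes certutil's "certificate is valid." / "certificate is invalid: <reason>" messages.

```shell
#!/bin/sh
# Added example (not from the original post or the Dogtag project): verify each
# Dogtag CA system certificate against the instance NSS database by chain and
# signature validation with certutil -V, which is what the CA's startup check
# effectively does, so certificates still signed by the OLD root key stand out.
#
# Assumptions: NSS database at /var/lib/pki-ca/alias (override with NSSDB=...),
# nicknames as in the post's debug log, usage letters matching each cert's role.

NSSDB="${NSSDB:-/var/lib/pki-ca/alias}"

# Tag -> nickname, as printed by verifySystemCerts() in the debug log.
nickname_for_tag() {
    case "$1" in
        signing)       echo "caSigningCert cert-pki-ca" ;;
        ocsp_signing)  echo "ocspSigningCert cert-pki-ca" ;;
        sslserver)     echo "Server-Cert cert-pki-ca" ;;
        subsystem)     echo "subsystemCert cert-pki-ca" ;;
        audit_signing) echo "auditSigningCert cert-pki-ca" ;;
        *)             return 1 ;;
    esac
}

# Tag -> certutil -V usage letter (assumed mapping of role to NSS usage):
# L = SSL CA, O = OCSP responder, V = SSL server, C = SSL client, J = object signer.
usage_for_tag() {
    case "$1" in
        signing)       echo L ;;
        ocsp_signing)  echo O ;;
        sslserver)     echo V ;;
        subsystem)     echo C ;;
        audit_signing) echo J ;;
        *)             return 1 ;;
    esac
}

# Reduce certutil -V output to "valid" or "invalid: <reason>".
classify_verify_output() {
    case "$1" in
        *"certificate is valid"*)   echo valid ;;
        *"certificate is invalid"*) echo "invalid:${1##*certificate is invalid:}" ;;
        *)                          echo "invalid: $1" ;;
    esac
}

# Verify one system certificate; prints "<tag> TAB <nickname> TAB <result>".
check_tag() {
    tag=$1
    nick=$(nickname_for_tag "$tag") || return 1
    usage=$(usage_for_tag "$tag") || return 1
    # -V validates the chain and signature up to a trusted CA in the database,
    # so an old-key signature under an unchanged issuer DN is reported as invalid.
    out=$(certutil -V -n "$nick" -u "$usage" -d "$NSSDB" 2>&1)
    printf '%s\t%s\t%s\n' "$tag" "$nick" "$(classify_verify_output "$out")"
}

# Check every system certificate the CA validates at startup, in the same order.
check_all() {
    for tag in signing ocsp_signing sslserver subsystem audit_signing; do
        check_tag "$tag"
    done
}

# Only touch a real database when certutil and the instance directory exist;
# otherwise the functions above are just defined for sourcing or testing.
if command -v certutil >/dev/null 2>&1 && [ -d "$NSSDB" ]; then
    echo "Certificates and trust flags in $NSSDB:"
    certutil -L -d "$NSSDB"
    echo
    check_all
fi
```

Run it as root on the CA host with the instance stopped; any line ending in "invalid: ..." is a certificate that must be reissued under the new signing key (or the old CA certificate re-imported under a distinct nickname if the old-key chain is to remain trusted) before pki-ca will pass its startup verification.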