Reissuing a certificate with FreeIPA

When reinstalling FreeIPA, you often get browser errors complaining of reissued certificates. Here is how you can deal with them:

The Errors have the string “sec_error_reused_issuer_and_serial” in them and I’ve written about fixing them before.

It turns out there is a one line fix. On your IPA server, as root, execute:

ipa-getcert  resubmit -d /etc/httpd/alias -n 'Server-Cert' -t 'NSS Certificate DB'

I was able to figure out the values to substitute by using the man page for ipa-getcert and:

ipa-getcert list

Which produces output for all the certs tracked. You can find exactly the line like this:

ipa-getcert list | awk '/key pair storage/ && /httpd/ {print $0} '

Leave a Reply

Your email address will not be published. Required fields are marked *