Chapter 19. Renewing expired system certificates when IdM is offline


Expired system certificates prevent Identity Management (IdM) services from starting. You can use the ipa-cert-fix tool to renew these certificates while the system is otherwise offline; the only service that must be running before you start the repair is the LDAP service.

19.1. Prerequisites

  • Ensure that the LDAP service is running by entering the ipactl start --ignore-service-failures command on the host.

The ipa-cert-fix utility analyzes the system and renews the expired certificates that prevent it from starting. Create a full system backup before proceeding, because the tool makes irreversible changes to the LDAP database and to the NSS databases.

Important

If you run the ipa-cert-fix tool on a CA (Certificate Authority) host that is not the CA renewal server, and the utility renews shared certificates, that host automatically becomes the new CA renewal server in the domain. There must always be only one CA renewal server in the domain to avoid inconsistencies.

Prerequisites

  • You must be logged in to the server as the administrator.

Procedure

    1. Optional: Back up the system. This is strongly recommended, because ipa-cert-fix makes irreversible changes to the NSS databases. Because ipa-cert-fix also changes the LDAP database, it is recommended to back up the entire cluster as well.
    2. Start the ipa-cert-fix tool to analyze the system and list expired certificates that require renewal:

      # ipa-cert-fix
      ...
      The following certificates will be renewed:
      
      Dogtag sslserver certificate:
        Subject: CN=ca1.example.com,O=EXAMPLE.COM 201905222205
        Serial:  13
        Expires: 2019-05-12 05:55:47
      ...
      Enter "yes" to proceed:
    3. Enter yes to start the renewal process:

      Enter "yes" to proceed: yes
      Proceeding.
      Renewed Dogtag sslserver certificate:
        Subject: CN=ca1.example.com,O=EXAMPLE.COM 201905222205
        Serial:  268369925
        Expires: 2021-08-14 02:19:33
      ...
      
      Becoming renewal master.
      The ipa-cert-fix command was successful

      It can take up to one minute before ipa-cert-fix renews all expired certificates.

Verification

  • Verify that all services are now running:

    # ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful

At this point, certificates have been renewed and services are running. The next step is to check other servers in the IdM domain.
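As an added example that is not part of the Red Hat documentation or of the ipa-cert-fix tool, the following POSIX shell functions turn the ipactl status output shown above into a pass/fail check that can be scripted or fed to monitoring after a renewal. The embedded sample output is constructed; the STOPPED status string used for the failing service is an assumption about ipactl's wording, and the function only relies on the status not being RUNNING.

```shell
#!/bin/sh
# Added example: health check over `ipactl status` output.
# Not from the Red Hat documentation or the ipa-cert-fix tool.

# Print the name of every IdM service whose status is not RUNNING.
# Reads `ipactl status` output on stdin; prints nothing when all services run.
ipactl_failed_services() {
    awk '
        # Service lines look like "<name> Service: <STATUS>"; the trailing
        # "ipa: INFO: ..." summary line does not match.
        /Service: / && $NF != "RUNNING" { print $1 }
    '
}

# Return 0 if every service is RUNNING, 1 otherwise; failing services go to stderr.
ipactl_all_running() {
    failed=$(ipactl_failed_services)
    if [ -n "$failed" ]; then
        printf 'Services not running:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a healthy server after ipa-cert-fix.
SAMPLE_STATUS_HEALTHY='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample: a CA replica where pki-tomcatd still fails to start
# (the situation the text describes for a CA with an expired certificate).
# "STOPPED" is an assumed status string.
SAMPLE_STATUS_DEGRADED='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# On a real host:  ipactl status | ipactl_all_running
# Demo run against the constructed samples:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATUS_HEALTHY" | ipactl_all_running && echo "healthy: all services running"
    printf '%s\n' "$SAMPLE_STATUS_DEGRADED" | ipactl_all_running || echo "degraded: run ipa-cert-fix on this host"
fi
```

Pipe the live command into the check (`ipactl status | ipactl_all_running`) rather than grepping for the final INFO line: ipactl reports success even when individual services were skipped, so the per-service lines are the signal that matters.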

Next steps

If you need to repair certificates across multiple CA servers:

  1. After ensuring that LDAP replication is working across the topology, run ipa-cert-fix on one CA server first, following the procedure above.
  2. Before you run ipa-cert-fix on another CA server, trigger certmonger renewals of the shared certificates on that other CA server with getcert resubmit, to avoid renewing the shared certificates unnecessarily.

After restoring the renewal server, force a restart of all other domain replicas. Verify that certmonger successfully retrieved the new certificates. If specific replicas remain unreachable, execute ipa-cert-fix locally on those hosts.

Prerequisites

  • You must be logged in to the server as the administrator.

Procedure

  1. Restart IdM with the --force parameter:

    # ipactl restart --force

    With the --force parameter, the ipactl utility ignores individual service startup failures. For example, if the server is also a CA with expired certificates, the pki-tomcat service fails to start. This is expected and is ignored because of the --force parameter.

  2. After the restart, verify that the certmonger service renewed the certificates (the certificate status is MONITORING):

    # getcert list | egrep '^Request|status:|subject:'
    Request ID '20190522120745':
            status: MONITORING
            subject: CN=IPA RA,O=EXAMPLE.COM 201905222205
    Request ID '20190522120834':
            status: MONITORING
            subject: CN=Certificate Authority,O=EXAMPLE.COM 201905222205
    ...

    It can take some time before certmonger renews the shared certificates on the replica.

  3. If the server is also a CA, the previous command reports CA_UNREACHABLE for the certificate the pki-tomcat service uses:

    Request ID '20190522120835':
            status: CA_UNREACHABLE
            subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205
    ...
  4. To renew this certificate, use the ipa-cert-fix utility:

    # ipa-cert-fix
    Dogtag sslserver certificate:
      Subject: CN=ca2.example.com,O=EXAMPLE.COM
      Serial:  3
      Expires: 2019-05-11 12:07:11
    
    Enter "yes" to proceed: yes
    Proceeding.
    Renewed Dogtag sslserver certificate:
      Subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205
      Serial:  15
      Expires: 2019-08-14 04:25:05
    
    The ipa-cert-fix command was successful
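As an added example that is not part of the Red Hat documentation or of certmonger, the following POSIX shell functions cover steps 2 and 3 of the replica procedure: they parse full getcert list output (not only the egrep-filtered lines shown above), print one line per tracking request, and flag every request that certmonger did not bring back to MONITORING, such as the CA_UNREACHABLE entry for the pki-tomcat certificate. The embedded sample output is constructed from the request IDs and subjects shown on this page; the extra "stuck:" lines mirror real getcert output but are not needed by the parser.

```shell
#!/bin/sh
# Added example: summarise certmonger tracking state from `getcert list`.
# Not from the Red Hat documentation or certmonger itself.

# Reads `getcert list` output on stdin and prints one tab-separated line
# per request:  <request id> <status> <subject>
getcert_summary() {
    # q carries a single quote into awk so the quoted request ID can be cleaned.
    awk -v q="'" '
        /^Request ID/ {
            if (id != "") print id "\t" status "\t" subject   # flush previous record
            id = $3
            gsub(q, "", id)      # strip the quotes around the ID
            sub(/:$/, "", id)    # strip the trailing colon
            status = "?"; subject = "?"
        }
        /^[ \t]+status:/  { status = $2 }
        /^[ \t]+subject:/ { sub(/^[ \t]+subject: /, ""); subject = $0 }
        END { if (id != "") print id "\t" status "\t" subject }
    '
}

# Print only the requests whose status is not MONITORING (for example
# CA_UNREACHABLE); exit 1 when at least one such request exists, else 0.
getcert_not_monitoring() {
    getcert_summary | awk -F'\t' '
        $2 != "MONITORING" { print; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: a CA replica after `ipactl restart --force`, where the
# shared certificates were renewed but the Dogtag sslserver certificate was not.
SAMPLE_GETCERT="Request ID '20190522120745':
        status: MONITORING
        stuck: no
        subject: CN=IPA RA,O=EXAMPLE.COM 201905222205
Request ID '20190522120834':
        status: MONITORING
        stuck: no
        subject: CN=Certificate Authority,O=EXAMPLE.COM 201905222205
Request ID '20190522120835':
        status: CA_UNREACHABLE
        stuck: yes
        subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205"

# On a real host:  getcert list | getcert_not_monitoring || echo "run ipa-cert-fix here"
# Demo run against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETCERT" | getcert_summary
    printf '%s\n' "$SAMPLE_GETCERT" | getcert_not_monitoring \
        || echo "certificates still need ipa-cert-fix on this host"
fi
```

Because certmonger can take some time to pick up the shared certificates after the restart, run the check again after a short wait before concluding that a replica needs a local ipa-cert-fix; a transient non-MONITORING state right after the restart is not by itself a failure.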