Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 31. Verifying system certificates by using IdM Healthcheck

You can identify issues with system certificates on an Identity Management (IdM) server by using the Healthcheck tool.

31.1. System certificates Healthcheck tests
Copy link

The Healthcheck tool includes several tests for verifying system, or Dogtag, certificates.

You can find all certificate-related tests under the ipahealthcheck.dogtag.ca source in the output of the ipa-healthcheck --list-sources command.

DogtagCertsConfigCheck

This test compares the CA (Certificate Authority) certificates in its NSS database to the same values stored in CS.cfg. If they do not match, the CA fails to start.

Specifically, it checks:

  • auditSigningCert cert-pki-ca against ca.audit_signing.cert
  • ocspSigningCert cert-pki-ca against ca.ocsp_signing.cert
  • caSigningCert cert-pki-ca against ca.signing.cert
  • subsystemCert cert-pki-ca against ca.subsystem.cert
  • Server-Cert cert-pki-ca against ca.sslserver.cert

If Key Recovery Authority (KRA) is installed, it also checks:

  • transportCert cert-pki-kra against ca.connector.KRA.transportCert
DogtagCertsConnectivityCheck

This test verifies connectivity. This test is equivalent to the ipa cert-show 1 command which checks the following:

  • The PKI proxy configuration in Apache
  • IdM being able to find a CA
  • The RA agent client certificate
  • The correctness of CA replies to requests

The test verifies that the ipa cert-show command can be executed and that an expected response is returned from the IdM CA - either the certificate itself or a not found response.

You can run a standalone manual test to check system certificates on an Identity Management (IdM) server by using the Healthcheck tool.

Procedure

  • To run the system certificates test, enter: 

    # ipa-healthcheck --source=ipahealthcheck.dogtag.ca
    Copy to Clipboard Toggle word wrap

    The --source=ipahealthcheck.dogtag.ca option ensures that Healthcheck only performs the certificate tests.

    An example of a successful test: 

    {
  "source: ipahealthcheck.dogtag.ca",
  "check: DogtagCertsConfigCheck",
  "result: SUCCESS",
  "uuid: 9b366200-9ec8-4bd9-bb5e-9a280c803a9c",
  "when: 20191008135826Z",
  "duration: 0.252280",
  "kw:" {
    "key": "Server-Cert cert-pki-ca",
    "configfile":  "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
}
    Copy to Clipboard Toggle word wrap

    An example of a failed test: 

    {
  "source: ipahealthcheck.dogtag.ca",
  "check: DogtagCertsConfigCheck",
  "result: CRITICAL",
  "uuid: 59d66200-1447-4b3b-be01-89810c803a98",
  "when: 20191008135912Z",
  "duration: 0.002022",
  "kw:" {
    "exception": "NSDB /etc/pki/pki-tomcat/alias not initialized",
    }
}
    Copy to Clipboard Toggle word wrap
    Note

    Run the certificate tests on all IdM servers when trying to find an issue.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top