Red Hat SummitChapter 9. Verifying system certificates by using IdM Healthcheck
You can identify issues with system certificates on an Identity Management (IdM) server by using the Healthcheck tool.
9.1. System certificates Healthcheck tests
The Healthcheck tool includes several tests for verifying system, or Dogtag, certificates.
You can find all certificate-related tests under the ipahealthcheck.dogtag.ca source in the output of the ipa-healthcheck --list-sources command.
- DogtagCertsConfigCheck
This test compares the CA (Certificate Authority) certificates in its NSS database to the same values stored in
CS.cfg. If they do not match, the CA fails to start.Specifically, it checks:
-
auditSigningCert cert-pki-caagainstca.audit_signing.cert -
ocspSigningCert cert-pki-caagainstca.ocsp_signing.cert -
caSigningCert cert-pki-caagainstca.signing.cert -
subsystemCert cert-pki-caagainstca.subsystem.cert -
Server-Cert cert-pki-caagainstca.sslserver.cert
If Key Recovery Authority (KRA) is installed, it also checks:
-
transportCert cert-pki-kraagainstca.connector.KRA.transportCert
-
- DogtagCertsConnectivityCheck
This test verifies connectivity. This test is equivalent to the
ipa cert-show 1command which checks the following:- The PKI proxy configuration in Apache
- IdM being able to find a CA
- The RA agent client certificate
- The correctness of CA replies to requests
The test verifies that the
ipa cert-showcommand can be executed and that an expected response is returned from the IdM CA - either the certificate itself or anot foundresponse.
9.2. Screening system certificates by using Healthcheck
You can run a standalone manual test to check system certificates on an Identity Management (IdM) server by using the Healthcheck tool.
Procedure
To run the system certificates test, enter:
ipa-healthcheck --source=ipahealthcheck.dogtag.ca
# ipa-healthcheck --source=ipahealthcheck.dogtag.caCopy to Clipboard Copied! Toggle word wrap Toggle overflow The
--source=ipahealthcheck.dogtag.caoption ensures that Healthcheck only performs the certificate tests.An example of a successful test:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow An example of a failed test:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NoteRun the certificate tests on all IdM servers when trying to find an issue.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}