Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 30. Verifying certificates by using IdM Healthcheck

You can identify issues with certificates maintained by the certmonger utility on an Identity Management (IdM) server by using the Healthcheck tool.

30.1. IdM certificates Healthcheck tests
Copiar o link

The Healthcheck tool includes several tests for verifying the status of certificates maintained by certmonger in Identity Management (IdM).

For details about certmonger, see Obtaining an IdM certificate for a service using certmonger.

This suite of tests checks certificate expiration, validation, trust, and other configuration. Healthcheck can report multiple errors for the same underlying issue.

You can find these certificate tests under the ipahealthcheck.ipa.certs source in the output of the ipa-healthcheck --list-sources command.

IPACertmongerExpirationCheck

This test checks expirations in certmonger.

If an error is reported, the certificate has expired.

If a warning appears, the certificate expires soon. By default, a warning appears if the test is run 28 days or fewer before certificate expiration.

You can configure the number of days in the /etc/ipahealthcheck/ipahealthcheck.conf file. After opening the file, change the cert_expiration_days option located in the default section.

Note

Certmonger loads and maintains its own view of the certificate expiration. This check does not validate the on-disk certificate.

IPACertfileExpirationCheck

This test checks if the certificate file or NSS database have correct access rights configured. This test also checks expiration. Therefore, carefully read the msg attribute in the error or warning output. The message specifies the problem.

Note

This test checks the on-disk certificate. If a certificate is missing or unreadable, Healthcheck returns an error.

IPACertNSSTrust
This test analyzes the trust for certificates stored in the NSS databases. For the expected tracked certificates in the NSS databases, Healthcheck compares the trust to an expected value and raises an error on a non-match.
IPANSSChainValidation
This test validates the certificate chain of the NSS certificates. The test executes the certutil -V -u V -e -d [dbdir] -n command.
IPAOpenSSLChainValidation

This test validates the certificate chain of the OpenSSL certificates. Specifically, Healthcheck executes the following OpenSSL command: 

openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt [cert file]
Copy to Clipboard Toggle word wrap
IPARAAgent
This test compares the certificate on disk with the equivalent record in LDAP in uid=ipara,ou=People,o=ipaca.
IPACertRevocation
This test verifies that certificates that are maintained by certmonger have not been revoked.
IPACertmongerCA

This test verifies the certmonger Certificate Authority (CA) configuration. IdM cannot issue certificates without a CA.

Certmonger maintains a set of CA helpers. A CA named IPA issues certificates for hosts or services through IdM, authenticating as a host or user principal.

There are also dogtag-ipa-ca-renew-agent and dogtag-ipa-ca-renew-agent-reuse that renew the CA subsystem certificates.

30.2. Screening certificates by using the Healthcheck tool
Copiar o link

You can run a standalone manual test to check certificates on an Identity Management (IdM) server by using the Healthcheck tool.

Prerequisites

  • You have root privileges.

Procedure

  • To run the certificates test, enter: 

    # ipa-healthcheck --source=ipahealthcheck.ipa.certs
    Copy to Clipboard Toggle word wrap

    • The --source=ipahealthcheck.ipa.certs option ensures that IdM Healthcheck only performs the certmonger certificate tests.

      A successful test displays empty brackets: 

      []
      Copy to Clipboard Toggle word wrap

      Failed test shows you the following output: 

      {
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertfileExpirationCheck",
  "result": "ERROR",
  "kw": {
    "key": 1234,
    "dbdir": "/path/to/nssdb",
    "error": [error],
    "msg": "Unable to open NSS database '/path/to/nssdb': [error]"
  }
}
      Copy to Clipboard Toggle word wrap

      This IPACertfileExpirationCheck test failed on opening the NSS database.

    Note

    Run this suite of Healthcheck tests on all IdM servers when trying to check for issues.

Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo