Open felipevolpone opened 7 years ago
What was done:
The tool compares the Serial Number of the local certificate and the number stored at LDAP.
Since commit 2a1494c at freeipa, the RA cert is stored in the file /var/lib/ipa/ra-agent.pem instead of the NSS db /etc/httpd/alias. However, I think it is a good idea that we support both.
How to use:
python -m freeipa_health_checker ck_ra_cert [--config-file]
The tool gets the paths to check for the local file from the YAML file and then gets the serial number from LDAP. Finally, the tool compares both numbers and prints whether they are equal.
It should probably also check if the certificate in LDAP entry matches the one in NSS db, i.e. not just serial numbers.
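As an added illustration of the comparison the PR describes (serial number of the local cert against the number recorded in LDAP) and of the reviewer's point that the whole certificate should be compared, not only the serial: the following is example code written for this page, not the freeipa_health_checker implementation from the PR. It assumes the local cert is a PEM file such as /var/lib/ipa/ra-agent.pem (or is exported from an NSS db with `certutil -L -a`), and that the LDAP agent entry carries the DER cert in `userCertificate` plus a `description` of the form `2;<serial>;<issuer DN>;<subject DN>`, which is the Dogtag convention as I understand it and should be treated as an assumption. It uses only the standard library, so the DER handling is a small hand-written reader that parses just enough of the certificate to reach the serial number; the "certificate" used for the demo is a constructed stand-in with the outer shape of X.509, not a valid certificate.

```python
"""Compare a local RA agent certificate with the copy recorded in LDAP.

Example code for this page, not the freeipa_health_checker tool itself.
Assumptions (see the lead-in): PEM on disk or certutil export; LDAP entry with
`userCertificate` (DER) and `description` = "2;<serial>;<issuer>;<subject>".
"""
import base64
import subprocess


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed demo cert."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def cert_serial(der: bytes) -> int:
    """serialNumber from Certificate -> tbsCertificate -> [0] version? -> INTEGER."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                       # optional EXPLICIT [0] version, skip it
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)   # DER INTEGER is two's complement


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and base64-decode the body."""
    body = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def pem_from_nssdb(db_dir: str, nickname: str) -> str:
    """Export a cert from an NSS db (assumes certutil is on PATH; not used in the demo)."""
    out = subprocess.run(["certutil", "-L", "-d", db_dir, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True)
    return out.stdout


def check_ra_cert(local_pem: str, ldap_entry: dict) -> dict:
    """Compare the local cert with the LDAP record; every result is a named field."""
    local_der = pem_to_der(local_pem)
    ldap_der = ldap_entry["userCertificate"]
    ldap_serial = int(ldap_entry["description"].split(";")[1])   # assumed "2;serial;..."
    return {
        "local_serial": cert_serial(local_der),
        "ldap_serial": ldap_serial,
        "serial_match": cert_serial(local_der) == ldap_serial,
        "cert_match": local_der == ldap_der,          # whole cert, not only the serial
        "ldap_entry_consistent": cert_serial(ldap_der) == ldap_serial,
    }


def build_fake_cert_der(serial: int, note: bytes = b"constructed tbs filler") -> bytes:
    """Constructed stand-in with the outer shape of an X.509 cert (NOT a valid cert)."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit 0
    version = _encode_tlv(0xA0, _encode_tlv(0x02, b"\x02"))
    tbs = _encode_tlv(0x30, version + _encode_tlv(0x02, serial_bytes) + _encode_tlv(0x04, note))
    return _encode_tlv(0x30, tbs + _encode_tlv(0x04, b"no signature"))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed sample: disk and LDAP agree.
    der = build_fake_cert_der(268369927)
    entry = {"description": "2;268369927;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST",
             "userCertificate": der}
    print(check_ra_cert(der_to_pem(der), entry))
```

The third result field matters in practice: a serial match with `cert_match` false means the file on disk and the LDAP entry describe different certificates that happen to share a serial, which a serial-only check would report as healthy.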
As an administrator (of a FreeIPA environment), I want to check that PKI certificates in IPA NSS databases map correctly to the PKI user in the PKI LDAP DB. Check serial numbers and the actual certificates (mostly related to the RA cert).