Monday, August 24, 2020

[389-users] Re: Trying to renew a certificate - nss error 8168

I had a similar experience. Any modification to the database with certutil suddenly made the legacy database error pop up. I assumed it was some change in the underlying system or certutil utility. The cleanest way I was able to get it to resolve it was to create a new, empty database in another location and then use the --merge option to merge the original db into the empty one. Then I could delete the old cert and add the new one without issue.

-- 
Paul Engle
IAM Architect
Identity & Access Management
pengle@rice.edu 713-348-4702


On Mon, Aug 24, 2020 at 9:32 AM <rainer@ultra-secure.de> wrote:
Am 2020-08-24 16:13, schrieb Rob Crittenden:
> Mark Reynolds wrote:
>> I think the issue was that the new certificate "might" have had the
>> same
>> name as the old one?
>
> I suspect it's because a new private key was generated there are two
> certs with the same name but different keys.
>
> To re-use the existing private key the easiest way is to simply retain
> the original CSR and resubmit it when you need renewal. Or you can
> regenerate it and specify -k <key_id> when you do so to re-use the key
> rather than generating a new one.
>
> certutil -K -d /path/to/db to get list of keys.



Ah, OK - thank you.


I really just followed the documentation here - but I'll try that next
time.



Best Regards
Rainer
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

No comments:

Post a Comment