Certmonger tracking requests for IdM internal certificates in RHEL 6

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • IDM (IPA) with CA

Issue

Running the getcert list command shows that no certificates are being tracked:

[root@ipaserver ~]# getcert list
Number of certificates and requests being tracked: 0.

or, on a CA-enabled replica, fewer than the 8 expected certificates are tracked.

Resolution

The certmonger utility monitors the expiration date of a certificate and automatically renews it as the end of its validity period approaches. For IdM internal certificates these tracking requests are created automatically during installation, but in some rare cases it may be necessary to re-create some of them manually.

NOTE: The exact filenames and helper scripts to be used in the tracking requests are different between the various releases of Red Hat Enterprise Linux (RHEL). The examples below are all based on a RHEL 6.10 setup.

For certmonger requests in RHEL 7 please refer to this article.
For certmonger requests in RHEL 8 please refer to the official RHEL 8 documentation.
For certmonger requests in RHEL 9 please refer to the official RHEL 9 documentation.

IMPORTANT: More detailed instructions how to manually renew IdM internal certificates are available on the following page: How do I manually renew Identity Management (IPA) certificates on RHEL6 after they have expired? (Master IPA Server)

PKI certificates

First, obtain the internal PIN of the PKI NSS database (passed with -P in the getcert start-tracking commands below) and put it into an environment variable:

# export NSSDB_PIN=$(sed -n 's/^internal=//p' /var/lib/pki-ca/conf/password.conf)

Check that the variable is not empty before continuing: with an empty or wrong PIN the tracking requests are created but certmonger cannot open the NSS database and renewal fails. Note that -P passes the PIN on the command line, so it ends up in the root shell history.

Next create the missing tracking requests for the corresponding certificates:

Audit certificate

# getcert start-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" -c dogtag-ipa-renew-agent -P $NSSDB_PIN -B /usr/lib64/ipa/certmonger/stop_pkicad  -C '/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"' -w -v

OCSP certificate

# getcert start-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" -c dogtag-ipa-renew-agent -P $NSSDB_PIN -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"' -w -v

Subsystem certificate

# getcert start-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" -c dogtag-ipa-renew-agent -P $NSSDB_PIN -B /usr/lib64/ipa/certmonger/stop_pkicad  -C '/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"' -w -v

Tomcat servlet certificate

# getcert start-tracking -d /var/lib/pki-ca/alias -n "Server-Cert cert-pki-ca" -c dogtag-ipa-renew-agent -P $NSSDB_PIN -w -v

IPA certificates

Next create the missing tracking requests for the corresponding certificates:

Renewal agent certificate

# getcert start-tracking -d /etc/httpd/alias -n ipaCert -c dogtag-ipa-renew-agent -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd -w -v

NOTE: On IPA replicas the CA subsystem certificates and the renewal agent certificate are tracked with the dogtag-ipa-retrieve-agent-submit helper (-c dogtag-ipa-retrieve-agent-submit) instead of dogtag-ipa-renew-agent. It does not request a renewal itself; it retrieves the certificates renewed on the master from LDAP (via replication). Use it in place of dogtag-ipa-renew-agent when re-creating these requests on a replica.

Dirsrv server certificate (domain instance)

# getcert start-tracking -d /etc/dirsrv/slapd-EXAMPLE-COM -n "Server-Cert" -c IPA -p /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C '/usr/lib64/ipa/certmonger/restart_dirsrv "EXAMPLE-COM"' -w -v

Dirsrv server certificate (CA instance)

# getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n "Server-Cert" -c IPA -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C '/usr/lib64/ipa/certmonger/restart_dirsrv "PKI-IPA"' -w -v

HTTPD server certificate

# getcert start-tracking -d /etc/httpd/alias -n "Server-Cert" -c IPA -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd -w -v

After the tracking is restored

Restart certmonger:

# service certmonger restart

Restart the IPA services:

# ipactl stop ; ipactl start

Wait about a minute after the IPA services have started, then check the tracking status again. On a CA master all 8 requests should be listed, normally with status MONITORING:

# getcert list

Root Cause

If certmonger does not track some of the IdM system certificates, those certificates are never renewed and eventually expire, after which the IdM services that depend on them (the CA, the directory server and the web server) fail to start or to talk to each other. All internal certificates therefore need to be tracked correctly.

Diagnostic Steps

Run

# getcert list

to list all the certificates and requests tracked by certmonger. On a RHEL 6.10 CA master the output should contain 8 requests; compare the location and nickname of each request with the commands in the Resolution section to find the ones that are missing.
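The following script is added here as an example and is not part of the Red Hat solution. It does the comparison described above: it parses getcert list output, prints which of the 8 expected (NSS database, nickname) pairs from the Resolution section have no tracking request, and separately flags requests that are tracked but not in MONITORING state or marked stuck, since those count towards the total yet will not renew. It assumes a RHEL 6.10 CA master with the realm directory slapd-EXAMPLE-COM used in the commands above; the getcert output embedded in it is constructed sample data. On a real server, pipe getcert list into missing_tracking instead.

```shell
#!/bin/bash
# Added example (not part of the Red Hat solution): audit the output of
# 'getcert list' on a RHEL 6.10 IdM CA master against the 8 tracking requests
# the Resolution section expects. The realm directory 'slapd-EXAMPLE-COM' and
# the sample getcert output below are constructed stand-ins.

# The (NSS database, nickname) pairs certmonger must track on a CA master.
EXPECTED_TRACKING='/var/lib/pki-ca/alias|auditSigningCert cert-pki-ca
/var/lib/pki-ca/alias|ocspSigningCert cert-pki-ca
/var/lib/pki-ca/alias|subsystemCert cert-pki-ca
/var/lib/pki-ca/alias|Server-Cert cert-pki-ca
/etc/httpd/alias|ipaCert
/etc/httpd/alias|Server-Cert
/etc/dirsrv/slapd-EXAMPLE-COM|Server-Cert
/etc/dirsrv/slapd-PKI-IPA|Server-Cert'

# Reduce 'getcert list' output on stdin to one line per request:
#   location|nickname|status|stuck
parse_getcert_list() {
    awk -v q="'" '
        function flush() {
            if (loc != "") print loc "|" nick "|" status "|" stuck
            loc = ""; nick = ""; status = ""; stuck = ""
        }
        /^Request ID/            { flush() }
        /^[[:space:]]*status:/   { status = $2 }
        /^[[:space:]]*stuck:/    { stuck = $2 }
        /^[[:space:]]*certificate: type=NSSDB/ {
            # location and nickname are single-quoted fields on this line
            match($0, "location=" q "[^" q "]*" q)
            loc = substr($0, RSTART + 10, RLENGTH - 11)
            match($0, "nickname=" q "[^" q "]*" q)
            nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { flush() }
    '
}

# Print every expected location|nickname pair that has no tracking request.
# Each printed line maps to exactly one 'getcert start-tracking' command above.
missing_tracking() {
    local tracked line
    tracked=$(parse_getcert_list | cut -d'|' -f1,2)
    printf '%s\n' "$EXPECTED_TRACKING" | while IFS= read -r line; do
        printf '%s\n' "$tracked" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# Print tracked requests that are not in MONITORING state or are stuck:
# they are counted by 'getcert list' but will not renew without attention.
unhealthy_tracking() {
    parse_getcert_list |
        awk -F'|' '$3 != "MONITORING" || $4 == "yes" { print $1 "|" $2 "|" $3 "|stuck=" $4 }'
}

# Constructed sample: 5 of the 8 requests present, one of them stuck.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 5.
Request ID '20180601120001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
Request ID '20180601120002':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
Request ID '20180601120003':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
Request ID '20180601120004':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
Request ID '20180601120005':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
EOF
)

# On a real server:  getcert list | missing_tracking
echo "Missing tracking requests:"
printf '%s\n' "$SAMPLE_GETCERT_LIST" | missing_tracking
echo "Tracked but not healthy:"
printf '%s\n' "$SAMPLE_GETCERT_LIST" | unhealthy_tracking
```

For the sample above the script reports the Tomcat servlet certificate and both Dirsrv server certificates as missing, and the OCSP certificate as tracked but stuck in CA_UNREACHABLE; the missing ones are re-created with the corresponding start-tracking commands, the stuck one is examined with getcert list -i and the certmonger log before anything is re-created.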

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.