#9143 Dogtag internal certificates expired, what do?
Closed: fixed 2 years ago by syskill. Opened 2 years ago by syskill.

Last Friday several internal certificates in my production IPA directory expired, apparently because they were not automatically renewed. The "CA Subsystem", "OCSP Subsystem", and "IPA RA" certificates are no longer usable. (The "CA Audit" certificate had the same expiration date as all of those, but was renewed on schedule last month. Not sure what to make of that.)

I discovered this problem when pki-tomcatd would not come online on one of my IPA servers after a routine reboot. The error message from the logs is "javax.ws.rs.ServiceUnavailableException: Subsystem unavailable". IPA certificate functions don't work at all on this server. On the remaining IPA servers, certificate functions are impaired; ipa cert-find works but ipa cert-show does not, due to SSL handshake failure (makes sense, pki-tomcatd's server certificate has expired).

I have other copies of the CA certificate and private key, and after a lot of swearing at OpenSSL I was able to manually renew the affected certificates, with the same private key and the same X.509 extensions. I hoped that adding the renewed certificates to pki-tomcatd's certificate database in /etc/pki/pki-tomcat/alias would clear the way for pki-tomcatd to start, and then I could either make IPA renew the certificates, or upload the manually-renewed certs. No soap; pki-tomcatd still won't start. So it seems that I have to replace the certificates in Dogtag. But IPA can't communicate with Dogtag because of the expired certificates, so I suppose that would have to be done with manual curl requests to Dogtag, or by editing the LDAP directory?

To sum up: Dogtag internal certificates were not renewed on schedule, and now Dogtag is mostly or completely unusable on all production IPA servers. I have manually renewed the certificates but can't put them where they need to be because Dogtag is unusable. How can I get out of this??
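Added example, not part of the ticket or of FreeIPA's own code: IPA hands renewal of these Dogtag subsystem certificates to certmonger, so a periodic check over `getcert list` output that flags expired or soon-to-expire certificates, and tracking requests that have left the healthy MONITORING state, surfaces a silent renewal failure like this one before a reboot does. The `getcert list` sample below is constructed (made-up request IDs and dates; the nicknames are the ones IPA uses in /etc/pki/pki-tomcat/alias), and the exact field layout it assumes should be checked against a real host.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (not from any real host); the layout
# follows certmonger's format, but request IDs, nicknames and dates are made up.
SAMPLE_GETCERT_LIST = """\
Request ID '20170301000001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2021-06-15 12:00:00 UTC
Request ID '20170301000002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2019-03-15 12:00:00 UTC
Request ID '20170301000003':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2019-04-01 12:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return entries

def check_tracked_certs(text, now, warn_days=30):
    """Flag certs that are expired, near expiry, or whose certmonger request is unhealthy."""
    problems = []
    for entry in parse_getcert_list(text):
        nick_m = re.search(r"nickname='([^']+)'", entry.get("certificate", ""))
        nick = nick_m.group(1) if nick_m else entry["request_id"]
        # certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; take the timestamp part
        expires = datetime.strptime(entry["expires"][:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append((nick, "expired"))
        elif expires - now <= timedelta(days=warn_days):
            problems.append((nick, "expires within %d days" % warn_days))
        if entry.get("status") != "MONITORING" or entry.get("stuck") == "yes":
            problems.append((nick, "renewal %s, stuck=%s" % (entry.get("status"), entry.get("stuck"))))
    return problems
```

On a live server, feed the check the output of `getcert list` and alert on any non-empty result; a request stuck in CA_UNREACHABLE is the signal that renewal has stopped working even while the certificate is still valid.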


Metadata Update from @syskill:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
