NOW, I still have an issue with the rest of the 'stuck' certs that NEED_CSR_GEN_PIN—I've tried restarting certmonger and getcert resubmit individually, but still no luck...
Any advice now?
I'd suggest stopping certmonger and looking for the actual request file in /var/lib/certmonger/request (grep for id=<request id>).
Make sure that the value in key_pin matches the value in /etc/pki/pki-tomcat/alias/pwdfile.txt.
If it doesn't fix it, then restart certmonger.
It wasn't and I did fix it (I think). The pin is in a file: /var/lib/ipa/passwords/ipa01.mydomain.com-443-RSA
Assuming this is for the associated key, I copied that value into /etc/pki/pki-tomcat/alias/pwdfile.txt — that did not work. I did the opposite (copied pwdfile.txt to the pin file) just for good measure. Also did not work.
Restarted ipa after each change before restarting certmonger.
Also, I failed to notice that there's only one that is NEED_CSR_GEN_PIN and the rest are NEED_CSR_GEN_TOKEN.
Thanks again,
Sean
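
The comparison suggested in the thread (find the request file by its id, then check key_pin against the password file) can be scripted so that neither secret is printed. This is an added example, not part of the original messages or of certmonger; it assumes the request file holds one `key=value` field per line with `id=` and `key_pin=` entries, and the function name and return codes are choices made for this example.

```shell
#!/bin/sh
# Added example: compare the key_pin stored in a certmonger request file
# with a password file, without echoing either value.
# Return codes (chosen for this example): 0 match, 1 mismatch, 2 cannot compare.

check_request_pin() {
    reqdir=$1   # directory holding the certmonger request files
    reqid=$2    # request id, as shown by getcert list
    pwdfile=$3  # e.g. /etc/pki/pki-tomcat/alias/pwdfile.txt

    # Find the file containing the exact line id=<request id>.
    # -x avoids matching a longer id that merely starts with the same digits.
    reqfile=$(grep -lxF -- "id=$reqid" "$reqdir"/* 2>/dev/null | head -n 1)
    if [ -z "$reqfile" ]; then
        echo "no request file with id=$reqid in $reqdir" >&2
        return 2
    fi

    # A request without a key_pin line has nothing to compare.
    if ! grep -q '^key_pin=' "$reqfile"; then
        echo "$reqfile: no key_pin entry" >&2
        return 2
    fi
    [ -r "$pwdfile" ] || { echo "cannot read $pwdfile" >&2; return 2; }

    stored=$(sed -n 's/^key_pin=//p' "$reqfile" | head -n 1)
    expected=$(head -n 1 "$pwdfile")

    if [ "$stored" = "$expected" ]; then
        echo "$reqfile: key_pin matches $pwdfile"
        return 0
    fi
    echo "$reqfile: key_pin differs from $pwdfile"
    return 1
}

# Run directly as: script <request dir> <request id> <password file>
if [ "$#" -eq 3 ]; then check_request_pin "$@"; fi
```

Run it as root with certmonger stopped, as the thread advises, so the request file is not rewritten while it is being read.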