Hi,
It worked !!
Only the Subordinate CA has a certificate valid only for 2 years. Now I'm
looking for how to increase it.
Many thanks!
On Mon, Aug 22, 2016 at 11:03 AM, Ade Lee <alee(a)redhat.com> wrote:
 See inline below --
 On Fri, 2016-08-19 at 07:28 -0300, Leonardo Bacha Abrantes wrote:
 Hi guys,
 I'm trying to configure a subordinate CA, but am receiving the message
 "ERROR:  Unable to access security domain: 401 Client Error: Unauthorized".
 I follow these steps:
 ===>> On Server01 (root-ca):
 setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
 General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
 slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
 slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
 slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
 > myconfig.txt
 [DEFAULT]
 pki_admin_password=Root-CA_pwd
 pki_client_database_password=Root-CA_pwd
 pki_client_pkcs12_password=Root-CA_pwd
 pki_ds_password=Root-CA_pwd
 pki_security_domain_password=Root-CA_pwd
 pki_admin_password=Root-CA_pwd
 pki_client_database_password=Root-CA_pwd
 pki_client_pkcs12_password=Root-CA_pwd
 pki_ds_bind_dn=cn=ldapadmin
 pki_ds_password=Root-CA_pwd
 pki_security_domain_password=Root-CA_pwd
 pki_instance_name=pki-RootCA
 [CA]
 pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
 pki_admin_nickname=PKI Administrator for EXAMPLE
 pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin(a)XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
 pki_admin_email=admin(a)XXXXXX.xxx.xx
 ===>> On Server02 (Sub-ca):
 setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
 General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
 slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
 slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
 slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
 > myconfig.txt
 [DEFAULT]
 pki_admin_password=SUB-CA_Passord
 pki_client_database_password=SUB-CA_Passord
 pki_client_pkcs12_password=SUB-CA_Passord
 pki_ds_password=SUB-CA_Passord
 pki_security_domain_password=SUB-CA_Passord
 pki_admin_password=SUB-CA_Passord
 pki_client_database_password=SUB-CA_Passord
 pki_client_pkcs12_password=SUB-CA_Passord
 pki_ds_bind_dn=cn=ldapadmin
 pki_ds_password=SUB-CA_Passord
 pki_security_domain_password=SUB-CA_Passord
 This is incorrect. The security domain password -- which for some reason
 you have listed twice in this section -- should be the password for the
 admin user in the root CA.
 The subCA is contacting the rootCA - which hosts the security domain to
 register the new subsystem with the domain.
 pki_instance_name=pki-SubCA
 pki_security_domain_hostname=root-ca.xxxx.xxx.xx
 pki_security_domain_https_port=8443
 pki_security_domain_user=caadmin
 [CA]
 pki_subordinate=True
 pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
 pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
 pki_subordinate_create_new_security_domain=True
 pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
 pki_admin_nickname=PKI Administrator for Example Sub-CA L2
 pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin(a)xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
 pki_admin_email=admin(a)xxxx.xxx.xx
 when I run pkispawn -v -s CA -f myconfig.txt on Server02:
 ERROR:  Unable to access security domain: 401 Client Error: Unauthorized
 ===
 I tried to use the same passwords on myconfig.txt in both servers just to
 test, but I receive the same message.
 Can you help me please ?
 many thanks!
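
An added example, not part of the original thread and not pkispawn's own code: a small linter for the sub-CA myconfig.txt that reports keys listed twice in a section and flags a pki_security_domain_password equal to the local pki_admin_password, the mistake the inline reply points out. The sample config, its host name and passwords are constructed, and the equality check is a heuristic (the two passwords may legitimately match).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sub-CA myconfig.txt quoted above (placeholder values).
SAMPLE = """\
[DEFAULT]
pki_admin_password=SUB-CA_pwd
pki_security_domain_password=SUB-CA_pwd
pki_admin_password=SUB-CA_pwd
pki_security_domain_password=SUB-CA_pwd
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.example.test
pki_security_domain_user=caadmin
[CA]
pki_subordinate=True
"""

KEY_RE = re.compile(r"^([A-Za-z0-9_]+)\s*[=:]\s*(.*)$")

def lint_pkispawn_config(text):
    """Return a list of human-readable findings for a pkispawn config."""
    findings = []
    section = None
    seen = defaultdict(dict)      # section -> key -> (line number, value)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or raw[0].isspace():
            continue              # blank, comment, or continuation line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = KEY_RE.match(line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2)
        if key in seen[section]:
            first = seen[section][key][0]
            findings.append(f"line {lineno}: [{section}] {key} repeats line {first}")
        seen[section][key] = (lineno, value)
    default = {k: v for k, (_, v) in seen["DEFAULT"].items()}
    if "pki_security_domain_hostname" in default:   # joining a remote security domain
        for key in ("pki_security_domain_user", "pki_security_domain_password"):
            if key not in default:
                findings.append(f"[DEFAULT] {key} missing for remote security domain")
        sd_pw = default.get("pki_security_domain_password")
        if sd_pw is not None and sd_pw == default.get("pki_admin_password"):
            findings.append("pki_security_domain_password equals local pki_admin_password; "
                            "confirm it is the root CA admin user's password")
    return findings
```

Run it over the file before pkispawn, for example with `lint_pkispawn_config(open("myconfig.txt").read())`; an empty list means none of these checks fired.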