Re: [Pki-users] Replace default caadmin key

On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote: > It turned out that that ca-agent.p12 in /root did have the key I > need. > So I guess I'm good. That's getting backed up and we'll make new > users > for our config management system. > > For academic purposes, I am still curious as to how one would go > about > this. I did update the admin user with a self-signed key, and I even > went as far as to use the CA to sign a key. I tried creating a new > user and updating the admin user with certificates via ldapmodify. > > In both cases, I got that I could not map certificate to any user. > > [10/May/2016:18:27:27][http-bio-8443-exec-11]: > CertUserDBAuthentication: cannot map certificate to any user > [10/May/2016:18:27:27][http-bio-8443-exec-11]: > SignedAuditEventFactory: create() > message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.C > OM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa > -ca-agent, > O=EXAMPLE.COM] authentication failure What you were probably missing was updating the description field in the user entry. Not only does the cert have to match, but the description needs to as well. That description has the format: description: 2;<cert serial number>;<issuer DN>;<cert subject name> Ade