Re: [Pki-users] pki cli default CA Admin Unauthorized
Verify the admin cert is added with this command:
pki client-cert-find
Also see the nickname of the certificate in the above output. The
nickname is configurable using pki_admin_nickname parameter in the
pkispawn deployment configuration.
I think you've found my problem. When I issue that command I see:
----------------------
2 certificate(s) found
----------------------
Serial Number: 0x6
Nickname: PKI Administrator for localdomain
Subject DN: CN=PKI Administrator,E=caadmin@localdomain,O=localdomain Security
Domain
Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain
"E=caadmin@localdomain" is telling me that the nickname is
"caadmin@localdomain", right? So I need to put the whole string in my command
authentication with the -n parameter, not just "caadmin". Is that correct? If
so, that explains my problems. When I use the entire string with the domain, the commands
all work as I expect.
Thanks for your help.
On Tuesday, December 22, 2015 11:35 AM, Endi Sukma Dewata <edewata(a)redhat.com>
wrote:
On 12/22/2015 6:57 AM, Alex Harrison wrote:
Thanks for the help. All I really need to do is to use the default
admin to approve certificate requests. These are the steps I am
attempting to use to accomplish that goal:
First, I import the admin cert: pki -c Secret123 client-cert-import
--pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123
Before that, make sure you delete the old admin cert from previous
installation (if any), or just re-initialize the client database with
pki -c Secret123 client-init. Then import the new admin cert with the
above command.
Verify the admin cert is added with this command:
pki client-cert-find
Also see the nickname of the certificate in the above output. The
nickname is configurable using pki_admin_nickname parameter in the
pkispawn deployment configuration.
Then I find a request: pki ca-cert-request-show 7
You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending
Then I try to approve it:
pki ca-cert-request-review 7 --action approve
This will not work since the operation requires agent credentials (i.e.
the default admin user).
So then I try to use the database that I initiated and imported the
admin certificate into:pki -c Secret123 -n caadmin
ca-cert-request-review 7 --action approve
ProcessingException: Unable to invoke request
This should work assuming the nickname and the cert is correct. If it
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if
there's a problem on the server.
It seems as if these are the steps I need to take, but I must have a
detail incorrect. Thanks for you help.
--
Endi S. Dewata