10:58 a.m.
Hello,
I've been recently learning a good bit about dogtag pki. I've setup a
standalone dogtag instance for development, I've written some code to
generate CSRs and get a cert from dogtag. I then went to try and get this
working against our FreeIPA instances. While trying to create a user
certificate, I found that none of my pki -n caadmin commands would work.
I eventually discovered this page
http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
master/first freeipa server. While I did have the .cert and .der files, I
did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out
this server was rebuilt at one point, and no one was aware of the need to
back up this directory.
I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
either of these contain the private key that would have been in
ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
be replicated to every freeipa replica).
My question at this point is if I can regain control of the dogtag CA
system. I believe I would have to create a new key/cert pair locally, and
then update an ldap entry with the new cert. Or maybe I can create a new
user entirely to manage dogtag. I would probably have to sign the user cert
using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
looking for guidance. If my guesses are correct, a series of openssl
commands, followed by some work with ldif files and ldapmodify.
Thanks in advance,
John
11:47 a.m.
To follow up on my own message, I can definitely view the user cert
with ldap search.
ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
The contents of userCertificate attribute do match the ca_admin.cert
file. That certificate is signed by the freeipa cacert. The key is if
I can replace the userCertificate attribute and if that new one needs
to be signed.
-John
On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
<john(a)yourtech.us> wrote:
Hello,
I've been recently learning a good bit about dogtag pki. I've setup a
standalone dogtag instance for development, I've written some code to
generate CSRs and get a cert from dogtag. I then went to try and get this
working against our FreeIPA instances. While trying to create a user
certificate, I found that none of my pki -n caadmin commands would work.
I eventually discovered this page
http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
master/first freeipa server. While I did have the .cert and .der files, I
did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
server was rebuilt at one point, and no one was aware of the need to back up
this directory.
I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
either of these contain the private key that would have been in
ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
be replicated to every freeipa replica).
My question at this point is if I can regain control of the dogtag CA
system. I believe I would have to create a new key/cert pair locally, and
then update an ldap entry with the new cert. Or maybe I can create a new
user entirely to manage dogtag. I would probably have to sign the user cert
using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
looking for guidance. If my guesses are correct, a series of openssl
commands, followed by some work with ldif files and ldapmodify.
Thanks in advance,
John
2:01 p.m.
It turned out that that ca-agent.p12 in /root did have the key I need.
So I guess I'm good. That's getting backed up and we'll make new users
for our config management system.
For academic purposes, I am still curious as to how one would go about
this. I did update the admin user with a self-signed key, and I even
went as far as to use the CA to sign a key. I tried creating a new
user and updating the admin user with certificates via ldapmodify.
In both cases, I got that I could not map certificate to any user.
[10/May/2016:18:27:27][http-bio-8443-exec-11]:
CertUserDBAuthentication: cannot map certificate to any user
[10/May/2016:18:27:27][http-bio-8443-exec-11]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.C
OM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent,
O=EXAMPLE.COM] authentication failure
On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt)
<john(a)yourtech.us> wrote:
To follow up on my own message, I can definitely view the user cert
with ldap search.
ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
The contents of userCertificate attribute do match the ca_admin.cert
file. That certificate is signed by the freeipa cacert. The key is if
I can replace the userCertificate attribute and if that new one needs
to be signed.
-John
On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
<john(a)yourtech.us> wrote:
> Hello,
>
> I've been recently learning a good bit about dogtag pki. I've setup a
> standalone dogtag instance for development, I've written some code to
> generate CSRs and get a cert from dogtag. I then went to try and get this
> working against our FreeIPA instances. While trying to create a user
> certificate, I found that none of my pki -n caadmin commands would work.
>
> I eventually discovered this page
> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
> master/first freeipa server. While I did have the .cert and .der files, I
> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out
this
> server was rebuilt at one point, and no one was aware of the need to back up
> this directory.
>
> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
> either of these contain the private key that would have been in
> ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
> be replicated to every freeipa replica).
>
> My question at this point is if I can regain control of the dogtag CA
> system. I believe I would have to create a new key/cert pair locally, and
> then update an ldap entry with the new cert. Or maybe I can create a new
> user entirely to manage dogtag. I would probably have to sign the user cert
> using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
> looking for guidance. If my guesses are correct, a series of openssl
> commands, followed by some work with ldif files and ldapmodify.
>
> Thanks in advance,
> John
2:18 p.m.
On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote:
It turned out that that ca-agent.p12 in /root did have the key I
need.
So I guess I'm good. That's getting backed up and we'll make new
users
for our config management system.
For academic purposes, I am still curious as to how one would go
about
this. I did update the admin user with a self-signed key, and I even
went as far as to use the CA to sign a key. I tried creating a new
user and updating the admin user with certificates via ldapmodify.
In both cases, I got that I could not map certificate to any user.
[10/May/2016:18:27:27][http-bio-8443-exec-11]:
CertUserDBAuthentication: cannot map certificate to any user
[10/May/2016:18:27:27][http-bio-8443-exec-11]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.C
OM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa
-ca-agent,
O=EXAMPLE.COM] authentication failure
What you were probably missing was updating the description field in
the user entry. Not only does the cert have to match, but the
description needs to as well.
That description has the format:
description: 2;<cert serial number>;<issuer DN>;<cert subject name>
Ade
On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt)
<john(a)yourtech.us> wrote:
> To follow up on my own message, I can definitely view the user cert
> with ldap search.
>
> ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
>
> The contents of userCertificate attribute do match the
> ca_admin.cert
> file. That certificate is signed by the freeipa cacert. The key is
> if
> I can replace the userCertificate attribute and if that new one
> needs
> to be signed.
>
> -John
>
> On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
> <john(a)yourtech.us> wrote:
> > Hello,
> >
> > I've been recently learning a good bit about dogtag pki. I've
> > setup a
> > standalone dogtag instance for development, I've written some
> > code to
> > generate CSRs and get a cert from dogtag. I then went to try and
> > get this
> > working against our FreeIPA instances. While trying to create a
> > user
> > certificate, I found that none of my pki -n caadmin commands
> > would work.
> >
> > I eventually discovered this page
> > http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to
> > the
> > master/first freeipa server. While I did have the .cert and .der
> > files, I
> > did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It
> > turns out this
> > server was rebuilt at one point, and no one was aware of the need
> > to back up
> > this directory.
> >
> > I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't
> > believe
> > either of these contain the private key that would have been in
> > ca_admin_cert.p12. I do have the pkcs12 password conf files
> > (these seem to
> > be replicated to every freeipa replica).
> >
> > My question at this point is if I can regain control of the
> > dogtag CA
> > system. I believe I would have to create a new key/cert pair
> > locally, and
> > then update an ldap entry with the new cert. Or maybe I can
> > create a new
> > user entirely to manage dogtag. I would probably have to sign the
> > user cert
> > using cacert.p12 as well. Since I'm unfamiliar with dogtag
> > internals,
> > looking for guidance. If my guesses are correct, a series of
> > openssl
> > commands, followed by some work with ldif files and ldapmodify.
> >
> > Thanks in advance,
> > John
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
3:37 p.m.
On 5/10/2016 2:18 PM, Ade Lee wrote:
On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote:
> It turned out that that ca-agent.p12 in /root did have the key I
> need.
> So I guess I'm good. That's getting backed up and we'll make new
> users
> for our config management system.
>
> For academic purposes, I am still curious as to how one would go
> about
> this. I did update the admin user with a self-signed key, and I even
> went as far as to use the CA to sign a key. I tried creating a new
> user and updating the admin user with certificates via ldapmodify.
>
> In both cases, I got that I could not map certificate to any user.
>
> [10/May/2016:18:27:27][http-bio-8443-exec-11]:
> CertUserDBAuthentication: cannot map certificate to any user
> [10/May/2016:18:27:27][http-bio-8443-exec-11]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.C
> OM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa
> -ca-agent,
> O=EXAMPLE.COM] authentication failure
What you were probably missing was updating the description field in
the user entry. Not only does the cert have to match, but the
description needs to as well.
That description has the format:
description: 2;<cert serial number>;<issuer DN>;<cert subject name>
Ade
I believe IPA moves /root/.dogtag/pki-tomcat/ca_admin_cert.p12 to
/root/ca-agent.p12 right after installation. The file name is a bit
misleading, so feel free to open an IPA ticket.
Please take a look at this page:
http://pki.fedoraproject.org/wiki/IPA_PKI_Admin_Setup
I haven't tried it recently though, but supposedly you can just use -n
ipa-ca-agent instead of -n caadmin to access PKI services in IPA.
Which commands are you trying to execute?
We have some docs about IPA from PKI's perspective:
http://pki.fedoraproject.org/wiki/IPA
If you have any feedback for the wiki pages just let us know. Thanks!
--
Endi S. Dewata
3193
days inactive
3193
days old
4 comments
3 participants
participants (3)
-
Ade Lee -
Endi Sukma Dewata -
John Hogenmiller (yt)