On 12/22/2015 6:57 AM, Alex Harrison wrote:
> Thanks for the help. All I really need to do is to use the default
> admin to approve certificate requests. These are the steps I am
> attempting to use to accomplish that goal:
> First, I import the admin cert:
> pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123

Before that, make sure you delete the old admin cert from a previous
installation (if any), or just re-initialize the client database with
pki -c Secret123 client-init. Then import the new admin cert with the
above command.

Verify the admin cert is added with this command:
pki client-cert-find

Also see the nickname of the certificate in the above output. The
nickname is configurable using the pki_admin_nickname parameter in the
pkispawn deployment configuration.

> Then I find a request: pki ca-cert-request-show 7

You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending

> Then I try to approve it:
> pki ca-cert-request-review 7 --action approve

This will not work since the operation requires agent credentials (i.e.
the default admin user).

> So then I try to use the database that I initiated and imported the
> admin certificate into:
> pki -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
> ProcessingException: Unable to invoke request

This should work assuming the nickname and the cert are correct. If it
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve

Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if
there's a problem on the server.

> It seems as if these are the steps I need to take, but I must have a
> detail incorrect. Thanks for your help.

--
Endi S. Dewata