Yes, I think the uid is caadmin too. I didn't do the installation, but I inherited the config file used during installation, which lists, among other things, the values of pki_admin_uid, pki_admin_password, and pki_client_pkcs12_password.

After digging around some more, I found this page about how to set up a new CA admin:

http://pki.fedoraproject.org/wiki/CA_Admin_Setup

But when I execute the following command (replacing CA Admin password and nickname appropriately from the values in config file):

pki -c <CA admin password> -n <CA admin nickname> ca-user-add newcaadmin --fullName "CA Admin"

I got: ResteasyIOException: IOException

I think it is because the default CA Admin certificate was not installed into a database. I tried to do that following:

http://pki.fedoraproject.org/wiki/Default_CA_Admin

but at the following command (replacing Secret123 with our secret)

pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

I got: 

Error: Unrecognized option: --pkcs12
usage: client-cert-import [OPTIONS]
    --ca-cert <path>   Import CA certificate file
    --ca-server        Import CA certificate from CA server
    --cert <path>      Import certificate file

I switched to 

pki -c Secret123 -n caadmin client-cert-import --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12

to get "Import failed".

I seem to get stuck at installing either the old cert or the new one. Do you know what the commands are to install the cert?

On Mon, Apr 25, 2016 at 4:17 PM, John Magne <jmagne@redhat.com> wrote:
I suspect the uid is probably caadmin, which is the default, if you left it that way.

----- Original Message -----
From: "Ha T. Lam" <hatlam@gmail.com>
To: "John Magne" <jmagne@redhat.com>
Cc: pki-users@redhat.com
Sent: Monday, April 25, 2016 3:12:35 PM
Subject: Re: [Pki-users] How to renew the admin certificate

Hi John,

Thank you very much for your quick reply. I've managed to get ssh -X sorted
out because when I typed

pkiconsole https://ca02.mycompany.com:8433/ca

I get a dialog box asking for User ID and Password. From our conf file, I
put in the pki_admin_uid and pki_admin_password, the dialog box went away,
but nothing else happened. I also tried using pki_client_pkcs12_password
but with the same result. Looking at the log
file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see

"POST /ca/auths HTTP/1.0" 200 27

At this point, I'm not sure if it's because I put in the wrong
authentication or if I'm still having a problem with the pkiconsole. I've
been trying to set up vncserver as you recommended but haven't had much luck.

I stumbled on the pki commands and it looks like I can use them to install
a client certificate. Are they equivalent to the pkiconsole?

Thanks,
Ha


On Mon, Apr 25, 2016 at 11:10 AM, John Magne <jmagne@redhat.com> wrote:

> Hello:
>
> Your approach seems reasonable:
>
> Perhaps you might want to start a vncserver on there and
> come in that way. There have been issues with using the console over ssh.
>
>
>
>
>
> ----- Original Message -----
> > From: "Ha T. Lam" <hatlam@gmail.com>
> > To: pki-users@redhat.com
> > Sent: Sunday, April 24, 2016 9:29:07 PM
> > Subject: [Pki-users] How to renew the admin certificate
> >
> > Hi all,
> >
> > We have a Dogtag system hosted on Fedora inside a VirtualBox. Our admin
> > certificate has unfortunately expired, so the web interface complains that
> > the cert is invalid. I've managed to rewind the clock and authorized myself
> > a PKI Administrator certificate following this thread:
> >
> > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html
> >
> > I'm now trying to import the new certificate into the system. The thread
> > mentioned doing it through the pkiconsole, but I have not been able to get
> > it to work. When I typed:
> >
> > pkiconsole https://ca02.mycompany.com:8433/ca
> >
> > I don't get any error message, but I don't see any console either. I suspect
> > this is because I'm ssh-ing into a virtualbox and the display is not set
> > correctly.
> >
> > My questions are:
> > 1. Does the process I mentioned above make sense? I'm new to dogtag and still
> > learning about it.
> > 2. If I'm on the right track, is there a command line option for pkiconsole?
> >
> > Thank you for your help,
> > Ha
> >