Hello,

it turns out that something was wrong with my test environment because I was receiving random errors when launching the instance and everything has been working great after moving to a new, clean virtual machine. Also, your response pointed me to look at the config file and I realized there was no default admin certificate path defined so I added the following line:

    pki_client_admin_cert = /tmp/ca_admin.cert

However, regardless of the path I define there it always gets saved to the default /root/.dogtag/intca/ca_admin.cert so I'm not sure I'm using the option properly. It's not a big deal, but I think it's worth mentioning anyway.

Other than that everything has been working great so far so thanks again for pointing me in the right direction.

Regards!


On 07/01/2016 04:47 AM, Endi Sukma Dewata wrote:
On 6/29/2016 5:10 AM, Carlos Barrabes wrote:
Hello,

I'm trying to create an intermediate CA so I can issue certificates with
a trust path pointing to our RootCA but I'm facing some issues while
following the documentation in the project's site.

Once I'm done with step two, you import the external and ca-signing
certificates into a user's NSS db and then the wiki says you have to
import the CA admin certificate and key but the problem is there is no
such thing after starting the instance via custom config file or I
simply cannot find them.

Any suggestions?

Thanks for your time!

I am running Dogtag 10.2.6-12 on a Fedora 22 server machine and the
procedure I'm following is this one:
http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate

Hi,

At the end of the PKI server installation the admin certificate and key will be stored in a PKCS #12 file and the location should be displayed in the final installation message. Usually it is stored in this location:

  /root/.dogtag/pki-tomcat/ca_admin_cert.p12

But that could change depending on your deployment configuration that you supplied to pkispawn.

After the PKI server installation you can set up the PKI client to manage CA services. First initialize the client:

$ pki -c Secret123 client-init

Then import the root CA certificate:

$ pki -c Secret123 client-cert-import "Root CA Certificate" --ca-cert root-ca.crt

Then import the PKI CA certificate:

$ pki -c Secret123 client-cert-import "PKI CA Certificate" --ca-cert ca_signing.crt

Then import the CA admin certificate & key:

$ pki -c Secret123 client-cert-import caadmin --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

Then you should be able to access CA services as the admin, for example:

$ pki -c Secret123 -n caadmin ca-user-find

Just let me know if you have any questions.