Re: [Pki-users] Replace default caadmin key
It turned out that that ca-agent.p12 in /root did have the key I need.
So I guess I'm good. That's getting backed up and we'll make new users
for our config management system.
For academic purposes, I am still curious as to how one would go about
this. I did update the admin user with a self-signed key, and I even
went as far as to use the CA to sign a key. I tried creating a new
user and updating the admin user with certificates via ldapmodify.
In both cases, I got that I could not map certificate to any user.
[10/May/2016:18:27:27][http-bio-8443-exec-11]:
CertUserDBAuthentication: cannot map certificate to any user
[10/May/2016:18:27:27][http-bio-8443-exec-11]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.C
OM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent,
O=EXAMPLE.COM] authentication failure
On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt)
<john(a)yourtech.us> wrote:
To follow up on my own message, I can definitely view the user cert
with ldap search.
ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
The contents of userCertificate attribute do match the ca_admin.cert
file. That certificate is signed by the freeipa cacert. The key is if
I can replace the userCertificate attribute and if that new one needs
to be signed.
-John
On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
<john(a)yourtech.us> wrote:
> Hello,
>
> I've been recently learning a good bit about dogtag pki. I've setup a
> standalone dogtag instance for development, I've written some code to
> generate CSRs and get a cert from dogtag. I then went to try and get this
> working against our FreeIPA instances. While trying to create a user
> certificate, I found that none of my pki -n caadmin commands would work.
>
> I eventually discovered this page
> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
> master/first freeipa server. While I did have the .cert and .der files, I
> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out
this
> server was rebuilt at one point, and no one was aware of the need to back up
> this directory.
>
> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
> either of these contain the private key that would have been in
> ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
> be replicated to every freeipa replica).
>
> My question at this point is if I can regain control of the dogtag CA
> system. I believe I would have to create a new key/cert pair locally, and
> then update an ldap entry with the new cert. Or maybe I can create a new
> user entirely to manage dogtag. I would probably have to sign the user cert
> using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
> looking for guidance. If my guesses are correct, a series of openssl
> commands, followed by some work with ldif files and ldapmodify.
>
> Thanks in advance,
> John