Re: [Pki-users] Replace default caadmin key

Hello, I've been recently learning a good bit about dogtag pki. I've setup a standalone dogtag instance for development, I've written some code to generate CSRs and get a cert from dogtag. I then went to try and get this working against our FreeIPA instances. While trying to create a user certificate, I found that none of my pki -n caadmin commands would work. I eventually discovered this page http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the master/first freeipa server. While I did have the .cert and .der files, I did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this server was rebuilt at one point, and no one was aware of the need to back up this directory. I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe either of these contain the private key that would have been in ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to be replicated to every freeipa replica). My question at this point is if I can regain control of the dogtag CA system. I believe I would have to create a new key/cert pair locally, and then update an ldap entry with the new cert. Or maybe I can create a new user entirely to manage dogtag. I would probably have to sign the user cert using cacert.p12 as well. Since I'm unfamiliar with dogtag internals, looking for guidance. If my guesses are correct, a series of openssl commands, followed by some work with ldif files and ldapmodify. Thanks in advance, John