Re: [Pki-users] Authorize Sub-CA to be created
See inline below --
On Fri, 2016-08-19 at 07:28 -0300, Leonardo Bacha Abrantes wrote:
Hi guys,
I'm trying to configure a subordinate CA, but am receiving the
message "ERROR: Unable to access security domain: 401 Client Error:
Unauthorized".
I follow these steps:
===>> On Server01 (root-ca):
setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
> myconfig.txt
[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_instance_name=pki-RootCA
[CA]
pki_ca_signing_subject_dn=cn=EXAMLE Root Certification
Authority,o=XXXXXXXXXXX,c=BR
pki_admin_nickname=PKI Administrator for EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator Root CA,
e=admin(a)XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
pki_admin_email=admin(a)XXXXXX.xxx.xx
===>> On Server02 (Sub-ca):
setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
> myconfig.txt
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
This is incorrect. The security domain
password -- which for some
reason you have listed twice
in this section -- should be the password for the admin user in the
root CA.
The subCA is contacting the rootCA - which hosts the secruity domain to
register the new subsystem
with the domain.
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
> [CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
pki_admin_nickname=PKI Administrator for Example Sub-CA L2
pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin(a)xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
pki_admin_email=admin(a)xxxx.xxx.xx
> > > > when I run pkispawn -v -s CA -f myconfig.txt on Server02:
> > > ERROR: Unable to access security domain: 401 Client Error: Unauthorized
> > > ===
> > > I tried to use the same passwords on myconfig.txt in both servers just to
test, but I receive the same message.
> > Can you help me please ?
> many thanks!
>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
Attachments:
- attachment.html (text/html — 5.1 KB)