4:52 p.m.
I've set up a new installation of the dogtag CA and I'm trying to approve requests
using the default ca admin created at install using the commands from the wiki:
http://pki.fedoraproject.org/wiki/CA_Admin_Setup
When I try to approve, I simply get an "Unauthorized" response. It seems I
receive this any time I perform either an admin or agent command. Any idea what steps I
am missing?
Thanks
6:41 p.m.
On 12/21/2015 4:52 PM, Alex Harrison wrote:
I've set up a new installation of the dogtag CA and I'm
trying to
approve requests using the default ca admin created at install using the
commands from the wiki:
http://pki.fedoraproject.org/wiki/CA_Admin_Setup
When I try to approve, I simply get an "Unauthorized" response. It
seems
I receive this any time I perform either an admin or agent
command. Any idea what steps I am missing?
Hi,
The above wiki page is actually used to create a new CA admin user,
which requires an existing CA admin to approve it. When you install CA
subsystem it will have a default CA admin user which you can use
directly. It's not necessary to create another CA admin user unless you
want to give admin access to someone else.
To use the default CA admin user please take a look at this page:
http://pki.fedoraproject.org/wiki/Default_CA_Admin
You can either import the CA admin cert into ~/.dogtag/nssdb first, or
use it directly from ~/.dogtag/pki-tomcat/ca/alias if you created the CA
with pki_client_database_purge=False.
If you're still having issues, could you post the exact commands you're
trying to execute? Thanks.
--
Endi S. Dewata
6:57 a.m.
Thanks for the help. All I really need to do is to use the default admin to approve
certificate requests. These are the steps I am attempting to use to accomplish that
goal:
First, I import the admin cert:
pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12
--pkcs12-password secret123
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------
Then I find a request:
pki ca-cert-request-show 7
-----------------------
Certificate request "7"
-----------------------
Request ID: 7
Type: enrollment
Request Status: pending
Operation Result: success
Then I try to approve it:
pki ca-cert-request-review 7 --action approve
Unauthorized
So then I try to use the database that I initiated and imported the admin certificate
into:pki -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
ProcessingException: Unable to invoke request
It seems as if these are the steps I need to take, but I must have a detail incorrect.
Thanks for you help.
On Monday, December 21, 2015 7:41 PM, Endi Sukma Dewata <edewata(a)redhat.com> wrote:
On 12/21/2015 4:52 PM, Alex Harrison wrote:
I've set up a new installation of the dogtag CA and I'm
trying to
approve requests using the default ca admin created at install using the
commands from the wiki:
http://pki.fedoraproject.org/wiki/CA_Admin_Setup
When I try to approve, I simply get an "Unauthorized" response. It
seems
I receive this any time I perform either an admin or agent
command. Any idea what steps I am missing?
Hi,
The above wiki page is actually used to create a new CA admin user,
which requires an existing CA admin to approve it. When you install CA
subsystem it will have a default CA admin user which you can use
directly. It's not necessary to create another CA admin user unless you
want to give admin access to someone else.
To use the default CA admin user please take a look at this page:
http://pki.fedoraproject.org/wiki/Default_CA_Admin
You can either import the CA admin cert into ~/.dogtag/nssdb first, or
use it directly from ~/.dogtag/pki-tomcat/ca/alias if you created the CA
with pki_client_database_purge=False.
If you're still having issues, could you post the exact commands you're
trying to execute? Thanks.
--
Endi S. Dewata
10:35 a.m.
On 12/22/2015 6:57 AM, Alex Harrison wrote:
Thanks for the help. All I really need to do is to use the default
admin to approve certificate requests. These are the steps I am
attempting to use to accomplish that goal:
First, I import the admin cert: pki -c Secret123 client-cert-import
--pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123
Before that, make sure you delete the old admin cert from previous
installation (if any), or just re-initialize the client database with
pki -c Secret123 client-init. Then import the new admin cert with the
above command.
Verify the admin cert is added with this command:
pki client-cert-find
Also see the nickname of the certificate in the above output. The
nickname is configurable using pki_admin_nickname parameter in the
pkispawn deployment configuration.
Then I find a request: pki ca-cert-request-show 7
You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending
Then I try to approve it:
pki ca-cert-request-review 7 --action approve
This will not work since the operation requires agent credentials (i.e.
the default admin user).
So then I try to use the database that I initiated and imported the
admin certificate into:pki -c Secret123 -n caadmin
ca-cert-request-review 7 --action approve
ProcessingException: Unable to invoke request
This should work assuming the nickname and the cert is correct. If it
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if
there's a problem on the server.
It seems as if these are the steps I need to take, but I must have a
detail incorrect. Thanks for you help.
--
Endi S. Dewata
2:03 p.m.
Verify the admin cert is added with this command:
pki client-cert-find
Also see the nickname of the certificate in the above output. The
nickname is configurable using pki_admin_nickname parameter in the
pkispawn deployment configuration.
I think you've found my problem. When I issue that command I see:
----------------------
2 certificate(s) found
----------------------
Serial Number: 0x6
Nickname: PKI Administrator for localdomain
Subject DN: CN=PKI Administrator,E=caadmin@localdomain,O=localdomain Security
Domain
Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain
"E=caadmin@localdomain" is telling me that the nickname is
"caadmin@localdomain", right? So I need to put the whole string in my command
authentication with the -n parameter, not just "caadmin". Is that correct? If
so, that explains my problems. When I use the entire string with the domain, the commands
all work as I expect.
Thanks for your help.
On Tuesday, December 22, 2015 11:35 AM, Endi Sukma Dewata <edewata(a)redhat.com>
wrote:
On 12/22/2015 6:57 AM, Alex Harrison wrote:
Thanks for the help. All I really need to do is to use the default
admin to approve certificate requests. These are the steps I am
attempting to use to accomplish that goal:
First, I import the admin cert: pki -c Secret123 client-cert-import
--pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123
Before that, make sure you delete the old admin cert from previous
installation (if any), or just re-initialize the client database with
pki -c Secret123 client-init. Then import the new admin cert with the
above command.
Verify the admin cert is added with this command:
pki client-cert-find
Also see the nickname of the certificate in the above output. The
nickname is configurable using pki_admin_nickname parameter in the
pkispawn deployment configuration.
Then I find a request: pki ca-cert-request-show 7
You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending
Then I try to approve it:
pki ca-cert-request-review 7 --action approve
This will not work since the operation requires agent credentials (i.e.
the default admin user).
So then I try to use the database that I initiated and imported the
admin certificate into:pki -c Secret123 -n caadmin
ca-cert-request-review 7 --action approve
ProcessingException: Unable to invoke request
This should work assuming the nickname and the cert is correct. If it
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if
there's a problem on the server.
It seems as if these are the steps I need to take, but I must have a
detail incorrect. Thanks for you help.
--
Endi S. Dewata
3:33 p.m.
On 12/22/2015 2:03 PM, Alex Harrison wrote:
> Verify the admin cert is added with this command:
> pki client-cert-find
> Also see the nickname of the certificate in the above output. The
> nickname is configurable using pki_admin_nickname parameter in the
> pkispawn deployment configuration.
I think you've found my problem. When I issue that command I see:
----------------------
2 certificate(s) found
----------------------
Serial Number: 0x6
Nickname: PKI Administrator for localdomain
Subject DN: CN=PKI Administrator,E=caadmin@localdomain,O=localdomain Security
Domain
Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain
"E=caadmin@localdomain" is telling me that the nickname is
"caadmin@localdomain", right? So I need to put the whole string in my
command authentication with the -n parameter, not just "caadmin". Is
that correct? If so, that explains my problems. When I use the entire
string with the domain, the commands all work as I expect.
Thanks for your help.
Actually, the "E=..." specifies the email address used to construct the
certificate subject DN. The nickname of the above certificate is "PKI
Administrator for localdomain". If "caadmin@localdomain" works, you
probably have another certificate added with that as a nickname. To
avoid confusions I'd suggest you re-initialize the client database using
pki client-init and reimport the admin certificate. Just let me know if
you still have a problem.
--
Endi S. Dewata
3601
days inactive
3602
days old
5 comments
2 participants
participants (2)
-
Alex Harrison -
Endi Sukma Dewata