[Freeipa-users] Running pki commands on fresh IPA server -- authentication

Jan Pazdziora jpazdziora at redhat.com
Wed May 20 15:16:48 UTC 2015


Hello,

TL;DR: how should I authenticate for pki command line commands on a
stock IPA installation?

Longer context: I am trying to set up a new IPA server (1) with --external-ca
and I'd like to sign the CSR that gets generated on IPA 1 using the
CA at my other IPA server (2).

The CSR as produced by IPA 1 is for

        Subject: O=SUB.EXAMPLE.TEST, CN=Certificate Authority
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

Jan Ch. hints that I cannot use ipa cert-request because the certificate
request does not have hostname CN and besides, IPA and ipa command only
support server certificates and here I am attempting to create CA
certificate.

Hence my understanding is that I need to use Dogtag directly, and I'd like
to use the pki commands. I believe I need to start by getting the XML
template -- I've used

	pki cert-request-profile-show caInstallCACert --output template

Then I took the Base64 content of /root/ipa.csr from IPA 2 and put it
into the <value> child element of

	/CertEnrollmentRequest/Input[@id="11"]/Attribute[@name="cert_request"]

and attempted to run

	# pki cert-request-submit template 
	UnauthorizedException: AuthCredentials.set()

Reading man pki(1) suggests I should authenticate using certificate
nickname, and reading other documentation suggests that using
ca-agent's certificate could be a good option. So I do

	# openssl pkcs12 -out /root/ca-agent.pem < /root/ca-agent.p12
	Enter Import Password:
	MAC verified OK
	Enter PEM pass phrase:
	# pki -n ca-agent client-cert-import --cert /root/ca-agent.pem
	-------------------------------
	Imported certificate "ca-agent"
	-------------------------------
	# pki -n ca-agent cert-request-submit template
	WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert 'CN=Certificate Authority,O=EXAMPLE.TEST'
	Import CA certificate (Y/n)? n
	ClientResponseFailure: Error status 401 Unauthorized returned

Even if I allow that CA certificate to be imported, the result is
the same:

	Import CA certificate (Y/n)? 
	CA server URI [http://mgmt9.rhq.lab.eng.bos.redhat.com:8080/ca]: 
	ClientResponseFailure: Error status 401 Unauthorized returned

What am I doing wrong? This is with ipa-server-4.1.0-18.el7.x86_64
and pki-server-10.1.2-7.el7.noarch.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
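
The template-filling step in the post above, as an added example that is
not code from the original post or from the Dogtag project: it locates the
cert_request_type and cert_request attributes by name (whatever Input
element they sit under, so the Input id is not relied on), refuses to
submit a PEM block that is not labelled as a certificate request, and
checks that the body is valid Base64 of a DER SEQUENCE before writing it
into the template. The template and CSR embedded here are constructed
stand-ins: the real template written by `pki cert-request-profile-show
caInstallCACert --output template` carries more elements than shown, and
the CSR body is a placeholder DER SEQUENCE, not a real PKCS#10 request.
The value element is matched case-insensitively because the post writes
it as <value>.

```python
"""Fill a Dogtag CertEnrollmentRequest template with a PKCS#10 CSR.

Added example; not code from the original post or from the Dogtag project.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the file written by
#   pki cert-request-profile-show caInstallCACert --output template
# Only the elements this example touches are reproduced; the real template
# carries more elements, and the Input id is not relied upon (assumption).
TEMPLATE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<CertEnrollmentRequest>
  <ProfileID>caInstallCACert</ProfileID>
  <Renewal>false</Renewal>
  <Input id="i1">
    <ClassID>certReqInputImpl</ClassID>
    <Name>Certificate Request Input</Name>
    <Attribute name="cert_request_type">
      <Value/>
    </Attribute>
    <Attribute name="cert_request">
      <Value/>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
"""

# Constructed stand-in for /root/ipa.csr: the body is a placeholder DER
# SEQUENCE (30 03 02 01 00), not a real PKCS#10 request.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MAMCAQA=
-----END CERTIFICATE REQUEST-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
_CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def pem_to_base64(pem_text):
    """Return the Base64 body of a PEM CSR as one line, with checks.

    Rejects anything not labelled as a certificate request (so a
    certificate or key file cannot be submitted by mistake), anything
    that is not valid Base64, and anything whose DER does not start with
    a SEQUENCE tag (0x30), which every PKCS#10 request does.
    """
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label not in _CSR_LABELS:
        raise ValueError("PEM block is a %s, not a certificate request" % label)
    b64 = "".join(body.split())
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded request is not a DER SEQUENCE")
    return b64


def _value_element(attr):
    """Return the value child of an <Attribute>; the tag is matched
    case-insensitively because the post writes it as <value>."""
    for child in attr:
        if child.tag.lower() == "value":
            return child
    raise ValueError("attribute %r has no value element" % attr.get("name"))


def set_attribute(root, name, text):
    """Set the first <Attribute name=NAME> anywhere in the request,
    whichever <Input> element it lives under."""
    for attr in root.iter("Attribute"):
        if attr.get("name") == name:
            _value_element(attr).text = text
            return
    raise ValueError("template has no attribute named %r" % name)


def read_attribute(xml_text, name):
    """Read back an attribute value from a serialized request (for checks)."""
    root = ET.fromstring(xml_text)
    for attr in root.iter("Attribute"):
        if attr.get("name") == name:
            return _value_element(attr).text
    raise ValueError("request has no attribute named %r" % name)


def build_request(template_xml, csr_pem):
    """Return the template with cert_request_type and cert_request filled
    in, ready to be saved and passed to `pki cert-request-submit`."""
    root = ET.fromstring(template_xml)
    set_attribute(root, "cert_request_type", "pkcs10")
    set_attribute(root, "cert_request", pem_to_base64(csr_pem))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Usage: python fill_request.py template /root/ipa.csr > request.xml
    with open(sys.argv[1]) as t, open(sys.argv[2]) as c:
        sys.stdout.write(build_request(t.read(), c.read()))
```

Run it against the real template and CSR, save the output, and pass that
file to `pki cert-request-submit`. The script only prepares the request
body; whether the submission is accepted still depends on the client
authenticating to the CA, which is where the post shows the failure. One
general caveat worth checking there: for `pki -n <nickname>` to do
client-certificate authentication, the NSS database it uses must hold the
private key for that nickname, not only the certificate, because a
certificate on its own gives the client nothing to sign the TLS handshake
with.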



