[Freeipa-users] Running pki commands on fresh IPA server -- authentication
Jan Pazdziora
jpazdziora at redhat.com
Wed May 20 15:16:48 UTC 2015
Hello,

TL;DR: how should I authenticate for pki command line commands on a
stock IPA installation?

Longer context: I try to set up a new IPA server (1) with --external-ca
and I'd like to sign the CSR which gets generated on IPA 1 using the
CA at my other IPA server (2).
The CSR as produced by IPA 1 is for

    Subject: O=SUB.EXAMPLE.TEST, CN=Certificate Authority
    Requested Extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
Jan Ch. hints that I cannot use ipa cert-request because the certificate
request does not have a hostname CN and besides, IPA and the ipa command only
support server certificates, and here I am attempting to create a CA
certificate.

Hence my understanding is I need to use Dogtag directly and I'd like
to use the pki commands. I believe I need to start by getting the XML
template -- I've used

    pki cert-request-profile-show caInstallCACert --output template

Then I took the Base64 content of the /root/ipa.csr from IPA 2, put it
into the <value> child element of

    /CertEnrollmentRequest/Input[@id="11"]/Attribute[@name="cert_request"]

and attempted to run

    # pki cert-request-submit template
    UnauthorizedException: AuthCredentials.set()
Reading man pki(1) suggests I should authenticate using a certificate
nickname, and reading other documentation suggests that using the
ca-agent's certificate could be a good option. So I do

    # openssl pkcs12 -out /root/ca-agent.pem < /root/ca-agent.p12
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    # pki -n ca-agent client-cert-import --cert /root/ca-agent.pem
    -------------------------------
    Imported certificate "ca-agent"
    -------------------------------
    # pki -n ca-agent cert-request-submit template
    WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert 'CN=Certificate Authority,O=EXAMPLE.TEST'
    Import CA certificate (Y/n)? n
    ClientResponseFailure: Error status 401 Unauthorized returned

Even if I allow that CA certificate to be imported, the result is
the same:

    Import CA certificate (Y/n)?
    CA server URI [http://mgmt9.rhq.lab.eng.bos.redhat.com:8080/ca]:
    ClientResponseFailure: Error status 401 Unauthorized returned

What am I doing wrong? This is with ipa-server-4.1.0-18.el7.x86_64
and pki-server-10.1.2-7.el7.noarch.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
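The template-editing step the post describes (taking the base64 body of /root/ipa.csr and placing it under Input[@id="11"]/Attribute[@name="cert_request"] in the XML written by `pki cert-request-profile-show ... --output template`) is the kind of manual copy/paste where a stray PEM armour line or a truncated blob produces a request the CA will reject for a reason unrelated to authentication. The script below is an added example, not part of the original message and not code from the pki tool or FreeIPA. It assumes the attribute's value element is named `Value`, models only the one path the post edits (a real template carries many more elements), and uses a constructed placeholder CSR whose body is a tiny DER SEQUENCE rather than a real PKCS#10 request. It does nothing about the 401 the post asks about; it only makes the request body the agent submits verifiably well-formed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed stand-in for the template XML. The <Value> element name and
# the reduced set of elements are assumptions; only the path the post edits
# is modelled.
TEMPLATE_XML = """<CertEnrollmentRequest>
  <ProfileID>caInstallCACert</ProfileID>
  <Input id="11">
    <Attribute name="cert_request_type">
      <Value>pkcs10</Value>
    </Attribute>
    <Attribute name="cert_request">
      <Value></Value>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
"""

# ElementTree's limited XPath is enough for the path given in the post.
CERT_REQUEST_PATH = "./Input[@id='11']/Attribute[@name='cert_request']/Value"

# Constructed placeholder standing in for /root/ipa.csr: the body is the
# base64 of the DER bytes 30 03 02 01 00, not a real certificate request.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MAMCAQA=
-----END CERTIFICATE REQUEST-----
"""


def pem_body(pem_text: str) -> str:
    """Return the base64 body of a PEM-armoured PKCS#10 request.

    The BEGIN/END armour lines are dropped, the remaining base64 must
    decode with strict alphabet checking, and the decoded bytes must start
    with 0x30 (the DER SEQUENCE tag). That rejects the two common mistakes:
    pasting the armour lines into the template, or pasting a truncated or
    otherwise mangled blob.
    """
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"CSR body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded CSR does not start with a DER SEQUENCE")
    return body


def fill_template(template_xml: str, csr_pem: str) -> str:
    """Place the CSR's base64 body into the cert_request attribute."""
    root = ET.fromstring(template_xml)
    value = root.find(CERT_REQUEST_PATH)
    if value is None:
        raise ValueError(f"template has no element at {CERT_REQUEST_PATH}")
    value.text = pem_body(csr_pem)
    return ET.tostring(root, encoding="unicode")


def cert_request_in(template_xml: str) -> str:
    """Read back the cert_request value a (filled) template carries."""
    value = ET.fromstring(template_xml).find(CERT_REQUEST_PATH)
    return (value.text or "") if value is not None else ""


if __name__ == "__main__":
    import sys

    # Usage: python fill_template.py template /root/ipa.csr > template.filled
    if len(sys.argv) != 3:
        sys.exit("usage: fill_template.py TEMPLATE CSR_PEM")
    with open(sys.argv[1]) as tpl, open(sys.argv[2]) as csr:
        sys.stdout.write(fill_template(tpl.read(), csr.read()))
```

Running it against the real template and CSR and then submitting the filled file with `pki -n <nickname> cert-request-submit` separates "the request body is malformed" from "the client is not authenticated": if the body check passes and the server still answers 401, the problem is on the credential side.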