[Pki-users] pki cli default CA Admin Unauthorized

Alex Harrison exharrison at yahoo.com
Tue Dec 22 12:57:52 UTC 2015


Thanks for the help.  All I really need to do is to use the default admin to approve certificate requests.  These are the steps I am attempting to use to accomplish that goal:

First, I import the admin cert:
pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------

Then I find a request:
pki ca-cert-request-show 7
-----------------------
Certificate request "7"
-----------------------
Request ID: 7
Type: enrollment
Request Status: pending
Operation Result: success

Then I try to approve it:

pki ca-cert-request-review 7 --action approve
Unauthorized


So then I try to use the database that I initiated and imported the admin certificate into:
pki -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
ProcessingException: Unable to invoke request


It seems as if these are the steps I need to take, but I must have a detail incorrect.  Thanks for your help.



On Monday, December 21, 2015 7:41 PM, Endi Sukma Dewata <edewata at redhat.com> wrote:



On 12/21/2015 4:52 PM, Alex Harrison wrote:

> I've set up a new installation of the dogtag CA and I'm trying to
> approve requests using the default ca admin created at install using the
> commands from the wiki:
> http://pki.fedoraproject.org/wiki/CA_Admin_Setup
>
> When I try to approve, I simply get an "Unauthorized" response. It
> seems I receive this any time I perform either an admin or agent
> command. Any idea what steps I am missing?

Hi,

The above wiki page is actually used to create a new CA admin user, 
which requires an existing CA admin to approve it. When you install CA 
subsystem it will have a default CA admin user which you can use 
directly. It's not necessary to create another CA admin user unless you 
want to give admin access to someone else.

To use the default CA admin user please take a look at this page: 
http://pki.fedoraproject.org/wiki/Default_CA_Admin

You can either import the CA admin cert into ~/.dogtag/nssdb first, or 
use it directly from ~/.dogtag/pki-tomcat/ca/alias if you created the CA 
with pki_client_database_purge=False.

If you're still having issues, could you post the exact commands you're 
trying to execute? Thanks.

-- 
Endi S. Dewata



