[Pki-users] pki cli default CA Admin Unauthorized
Endi Sukma Dewata
edewata at redhat.com
Tue Dec 22 16:35:26 UTC 2015
On 12/22/2015 6:57 AM, Alex Harrison wrote:
> Thanks for the help. All I really need to do is to use the default
admin to approve certificate requests. These are the steps I am
attempting to use to accomplish that goal:
>
> First, I import the admin cert: pki -c Secret123 client-cert-import
> --pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123
Before that, make sure you delete the old admin cert from previous
installation (if any), or just re-initialize the client database with
pki -c Secret123 client-init. Then import the new admin cert with the
above command.
Verify the admin cert is added with this command:
pki client-cert-find
Also see the nickname of the certificate in the above output. The
nickname is configurable using pki_admin_nickname parameter in the
pkispawn deployment configuration.
> Then I find a request: pki ca-cert-request-show 7
You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending
> Then I try to approve it:
>
> pki ca-cert-request-review 7 --action approve
This will not work since the operation requires agent credentials (i.e.
the default admin user).
> So then I try to use the database that I initiated and imported the
admin certificate into:pki -c Secret123 -n caadmin
ca-cert-request-review 7 --action approve
> ProcessingException: Unable to invoke request
This should work assuming the nickname and the cert is correct. If it
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if
there's a problem on the server.
> It seems as if these are the steps I need to take, but I must have a
detail incorrect. Thanks for you help.
--
Endi S. Dewata
More information about the Pki-users
mailing list