[Pki-users] pki cli default CA Admin Unauthorized

[Endi Sukma Dewata]

On 12/22/2015 6:57 AM, Alex Harrison wrote:
> Thanks for the help. All I really need to do is to use the default
admin to approve certificate requests. These are the steps I am
attempting to use to accomplish that goal:
>
> First, I import the admin cert: pki -c Secret123 client-cert-import
> --pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123

Before that, make sure you delete the old admin cert from previous 
installation (if any), or just re-initialize the client database with 
pki -c Secret123 client-init. Then import the new admin cert with the 
above command.

Verify the admin cert is added with this command:
pki client-cert-find

Also see the nickname of the certificate in the above output. The 
nickname is configurable using pki_admin_nickname parameter in the 
pkispawn deployment configuration.

> Then I find a request: pki ca-cert-request-show 7

You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending

> Then I try to approve it:
>
> pki ca-cert-request-review 7 --action approve

This will not work since the operation requires agent credentials (i.e. 
the default admin user).

> So then I try to use the database that I initiated and imported the
admin certificate into:pki -c Secret123 -n caadmin
ca-cert-request-review 7 --action approve
> ProcessingException: Unable to invoke request

This should work assuming the nickname and the cert is correct. If it 
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve

Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if 
there's a problem on the server.

> It seems as if these are the steps I need to take, but I must have a
detail incorrect. Thanks for you help.

-- 
Endi S. Dewata