[Pki-users] pki cli default CA Admin Unauthorized

Alex Harrison exharrison at yahoo.com
Tue Dec 22 20:03:47 UTC 2015



>Verify the admin cert is added with this command:
>pki client-cert-find

>Also see the nickname of the certificate in the above output. The 
>nickname is configurable using pki_admin_nickname parameter in the 
>pkispawn deployment configuration.

I think you've found my problem.  When I issue that command I see:
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x6
  Nickname: PKI Administrator for localdomain
  Subject DN: CN=PKI Administrator,E=caadmin at localdomain,O=localdomain Security Domain
  Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain

"E=caadmin at localdomain" is telling me that the nickname is "caadmin at localdomain", right?  So I need to put the whole string in my command authentication with the -n parameter, not just "caadmin".  Is that correct?  If so, that explains my problems.  When I use the entire string with the domain, the commands all work as I expect.

Thanks for your help.


On Tuesday, December 22, 2015 11:35 AM, Endi Sukma Dewata <edewata at redhat.com> wrote:



On 12/22/2015 6:57 AM, Alex Harrison wrote:
> Thanks for the help. All I really need to do is to use the default
> admin to approve certificate requests. These are the steps I am
> attempting to use to accomplish that goal:
>
> First, I import the admin cert: pki -c Secret123 client-cert-import
> --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123

Before that, make sure you delete the old admin cert from previous 
installation (if any), or just re-initialize the client database with 
pki -c Secret123 client-init. Then import the new admin cert with the 
above command.

Verify the admin cert is added with this command:
pki client-cert-find

Also see the nickname of the certificate in the above output. The 
nickname is configurable using pki_admin_nickname parameter in the 
pkispawn deployment configuration.

> Then I find a request: pki ca-cert-request-show 7

You can find pending requests with this command:
pki -c Secret123 -n caadmin ca-cert-request-find --status pending

> Then I try to approve it:
>
> pki ca-cert-request-review 7 --action approve

This will not work since the operation requires agent credentials (i.e. 
the default admin user).

> So then I try to use the database that I initiated and imported the
> admin certificate into: pki -c Secret123 -n caadmin
> ca-cert-request-review 7 --action approve
> ProcessingException: Unable to invoke request

This should work assuming the nickname and the cert are correct. If it 
still doesn't work, try running it in verbose mode:
pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve

Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if 
there's a problem on the server.


> It seems as if these are the steps I need to take, but I must have a
> detail incorrect. Thanks for your help.

-- 
Endi S. Dewata
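As an added example (not code from the thread or from the Dogtag project): a POSIX sh snippet that takes the value for -n from the Nickname field of `pki client-cert-find` output, the field Endi points to, rather than from a component of the Subject DN, and then runs the find/review sequence from the thread with it. The issuer DN, request id and password are the ones quoted in the thread; the listing is constructed from the output above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dogtag. The listing is
# constructed from the thread's client-cert-find output, with the archive's
# "at" obfuscation undone in the E= component.
SAMPLE_LISTING='----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x6
  Nickname: PKI Administrator for localdomain
  Subject DN: CN=PKI Administrator,E=caadmin@localdomain,O=localdomain Security Domain
  Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain'

# Print the Nickname of the first listed cert whose Issuer DN equals $2.
# $1 is the listing text. Prints nothing when no cert matches.
admin_nickname() {
    printf '%s\n' "$1" | awk -v issuer="$2" '
        /^[[:space:]]*Nickname:/ {
            sub(/^[[:space:]]*Nickname:[[:space:]]*/, ""); nick = $0
        }
        /^[[:space:]]*Issuer DN:/ {
            sub(/^[[:space:]]*Issuer DN:[[:space:]]*/, "")
            if ($0 == issuer && nick != "") { print nick; exit }
        }'
}

# The sequence from the thread, driven by the looked-up nickname instead of
# a guessed one. $1: client DB password (-c), $2: request id. Only call this
# on a host with the pki CLI and an initialised, imported client database.
approve_request() {
    issuer="CN=CA Signing Certificate,O=localdomain Security Domain"
    nick=$(admin_nickname "$(pki -c "$1" client-cert-find)" "$issuer")
    if [ -z "$nick" ]; then
        echo "no admin cert issued by '$issuer' in the client DB; import it first" >&2
        return 1
    fi
    pki -c "$1" -n "$nick" ca-cert-request-find --status pending || return 1
    pki -c "$1" -n "$nick" ca-cert-request-review "$2" --action approve
}

# Offline demonstration on the constructed listing.
echo "value to pass with -n: $(admin_nickname "$SAMPLE_LISTING" \
    "CN=CA Signing Certificate,O=localdomain Security Domain")"
```

On a real host, `approve_request Secret123 7` performs the thread's steps once the admin cert has been imported with client-cert-import.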
