[Pki-users] How to setup PKI Administrator user

Jain, Mahendra Majain at verisign.com
Tue Mar 31 18:15:42 UTC 2015


Hi Nalinda,

I requested the certificate using the 'Manual User Dual-Use Certificate Enrollment' option.

However, when I tried to import the generated certificate into the Firefox browser, I got the following error:
'This personal certificate can't be installed because you don't own the corresponding private key which was created when the certificate was requested.'

To work around this, I manually created a private key and CSR on the client machine using the following steps:

1. Generate a new private key and Certificate Signing Request:
$ openssl req -out operator.csr -new -newkey rsa:2048 -nodes -keyout operator.key

2. Submit the CSR using the 'Manual Administrator Certificate Enrollment' option via the end user interface
(Note: Ensure that the Subject Name field is populated with the exact value as it appears in the Subject attribute of the CSR)

3. Create a PKCS#12 file once the above CSR is approved:
$ openssl pkcs12 -export -out operator.p12 -inkey operator.key -in operator.cert -certfile ca.cert

4. Using PKIConsole, create a new user, add that user to the "Certificate Manager Agents" group and associate the certificate (operator.cert) obtained in step #3 above

5. Launch the Firefox browser and import the PKCS#12 file (operator.p12) under the 'Your Certificates' section

With these steps, I can now successfully access the agent interface.

So, I would like to know when and how the 'Manual User Dual-Use Certificate Enrollment' option is useful in the overall solution.


Thanks,
Mahendra

From: Nalinda Herath <nali.mrt at gmail.com>
Date: Monday, March 30, 2015 at 10:22 PM
To: "Jain, Mahendra" <majain at verisign.com>
Cc: "pki-users at redhat.com" <pki-users at redhat.com>
Subject: Re: [Pki-users] How to setup PKI Administrator user


Yes, Mahendra.

On Mar 30, 2015 11:07 PM, "Jain, Mahendra" <Majain at verisign.com> wrote:
Hi Nalinda,

Thanks for the quick response.

How do I create a new user via the web interface?
Do you mean submit a 'Manual User Dual-Use Certificate Enrollment' request via the end user interface and, once the request is approved, use that certificate when creating the user via PKIConsole?

Thanks,
Mahendra

From: Nalinda Herath <nali.mrt at gmail.com>
Date: Monday, March 30, 2015 at 12:24 PM
To: "Jain, Mahendra" <majain at verisign.com>
Cc: "pki-users at redhat.com" <pki-users at redhat.com>
Subject: Re: [Pki-users] How to setup PKI Administrator user

Dear Mahendra,

You can get it done through the pkiconsole.

First create a new user via the web interface.

Then open the pkiconsole, go to users and groups and add a new user for the system. Set the required attributes and add that user to the "Certificate Manager Agents" group. Use the certificate of the new user created via the web interface.

Hope this will help.

Regards,
Nalinda

On Mon, Mar 30, 2015 at 9:16 PM, Jain, Mahendra <Majain at verisign.com> wrote:
Hello All,

When I install the Dogtag Certificate System, the installation creates a default PKI Administrator user (caadmin).
What is the procedure to set up additional PKI Administrator users so that they can also access the agent interface?

Thanks,
Mahendra




--
Best Regards,
Nalinda
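
The Firefox error quoted in the first message means the browser holds no private key for the certificate being imported. The script below is an added example, not part of the original thread or of Dogtag: it checks that a certificate carries the public key of a locally held private key before building the PKCS#12 file from step 3. The file names operator.key and operator.cert come from the thread; other.key, the export password and the self-signed certificate standing in for the CA-issued one are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Checks that a certificate carries the
# public key of a private key you hold before bundling both into PKCS#12.

# Print the SHA-256 of the SubjectPublicKeyInfo PEM of a key or certificate.
spki_digest() {  # $1 = key|cert, $2 = PEM file
  local pem
  if [ "$1" = key ]; then
    pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  else
    pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  fi
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the cert was issued for this key, 1 if not, 2 if unreadable.
cert_matches_key() {  # $1 = certificate, $2 = private key
  local c k
  c=$(spki_digest cert "$1") || return 2
  k=$(spki_digest key "$2") || return 2
  [ "$c" = "$k" ]
}

# Build the PKCS#12 only when the pair matches (step 3 of the thread).
build_p12() {  # $1 = cert, $2 = key, $3 = output file, $4 = export password
  cert_matches_key "$1" "$2" || { echo "refusing: $1 does not match $2" >&2; return 1; }
  openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -passout "pass:$4"
}

# Constructed sample data: a self-signed cert stands in for the CA-issued one.
make_samples() {  # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=operator" \
    -keyout "$1/operator.key" -out "$1/operator.cert" 2>/dev/null &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key" 2>/dev/null
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
build_p12 "$SAMPLE_DIR/operator.cert" "$SAMPLE_DIR/operator.key" \
          "$SAMPLE_DIR/operator.p12" "constructed-pass" && echo "operator.p12 written"
build_p12 "$SAMPLE_DIR/operator.cert" "$SAMPLE_DIR/other.key" \
          "$SAMPLE_DIR/bad.p12" "constructed-pass" || echo "mismatch rejected"
```

A certificate that fails this check against every key on the client machine was issued for a key generated elsewhere, which is the situation the Firefox import error reports.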
