[Pki-users] How to renew the admin certificate

Ha T. Lam hatlam at gmail.com
Tue Apr 26 17:58:52 UTC 2016


Hi John,

Thank you for your continuous help. I've tried the commands that you showed
me; here are the results:

pk12util -i importfile ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /etc/pki/nssdb/
pk12util: File Open failed: importfile: PR_FILE_NOT_FOUND_ERROR: File not found

pk12util -l listfile -d /etc/pki/nssdb
pk12util: File Open failed: listfile: PR_FILE_NOT_FOUND_ERROR: File not found
pk12util: PKCS12 decode not verified: PR_FILE_NOT_FOUND_ERROR: File not found

I looked to see if there are any other nssdb directories out there. I have
one in /root/.pki/nssdb, but it's empty, and another one in /root/.dogtag/nssdb,
but this is the result of me running pki -c Secret123 client-init earlier.

Any other ideas?

On Mon, Apr 25, 2016 at 6:45 PM, John Magne <jmagne at redhat.com> wrote:

> Hi:
>
> If you have access to the nss db and the pin, you can try the
> following command, preferably with the server shut down:
>
> pk12util
> Usage:   pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
>                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W
> p12filepw]
>                  [-v]
> Usage:   pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
>                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W
> p12filepw]
>                  [-v]
> Usage:   pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
>                  [-c key_cipher] [-C cert_cipher]
>                  [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]
>                  [-k slotpwfile | -K slotpw]
>                  [-w p12filepwfile | -W p12filepw]
>
>
> ----- Original Message -----
> From: "Ha T. Lam" <hatlam at gmail.com>
> To: "John Magne" <jmagne at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Monday, 25 April, 2016 5:18:59 PM
> Subject: Re: [Pki-users] How to renew the admin certificate
>
> Yes, I think the uid is caadmin too. I didn't do the installation, but I
> inherited the config file used during installation, which lists among other
> things, the values of pki_admin_uid, pki_admin_password,
> and pki_client_pkcs12_password.
>
> After digging around some more, I found this page about how to set up a new
> CA admin:
>
> http://pki.fedoraproject.org/wiki/CA_Admin_Setup
>
> But when I execute the following command (replacing CA Admin password and
> nickname appropriately from the values in config file):
>
> pki -c <CA admin password> -n <CA admin nickname> ca-user-add newcaadmin
> --fullName "CA Admin"
>
> I got: ResteasyIOException: IOException
>
> I think it is because the default CA Admin certificate was not installed
> into a database. I tried to do that following:
>
> http://pki.fedoraproject.org/wiki/Default_CA_Admin
>
> but at the following command (replacing Secret123 with our secret)
>
> pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> I got:
>
> Error: Unrecognized option: --pkcs12
> usage: client-cert-import [OPTIONS]
>     --ca-cert <path>   Import CA certificate file
>     --ca-server        Import CA certificate from CA server
>     --cert <path>      Import certificate file
>
> I switched to
>
> pki -c Secret123 -n caadmin client-cert-import --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12
>
> to get "Import failed"
>
> I seem to get stuck at installing either the old cert or the new one. Do
> you know what the commands are to install the cert?
>
> On Mon, Apr 25, 2016 at 4:17 PM, John Magne <jmagne at redhat.com> wrote:
>
> > I suspect the uid is probably caadmin, which is the default, if you left
> > it that way.
> >
> > ----- Original Message -----
> > From: "Ha T. Lam" <hatlam at gmail.com>
> > To: "John Magne" <jmagne at redhat.com>
> > Cc: pki-users at redhat.com
> > Sent: Monday, April 25, 2016 3:12:35 PM
> > Subject: Re: [Pki-users] How to renew the admin certificate
> >
> > Hi John,
> >
> > Thank you very much for your quick reply. I've managed to get ssh -X
> > sorted out because when I typed
> >
> > pkiconsole https://ca02.mycompany.com:8433/ca
> >
> > I get a dialog box asking for User ID and Password. From our conf file, I
> > put in the pki_admin_uid and pki_admin_password, the dialog box went away,
> > but nothing else happened. I also tried using pki_client_pkcs12_password
> > but with the same result. Looking at the log
> > file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see
> >
> > "POST /ca/auths HTTP/1.0" 200 27
> >
> > At this point, I'm not sure if it's because I put in the wrong
> > authentication or if I'm still having problems with the pkiconsole. I've
> > been trying to set up vncserver as you recommended but haven't had much
> > luck.
> >
> > I stumbled on the pki commands and it looks like I can use them to install
> > the client certificate; are they equivalent to the pkiconsole?
> >
> > Thanks,
> > Ha
> >
> >
> > On Mon, Apr 25, 2016 at 11:10 AM, John Magne <jmagne at redhat.com> wrote:
> >
> > > Hello:
> > >
> > > Your approach seems reasonable:
> > >
> > > Perhaps you might want to start a vncserver on there and
> > > come in that way. There have been issues with using the console over ssh.
> > >
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Ha T. Lam" <hatlam at gmail.com>
> > > > To: pki-users at redhat.com
> > > > Sent: Sunday, April 24, 2016 9:29:07 PM
> > > > Subject: [Pki-users] How to renew the admin certificate
> > > >
> > > > Hi all,
> > > >
> > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox. Our admin
> > > > certificate has unfortunately expired, so the web interface complains that
> > > > the cert is invalid. I've managed to rewind the clock and authorize myself
> > > > a PKI Administrator certificate following this thread:
> > > >
> > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html
> > > >
> > > > I'm now trying to import the new certificate into the system. The thread
> > > > mentioned doing it through the pkiconsole, but I have not been able to get
> > > > it to work; when I typed:
> > > >
> > > > pkiconsole https://ca02.mycompany.com:8433/ca
> > > >
> > > > I don't get any error message, but I don't see any console either. I
> > > > suspect this is because I'm ssh-ing into a virtualbox and the display is
> > > > not set correctly.
> > > >
> > > > My questions are:
> > > > 1. Does the process I mentioned above make sense? I'm new to dogtag and
> > > > still learning about it.
> > > > 2. If I'm on the right track, is there a command line option for
> > > > pkiconsole?
> > > >
> > > > Thank you for your help,
> > > > Ha
> > > >
> > > > _______________________________________________
> > > > Pki-users mailing list
> > > > Pki-users at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/pki-users
> > >
> >
>
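The pk12util runs above fail because importfile and listfile are placeholders from the usage text, not file names. As an added example (not from the thread or from Dogtag), the POSIX shell functions below wrap the import John describes so that missing inputs are reported before pk12util runs and the imported admin cert is then checked for validity; they assume the .p12 and password-file paths from the thread, the nickname caadmin, and that pkcs12_password.conf stores the password as an internal= line.

```shell
#!/bin/sh
# Added example, not from the thread or from Dogtag. Imports the CA admin
# PKCS#12 into an NSS database the way pk12util expects: -i takes the real
# .p12 path (not the placeholder "importfile") and -w takes a file that
# holds only the PKCS#12 password.

# Assumption: Dogtag's ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf stores
# the password as a line "internal=<password>"; a file containing the bare
# password is accepted as well.
# Usage: extract_p12_password <pwfile> <outfile>
extract_p12_password() {
    [ -f "$1" ] || return 2
    sed 's/^internal=//' "$1" | head -n 1 > "$2"
}

# Usage: import_admin_p12 <p12file> <pwfile> [nssdb-dir] [nickname]
# Returns 2 if an input file is missing, 1 if pk12util/certutil fail, 0 on
# success. PKI_DRY_RUN=1 validates inputs and prints the command instead.
# If the NSS database itself has a PIN, add -k <pinfile> to pk12util.
import_admin_p12() {
    p12="$1"; pwfile="$2"; nssdb="${3:-/etc/pki/nssdb}"; nick="${4:-caadmin}"
    for f in "$p12" "$pwfile"; do
        if [ ! -f "$f" ]; then
            # This is the PR_FILE_NOT_FOUND_ERROR case from the thread.
            echo "error: input file not found: $f" >&2
            return 2
        fi
    done
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"                        # password file readable only by us
    extract_p12_password "$pwfile" "$tmp"
    if [ "${PKI_DRY_RUN:-0}" = 1 ]; then
        echo "pk12util -i $p12 -d $nssdb -w $tmp"
        rm -f "$tmp"
        return 0
    fi
    if ! pk12util -i "$p12" -d "$nssdb" -w "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    # Confirm the admin cert is in the db and currently valid as a client cert
    # (-u C); an expired cert, the original problem, fails this check.
    certutil -V -d "$nssdb" -n "$nick" -u C
}
```

Run it with the real paths (import_admin_p12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf) with the server shut down, as John suggests.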