[Pki-users] Authorize Sub-CA to be created

Leonardo Bacha Abrantes leonardo at lbasolutions.com
Tue Aug 23 16:45:20 UTC 2016


Hi,

It worked!!
Only the Subordinate CA has a certificate valid only for 2 years. Now I'm
looking for how to increase it.

Many thanks!

On Mon, Aug 22, 2016 at 11:03 AM, Ade Lee <alee at redhat.com> wrote:

> See inline below --
>
> On Fri, 2016-08-19 at 07:28 -0300, Leonardo Bacha Abrantes wrote:
>
> Hi guys,
>
> I'm trying to configure a subordinate CA, but am receiving the message
> "ERROR:  Unable to access security domain: 401 Client Error: Unauthorized".
>
>
> I follow these steps:
>
>
>
>
> ===>> On Server01 (root-ca):
>
>
> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>
>
>
> > myconfig.txt
>
>
> [DEFAULT]
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_instance_name=pki-RootCA
>
> [CA]
> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification
> Authority,o=XXXXXXXXXXX,c=BR
> pki_admin_nickname=PKI Administrator for EXAMPLE
> pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=
> XXXXXXXXXX,c=BR
> pki_admin_email=admin at XXXXXX.xxx.xx
>
>
>
>
>
> ===>> On Server02 (Sub-ca):
>
>
> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>
>
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
>
>
> This is incorrect.  The security domain password -- which for some reason
> you have listed twice in this section -- should be the password for the
> admin user in the root CA.
>
> The subCA is contacting the rootCA - which hosts the security domain - to
> register the new subsystem with the domain.
>
> pki_instance_name=pki-SubCA
> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
> pki_security_domain_https_port=8443
> pki_security_domain_user=caadmin
>
> [CA]
> pki_subordinate=True
> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority
> L2,o=XXXXXXXXXXX,c=BR
> pki_subordinate_create_new_security_domain=True
> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
> pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=
> XXXXXXXXXXX,c=BR
> pki_admin_email=admin at xxxx.xxx.xx
>
>
>
>
> when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>
>
> ERROR:  Unable to access security domain: 401 Client Error: Unauthorized
>
>
>
> ===
>
>
>
> I tried to use the same passwords on myconfig.txt in both servers just to
> test, but I receive the same message.
>
>
> Can you help me please?
>
> Many thanks!
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
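A small lint script for the two problems Ade points out in the sub-CA deployment file (keys listed twice in [DEFAULT], and pki_security_domain_password set to the sub-CA's own admin password instead of the root CA admin's). This is an added example and not code from the thread or from the Dogtag project; the INI parser and the checks are written here for illustration, and the sample deployment text below is constructed from the posted settings with placeholder hostnames and passwords.

```python
"""Lint a pkispawn deployment file for subordinate-CA mistakes.

Added example, not part of Dogtag: the file format is the INI style
pkispawn reads, but the checks and the sample text are constructed here."""
from collections import defaultdict

# Constructed sample: the sub-CA [DEFAULT] section as posted, with the
# security-domain password set to the sub-CA's own admin password and
# two keys listed twice.
SAMPLE_SUBCA_CONFIG = """\
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.example.test
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.example.test:8443
"""

# Settings a subordinate CA needs to reach and register with the root CA's
# security domain (names taken from the thread; the list itself is ours).
REQUIRED_FOR_SUBORDINATE = (
    "pki_security_domain_hostname",
    "pki_security_domain_https_port",
    "pki_security_domain_user",
    "pki_security_domain_password",
    "pki_issuing_ca",
)


def parse_deployment_file(text):
    """Parse INI-style text into {section: {key: [value, ...]}}.

    Every occurrence of a key is kept so duplicates can be reported;
    configparser would either raise on a duplicate or silently keep the
    last value."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line or section is None:
            continue
        key, _, value = line.partition("=")
        sections[section][key.strip()].append(value.strip())
    return sections


def lint_subordinate_config(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    cfg = parse_deployment_file(text)
    findings = []
    default = cfg.get("DEFAULT", {})
    ca = cfg.get("CA", {})

    # 1. Duplicate keys inside one section.
    for name, keys in cfg.items():
        for key, values in keys.items():
            if len(values) > 1:
                findings.append(f"duplicate key {key} in [{name}] ({len(values)} times)")

    # Only apply the subordinate-specific checks when pki_subordinate=True.
    if ca.get("pki_subordinate", ["False"])[-1].lower() != "true":
        return findings

    # [CA] values override [DEFAULT]; the last occurrence of a key wins.
    merged = {k: v[-1] for sect in (default, ca) for k, v in sect.items()}

    # 2. Everything needed to contact the root CA's security domain is present.
    for key in REQUIRED_FOR_SUBORDINATE:
        if key not in merged:
            findings.append(f"missing {key}, required for a subordinate CA")

    # 3. The security-domain password authenticates pki_security_domain_user
    #    against the ROOT CA, so it should not be this instance's admin password.
    sd_pwd = merged.get("pki_security_domain_password")
    if sd_pwd and sd_pwd == merged.get("pki_admin_password"):
        user = merged.get("pki_security_domain_user", "?")
        findings.append("pki_security_domain_password equals this instance's "
                        f"pki_admin_password; it must be the root CA admin ({user}) password")
    return findings


if __name__ == "__main__":
    for finding in lint_subordinate_config(SAMPLE_SUBCA_CONFIG):
        print("WARN:", finding)
```

Run against the constructed sample it reports the two duplicated keys and the reused password; once the duplicates are removed and pki_security_domain_password is set to the root CA admin's password, it reports nothing. A 401 from the security domain at pkispawn time is exactly the symptom the third check is meant to catch before the deployment is attempted.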