From john at yourtech.us Tue May 10 15:58:05 2016
From: john at yourtech.us (John Hogenmiller (yt))
Date: Tue, 10 May 2016 11:58:05 -0400
Subject: [Pki-users] Replace default caadmin key
Message-ID:

Hello,

I've been recently learning a good bit about dogtag pki. I've set up a
standalone dogtag instance for development, I've written some code to
generate CSRs and get a cert from dogtag. I then went to try and get this
working against our FreeIPA instances. While trying to create a user
certificate, I found that none of my pki -n caadmin commands would work.

I eventually discovered this page
http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
master/first freeipa server. While I did have the .cert and .der files, I
did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
server was rebuilt at one point, and no one was aware of the need to back up
this directory.

I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
either of these contain the private key that would have been in
ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
be replicated to every freeipa replica).

My question at this point is if I can regain control of the dogtag CA
system. I believe I would have to create a new key/cert pair locally, and
then update an ldap entry with the new cert. Or maybe I can create a new
user entirely to manage dogtag. I would probably have to sign the user cert
using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
looking for guidance. If my guesses are correct, a series of openssl
commands, followed by some work with ldif files and ldapmodify.

Thanks in advance,
John


From john at yourtech.us Tue May 10 16:47:52 2016
From: john at yourtech.us (John Hogenmiller (yt))
Date: Tue, 10 May 2016 12:47:52 -0400
Subject: [Pki-users] Replace default caadmin key
In-Reply-To:
References:
Message-ID:

To follow up on my own message, I can definitely view the user cert with
ldap search.

ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'

The contents of the userCertificate attribute do match the ca_admin.cert
file. That certificate is signed by the freeipa cacert. The key is if I
can replace the userCertificate attribute and if that new one needs to be
signed.

-John

On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt) wrote:
> Hello,
>
> I've been recently learning a good bit about dogtag pki. I've set up a
> standalone dogtag instance for development, I've written some code to
> generate CSRs and get a cert from dogtag. I then went to try and get this
> working against our FreeIPA instances. While trying to create a user
> certificate, I found that none of my pki -n caadmin commands would work.
>
> I eventually discovered this page
> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
> master/first freeipa server. While I did have the .cert and .der files, I
> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
> server was rebuilt at one point, and no one was aware of the need to back up
> this directory.
>
> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
> either of these contain the private key that would have been in
> ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
> be replicated to every freeipa replica).
>
> My question at this point is if I can regain control of the dogtag CA
> system. I believe I would have to create a new key/cert pair locally, and
> then update an ldap entry with the new cert. Or maybe I can create a new
> user entirely to manage dogtag. I would probably have to sign the user cert
> using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
> looking for guidance. If my guesses are correct, a series of openssl
> commands, followed by some work with ldif files and ldapmodify.
>
> Thanks in advance,
> John


From john at yourtech.us Tue May 10 19:01:13 2016
From: john at yourtech.us (John Hogenmiller (yt))
Date: Tue, 10 May 2016 15:01:13 -0400
Subject: [Pki-users] Replace default caadmin key
In-Reply-To:
References:
Message-ID:

It turned out that ca-agent.p12 in /root did have the key I need. So I
guess I'm good. That's getting backed up and we'll make new users for our
config management system.

For academic purposes, I am still curious as to how one would go about
this. I did update the admin user with a self-signed key, and I even went
as far as to use the CA to sign a key. I tried creating a new user and
updating the admin user with certificates via ldapmodify.

In both cases, I got that I could not map certificate to any user.

[10/May/2016:18:27:27][http-bio-8443-exec-11]: CertUserDBAuthentication: cannot map certificate to any user
[10/May/2016:18:27:27][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent, O=EXAMPLE.COM] authentication failure

On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt) wrote:
> To follow up on my own message, I can definitely view the user cert
> with ldap search.
>
> ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
>
> The contents of the userCertificate attribute do match the ca_admin.cert
> file. That certificate is signed by the freeipa cacert. The key is if
> I can replace the userCertificate attribute and if that new one needs
> to be signed.
>
> -John
>
> On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt) wrote:
>> Hello,
>>
>> I've been recently learning a good bit about dogtag pki. I've set up a
>> standalone dogtag instance for development, I've written some code to
>> generate CSRs and get a cert from dogtag. I then went to try and get this
>> working against our FreeIPA instances. While trying to create a user
>> certificate, I found that none of my pki -n caadmin commands would work.
>>
>> I eventually discovered this page
>> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
>> master/first freeipa server. While I did have the .cert and .der files, I
>> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
>> server was rebuilt at one point, and no one was aware of the need to back up
>> this directory.
>>
>> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
>> either of these contain the private key that would have been in
>> ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
>> be replicated to every freeipa replica).
>>
>> My question at this point is if I can regain control of the dogtag CA
>> system. I believe I would have to create a new key/cert pair locally, and
>> then update an ldap entry with the new cert. Or maybe I can create a new
>> user entirely to manage dogtag. I would probably have to sign the user cert
>> using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
>> looking for guidance. If my guesses are correct, a series of openssl
>> commands, followed by some work with ldif files and ldapmodify.
>>
>> Thanks in advance,
>> John


From john at yourtech.us Tue May 10 19:14:17 2016
From: john at yourtech.us (John Hogenmiller (yt))
Date: Tue, 10 May 2016 15:14:17 -0400
Subject: [Pki-users] wiki update
Message-ID:

On http://pki.fedoraproject.org/wiki/Default_CA_Admin

The following command:

$ pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

should read:

$ pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf


From alee at redhat.com Tue May 10 19:18:11 2016
From: alee at redhat.com (Ade Lee)
Date: Tue, 10 May 2016 15:18:11 -0400
Subject: [Pki-users] Replace default caadmin key
In-Reply-To:
References:
Message-ID: <1462907891.30774.52.camel@redhat.com>

On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote:
> It turned out that ca-agent.p12 in /root did have the key I need.
> So I guess I'm good. That's getting backed up and we'll make new
> users for our config management system.
>
> For academic purposes, I am still curious as to how one would go
> about this. I did update the admin user with a self-signed key, and I
> even went as far as to use the CA to sign a key. I tried creating a
> new user and updating the admin user with certificates via ldapmodify.
>
> In both cases, I got that I could not map certificate to any user.
>
> [10/May/2016:18:27:27][http-bio-8443-exec-11]:
> CertUserDBAuthentication: cannot map certificate to any user
> [10/May/2016:18:27:27][http-bio-8443-exec-11]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent,
> O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent,
> O=EXAMPLE.COM] authentication failure

What you were probably missing was updating the description field in
the user entry. Not only does the cert have to match, but the
description needs to as well.

That description has the format:

description: 2;<serial number>;<issuer DN>;<subject DN>

Ade

> On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt) wrote:
> > To follow up on my own message, I can definitely view the user cert
> > with ldap search.
> >
> > ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
> >
> > The contents of the userCertificate attribute do match the
> > ca_admin.cert file. That certificate is signed by the freeipa
> > cacert. The key is if I can replace the userCertificate attribute
> > and if that new one needs to be signed.
> >
> > -John
> >
> > On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt) wrote:
> > > Hello,
> > >
> > > I've been recently learning a good bit about dogtag pki. I've
> > > set up a standalone dogtag instance for development, I've written
> > > some code to generate CSRs and get a cert from dogtag. I then went
> > > to try and get this working against our FreeIPA instances. While
> > > trying to create a user certificate, I found that none of my
> > > pki -n caadmin commands would work.
> > >
> > > I eventually discovered this page
> > > http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to
> > > the master/first freeipa server. While I did have the .cert and
> > > .der files, I did not have
> > > "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
> > > server was rebuilt at one point, and no one was aware of the need
> > > to back up this directory.
> > >
> > > I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't
> > > believe either of these contain the private key that would have
> > > been in ca_admin_cert.p12. I do have the pkcs12 password conf
> > > files (these seem to be replicated to every freeipa replica).
> > >
> > > My question at this point is if I can regain control of the
> > > dogtag CA system. I believe I would have to create a new key/cert
> > > pair locally, and then update an ldap entry with the new cert. Or
> > > maybe I can create a new user entirely to manage dogtag. I would
> > > probably have to sign the user cert using cacert.p12 as well.
> > > Since I'm unfamiliar with dogtag internals, looking for guidance.
> > > If my guesses are correct, a series of openssl commands, followed
> > > by some work with ldif files and ldapmodify.
> > >
> > > Thanks in advance,
> > > John
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users


From ghostetl at cisco.com Tue May 10 19:38:59 2016
From: ghostetl at cisco.com (Gary Hostetler (ghostetl))
Date: Tue, 10 May 2016 19:38:59 +0000
Subject: [Pki-users] Dogtag support of CA certificate rollover
Message-ID: <6a9fee2d62554a038d67a04c77731b8a@XCH-ALN-013.cisco.com>

Good day,

I am trying to understand if Dogtag supports the ability to create a chain
of trust certificates that support CA certificate rollover. There would be
transition certs from the old existing certificate/key to a new certificate
and key. The transition certs OldWithNew and NewWithOld are used for the
transition from the old CA cert (OldWithOld) to the new one (NewWithNew).

Thank you - Gary Hostetler
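Nothing in the thread answers Gary's question, and nothing below says what Dogtag does or does not support. As an added example, written for this page and not taken from the list or from the Dogtag project, the script builds the four certificates of the rollover pattern Gary names (the OldWithOld/NewWithNew/NewWithOld/OldWithNew terminology is the one RFC 4210 uses for CA key update) with plain openssl, then runs the verifications that show what the transition certificates buy: a relying party that still trusts only OldWithOld accepts a certificate issued under the new key once NewWithOld is supplied as an intermediate, and one that already trusts only NewWithNew accepts old-key certificates via OldWithNew. Every DN, file name, serial number and the choice of P-256 keys is made up for the demo. The CA keeps one subject name across the rollover, so a chain builder can only tell the two keys apart by SKID/AKID; that is why those extensions are set on every certificate the script makes.

```shell
#!/bin/sh
# Added example, not from the list thread and not Dogtag code: the four
# certificates of a CA key rollover, built with plain openssl, plus the
# verifications that show what the two transition certificates are for.
# DNs, file names, serials and the use of P-256 keys are all made up.
set -eu
WORK=${WORK:-$(mktemp -d)}
CA_DN="/O=EXAMPLE.COM/CN=Certificate Authority"   # the CA keeps its name across the rollover

# Extensions for anything that signs certificates. With one DN for both keys,
# SKID/AKID are what lets a chain builder tell the old key from the new one.
ca_ext() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid'
}
leaf_ext() {
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
                  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid'
}

# ca_cert <subject key> <signing key> <serial>  ->  $WORK/<subject>-with-<signer>.crt
#   old old = OldWithOld, new new = NewWithNew   (self-signed trust anchors)
#   new old = NewWithOld, old new = OldWithNew   (transition certificates)
ca_cert() {
    openssl req -new -key "$WORK/$1.key" -subj "$CA_DN" -out "$WORK/$1.csr" 2>/dev/null
    ca_ext > "$WORK/ca.ext"
    if [ "$1" = "$2" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -set_serial "$3" \
            -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/$1-with-$2.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2-with-$2.crt" -CAkey "$WORK/$2.key" \
            -set_serial "$3" -days 365 -extfile "$WORK/ca.ext" -out "$WORK/$1-with-$2.crt" 2>/dev/null
    fi
}

# issue_leaf <name> <issuing key: old|new> <serial>  ->  $WORK/<name>.crt
issue_leaf() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/O=EXAMPLE.COM/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
    leaf_ext > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2-with-$2.crt" -CAkey "$WORK/$2.key" \
        -set_serial "$3" -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_with <leaf> <trusted anchor> [untrusted transition cert]
# A relying party that trusts only the anchor; the exit status is openssl's verdict.
verify_with() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$WORK/$2" -untrusted "$WORK/$3" "$WORK/$1.crt"
    else
        openssl verify -CAfile "$WORK/$2" "$WORK/$1.crt"
    fi
}

rollover_demo() {
    for k in old new; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$k.key" 2>/dev/null
    done
    ca_cert old old 1      # OldWithOld
    ca_cert new new 2      # NewWithNew
    ca_cert new old 3      # NewWithOld: old-anchor clients can reach certs issued by the new key
    ca_cert old new 4      # OldWithNew: new-anchor clients can reach certs issued by the old key
    issue_leaf leaf-old old 10
    issue_leaf leaf-new new 11
}

if [ "${1:-}" = run ]; then
    rollover_demo
    verify_with leaf-new old-with-old.crt new-with-old.crt   # OK: via NewWithOld
    verify_with leaf-old new-with-new.crt old-with-new.crt   # OK: via OldWithNew
    verify_with leaf-new old-with-old.crt || true            # fails: no transition cert offered
fi
```

Run it as `sh rollover.sh run` (the file name is assumed). The last verification, with no transition certificate offered, ends in "unable to get local issuer certificate": that is the state relying parties are left in when a CA rolls its key without publishing NewWithOld. Whether Dogtag can produce NewWithOld and OldWithNew itself is exactly what Gary asks and this script does not answer; it only shows what the artefacts and the resulting chains look like.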
From edewata at redhat.com Tue May 10 20:17:26 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 10 May 2016 15:17:26 -0500
Subject: [Pki-users] wiki update
In-Reply-To:
References:
Message-ID:

On 5/10/2016 2:14 PM, John Hogenmiller (yt) wrote:
> On http://pki.fedoraproject.org/wiki/Default_CA_Admin
>
> The following command:
>
> $ pki -c Secret123 client-cert-import --pkcs12
> ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password
> ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> should read:
> $ pki -c Secret123 client-cert-import --pkcs12
> ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password-file
> ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

Thanks! It's been updated.

--
Endi S. Dewata


From edewata at redhat.com Tue May 10 20:37:57 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 10 May 2016 15:37:57 -0500
Subject: [Pki-users] Replace default caadmin key
In-Reply-To: <1462907891.30774.52.camel@redhat.com>
References: <1462907891.30774.52.camel@redhat.com>
Message-ID: <35aac262-1026-f122-7dc9-16a373aca918@redhat.com>

On 5/10/2016 2:18 PM, Ade Lee wrote:
> On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote:
>> It turned out that ca-agent.p12 in /root did have the key I need.
>> So I guess I'm good. That's getting backed up and we'll make new
>> users for our config management system.
>>
>> For academic purposes, I am still curious as to how one would go
>> about this. I did update the admin user with a self-signed key, and I
>> even went as far as to use the CA to sign a key. I tried creating a
>> new user and updating the admin user with certificates via ldapmodify.
>>
>> In both cases, I got that I could not map certificate to any user.
>>
>> [10/May/2016:18:27:27][http-bio-8443-exec-11]:
>> CertUserDBAuthentication: cannot map certificate to any user
>> [10/May/2016:18:27:27][http-bio-8443-exec-11]:
>> SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent,
>> O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent,
>> O=EXAMPLE.COM] authentication failure
>
> What you were probably missing was updating the description field in
> the user entry. Not only does the cert have to match, but the
> description needs to as well.
>
> That description has the format:
>
> description: 2;<serial number>;<issuer DN>;<subject DN>
>
> Ade

I believe IPA moves /root/.dogtag/pki-tomcat/ca_admin_cert.p12 to
/root/ca-agent.p12 right after installation. The file name is a bit
misleading, so feel free to open an IPA ticket.

Please take a look at this page:
http://pki.fedoraproject.org/wiki/IPA_PKI_Admin_Setup

I haven't tried it recently, but supposedly you can just use
-n ipa-ca-agent instead of -n caadmin to access PKI services in IPA.

Which commands are you trying to execute?

We have some docs about IPA from PKI's perspective:
http://pki.fedoraproject.org/wiki/IPA

If you have any feedback for the wiki pages just let us know. Thanks!

--
Endi S. Dewata


From mharmsen at redhat.com Tue May 24 16:23:29 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 24 May 2016 09:23:29 -0700
Subject: [Pki-users] Announcing the Release of Dogtag 10.3.1
Message-ID: <7b706232-14e4-4953-47f1-32a428d4c594@redhat.com>

The Dogtag team is proud to announce the release of Dogtag 10.3.1.

Builds are available for Fedora 24.

== Build Versions ==

* dogtag-pki-10.3.1-1
* dogtag-pki-theme-10.3.1-1
* pki-console-10.3.1-1
* pki-core-10.3.1-1

== Upgrade Notes ==

Simply use dnf to update existing packages.
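To make the answer in the "Replace default caadmin key" thread above concrete: Ade Lee's point is that CertUserDBAuthentication maps a client certificate to a user entry through the description attribute, not through userCertificate alone, which is why John's ldapmodify attempts produced "cannot map certificate to any user". The script below is an added example, written for this page and not taken from the thread or from Dogtag, that builds from a certificate file the "openssl, then ldif, then ldapmodify" sequence John guessed at: one modify LDIF that replaces userCertificate and description together. Its assumptions, every one of which should be checked against an entry that already works (the uid=admin entry John read with ldapsearch), are that Dogtag users in IPA sit under ou=people,o=ipaca; that the serial is written in decimal; and that the DNs are rendered most-specific-first with a comma and a space between RDNs and E= for the e-mail attribute, as the AUTH_FAIL line in the thread shows them (CN=ipa-ca-agent, O=EXAMPLE.COM). DNs containing escaped or non-ASCII characters may not come out identically and should be copied from a working entry instead.

```shell
#!/bin/sh
# Added example, not from the thread or the Dogtag project.
# Builds the LDIF that binds a certificate to a Dogtag user so that
# CertUserDBAuthentication can map it: userCertificate must hold the DER
# cert and description must hold  2;<serial>;<issuer DN>;<subject DN>.
# Assumptions (check them against a working entry such as uid=admin):
#   users live under ou=people,o=ipaca (IPA's Dogtag instance)
#   DNs are written CN first, ", " separated, as in the AUTH_FAIL log line
set -eu

# openssl prints the serial in hex; the description wants decimal.
# bc is used so serials wider than 64 bits do not overflow shell arithmetic.
hex2dec() {
    printf 'ibase=16; %s\n' "$(printf '%s' "$1" | tr 'a-f' 'A-F')" | BC_LINE_LENGTH=0 bc
}

# Issuer or subject DN in the style the CA searches for: RFC2253 order
# (most specific RDN first), ", " between RDNs, E= for the e-mail attribute.
# The sed also puts a space after a comma that RFC2253 escaped inside a value,
# which is one reason to compare the result with the existing entry.
dn_java_style() {   # $1 = cert PEM, $2 = issuer|subject
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 \
        | sed -e 's/^[a-z]*= *//' -e 's/,/, /g' -e 's/emailAddress=/E=/g'
}

dogtag_description() {   # $1 = cert PEM
    serial_hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    printf '2;%s;%s;%s\n' "$(hex2dec "$serial_hex")" \
        "$(dn_java_style "$1" issuer)" "$(dn_java_style "$1" subject)"
}

# Modify LDIF for ldapmodify: both attributes are replaced in one operation,
# because a certificate the CA cannot map is an AUTH_FAIL, not a partial login.
user_ldif() {   # $1 = uid of the PKI user, $2 = cert PEM
    cat <<EOF
dn: uid=$1,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate:: $(openssl x509 -in "$2" -outform DER | openssl base64 -A)
-
replace: description
description: $(dogtag_description "$2")
EOF
}

# Dry run against an entry that already authenticates: the description this
# script computes for its certificate must equal what is stored, byte for byte.
check_existing() {   # $1 = uid, $2 = PEM of the cert already in that entry
    want=$(dogtag_description "$2")
    have=$(ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no -b "uid=$1,ou=people,o=ipaca" \
               -s base description | sed -n 's/^description: //p')
    [ "$want" = "$have" ]
}

if [ $# -eq 2 ]; then      # usage: sh bind-cert.sh <uid> <cert.pem> | ldapmodify -Y GSSAPI
    user_ldif "$1" "$2"
fi
```

The intended workflow is `check_existing admin /root/.dogtag/pki-tomcat/ca_admin.cert` first (the uid and the path are from the thread; whether that file is PEM on a given install is not), and only when that comparison holds, `sh bind-cert.sh <uid> <new-cert.pem> | ldapmodify -Y GSSAPI`. If the comparison fails, the DN rendering on that CA differs from the assumption above and the stored value is the one to imitate.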
From pascal.jakobi at gmail.com Wed May 25 19:09:29 2016
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Wed, 25 May 2016 21:09:29 +0200
Subject: [Pki-users] Registration Authority
Message-ID: <8c9adbc1-38f4-a4e8-69c7-eed80a5f9e9d@gmail.com>

As far as I can see, there is currently no RA in dogtag (no such choice in
pkispawn, no rpm). However, this is frequently required by customers.

Is there a document that discusses this topic?

Thanks in advance

--
Pascal Jakobi
116 rue de Stalingrad
93100 Montreuil, France
Tel : +33 6 87 47 58 19