[Pki-users] Replace default caadmin key
John Hogenmiller (yt)
john at yourtech.us
Tue May 10 15:58:05 UTC 2016
Hello,
I've been recently learning a good bit about dogtag pki. I've setup a
standalone dogtag instance for development, I've written some code to
generate CSRs and get a cert from dogtag. I then went to try and get this
working against our FreeIPA instances. While trying to create a user
certificate, I found that none of my pki -n caadmin commands would work.
I eventually discovered this page
http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
master/first freeipa server. While I did have the .cert and .der files, I
did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out
this server was rebuilt at one point, and no one was aware of the need to
back up this directory.
I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
either of these contain the private key that would have been in
ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
be replicated to every freeipa replica).
My question at this point is if I can regain control of the dogtag CA
system. I believe I would have to create a new key/cert pair locally, and
then update an ldap entry with the new cert. Or maybe I can create a new
user entirely to manage dogtag. I would probably have to sign the user cert
using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
looking for guidance. If my guesses are correct, a series of openssl
commands, followed by some work with ldif files and ldapmodify.
Thanks in advance,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20160510/7bd93e95/attachment.htm>
More information about the Pki-users
mailing list