[Pki-users] Replace default caadmin key

John Hogenmiller (yt) john at yourtech.us
Tue May 10 16:47:52 UTC 2016


To follow up on my own message, I can definitely view the user cert
with ldapsearch.

ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'

The contents of userCertificate attribute do match the ca_admin.cert
file. That certificate is signed by the freeipa cacert. The key is if
I can replace the userCertificate attribute and if that new one needs
to be signed.

-John

On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
<john at yourtech.us> wrote:
> Hello,
>
> I've been recently learning a good bit about dogtag pki.  I've set up a
> standalone dogtag instance for development, I've written some code to
> generate CSRs and get a cert from dogtag.  I then went to try and get this
> working against our FreeIPA instances. While trying to create a user
> certificate, I found that none of my pki -n caadmin commands would work.
>
> I eventually discovered this page
> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
> master/first freeipa server.  While I did have the .cert and .der files, I
> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
> server was rebuilt at one point, and no one was aware of the need to back up
> this directory.
>
> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
> either of these contain the private key that would have been in
> ca_admin_cert.p12.  I do have the pkcs12 password conf files (these seem to
> be replicated to every freeipa replica).
>
> My question at this point is if I can regain control of the dogtag CA
> system. I believe I would have to create a new key/cert pair locally, and
> then update an ldap entry with the new cert. Or maybe I can create a new
> user entirely to manage dogtag. I would probably have to sign the user cert
> using cacert.p12 as well.  Since I'm unfamiliar with dogtag internals, I'm
> looking for guidance.  If my guesses are correct, a series of openssl
> commands, followed by some work with ldif files and ldapmodify.
>
> Thanks in advance,
> John
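The openssl-then-LDIF sequence the original post guesses at, written out as an added example (this is not code from the post or from the Dogtag/FreeIPA projects). It runs entirely against a throwaway test CA created in a temp directory, which stands in for the real FreeIPA CA key in /root/cacert.p12; the admin entry's DN under o=ipaca (`uid=admin,ou=people,o=ipaca`) and the attribute name `userCertificate;binary` are assumptions to confirm with the `ldapsearch` from the follow-up before running `ldapmodify`. The check functions cover the three things the thread worries about: that the new cert is signed by the CA, that the LDIF carries exactly the cert on disk (the same comparison the follow-up makes against ca_admin.cert), and that the private key and cert belong together, which is what the missing ca_admin_cert.p12 used to guarantee.

```shell
#!/bin/sh
# Added example: rebuild a CA admin key/cert locally and prepare the LDIF that
# replaces the cert stored in the admin user's LDAP entry. The CA below is a
# constructed stand-in for the FreeIPA CA; the DN and attribute name are assumed.
set -eu

WORK="$(mktemp -d)"
ADMIN_DN="uid=admin,ou=people,o=ipaca"   # assumed DN; confirm with ldapsearch -b o=ipaca 'uid=admin'

# Constructed test CA (in production, the real CA key from cacert.p12 signs instead).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=EXAMPLE/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1: a fresh key pair and CSR for the admin user (subject is a placeholder).
make_admin_csr() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE/OU=pki-tomcat/CN=PKI Administrator" \
        -keyout "$WORK/admin.key" -out "$WORK/admin.csr" 2>/dev/null
}

# Step 2: sign the CSR with the CA and emit DER, which is the form userCertificate holds.
sign_admin_cert() {
    openssl x509 -req -in "$WORK/admin.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/admin.crt" 2>/dev/null
    openssl x509 -in "$WORK/admin.crt" -outform DER -out "$WORK/admin.der"
}

# Step 3: LDIF that swaps the attribute. Apply with: ldapmodify -Y GSSAPI -f admin.ldif
write_ldif() {
    b64="$(openssl base64 -A -in "$WORK/admin.der")"
    {
        printf 'dn: %s\n' "$ADMIN_DN"
        printf 'changetype: modify\n'
        printf 'replace: userCertificate;binary\n'
        printf 'userCertificate;binary:: %s\n' "$b64"
    } > "$WORK/admin.ldif"
}

# Step 4: bundle key and cert the way ca_admin_cert.p12 did (password is a placeholder).
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/admin.key" -in "$WORK/admin.crt" \
        -name "PKI Administrator" -passout pass:changeme -out "$WORK/ca_admin_cert.p12"
}

# Check: the new cert chains to the CA (the thread's "signed by the freeipa cacert").
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/admin.crt" >/dev/null 2>&1
}

# Check: the LDIF value is byte-for-byte the DER cert on disk.
ldif_matches_cert() {
    ldif_val="$(sed -n 's/^userCertificate;binary:: //p' "$WORK/admin.ldif")"
    disk_val="$(openssl base64 -A -in "$WORK/admin.der")"
    [ "$ldif_val" = "$disk_val" ]
}

# Check: private key and cert carry the same public key.
key_matches_cert() {
    k="$(openssl pkey -in "$WORK/admin.key" -pubout 2>/dev/null | openssl sha256)"
    c="$(openssl x509 -in "$WORK/admin.crt" -pubkey -noout | openssl sha256)"
    [ "$k" = "$c" ]
}

rebuild_admin() {
    make_test_ca && make_admin_csr && sign_admin_cert && write_ldif && make_p12
}

rebuild_admin
echo "LDIF ready: $WORK/admin.ldif (review the dn: line before ldapmodify)"
```

The LDIF uses the `::` base64 form because the attribute is binary DER, not PEM; OpenLDAP's ldapmodify accepts the single long value line. Swapping in the real CA means replacing `make_test_ca` with the key extracted from cacert.p12 (`openssl pkcs12 -in /root/cacert.p12 -nocerts`), after which `verify_chain` should be run against the FreeIPA CA cert rather than the test one.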
