[Pki-users] Replace default caadmin key

John Hogenmiller (yt) john at yourtech.us
Tue May 10 19:01:13 UTC 2016


It turned out that the ca-agent.p12 in /root did have the key I need.
So I guess I'm good. That's getting backed up and we'll make new users
for our config management system.

For academic purposes, I am still curious as to how one would go about
this. I did update the admin user with a self-signed key, and I even
went as far as to use the CA to sign a key.  I tried creating a new
user and updating the admin user with certificates via ldapmodify.

In both cases, I got that I could not map certificate to any user.

[10/May/2016:18:27:27][http-bio-8443-exec-11]: CertUserDBAuthentication: cannot map certificate to any user
[10/May/2016:18:27:27][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent, O=EXAMPLE.COM] authentication failure

On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt)
<john at yourtech.us> wrote:
> To follow up on my own message, I can definitely view the user cert
> with ldapsearch.
>
> ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
>
> The contents of userCertificate attribute do match the ca_admin.cert
> file. That certificate is signed by the freeipa cacert. The key is if
> I can replace the userCertificate attribute and if that new one needs
> to be signed.
>
> -John
>
> On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
> <john at yourtech.us> wrote:
>> Hello,
>>
>> I've been recently learning a good bit about dogtag pki.  I've set up a
>> standalone dogtag instance for development, I've written some code to
>> generate CSRs and get a cert from dogtag.  I then went to try and get this
>> working against our FreeIPA instances. While trying to create a user
>> certificate, I found that none of my pki -n caadmin commands would work.
>>
>> I eventually discovered this page
>> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
>> master/first freeipa server.  While I did have the .cert and .der files, I
>> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
>> server was rebuilt at one point, and no one was aware of the need to back up
>> this directory.
>>
>> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
>> either of these contain the private key that would have been in
>> ca_admin_cert.p12.  I do have the pkcs12 password conf files (these seem to
>> be replicated to every freeipa replica).
>>
>> My question at this point is if I can regain control of the dogtag CA
>> system. I believe I would have to create a new key/cert pair locally, and
>> then update an ldap entry with the new cert. Or maybe I can create a new
>> user entirely to manage dogtag. I would probably have to sign the user cert
>> using cacert.p12 as well.  Since I'm unfamiliar with dogtag internals,
>> looking for guidance.  If my guesses are correct, a series of openssl
>> commands, followed by some work with ldif files and ldapmodify.
>>
>> Thanks in advance,
>> John
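The steps the original poster guesses at (new key and CSR with openssl, sign it with the CA key, then ldapmodify the user entry) can be scripted as below. This is an added example, not code from the thread or from the Dogtag project, and it makes two assumptions the thread does not confirm: that the Dogtag admin entry lives at uid=admin,ou=people,o=ipaca, and that certUserDBAuthMgr maps a client certificate to a user through the entry's description attribute, whose value has the form 2;<serial>;<issuer DN>;<subject DN>, so that replacing userCertificate alone leaves the server unable to map the new cert. The CA in the script is a locally generated stub standing in for the key that would be pulled out of /root/cacert.p12, and the serial is fixed so the resulting description string is predictable.

```shell
#!/bin/sh
# Added example (not from the thread): build a replacement key/cert for the
# Dogtag admin user and the LDIF that would install it with ldapmodify.
# Assumptions, not confirmed by the thread:
#   - user base DN is ou=people,o=ipaca (admin = uid=admin,ou=people,o=ipaca)
#   - certUserDBAuthMgr matches on the entry's "description" attribute, whose
#     value has the form  2;<serial decimal>;<issuer DN>;<subject DN>
# Everything is generated locally, including a stub CA that stands in for the
# key you would extract from /root/cacert.p12.
set -e

WORK=${WORK:-$(mktemp -d)}
SERIAL=4242   # fixed so the expected description string is known

# Stub CA. With the real one: openssl pkcs12 -in /root/cacert.p12 -nodes -out ca.pem
# and point -CA/-CAkey below at ca.pem.
make_stub_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# New key + CSR for the user ($1 = openssl -subj string), signed by the CA.
# The cert must chain to the CA the server trusts, otherwise TLS client auth
# fails before any user mapping is attempted.
make_user_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$1" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -set_serial "$SERIAL" \
        -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -out "$WORK/user.crt" >/dev/null 2>&1
    openssl x509 -in "$WORK/user.crt" -outform DER -out "$WORK/user.der"
}

# RFC 2253 DN of a cert ($1 = PEM, $2 = -subject or -issuer). The "name="
# prefix differs between OpenSSL versions ("subject=" vs "subject= "), so strip it.
dn_of() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[a-z]*= *//'
}

# Dogtag-style cert descriptor for the description attribute (assumed format).
# The serial comes back from openssl as hex; Dogtag stores it in decimal.
cert_description() {
    hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    printf '2;%d;%s;%s\n' "0x$hex" "$(dn_of "$1" -issuer)" "$(dn_of "$1" -subject)"
}

# LDIF replacing both attributes on the user entry ($1 = DN, $2 = PEM, $3 = DER).
# Check with the ldapsearch from the thread whether the existing entry uses
# userCertificate or userCertificate;binary and use the same name here.
build_ldif() {
    b64=$(openssl base64 -A -in "$3")
    printf 'dn: %s\nchangetype: modify\nreplace: userCertificate\nuserCertificate:: %s\n-\nreplace: description\ndescription: %s\n-\n' \
        "$1" "$b64" "$(cert_description "$2")"
}

make_stub_ca
make_user_cert "/O=EXAMPLE.COM/CN=admin"
build_ldif "uid=admin,ou=people,o=ipaca" "$WORK/user.crt" "$WORK/user.der" > "$WORK/admin.ldif"
openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt"
# Apply with:   ldapmodify -Y GSSAPI -f "$WORK/admin.ldif"
# Then bundle key+cert for the pki client (replaces the lost ca_admin_cert.p12):
#   openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" -name caadmin -out caadmin.p12
```

If the server still logs "cannot map certificate to any user" after the modify, compare the description value the script wrote with the filter the server builds from the presented cert (the issuer and subject strings must match byte for byte, including DN component order), and confirm the CA that signed the new cert is the one in the server's trust store; both are the usual reasons the mapping step fails even though the TLS handshake succeeds.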