[Pki-users] Replace default caadmin key

Ade Lee alee at redhat.com
Tue May 10 19:18:11 UTC 2016


On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote:
> It turned out that that ca-agent.p12 in /root did have the key I need.
> So I guess I'm good. That's getting backed up and we'll make new users
> for our config management system.
> 
> For academic purposes, I am still curious as to how one would go about
> this. I did update the admin user with a self-signed key, and I even
> went as far as to use the CA to sign a key. I tried creating a new
> user and updating the admin user with certificates via ldapmodify.
> 
> In both cases, I got that I could not map certificate to any user.
> 
> [10/May/2016:18:27:27][http-bio-8443-exec-11]: CertUserDBAuthentication: cannot map certificate to any user
> [10/May/2016:18:27:27][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent, O=EXAMPLE.COM] authentication failure

What you were probably missing was updating the description field in
the user entry.  Not only does the cert have to match, but the
description needs to as well.

That description has the format:

description: 2;<cert serial number>;<issuer DN>;<cert subject name>
 
Ade

> On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt)
> <john at yourtech.us> wrote:
> > To follow up on my own message, I can definitely view the user cert
> > with ldap search.
> > 
> > ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
> > 
> > The contents of userCertificate attribute do match the ca_admin.cert
> > file. That certificate is signed by the freeipa cacert. The key is if
> > I can replace the userCertificate attribute and if that new one needs
> > to be signed.
> > 
> > -John
> > 
> > On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
> > <john at yourtech.us> wrote:
> > > Hello,
> > > 
> > > I've been recently learning a good bit about dogtag pki. I've setup a
> > > standalone dogtag instance for development, I've written some code to
> > > generate CSRs and get a cert from dogtag. I then went to try and get this
> > > working against our FreeIPA instances. While trying to create a user
> > > certificate, I found that none of my pki -n caadmin commands would work.
> > > 
> > > I eventually discovered this page
> > > http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
> > > master/first freeipa server. While I did have the .cert and .der files, I
> > > did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
> > > server was rebuilt at one point, and no one was aware of the need to back up
> > > this directory.
> > > 
> > > I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
> > > either of these contain the private key that would have been in
> > > ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
> > > be replicated to every freeipa replica).
> > > 
> > > My question at this point is if I can regain control of the dogtag CA
> > > system. I believe I would have to create a new key/cert pair locally, and
> > > then update an ldap entry with the new cert. Or maybe I can create a new
> > > user entirely to manage dogtag. I would probably have to sign the user cert
> > > using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
> > > looking for guidance. If my guesses are correct, a series of openssl
> > > commands, followed by some work with ldif files and ldapmodify.
> > > 
> > > Thanks in advance,
> > > John
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
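The mapping check Ade describes, as an added example for this thread (not Dogtag or FreeIPA code, and not something either poster ran): it builds the `description` value in the `2;<serial>;<issuer DN>;<subject DN>` form from the fields `openssl x509 -noout -serial -issuer -subject -nameopt RFC2253` prints for the new certificate, emits the `ldapmodify` input that replaces the user's certificate and description together, and reports which field would still cause "cannot map certificate to any user". It assumes the serial is stored in decimal (openssl prints it in hex), that DNs are written in RFC 2253 order, that the certificate attribute is `userCertificate;binary`, and that the admin entry is `uid=admin,ou=people,o=ipaca`; every sample value is constructed.

```python
"""Build and check the Dogtag user `description` that certUserDBAuthMgr
matches against a presented client certificate (added example, not Dogtag code).

Assumptions: format 2;<serial>;<issuer DN>;<subject DN> with a decimal serial
and RFC 2253 DNs, attribute userCertificate;binary, admin entry
uid=admin,ou=people,o=ipaca. All sample values below are constructed.
"""
import base64
import re
from dataclasses import dataclass

# Constructed sample: what `openssl x509 -in new-admin.crt -noout -serial
# -issuer -subject -nameopt RFC2253` would print for a freshly issued cert.
SAMPLE_OPENSSL_SUMMARY = """\
serial=0A
issuer=CN=Certificate Authority,O=EXAMPLE.COM
subject=CN=ipa-ca-agent,O=EXAMPLE.COM
"""

# Constructed stand-in for the DER bytes of that certificate; real input is
# the output of `openssl x509 -outform DER`.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

ADMIN_USER_DN = "uid=admin,ou=people,o=ipaca"  # assumed location of the admin entry


@dataclass(frozen=True)
class CertIdentity:
    serial: int       # X.509 serial number as an integer
    issuer_dn: str    # RFC 2253 string
    subject_dn: str   # RFC 2253 string


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim whitespace around each RDN and
    lowercase the attribute types. Splits on commas, so DNs with escaped
    commas are not handled (fine for the CN=...,O=... names in this thread)."""
    rdns = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        attr, sep, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}{sep}{value.strip()}")
    return ",".join(rdns)


def parse_openssl_summary(text: str) -> CertIdentity:
    """Read the serial/issuer/subject lines openssl prints; the serial is hex."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return CertIdentity(int(fields["serial"], 16), fields["issuer"], fields["subject"])


def dogtag_description(ident: CertIdentity) -> str:
    """The description value the user entry must carry: version 2, decimal serial, DNs."""
    return f"2;{ident.serial};{ident.issuer_dn};{ident.subject_dn}"


def parse_description(desc: str) -> CertIdentity:
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError(f"not a version-2 Dogtag cert description: {desc!r}")
    return CertIdentity(int(parts[1]), parts[2], parts[3])


def mapping_failure(presented: CertIdentity, entry_description: str):
    """Why the certificate would not map to a user whose entry carries
    `entry_description`; None when serial, issuer and subject all match."""
    try:
        expected = parse_description(entry_description)
    except ValueError as exc:
        return str(exc)
    if presented.serial != expected.serial:
        return f"serial mismatch: cert {presented.serial}, description {expected.serial}"
    if normalize_dn(presented.issuer_dn) != normalize_dn(expected.issuer_dn):
        return "issuer DN mismatch"
    if normalize_dn(presented.subject_dn) != normalize_dn(expected.subject_dn):
        return "subject DN mismatch"
    return None


def fold_ldif(line: str, width: int = 76) -> str:
    """LDIF line folding: continuation lines begin with a single space."""
    chunks = [line[:width]]
    chunks += [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(chunks)


def admin_update_ldif(user_dn: str, cert_der: bytes, ident: CertIdentity) -> str:
    """ldapmodify input replacing certificate and description in one operation,
    so the entry never holds a cert whose description points at the old serial."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: userCertificate;binary",
        fold_ldif(f"userCertificate;binary:: {b64}"),
        "-",
        "replace: description",
        f"description: {dogtag_description(ident)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    ident = parse_openssl_summary(SAMPLE_OPENSSL_SUMMARY)
    stale = "2;6;CN=Certificate Authority,O=EXAMPLE.COM;CN=ipa-ca-agent,O=EXAMPLE.COM"
    print("with old description:", mapping_failure(ident, stale))
    print(admin_update_ldif(ADMIN_USER_DN, SAMPLE_CERT_DER, ident))
```

Feed the printed LDIF to `ldapmodify` against the `o=ipaca` suffix the way the `ldapsearch` in the thread was run; the `mapping_failure` output is the quick way to see, before touching the directory, whether a "cannot map certificate to any user" line would come from the serial, the issuer or the subject.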
