[Pki-users] Replace default caadmin key

Endi Sukma Dewata edewata at redhat.com
Tue May 10 20:37:57 UTC 2016


On 5/10/2016 2:18 PM, Ade Lee wrote:
> On Tue, 2016-05-10 at 15:01 -0400, John Hogenmiller (yt) wrote:
>> It turned out that that ca-agent.p12 in /root did have the key I
>> need.
>> So I guess I'm good. That's getting backed up and we'll make new
>> users
>> for our config management system.
>>
>> For academic purposes, I am still curious as to how one would go
>> about
>> this. I did update the admin user with a self-signed key, and I even
>> went as far as to use the CA to sign a key.  I tried creating a new
>> user and updating the admin user with certificates via ldapmodify.
>>
>> In both cases, I got that I could not map certificate to any user.
>>
>> [10/May/2016:18:27:27][http-bio-8443-exec-11]: CertUserDBAuthentication: cannot map certificate to any user
>> [10/May/2016:18:27:27][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent, O=EXAMPLE.COM] authentication failure
>
> What you were probably missing was updating the description field in
> the user entry.  Not only does the cert have to match, but the
> description needs to as well.
>
> That description has the format:
>
> description: 2;<cert serial number>;<issuer DN>;<cert subject name>
>
> Ade

I believe IPA moves /root/.dogtag/pki-tomcat/ca_admin_cert.p12 to 
/root/ca-agent.p12 right after installation. The file name is a bit 
misleading, so feel free to open an IPA ticket.

Please take a look at this page:
http://pki.fedoraproject.org/wiki/IPA_PKI_Admin_Setup

I haven't tried it recently though, but supposedly you can just use -n 
ipa-ca-agent instead of -n caadmin to access PKI services in IPA.

Which commands are you trying to execute?

We have some docs about IPA from PKI's perspective:
http://pki.fedoraproject.org/wiki/IPA

If you have any feedback for the wiki pages just let us know. Thanks!

-- 
Endi S. Dewata
