[Pki-users] Adding a signing certificate to an existing Dogtag instance
Allyson Bowles
abowles at hireology.com
Tue Jun 11 19:53:57 UTC 2019
Hey folks,
Awhile back, I set up an internal CA signing certificate for the purpose
of issuing certificates used for RabbitMQ connections, Sensu, Consul,
etc. I would now like to add that signing certificate to my existing
Dogtag instance (created as part of an IPA server installation), so that
I can configure clients to automatically renew these certificates using
Certmonger. This signing certificate would not be used for anything IPA
related, only the abovementioned third-party utilities requiring an
internally trusted SSL certificate for authentication.
I have managed to perform the pkispawn step using a PKCS12 file
containing the signing certificate and key as well as a pkispawn config
file that looks something like this:
####
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=secret
pki_client_pkcs12_password=secret
pki_ds_password=secret
pki_ds_ldap_port=389
pki_existing=True
[CA]
pki_ca_signing_nickname=MyInternalCA
pki_ca_signing_csr_path=req/ca.csr
pki_pkcs12_path=ca.p12
pki_pkcs12_password=secret
pki_serial_number_range_start=90
pki_request_number_range_start=90
pki_master_crl_enable=False
pki_external_step_one=False
pki_external_step_two=True
###
The output I get is as follows:
```
# pkispawn -s CA -f pkispawn.cfg
Log file: /var/log/pki/pki-ca-spawn.20190611180347.log
Loading deployment configuration from pkispawn.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
---------------
Import complete
---------------
Installation failed:
com.netscape.certsrv.base.BadRequestException: System is already
configured
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
```
The pki-ca-spawn logfile doesn't contain anything interesting, and
neither could I find anything terribly noteworthy in either
/var/log/pki/pki-tomcat/ca/{debug,system}.
The certificate and key do show up in certutil -L and -K, so my plan was
to try carrying on with getting a client to use Certmonger to renew its
certificate against this signing certificate. To do /that/, it looks
like I need to create or modify an existing CA profile per
https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI. However, this doc
expects the operator to have a user certificate with the nickname
'caadmin' and a password. I don't seem to have a certificate with that
nickname and I'm not sure which certificate to look for. Further
documentation
https://www.dogtagpki.org/wiki/CA_Admin_Setup#Retrieving_CA_Admin_Certificate
suggests that I could create a new CA admin user...but this requires
having access to the existing one.
Which brings us to my actual questions.
1) Am I trying to do a reasonable thing by importing an existing signing
certificate into an existing Dogtag instance? If not, what's a better
way to achieve the ability to autorenew client certificates?
2) How can I either reset the existing CA admin credentials (given that
I have system root) or force creation of a new user without nuking my
current instance? Ideas about where I could look for the existing CA
admin credentials would work as well but I understand this is highly
dependent on how the system was set up initially.
3) Is there something else I should be doing, after the pkispawn partial
failure, to troubleshoot? I figured attempting to carry on with an
autorenew might at least get me more information about what's happening,
but I'm very open to other approaches as well.
Thank you for your time,
Ally
--
Allyson Bowles | Senior Site Reliability Engineer
e: abowles at hireology.com | 7C2D 671B 08A2 0D8A AD52 540E 1FB2 B534 ECD5 4608
http://www.hireology.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20190611/2b0724c9/attachment.sig>
More information about the Pki-users
mailing list