[Pki-users] Adding a signing certificate to an existing Dogtag instance

Fraser Tweedale ftweedal at redhat.com
Wed Jun 12 05:03:37 UTC 2019 

Hi Allyson,

pkispawn is not the right approach.  You can't "add" a signing
certificate to an existing IPA / Dogtag deployment in that way.

You could create Certmonger tracking requests for the end-entity
certs, configuring them to use the IPA CA when renewal is needed.
It is fine for a end-entity certificate to be renewed with a
different issuer.  As a transitional measure the current issuer
certificate can be added to the IPA trust store so that IPA-enrolled
machines will trust it.

If you wish to continue issing those EE certs with a dedicated
sub-CA, create one with the 'ipa ca-add' command and use the
Certmonger `--issuer' option to refer to it.

Cheers,
Fraser

On Tue, Jun 11, 2019 at 02:53:57PM -0500, Allyson Bowles wrote:
> Hey folks,
> 
> Awhile back, I set up an internal CA signing certificate for the purpose
> of issuing certificates used for RabbitMQ connections, Sensu, Consul,
> etc. I would now like to add that signing certificate to my existing
> Dogtag instance (created as part of an IPA server installation), so that
> I can configure clients to automatically renew these certificates using
> Certmonger. This signing certificate would not be used for anything IPA
> related, only the abovementioned third-party utilities requiring an
> internally trusted SSL certificate for authentication.
> 
> I have managed to perform the pkispawn step using a PKCS12 file
> containing the signing certificate and key as well as a pkispawn config
> file that looks something like this:
> 
> ####
> [DEFAULT]
> pki_instance_name=pki-tomcat
> pki_admin_password=secret
> pki_client_pkcs12_password=secret
> pki_ds_password=secret
> pki_ds_ldap_port=389
> pki_existing=True
> 
> [CA]
> pki_ca_signing_nickname=MyInternalCA
> pki_ca_signing_csr_path=req/ca.csr
> pki_pkcs12_path=ca.p12
> pki_pkcs12_password=secret
> pki_serial_number_range_start=90
> pki_request_number_range_start=90
> pki_master_crl_enable=False
> pki_external_step_one=False
> pki_external_step_two=True
> ###
> 
> The output I get is as follows:
> 
> ```
> # pkispawn -s CA -f pkispawn.cfg
> Log file: /var/log/pki/pki-ca-spawn.20190611180347.log
> Loading deployment configuration from pkispawn.cfg.
> Installing CA into /var/lib/pki/pki-tomcat.
> ---------------
> Import complete
> ---------------
> 
> Installation failed:
> com.netscape.certsrv.base.BadRequestException: System is already
> configured
> 
> Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> ```
> 
> The pki-ca-spawn logfile doesn't contain anything interesting, and
> neither could I find anything terribly noteworthy in either
> /var/log/pki/pki-tomcat/ca/{debug,system}.
> 
> The certificate and key do show up in certutil -L and -K, so my plan was
> to try carrying on with getting a client to use Certmonger to renew its
> certificate against this signing certificate. To do /that/, it looks
> like I need to create or modify an existing CA profile per
> https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI. However, this doc
> expects the operator to have a user certificate with the nickname
> 'caadmin' and a password. I don't seem to have a certificate with that
> nickname and I'm not sure which certificate to look for. Further
> documentation
> https://www.dogtagpki.org/wiki/CA_Admin_Setup#Retrieving_CA_Admin_Certificate
> suggests that I could create a new CA admin user...but this requires
> having access to the existing one.
> 
> Which brings us to my actual questions.
> 
> 1) Am I trying to do a reasonable thing by importing an existing signing
> certificate into an existing Dogtag instance? If not, what's a better
> way to achieve the ability to autorenew client certificates?
> 
> 2) How can I either reset the existing CA admin credentials (given that
> I have system root) or force creation of a new user without nuking my
> current instance? Ideas about where I could look for the existing CA
> admin credentials would work as well but I understand this is highly
> dependent on how the system was set up initially.
> 
> 3) Is there something else I should be doing, after the pkispawn partial
> failure, to troubleshoot? I figured attempting to carry on with an
> autorenew might at least get me more information about what's happening,
> but I'm very open to other approaches as well.
> 
> Thank you for your time,
> Ally
> 
> --
> Allyson Bowles | Senior Site Reliability Engineer
> e: abowles at hireology.com | 7C2D 671B 08A2 0D8A AD52  540E 1FB2 B534 ECD5 4608
> http://www.hireology.com



> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

More information about the Pki-users mailing list