From pascal.jakobi at gmail.com Thu Feb 13 11:30:28 2020
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Thu, 13 Feb 2020 12:30:28 +0100
Subject: [Pki-users] Publishing
In-Reply-To: <20200129011641.GF28885@T470s>
References: <20200129011641.GF28885@T470s>
Message-ID: <5affa616-b1c8-1283-53ba-683699d2afc1@gmail.com>

I am running Dogtag 10.5 on CentOS7. Basic setup is OK, but I need to publish the generated certificates towards an external Directory.

Once upon a time, I would use pkiconsole to set up LDAP publishing, but the program seems to have disappeared.

Therefore, I have 2 questions:

1/ Are there instructions to set up publishers without GUI somewhere (apologies if I missed them)?

2/ What is the tool I should use to administer Dogtag?

Thxs
P

From dmoluguw at redhat.com Thu Feb 13 16:09:24 2020
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Thu, 13 Feb 2020 11:09:24 -0500
Subject: [Pki-users] Publishing
In-Reply-To: <5affa616-b1c8-1283-53ba-683699d2afc1@gmail.com>
References: <20200129011641.GF28885@T470s> <5affa616-b1c8-1283-53ba-683699d2afc1@gmail.com>
Message-ID:

Hello Pascal,

please find my replies inline..

On Thu, 2020-02-13 at 12:30 +0100, Pascal Jakobi wrote:
> I am running Dogtag 10.5 on CentOS7. Basic setup is OK, but I need to
> publish the generated certificates towards an external Directory.
>
> Once upon a time, I would use pkiconsole to set up LDAP publishing, but
> the program seems to have disappeared.
>
> Therefore, I have 2 questions:
>
> 1/ Are there instructions to set up publishers without GUI somewhere
> (apologies if I missed them)?

You can install pkiconsole using `yum install pki-console`
Doc: https://www.dogtagpki.org/wiki/PKI_Console

> 2/ What is the tool I should use to administer Dogtag?

In PKI 10.5, there are 3 ways to interact:
- Web UI
- CLI
- pkiconsole

You can use the admin guide from RH documentation:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/

Regards,
--Dinesh

> Thxs
> P
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ascheel at redhat.com Thu Feb 13 16:25:01 2020
From: ascheel at redhat.com (Alex Scheel)
Date: Thu, 13 Feb 2020 11:25:01 -0500 (EST)
Subject: [Pki-users] Publishing
In-Reply-To:
References: <20200129011641.GF28885@T470s> <5affa616-b1c8-1283-53ba-683699d2afc1@gmail.com>
Message-ID: <1463116216.5559165.1581611101452.JavaMail.zimbra@redhat.com>

Hi Dinesh,

----- Original Message -----
> From: "Dinesh Prasanth Moluguwan Krishnamoorthy"
> To: "Pascal Jakobi" , pki-users at redhat.com
> Sent: Thursday, February 13, 2020 11:09:24 AM
> Subject: Re: [Pki-users] Publishing
>
> Hello Pascal,
>
> please find my replies inline..
>
> On Thu, 2020-02-13 at 12:30 +0100, Pascal Jakobi wrote:
> > I am running Dogtag 10.5 on CentOS7. Basic setup is OK, but I need to
> > publish the generated certificates towards an external Directory.
> >
> > Once upon a time, I would use pkiconsole to set up LDAP publishing, but
> > the program seems to have disappeared.
> >
> > Therefore, I have 2 questions:
> >
> > 1/ Are there instructions to set up publishers without GUI somewhere
> > (apologies if I missed them)?
> You can install pkiconsole using `yum install pki-console`
> Doc: https://www.dogtagpki.org/wiki/PKI_Console

This isn't strictly correct. Due to the quirk of how Dogtag is shipped on RHEL, CentOS lacks the packages in the RHCS Layered Product. Fedora doesn't.
This is one of the reasons we've historically built them in the EPEL branch in COPR. However, the 10.5 branch hasn't been enabled for COPR automatic builds (and the versions in COPR would exceed those in CentOS at any rate).

- Alex

> > 2/ What is the tool I should use to administer Dogtag?
> In PKI 10.5, there are 3 ways to interact:
> - Web UI
> - CLI
> - pkiconsole
>
> You can use the admin guide from RH documentation:
> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/
>
> Regards,
> --Dinesh
>
> > Thxs
> > P

From Brian.Wolf at risd.org Mon Feb 17 17:41:05 2020
From: Brian.Wolf at risd.org (Wolf, Brian)
Date: Mon, 17 Feb 2020 17:41:05 +0000
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console
Message-ID:

I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since. I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page. I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under "Your Certificates" and the signing certificate under "Authorities" in Firefox. When I try to connect to the agent page (https://.../ca/agent/ca), the padlock goes green, but I get an "Invalid Credential" error. /var/log/pki/risd-ise/ca/system contains

Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found

The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cert8.db. There are actually two entries - the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors

What is it looking for, and where?

- Brian

# certutil -L -d ~/.dogtag/MyInstance/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - MyDomain                            CT,c,
caadmin                                                      u,u,u
caadmin                                                      u,u,u

# certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Fri Mar 10 22:38:25 2017
            Not After : Thu Feb 28 22:38:25 2019
        Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomainr,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:

# certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:

Current versions:

Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
pki-base-10.5.16-6
pki-base-java-10.5.16-6.el7_7.noarch
java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64

From msauton at redhat.com Mon Feb 17 19:50:34 2020
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 17 Feb 2020 11:50:34 -0800
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console
In-Reply-To:
References:
Message-ID:

Hello,

Probably either there is no caadmin (uid=admin may be set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups.

Try for example:

locate the LDAP base DN of the PKI repository:
ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts

output example:
dn:
namingcontexts: dc=example,dc=test
namingcontexts: o=rootca1-CA
namingcontexts: o=subca1-CA

note it could also be in the form of namingcontexts: dc=ca1.example.test-pki-ca1
and in your case it may be similar to o=risd-ise-CA

then search into that LDAP backend to verify the values of the attribute uniquemember of the entries, as in this example but replacing the string o=subca1-CA to match your environment:
either for the agent users:
ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember
or the administrators (admin or caadmin is the default one, like a "root" user):
ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember

then verify the uniqueMember value corresponds to a valid existing LDAP entry, for example:
dn: uid=caadmin,ou=people,o=subca1-CA

and then verify that the admin or agent user entry has a corresponding user certificate, for example:
ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate

you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain from the NSS db at ~/.dogtag/risd-ise/ca/alias/

Note this can be done using the pkiconsole.

Thanks,
M.

From msauton at redhat.com Mon Feb 17 19:59:43 2020
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 17 Feb 2020 11:59:43 -0800
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console
In-Reply-To:
References:
Message-ID:

The entry
CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain
likely has the older cert with serial 6; it just needs the newer one with serial 0x33 / 51.
It may be easier to use the pkiconsole to add it, under
"Configuration | Users and Groups | Users | admin | Certificates | Import"

Thanks,
M.

From Brian.Wolf at risd.org Mon Feb 17 23:13:31 2020
From: Brian.Wolf at risd.org (Wolf, Brian)
Date: Mon, 17 Feb 2020 23:13:31 +0000
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console
In-Reply-To:
References:
Message-ID:

Marc-

You were correct that the directory manager had the serial #6 version. I tried to replace it with the #33 version, but now when I try to connect, I get the error "You did not provide a valid certificate for this operation." instead of "Invalid credential."

First, you mentioned using pkiconsole. I don't have pkiconsole installed.
I think we found that that was part of RHCS, and we don't have a subscription for RHCS. So I'm just wading through the CLI commands.

Also, I didn't find any naming contexts specifically referencing the instance. Caadmin showed up in the Agents and Administrators queries for dc=ca,dc=risd,dc=org.

And there is no CN=PKI Administrator entry in the list of Administrators.

# ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
Enter LDAP Password:
dn:
namingcontexts: dc=ca,dc=risd,dc=org
namingcontexts: dc=risd,dc=org

# ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
Enter LDAP Password:
[root@risdca1 tmp]#

# ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
Enter LDAP Password:
dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org

dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org

# ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
Enter LDAP Password:
dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org

dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org

dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org

dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or

The user certificate appeared to be in X509 format. I copied that to a file and verified that it was the expired #6 version.

# ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
Enter LDAP Password:
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
userCertificate:: MII********************************************************
 S***************************************************************************
 G***************************************************************************
 ...
 **********************************************************************M7nQ==

I didn't find any examples of multi-line values in the ldapmodify file, so I tried using the same format as the search used, with the second and subsequent lines beginning with a space and a "-" on the last line.

$ cat ldapmodify.caadmin.txt
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
changetype: modify
replace: userCertificate
userCertificate: MII*********************************************************
 S****************************************************************************
 ...
 P***********************************************************************mDw==
-

# ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
Enter LDAP Password:
modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
#

# ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
Enter LDAP Password:
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
userCertificate: MII****************************************************************************
 V******************************************************************************************
 ...
 K***********************************************************************************mdw==

So it took what I gave it. I noticed that for the old cert, ldapsearch displayed "userCertificate::" (two colons), and now it only has "userCertificate:" (one colon). Is that significant?
I tried changing the input file to read userCertificate::, and then ldapsearch showed both colons again, but I still got the ?you did not provide a valid credential?? error when I tried to connect from my laptop. I verified that Firefox on my laptop is using PKI Administrator [33] for identification. - Brian From: Marc Sauton Sent: Monday, February 17, 2020 2:00 PM To: Wolf, Brian Cc: pki-users at redhat.com Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console The entry CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain likely has the older cert with serial 6, it just needs the newer one with serial 0x33 / 51 It may be easier to use the pkiconsole to add it, under" "Configuration | Users and Groups | Users | admin | Certificates | Import" Thanks, M. On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton > wrote: Hello, Probably either there is no caadmin (uid=admin may set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups. 
Try for example: locate the LDAP base DN of the PKI repository: ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts output example: dn: namingcontexts: dc=example,dc=test namingcontexts: o=rootca1-CA namingcontexts: o=subca1-CA note it could be also in the form of namingcontexts: dc=ca1.example.test-pki-ca1 and in your case it may be similar to o=risd-ise-CA then search into that LDAP backend to verify the values of the attribute uniquemember of the entries, like as this example but by replacing the string o=subca1-CA to match your environment: either for the agent users: ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember or the administrators (admin or caadmin is the default one, like a "root" user): ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember then verify the uniqueMember value correspond to a valid existing LDAP entry, like for example: dn: uid=caadmin,ou=people,o=subca1-CA and then verify that admin or agent user entry has a corresponding user certificate, like for example: ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain from the NSS db at ~/.dogtag/risd-ise/ca/alias/ Note this can be done using the pkiconsole. Thanks, M. On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian > wrote: I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since. I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page. 
I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under ?Your Certificates and the signing certificate under Authorities in Firefox. When I try to connect to the agent page (https://.../ca/agent/ca), the padlock goes green, but I get an ?Invalid Credential? error. /var/log/pki/risd-ise/ca/system contains Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cer8.db. There are actually two entries- the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors What it is looking for and where? - Brian # certutil -L -d ~/.dogtag/MyInstance/ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA Signing Certificate - MyDomain CT,c, caadmin u,u,u caadmin u,u,u # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin Certificate: Data: Version: 3 (0x2) Serial Number: 51 (0x33) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain" Validity: Not Before: Tue Feb 26 04:20:43 2019 Not After : Wed Feb 26 04:20:43 2020 Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance ,O=MyDomain" Subject Public Key Info: Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain" Validity: Not Before: Fri Mar 10 22:38:25 2017 Not After : Thu Feb 28 22:38:25 2019 Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomainr,OU=MyInstance ,O=MyDomain" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain" Certificate: Data: Version: 3 (0x2) Serial Number: 51 (0x33) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption 
Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain" Validity: Not Before: Tue Feb 26 04:20:43 2019 Not After : Wed Feb 26 04:20:43 2020 Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance ,O=MyDomain" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: Current versions: Current versions: Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM pki-base-10.5.16-6 pki-base-java-10.5.16-6.el7_7.noarch java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64 _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From msauton at redhat.com Tue Feb 18 01:05:11 2020 From: msauton at redhat.com (Marc Sauton) Date: Mon, 17 Feb 2020 17:05:11 -0800 Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console In-Reply-To: References: Message-ID: For the pkiconsole: correct for RHEL, would need the RHCS subscription. but it is available from Fedora: pki-console-10.7.3-3.fc31.noarch : PKI Console Package Repo : fedora I do not think we have the pkiconsole in CentOS ( http://mirror.centos.org/centos/7.7.1908/ ) For the ldapmodify, add the colon char twice because the value is already base-64 encoded, like for example: dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org changetype: modify delete: userCertificate - add: userCertificate userCertificate:: MII... That should solve the issue! Thanks, M. On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian wrote: > Marc- > > > > You were correct that the directory manager had the serial #6 version. I > tried to replace it with the #33 version, but now when I try to connect, I > get the error ?You did not provide a valid certificate for this operation.? > Instead of ?Invalid credential.? > > > > First, you mentioned using pkiconsole. I don?t have pkiconsole installed. 
> I think we found that that was part of RHCS, and we don't have a
> subscription for RHCS. So I'm just wading through the CLI commands.
>
> Also, I didn't find any naming contexts specifically referencing the
> instance. Caadmin showed up in the Agents and Administrators queries for
> dc=ca,dc=risd,dc=org.
>
> And there is no CN=PKI Administrator entry in the list of Administrators.
>
> # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> [root at risdca1 tmp]#
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> Enter LDAP Password:
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or
>
> The user certificate appeared to be in X509 format. I copied that to a
> file and verified that it was the expired #6 version.
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII********************************************************
>  S***************************************************************************
>  G***************************************************************************
>  ...
>  **********************************************************************M7nQ==
>
> I didn't find any examples of multi-line values in the ldapmodify file, so
> I tried using the same format as the search used, with the second and
> subsequent lines beginning with a space and a "-" on the last line.
>
> $ cat ldapmodify.caadmin.txt
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> replace: userCertificate
> userCertificate: MII*********************************************************
>  S****************************************************************************
>  ...
>  P***********************************************************************mDw==
> -
>
> # ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
> Enter LDAP Password:
> modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
> #
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate: MII****************************************************************************
>  V******************************************************************************************
>  ...
>  K***********************************************************************************mdw==
>
> So it took what I gave it. I noticed that for the old cert, ldapsearch
> displayed "userCertificate::" (two colons), and now it only has
> "userCertificate:" (one colon). Is that significant? I tried changing the
> input file to read userCertificate::, and then ldapsearch showed both
> colons again, but I still got the "you did not provide a valid credential..."
> error when I tried to connect from my laptop.
>
> I verified that Firefox on my laptop is using PKI Administrator [33] for
> identification.
>
> - Brian
>
> *From:* Marc Sauton
> *Sent:* Monday, February 17, 2020 2:00 PM
> *To:* Wolf, Brian
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> The entry
> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain
> likely has the older cert with serial 6, it just needs the newer one with
> serial 0x33 / 51
>
> It may be easier to use the pkiconsole to add it, under
> "Configuration | Users and Groups | Users | admin | Certificates | Import"
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton wrote:
>
> Hello,
>
> Probably either there is no caadmin (uid=admin may be set from the older
> environment), or the SSL client certificate is simply missing from the
> administrator or agent groups.
>
> Try for example:
>
> locate the LDAP base DN of the PKI repository:
> ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts
>
> output example:
> dn:
> namingcontexts: dc=example,dc=test
> namingcontexts: o=rootca1-CA
> namingcontexts: o=subca1-CA
>
> note it could be also in the form of namingcontexts: dc=ca1.example.test-pki-ca1
> and in your case it may be similar to o=risd-ise-CA
>
> then search into that LDAP backend to verify the values of the attribute
> uniquemember of the entries, as in this example but replacing the
> string o=subca1-CA to match your environment:
>
> either for the agent users:
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember
>
> or the administrators (admin or caadmin is the default one, like a "root" user):
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember
>
> then verify the uniqueMember value corresponds to a valid existing LDAP
> entry, like for example:
> dn: uid=caadmin,ou=people,o=subca1-CA
>
> and then verify that the admin or agent user entry has a corresponding user
> certificate, like for example:
> ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate
>
> you may have to update the value of the userCertificate with ldapmodify to
> match the certificate with serial number 0x33 and subject DN
> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain
> from the NSS db at ~/.dogtag/risd-ise/ca/alias/
>
> Note this can be done using the pkiconsole.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian wrote:
>
> I installed PKI-CA several years ago on a Redhat 7 (actually Oracle
> Unbreakable Linux) server. I used it to create certificates for an
> application and have not really used it since. I had to renew the base
> certificates last year. That took some effort, but I got it to work. Now I
> am unable to connect to the web-based agent page. I copied the PKI
> Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and
> installed it under "Your Certificates" and the signing certificate under
> Authorities in Firefox. When I try to connect to the agent page (
> https://.../ca/agent/ca), the padlock goes green, but I get an "Invalid
> Credential" error. /var/log/pki/risd-ise/ca/system contains
>
> Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI
> Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain.
> Error: User not found
>
> The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cer8.db. There are
> actually two entries- the current one and the previous expired one. It is
> also in /etc/pki/ca-trust/source/anchors
>
> What it is looking for and where?
>
> - Brian
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> CA Signing Certificate - MyDomain               CT,c,
> caadmin                                         u,u,u
> caadmin                                         u,u,u
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
> Certificate:
>   Data:
>     Version: 3 (0x2)
>     Serial Number: 51 (0x33)
>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>     Validity:
>       Not Before: Tue Feb 26 04:20:43 2019
>       Not After : Wed Feb 26 04:20:43 2020
>     Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>     Subject Public Key Info:
>
> Certificate:
>   Data:
>     Version: 3 (0x2)
>     Serial Number: 6 (0x6)
>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>     Validity:
>       Not Before: Fri Mar 10 22:38:25 2017
>       Not After : Thu Feb 28 22:38:25 2019
>     Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomainr,OU=MyInstance,O=MyDomain"
>     Subject Public Key Info:
>       Public Key Algorithm: PKCS #1 RSA Encryption
>       RSA Public Key:
>
> # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
> Certificate:
>   Data:
>     Version: 3 (0x2)
>     Serial Number: 51 (0x33)
>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>     Validity:
>       Not Before: Tue Feb 26 04:20:43 2019
>       Not After : Wed Feb 26 04:20:43 2020
>     Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>     Subject Public Key Info:
>       Public Key Algorithm: PKCS #1 RSA Encryption
>       RSA Public Key:
>         Modulus:
>
> Current versions:
>
> Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
>
> pki-base-10.5.16-6
> pki-base-java-10.5.16-6.el7_7.noarch
> java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From msauton at redhat.com Tue Feb 18 01:11:46 2020
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 17 Feb 2020 17:11:46 -0800
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console
In-Reply-To:
References:
Message-ID:

Extra note, a ldapmodify "replace" should be used as the userCertificate can
be multi valued, and the first sample may be used from a LDAP search result
set, which can be the older certificate, so it is better to either del/add
or replace it to avoid confusion.

Thanks,
M.

On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton wrote:

> For the pkiconsole:
> correct for RHEL, would need the RHCS subscription.
> but it is available from Fedora: > pki-console-10.7.3-3.fc31.noarch : PKI Console Package > Repo : fedora > > I do not think we have the pkiconsole in CentOS ( > http://mirror.centos.org/centos/7.7.1908/ ) > > For the ldapmodify, add the colon char twice because the value is already > base-64 encoded, like for example: > > dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org > changetype: modify > delete: userCertificate > - > add: userCertificate > userCertificate:: MII... > > That should solve the issue! > > Thanks, > M. > > On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian wrote: > >> Marc- >> >> >> >> You were correct that the directory manager had the serial #6 version. I >> tried to replace it with the #33 version, but now when I try to connect, I >> get the error ?You did not provide a valid certificate for this operation.? >> Instead of ?Invalid credential.? >> >> >> >> First, you mentioned using pkiconsole. I don?t have pkiconsole installed. >> I think we found that that was part of RHCS, and we don?t have a >> subscription for RHCS. So I?m just wading through the CLI commands. >> >> >> >> Also, I didn?t find any naming contexts specifically referencing the >> instance. Caadmin showed up in the Agents and Administrators queries for >> dc=ca,dc=risd,dc=org. >> >> >> >> And there is no CN=PKI Administrator entry in the list of Administrators. 
>> >> >> >> >> >> # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base >> namingcontexts >> >> Enter LDAP Password: >> >> dn: >> >> namingcontexts: dc=ca,dc=risd,dc=org >> >> namingcontexts: dc=risd,dc=org >> >> >> >> # ldapsearch -xLLL -D "cn=directory manager" -W -b >> ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember >> >> Enter LDAP Password: >> >> [root at risdca1 tmp]# >> >> >> >> >> >> # ldapsearch -xLLL -D "cn=directory manager" -W -b >> ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember >> >> Enter LDAP Password: >> >> dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org >> >> >> >> dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org >> >> >> >> # ldapsearch -xLLL -D "cn=directory manager" -W -b >> ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember >> >> Enter LDAP Password: >> >> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org >> >> >> >> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org >> >> >> >> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org >> >> >> >> dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org >> >> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or >> >> >> >> >> >> >> >> The user certificate appeared to be in X509 format. I copied that to a >> file and verified that it was the expired #6 version. 
>> >> >> >> # ldapsearch -xLLL -D "cn=directory manager" -W -b >> ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate >> >> Enter LDAP Password: >> >> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org >> >> userCertificate:: >> MII******************************************************** >> >> >> S*************************************************************************** >> >> >> G*************************************************************************** >> >> ? >> >> >> **********************************************************************M7nQ== >> >> >> >> I didn?t find any examples of multi-line values in the ldapmodify file, >> so I tried using the same format as the search used, with the second and >> subsequent lines beginning with a space and a ?-? on the last line. >> >> >> >> >> >> $ cat ldapmodify.caadmin.txt >> >> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org >> >> changetype: modify >> >> replace: userCertificate >> >> userCertificate: >> MII********************************************************* >> >> >> S**************************************************************************** >> >> ? >> >> >> P***********************************************************************mDw== >> >> - >> >> >> >> # ldapmodify -x -D "cn=directory manager" -W -f >> /tmp/ldapmodify.caadmin.txt >> >> Enter LDAP Password: >> >> modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org" >> >> # >> >> >> >> # ldapsearch -xLLL -D "cn=directory manager" -W -b >> ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate >> >> Enter LDAP Password: >> >> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org >> >> userCertificate: >> MII**************************************************************************** >> >> >> V****************************************************************************************** >> >> ?. >> >> >> K***********************************************************************************mdw== >> >> >> >> >> >> So it took what I gave it. 
I noticed that for the old cert, ldapsearch >> displayed ?userCertificate::? (two colons), and now it only has >> ?userCertificate:? (one colon). Is that significant? I tried changing the >> input file to read userCertificate::, and then ldapsearch showed both >> colons again, but I still got the ?you did not provide a valid credential?? >> error when I tried to connect from my laptop. >> >> >> >> >> >> I verified that Firefox on my laptop is using PKI Administrator [33] for >> identification. >> >> >> >> - Brian >> >> >> >> >> >> *From:* Marc Sauton >> *Sent:* Monday, February 17, 2020 2:00 PM >> *To:* Wolf, Brian >> *Cc:* pki-users at redhat.com >> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console >> >> >> >> The entry >> >> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain >> >> likely has the older cert with serial 6, it just needs the newer one with >> serial 0x33 / 51 >> >> It may be easier to use the pkiconsole to add it, under" >> >> "Configuration | Users and Groups | Users | admin | Certificates | Import" >> >> Thanks, >> >> M. >> >> >> >> On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton wrote: >> >> Hello, >> >> Probably either there is no caadmin (uid=admin may set from the older >> environment), or the SSL client certificate is simply missing from the >> administrator or agent groups. 
>> >> Try for example: >> >> >> >> locate the LDAP base DN of the PKI repository: >> >> ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base >> namingcontexts >> >> >> >> output example: >> >> dn: >> namingcontexts: dc=example,dc=test >> namingcontexts: o=rootca1-CA >> >> namingcontexts: o=subca1-CA >> >> >> >> note it could be also in the form of namingcontexts: >> dc=ca1.example.test-pki-ca1 >> >> and in your case it may be similar to o=risd-ise-CA >> >> >> >> then search into that LDAP backend to verify the values of the attribute >> uniquemember of the entries, like as this example but by replacing the >> string o=subca1-CA to match your environment: >> >> either for the agent users: >> >> ldapsearch -xLLL -D "cn=directory manager" -w password -b >> ou=groups,o=subca1-CA cn=*Agents dn uniqueMember >> >> or the administrators (admin or caadmin is the default one, like a "root" >> user): >> >> ldapsearch -xLLL -D "cn=directory manager" -w password -b >> ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember >> >> >> >> then verify the uniqueMember value correspond to a valid existing LDAP >> entry, like for example: >> >> dn: uid=caadmin,ou=people,o=subca1-CA >> >> >> >> and then verify that admin or agent user entry has a corresponding user >> certificate, like for example: >> >> ldapsearch -LLLx -D "cn=directory manager" -W -b >> ou=people,o=subca1-CA uid=caadmin userCertificate >> >> >> >> you may have to update the value of the userCertificate with ldapmodify >> to match the certificate with serial number 0x33 and subject DN >> >> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain >> >> from the NSS db at ~/.dogtag/risd-ise/ca/alias/ >> >> >> >> Note this can be done using the pkiconsole. >> >> >> >> Thanks, >> >> M. >> >> >> >> On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian wrote: >> >> I installed PKI-CA several years ago on a Redhat 7 (actually Oracle >> Unbreakable Linux) server. 
I used it to create certificates for an >> application and have not really used it since. I had to renew the base >> certificates last year. That took some effort, but I got it to work. Now I >> am unable to connect to the web-based agent page. I copied the PKI >> Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and >> installed it under ?Your Certificates and the signing certificate under >> Authorities in Firefox. When I try to connect to the agent page ( >> https://.../ca/agent/ca), the padlock goes green, but I get an ?Invalid >> Credential? error. /var/log/pki/risd-ise/ca/system contains >> >> >> >> Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI >> Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain. >> Error: User not found >> >> >> >> The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cer8.db. There are >> actually two entries- the current one and the previous expired one. It is >> also in /etc/pki/ca-trust/source/anchors >> >> >> >> >> >> What it is looking for and where? 
>> >> >> >> >> >> - Brian >> >> >> >> >> >> >> >> # certutil -L -d ~/.dogtag/MyInstance/ca/alias >> >> >> >> Certificate Nickname Trust >> Attributes >> >> >> SSL,S/MIME,JAR/XPI >> >> >> >> CA Signing Certificate - MyDomain CT,c, >> >> caadmin u,u,u >> >> caadmin u,u,u >> >> >> >> >> >> # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin >> >> Certificate: >> >> Data: >> >> Version: 3 (0x2) >> >> Serial Number: 51 (0x33) >> >> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption >> >> Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain" >> >> Validity: >> >> Not Before: Tue Feb 26 04:20:43 2019 >> >> Not After : Wed Feb 26 04:20:43 2020 >> >> Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain >> ,OU=MyInstance >> >> ,O=MyDomain" >> >> Subject Public Key Info: >> >> >> >> >> >> Certificate: >> >> Data: >> >> Version: 3 (0x2) >> >> Serial Number: 6 (0x6) >> >> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption >> >> Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain" >> >> Validity: >> >> Not Before: Fri Mar 10 22:38:25 2017 >> >> Not After : Thu Feb 28 22:38:25 2019 >> >> Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomainr >> ,OU=MyInstance >> >> ,O=MyDomain" >> >> Subject Public Key Info: >> >> Public Key Algorithm: PKCS #1 RSA Encryption >> >> RSA Public Key: >> >> >> >> >> >> >> >> >> >> # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - >> MyDomain" >> >> Certificate: >> >> Data: >> >> Version: 3 (0x2) >> >> Serial Number: 51 (0x33) >> >> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption >> >> Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain" >> >> Validity: >> >> Not Before: Tue Feb 26 04:20:43 2019 >> >> Not After : Wed Feb 26 04:20:43 2020 >> >> Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain >> ,OU=MyInstance >> >> ,O=MyDomain" >> >> Subject Public Key Info: >> >> Public Key Algorithm: PKCS #1 RSA Encryption >> >> RSA Public Key: >> >> Modulus: >> >> 
>> Current versions:
>>
>> Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
>>
>> pki-base-10.5.16-6
>> pki-base-java-10.5.16-6.el7_7.noarch
>> java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

From Brian.Wolf at risd.org Tue Feb 18 17:05:41 2020
From: Brian.Wolf at risd.org (Wolf, Brian)
Date: Tue, 18 Feb 2020 17:05:41 +0000
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console
In-Reply-To:
References:
Message-ID:

Marc-

I used this

dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
changetype: modify
delete: userCertificate
-
add: userCertificate
userCertificate:: MII...
-

And now ldapsearch gives me:

dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
userCertificate:: MII...

I restarted the pki-tomcat service for the instance. Now when I try to
access it, I am back to the simple "Invalid Credential" error.

/var/log/pki/risd-ise/ca/system says:

0.http-bio-8373-exec-1 - [18/Feb/2020:10:25:12 CST] [6] [3] Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin at risdca1.risd.org,OU=risd-ise,O=RISD.ORG. Error: User not found

Could the problem be that there is no naming context for risd-ise, so it's
not matching the caadmin user? From your first response yesterday, it
seems like you expected there to be, but I just have dc=ca,dc=risd,dc=org.
I've been doing the ldapmodifies on it.

If there ever was an entry for risd-ise, I don't know what happened to it.
I definitely didn't intentionally delete it, because I didn't really even
know about the directory server part beyond the steps in the Installation
Guide.

ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
Enter LDAP Password:
dn:
namingcontexts: dc=ca,dc=risd,dc=org
namingcontexts: dc=risd,dc=org

ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org

dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org

dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=bwolf,ou=People,dc=ca,dc=risd,dc=org

...

- Brian

From: Marc Sauton
Sent: Monday, February 17, 2020 7:12 PM
To: Wolf, Brian
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console

Extra note, a ldapmodify "replace" should be used as the userCertificate can
be multi valued, and the first sample may be used from a LDAP search result
set, which can be the older certificate, so it is better to either del/add
or replace it to avoid confusion.

Thanks,
M.

On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton wrote:

For the pkiconsole:
correct for RHEL, would need the RHCS subscription.
but it is available from Fedora:
pki-console-10.7.3-3.fc31.noarch : PKI Console Package
Repo : fedora

I do not think we have the pkiconsole in CentOS ( http://mirror.centos.org/centos/7.7.1908/ )

For the ldapmodify, add the colon char twice because the value is already base-64 encoded, like for example:

dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
changetype: modify
delete: userCertificate
-
add: userCertificate
userCertificate:: MII...

That should solve the issue!

Thanks,
M.

On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian wrote:

Marc-

You were correct that the directory manager had the serial #6 version.
I tried to replace it with the #33 version, but now when I try to connect, I get the error ?You did not provide a valid certificate for this operation.? Instead of ?Invalid credential.? First, you mentioned using pkiconsole. I don?t have pkiconsole installed. I think we found that that was part of RHCS, and we don?t have a subscription for RHCS. So I?m just wading through the CLI commands. Also, I didn?t find any naming contexts specifically referencing the instance. Caadmin showed up in the Agents and Administrators queries for dc=ca,dc=risd,dc=org. And there is no CN=PKI Administrator entry in the list of Administrators. # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts Enter LDAP Password: dn: namingcontexts: dc=ca,dc=risd,dc=org namingcontexts: dc=risd,dc=org # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember Enter LDAP Password: [root at risdca1 tmp]# # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember Enter LDAP Password: dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember Enter LDAP Password: dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org dn: cn=Enterprise KRA 
Administrators,ou=groups,dc=ca,dc=risd,dc=org uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or The user certificate appeared to be in X509 format. I copied that to a file and verified that it was the expired #6 version. # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate Enter LDAP Password: dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org userCertificate:: MII******************************************************** S*************************************************************************** G*************************************************************************** ? **********************************************************************M7nQ== I didn?t find any examples of multi-line values in the ldapmodify file, so I tried using the same format as the search used, with the second and subsequent lines beginning with a space and a ?-? on the last line. $ cat ldapmodify.caadmin.txt dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org changetype: modify replace: userCertificate userCertificate: MII********************************************************* S**************************************************************************** ? P***********************************************************************mDw== - # ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt Enter LDAP Password: modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org" # # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate Enter LDAP Password: dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org userCertificate: MII**************************************************************************** V****************************************************************************************** ?. K***********************************************************************************mdw== So it took what I gave it. 
I noticed that for the old cert, ldapsearch displayed ?userCertificate::? (two colons), and now it only has ?userCertificate:? (one colon). Is that significant? I tried changing the input file to read userCertificate::, and then ldapsearch showed both colons again, but I still got the ?you did not provide a valid credential?? error when I tried to connect from my laptop. I verified that Firefox on my laptop is using PKI Administrator [33] for identification. - Brian From: Marc Sauton > Sent: Monday, February 17, 2020 2:00 PM To: Wolf, Brian > Cc: pki-users at redhat.com Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console The entry CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain likely has the older cert with serial 6, it just needs the newer one with serial 0x33 / 51 It may be easier to use the pkiconsole to add it, under" "Configuration | Users and Groups | Users | admin | Certificates | Import" Thanks, M. On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton > wrote: Hello, Probably either there is no caadmin (uid=admin may set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups. 
Try for example: locate the LDAP base DN of the PKI repository: ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts output example: dn: namingcontexts: dc=example,dc=test namingcontexts: o=rootca1-CA namingcontexts: o=subca1-CA note it could be also in the form of namingcontexts: dc=ca1.example.test-pki-ca1 and in your case it may be similar to o=risd-ise-CA then search into that LDAP backend to verify the values of the attribute uniquemember of the entries, like as this example but by replacing the string o=subca1-CA to match your environment: either for the agent users: ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember or the administrators (admin or caadmin is the default one, like a "root" user): ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember then verify the uniqueMember value correspond to a valid existing LDAP entry, like for example: dn: uid=caadmin,ou=people,o=subca1-CA and then verify that admin or agent user entry has a corresponding user certificate, like for example: ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain from the NSS db at ~/.dogtag/risd-ise/ca/alias/ Note this can be done using the pkiconsole. Thanks, M. On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian > wrote: I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since. I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page. 
I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under "Your Certificates" and the signing certificate under "Authorities" in Firefox. When I try to connect to the agent page (https://.../ca/agent/ca), the padlock goes green, but I get an "Invalid Credential" error. /var/log/pki/risd-ise/ca/system contains

Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found

The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cer8.db. There are actually two entries: the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors

What is it looking for, and where?

- Brian

# certutil -L -d ~/.dogtag/MyInstance/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - MyDomain                            CT,c,
caadmin                                                      u,u,u
caadmin                                                      u,u,u

# certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain"
        Subject Public Key Info:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Fri Mar 10 22:38:25 2017
            Not After : Thu Feb 28 22:38:25 2019
        Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomainr,OU=MyInstance,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:

# certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:

Current versions:

Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
pki-base-10.5.16-6
pki-base-java-10.5.16-6.el7_7.noarch
java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From msauton at redhat.com Tue Feb 18 21:14:42 2020
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 18 Feb 2020 13:14:42 -0800
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console

I may have forgotten a detail: the "description" value that needs to be updated (the pkiconsole would do that).

Search for the caadmin entry:

ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin description

and verify that the description attribute has a value in the form of

2;serial-number;issuer-subject-DN;subject-DN

If the serial is 0x33 / 51, it needs to be like, for example:

description: 2;51;CN=CA Signing Certificate,OU=suba1,O=Sub CA1 Example Test;CN=PKI Administrator,E=caadmin at example.test,OU=subca1,O=Sub CA1 Example Test

So another ldapmodify is needed (could have been done in one).

Thanks,
M.

On Tue, Feb 18, 2020 at 9:05 AM Wolf, Brian wrote:

> Marc-
>
> I used this
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> delete: userCertificate
> -
> add: userCertificate
> userCertificate:: MII...
> -
>
> And now ldapsearch gives me:
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII...
>
> I restarted the pki-tomcat service for the instance. Now when I try to access it, I am back to the simple "Invalid Credential" error.
>
> /var/log/pki/risd-ise/ca/system says:
>
> 0.http-bio-8373-exec-1 - [18/Feb/2020:10:25:12 CST] [6] [3] Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin at risdca1.risd.org,OU=risd-ise,O=RISD.ORG. Error: User not found
>
> Could the problem be that there is no naming context for risd-ise, so it's not matching the caadmin user? From your first response yesterday, it seems like you expected there to be, but I just have dc=ca,dc=risd,dc=org. I've been doing the ldapmodifies on it.
>
> If there ever was an entry for risd-ise, I don't know what happened to it. I definitely didn't intentionally delete it, because I didn't really even know about the directory server part beyond the steps in the Installation Guide.
>
> ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=bwolf,ou=People,dc=ca,dc=risd,dc=org
>
> ...
>
> - Brian
>
> From: Marc Sauton
> Sent: Monday, February 17, 2020 7:12 PM
> To: Wolf, Brian
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> Extra note, a ldapmodify "replace" should be used as the userCertificate can be multi valued, and the first sample may be used from a LDAP search result set, which can be the older certificate, so it is better to either del/add or replace it to avoid confusion.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton wrote:
>
> For the pkiconsole:
> correct for RHEL, would need the RHCS subscription.
> but it is available from Fedora:
> pki-console-10.7.3-3.fc31.noarch : PKI Console Package
> Repo : fedora
>
> I do not think we have the pkiconsole in CentOS (http://mirror.centos.org/centos/7.7.1908/)
>
> For the ldapmodify, add the colon char twice because the value is already base-64 encoded, like for example:
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> delete: userCertificate
> -
> add: userCertificate
> userCertificate:: MII...
>
> That should solve the issue!
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian wrote:
>
> Marc-
>
> You were correct that the directory manager had the serial #6 version. I tried to replace it with the #33 version, but now when I try to connect, I get the error "You did not provide a valid certificate for this operation." instead of "Invalid credential."
>
> First, you mentioned using pkiconsole. I don't have pkiconsole installed. I think we found that that was part of RHCS, and we don't have a subscription for RHCS. So I'm just wading through the CLI commands.
>
> Also, I didn't find any naming contexts specifically referencing the instance. Caadmin showed up in the Agents and Administrators queries for dc=ca,dc=risd,dc=org.
>
> And there is no CN=PKI Administrator entry in the list of Administrators.
>
> # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> [root at risdca1 tmp]#
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> Enter LDAP Password:
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or
>
> The user certificate appeared to be in X509 format. I copied that to a file and verified that it was the expired #6 version.
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII********************************************************
>  S***************************************************************************
>  G***************************************************************************
>  ...
>  **********************************************************************M7nQ==
>
> I didn't find any examples of multi-line values in the ldapmodify file, so I tried using the same format as the search used, with the second and subsequent lines beginning with a space and a "-" on the last line.
>
> $ cat ldapmodify.caadmin.txt
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> replace: userCertificate
> userCertificate: MII*********************************************************
>  S****************************************************************************
>  ...
>  P***********************************************************************mDw==
> -
>
> # ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
> Enter LDAP Password:
> modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
> #
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate: MII****************************************************************************
>  V******************************************************************************************
>  ...
>  K***********************************************************************************mdw==
>
> So it took what I gave it. I noticed that for the old cert, ldapsearch displayed "userCertificate::" (two colons), and now it only has "userCertificate:" (one colon). Is that significant? I tried changing the input file to read userCertificate::, and then ldapsearch showed both colons again, but I still got the "you did not provide a valid credential..." error when I tried to connect from my laptop.
>
> I verified that Firefox on my laptop is using PKI Administrator [33] for identification.
>
> - Brian
>
> From: Marc Sauton
> Sent: Monday, February 17, 2020 2:00 PM
> To: Wolf, Brian
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> The entry
> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain
> likely has the older cert with serial 6, it just needs the newer one with serial 0x33 / 51
> It may be easier to use the pkiconsole to add it, under
> "Configuration | Users and Groups | Users | admin | Certificates | Import"
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton wrote:
>
> Hello,
> Probably either there is no caadmin (uid=admin may be set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups.
> Try for example:
>
> locate the LDAP base DN of the PKI repository:
> ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts
>
> output example:
> dn:
> namingcontexts: dc=example,dc=test
> namingcontexts: o=rootca1-CA
> namingcontexts: o=subca1-CA
>
> note it could also be in the form of namingcontexts: dc=ca1.example.test-pki-ca1
> and in your case it may be similar to o=risd-ise-CA
>
> then search into that LDAP backend to verify the values of the attribute uniquemember of the entries, like in this example but replacing the string o=subca1-CA to match your environment:
>
> either for the agent users:
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember
>
> or the administrators (admin or caadmin is the default one, like a "root" user):
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember
>
> then verify the uniqueMember value corresponds to a valid existing LDAP entry, like for example:
> dn: uid=caadmin,ou=people,o=subca1-CA
>
> and then verify that admin or agent user entry has a corresponding user certificate, like for example:
> ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate
>
> you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN
> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain
> from the NSS db at ~/.dogtag/risd-ise/ca/alias/
>
> Note this can be done using the pkiconsole.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian wrote:
>
> I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since. I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page.

From Brian.Wolf at risd.org Tue Feb 18 22:39:14 2020
From: Brian.Wolf at risd.org (Wolf, Brian)
Date: Tue, 18 Feb 2020 22:39:14 +0000
Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console

That did it! I can now access the agent page. I still get the Java "Error" pop-ups, but I can click through those and get to where I need. Now I get to renew the caadmin cert and repeat this exercise, and then document everything for next time!

Since we're only using dogtag for a single internal application, it would be nice to extend these longer than 2 years each time. I found https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-system-cert-lifetime.html that discusses how to adjust the maximum certificate lifetimes. Also https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI . Do you have any recommendations on that, as in am I better off just leaving well-enough alone?

Thanks again for all of your help! If you ever decide to write a "Dogtag for Dummies" book, I'll buy a copy! Of course I'll probably be retiring within the next 5 years, so you'll need to get it done before that!

- Brian
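As an added example (not code from the thread or from Dogtag), the two modifications Marc describes above written as one ldapmodify record: a `replace` of userCertificate with the base64 value behind a double colon, and the description value in the 2;serial;issuer DN;subject DN form, plus the consistency check between a stored description and the serial and DNs from the "Cannot authenticate agent" log line. The entry DN, serial and DNs are the ones quoted in the thread; the certificate bytes are a constructed placeholder, not a real certificate.

```python
"""LDIF for the fix discussed in the thread: the current admin certificate
in userCertificate and the matching Dogtag description value
"2;<decimal serial>;<issuer DN>;<subject DN>".

Added example, not Dogtag's or the list members' code.  The DNs and the
serial come from the thread; FAKE_DER is a constructed placeholder.
"""
import base64

ENTRY_DN = "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
SERIAL = "0x33"  # as the CA log prints it; the directory wants decimal 51
ISSUER_DN = "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
# The list archive renders "@" as " at "; the real DN uses "@".
SUBJECT_DN = "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain"
# Constructed stand-in for the DER certificate.  A real run would use the
# bytes exported from the NSS db (certutil -L -d <alias dir> -n caadmin -r).
FAKE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def parse_serial(serial):
    """Accept '0x33', '51' or 51 and return the decimal integer (51)."""
    if isinstance(serial, int):
        return serial
    text = serial.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def fold(line, width=76):
    """LDIF line folding: continuation lines start with a single space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold(lines):
    """Inverse of fold(): glue continuation lines back onto their line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def description_value(serial, issuer_dn, subject_dn):
    """The value Dogtag looks up to map a client cert onto a user entry."""
    return f"2;{parse_serial(serial)};{issuer_dn};{subject_dn}"


def build_ldif(entry_dn, der_cert, serial, issuer_dn, subject_dn):
    """One ldapmodify record that replaces both attributes.

    'replace' rather than 'add' because userCertificate is multi-valued:
    it also drops the stale serial 6 value.  The double colon marks the
    value as base64, so the directory stores the raw DER bytes.
    """
    b64 = base64.b64encode(der_cert).decode("ascii")
    lines = [f"dn: {entry_dn}", "changetype: modify",
             "replace: userCertificate"]
    lines += fold(f"userCertificate:: {b64}")
    lines += ["-", "replace: description"]
    lines += fold("description: "
                  + description_value(serial, issuer_dn, subject_dn))
    lines += ["-"]
    return "\n".join(lines) + "\n"


def check_description(stored, serial, issuer_dn, subject_dn):
    """Compare a stored description with the certificate the agent presents.

    Returns a list of mismatches; an empty list means the entry matches.
    """
    parts = [p.strip() for p in stored.split(";")]
    if len(parts) != 4:
        return [f"expected 4 ';'-separated fields, got {len(parts)}"]
    problems = []
    if parts[0] != "2":
        problems.append(f"version field is {parts[0]!r}, expected '2'")
    if parts[1] != str(parse_serial(serial)):
        problems.append(f"serial {parts[1]} does not match {parse_serial(serial)}")
    if parts[2] != issuer_dn:
        problems.append("issuer DN does not match")
    if parts[3] != subject_dn:
        problems.append("subject DN does not match")
    return problems


def certificate_from_ldif(ldif_text):
    """Recover the DER bytes from the record (what ldapsearch hands back)."""
    prefix = "userCertificate:: "
    for line in unfold(ldif_text.splitlines()):
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    return None


if __name__ == "__main__":
    print(build_ldif(ENTRY_DN, FAKE_DER, SERIAL, ISSUER_DN, SUBJECT_DN))
```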
URL: From msauton at redhat.com Tue Feb 18 23:55:55 2020 From: msauton at redhat.com (Marc Sauton) Date: Tue, 18 Feb 2020 15:55:55 -0800 Subject: [Pki-users] pki 10.5 - Unable to log in to PKI console In-Reply-To: References: Message-ID: Hello Brian, I am glad this did finally help. And...I like the book suggestion! as well as the timeframe challenge ;-) But we also have quite a lot of documentation. Yes, you can change to validity dates per enrollment profile, it is even encouraged to do so to respect the local custom PKI policies / certification practice statement / CPS / certificate policy rules. Those enrollment profiles were designed to be very flexible, and it may take some time to understand how they work (trade-off) Changing the enrollment/renewal/revocation profiles can be done using the pkiconsole, the pki command line, https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/planning_installation_and_deployment_guide/sect-deployment_guide-planning_your_crts-determining_the_requirements_for_subsystem_certificates#planning-profiles 5.4.6. Using and Customizing Certificate Profiles and https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/certificate_profiles CHAPTER 2. MAKING RULES FOR ISSUING CERTIFICATES (CERTIFICATE PROFILES) or manually: you are correct for the upstream doc at https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI but I prefer to edit manually to keep the order of the lines in the text file of the profile. 
(note: profiles may also be stored in the LDAP backend)

stop the CA, then
cd /var/lib/pki/some-string-here/ca/profiles/ca/

If this is about the caadmin, the enrollment profile we want to modify is caAdminCert.cfg
cp -p caAdminCert.cfg caAdminCert.cfg.orig
then edit the file caAdminCert to tune the parameters
policyset.adminCertSet.2.constraint.params.range=365
policyset.adminCertSet.2.default.params.range=365
also review the policyset.adminCertSet.3.constraint.params.keyParameters

extra note:
In a 2-step installation (7.6. TWO-STEP INSTALLATION https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/planning_installation_and_deployment_guide/two-step-installation), it is a good practice to do the same for the CA's internal profiles, set constraints and policies for validity dates, encryption, extensions, SANs, custom OIDs, etc.:
caCACert.cfg
caOCSPCert.cfg
caServerCert.cfg
caSubsystemCert.cfg
caSignedLogCert.cfg
and for example, for end user and server certificates:
caUserCert.cfg
caServerCert.cfg

A lot of those default profiles are provided as working examples to be used for customization (like file signing, smartcards).

Thanks,
Marc S.

On Tue, Feb 18, 2020 at 2:39 PM Wolf, Brian wrote:

> That did it! I can now access the agent page. I still get the Java "Error" pop-ups, but I can click through those and get to where I need. Now I get to renew the caadmin cert and repeat this exercise, and then document everything for next time!
>
> Since we're only using dogtag for a single internal application, it would be nice to extend these longer than 2 years each time. I found https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-system-cert-lifetime.html that discusses how to adjust the maximum certificate lifetimes. Also https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI . Do you have any recommendations on that, as in am I better off just leaving well-enough alone?
>
> Thanks again for all of your help!
> If you ever decide to write a "Dogtag for Dummies" book, I'll buy a copy! Of course I'll probably be retiring within the next 5 years, so you'll need to get it done before that!
>
> - Brian
>
> *From:* Marc Sauton
> *Sent:* Tuesday, February 18, 2020 3:15 PM
> *To:* Wolf, Brian
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> I may have forgotten a detail:
> the "description" value that needs to be updated (the pkiconsole would do that)
>
> search for the caadmin entry:
> ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin description
>
> and verify the description attribute: it needs a value in the form of
> 2;serial-number;issuer-subject-DN;subject-DN
>
> if the serial is 0x33 / 51, it needs to be like for example:
> description: 2;51;CN=CA Signing Certificate,OU=suba1,O=Sub CA1 Example Test; CN=PKI Administrator,E=caadmin at example.test,OU=subca1,O=Sub CA1 Example Test
>
> So another ldapmodify is needed (could have been done in one).
>
> Thanks,
> M.
>
> On Tue, Feb 18, 2020 at 9:05 AM Wolf, Brian wrote:
>
> Marc-
>
> I used this
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> delete: userCertificate
> -
> add: userCertificate
> userCertificate:: MII…
> -
>
> And now ldapsearch gives me:
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII…
>
> I restarted the pki-tomcat service for the instance. Now when I try to access it, I am back to the simple "Invalid Credential" error.
>
> /var/log/pki/risd-ise/ca/system says:
> 0.http-bio-8373-exec-1 - [18/Feb/2020:10:25:12 CST] [6] [3] Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin at risdca1.risd.org,OU=risd-ise,O=RISD.ORG.
> Error: User not found
>
> Could the problem be that there is no naming context for risd-ise, so it's not matching the caadmin user? From your first response yesterday, it seems like you expected there to be, but I just have dc=ca,dc=risd,dc=org. I've been doing the ldapmodifies on it.
>
> If there ever was an entry for risd-ise, I don't know what happened to it. I definitely didn't intentionally delete it, because I didn't really even know about the directory server part beyond the steps in the Installation Guide.
>
> ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=bwolf,ou=People,dc=ca,dc=risd,dc=org
>
> …
>
> - Brian
>
> *From:* Marc Sauton
> *Sent:* Monday, February 17, 2020 7:12 PM
> *To:* Wolf, Brian
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> Extra note, an ldapmodify "replace" should be used as the userCertificate can be multi-valued, and the first sample may be used from an LDAP search result set, which can be the older certificate, so it is better to either del/add or replace it to avoid confusion.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton wrote:
>
> For the pkiconsole:
> correct for RHEL, would need the RHCS subscription.
> but it is available from Fedora:
> pki-console-10.7.3-3.fc31.noarch : PKI Console Package
> Repo : fedora
>
> I do not think we have the pkiconsole in CentOS (http://mirror.centos.org/centos/7.7.1908/)
>
> For the ldapmodify, add the colon char twice because the value is already base-64 encoded, like for example:
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> delete: userCertificate
> -
> add: userCertificate
> userCertificate:: MII...
>
> That should solve the issue!
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian wrote:
>
> Marc-
>
> You were correct that the directory manager had the serial #6 version. I tried to replace it with the #33 version, but now when I try to connect, I get the error "You did not provide a valid certificate for this operation." instead of "Invalid credential."
>
> First, you mentioned using pkiconsole. I don't have pkiconsole installed. I think we found that that was part of RHCS, and we don't have a subscription for RHCS. So I'm just wading through the CLI commands.
>
> Also, I didn't find any naming contexts specifically referencing the instance. Caadmin showed up in the Agents and Administrators queries for dc=ca,dc=risd,dc=org.
>
> And there is no CN=PKI Administrator entry in the list of Administrators.
> # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> [root at risdca1 tmp]#
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> Enter LDAP Password:
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or
>
> The user certificate appeared to be in X509 format. I copied that to a file and verified that it was the expired #6 version.
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII********************************************************
>  S***************************************************************************
>  G***************************************************************************
>  …
>  **********************************************************************M7nQ==
>
> I didn't find any examples of multi-line values in the ldapmodify file, so I tried using the same format as the search used, with the second and subsequent lines beginning with a space and a "-" on the last line.
>
> $ cat ldapmodify.caadmin.txt
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> replace: userCertificate
> userCertificate: MII*********************************************************
>  S****************************************************************************
>  …
>  P***********************************************************************mDw==
> -
>
> # ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
> Enter LDAP Password:
> modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
> #
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate: MII****************************************************************************
>  V******************************************************************************************
>  …
>  K***********************************************************************************mdw==
>
> So it took what I gave it. I noticed that for the old cert, ldapsearch displayed "userCertificate::"
> (two colons), and now it only has "userCertificate:" (one colon). Is that significant? I tried changing the input file to read userCertificate::, and then ldapsearch showed both colons again, but I still got the "you did not provide a valid credential…" error when I tried to connect from my laptop.
>
> I verified that Firefox on my laptop is using PKI Administrator [33] for identification.
>
> - Brian
>
> *From:* Marc Sauton
> *Sent:* Monday, February 17, 2020 2:00 PM
> *To:* Wolf, Brian
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> The entry
> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain
> likely has the older cert with serial 6, it just needs the newer one with serial 0x33 / 51
>
> It may be easier to use the pkiconsole to add it, under
> "Configuration | Users and Groups | Users | admin | Certificates | Import"
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton wrote:
>
> Hello,
>
> Probably either there is no caadmin (uid=admin may be set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups.
> Try for example:
>
> locate the LDAP base DN of the PKI repository:
> ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts
>
> output example:
> dn:
> namingcontexts: dc=example,dc=test
> namingcontexts: o=rootca1-CA
> namingcontexts: o=subca1-CA
>
> note it could also be in the form of namingcontexts: dc=ca1.example.test-pki-ca1
> and in your case it may be similar to o=risd-ise-CA
>
> then search in that LDAP backend to verify the values of the attribute uniquemember of the entries, like in this example, but replacing the string o=subca1-CA to match your environment:
>
> either for the agent users:
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember
>
> or the administrators (admin or caadmin is the default one, like a "root" user):
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember
>
> then verify the uniqueMember value corresponds to a valid existing LDAP entry, like for example:
> dn: uid=caadmin,ou=people,o=subca1-CA
>
> and then verify that admin or agent user entry has a corresponding user certificate, like for example:
> ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate
>
> you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN
> CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain
> from the NSS db at ~/.dogtag/risd-ise/ca/alias/
>
> Note this can be done using the pkiconsole.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian wrote:
>
> I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since.
> I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page. I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under "Your Certificates" and the signing certificate under "Authorities" in Firefox. When I try to connect to the agent page (https://.../ca/agent/ca), the padlock goes green, but I get an "Invalid Credential" error. /var/log/pki/risd-ise/ca/system contains
>
> Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found
>
> The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cert8.db. There are actually two entries: the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors
>
> What is it looking for, and where?
>
> - Brian
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA Signing Certificate - MyDomain                            CT,c,
> caadmin                                                      u,u,u
> caadmin                                                      u,u,u
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 51 (0x33)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Tue Feb 26 04:20:43 2019
>             Not After : Wed Feb 26 04:20:43 2020
>         Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 6 (0x6)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Fri Mar 10 22:38:25 2017
>             Not After : Thu Feb 28 22:38:25 2019
>         Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomainr,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>
> # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 51 (0x33)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Tue Feb 26 04:20:43 2019
>             Not After : Wed Feb 26 04:20:43 2020
>         Subject: "CN=PKI Administrator,E=caadmin at MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>
> Current versions:
>
> Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
> pki-base-10.5.16-6
> pki-base-java-10.5.16-6.el7_7.noarch
> java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
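The two lessons of this thread (a single colon in `userCertificate: MII...` stores the base64 text itself instead of the DER certificate, which the CA then cannot match, and the caadmin entry's `description` must carry `2;serial;issuerDN;subjectDN`) as an added Python example; this is not code from the thread, from Dogtag or from 389-ds. The DNs and serials (0x33 and 6) are taken from the messages above; the certificate bytes are a constructed stand-in for the parser, not a real certificate, and the LDIF shape (replace, RFC 2849 folding) is the one Marc recommends.

```python
import base64


def _der(tag, body):
    """Encode one short-form DER TLV (body under 128 bytes; enough for the stand-in)."""
    return bytes([tag, len(body)]) + body


def _tlv(der, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_serial(der):
    """serialNumber of a DER Certificate: SEQ { tbsCertificate SEQ { [0] version, INTEGER serial, ... } }."""
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (value stored as text rather than binary?)")
    _, pos, _ = _tlv(der, pos)  # step into tbsCertificate
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:  # optional EXPLICIT [0] version precedes the serial
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(der[start:end], "big", signed=True)


def is_der_certificate(value):
    try:  # base64 text stored after a single colon fails the SEQUENCE check
        cert_serial(value)
        return True
    except (ValueError, IndexError):
        return False


def fake_cert(serial):
    """Constructed stand-in, NOT a real certificate: only v3 version and serial (< 0x80) are real DER."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + b"\x00" * 60
    return _der(0x30, _der(0x30, tbs))


def stored_value(ldif_line):
    """Bytes the directory stores for an LDIF attribute line: '::' base64-decodes, ':' keeps the text."""
    _, sep, value = ldif_line.partition(":: ")
    if sep:
        return base64.b64decode(value)
    return ldif_line.partition(": ")[2].encode("ascii")


def fold(line, width=76):
    """RFC 2849 line folding: continuation lines begin with a single space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def description_value(der, issuer_dn, subject_dn):
    """The 'description' value Dogtag keys its user lookup on: 2;serial;issuerDN;subjectDN."""
    return f"2;{cert_serial(der)};{issuer_dn};{subject_dn}"


def replace_cert_ldif(user_dn, der, issuer_dn, subject_dn):
    """ldapmodify input replacing (not adding) userCertificate, base64 after '::', and description."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([f"dn: {user_dn}", "changetype: modify", "replace: userCertificate",
                      fold(f"userCertificate:: {b64}"), "-", "replace: description",
                      fold(f"description: {description_value(der, issuer_dn, subject_dn)}"), "-", ""])
```

On a real instance, feed `cert_serial()` the value ldapsearch returns for `userCertificate` and compare it with the serial certutil prints (0x33 here) before running ldapmodify; a value that fails `is_der_certificate()` was stored as text and will never match the client certificate.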