Hello,

TL;DR: how should I authenticate for pki command line commands on a stock IPA installation?
Longer context: I am trying to set up a new IPA server (1) with --external-ca and I'd like to sign the CSR which gets generated on IPA 1 using the CA at my other IPA server (2). The CSR as produced by IPA 1 is for

    Subject: O=SUB.EXAMPLE.TEST, CN=Certificate Authority
    Requested Extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

Jan Ch. hints that I cannot use ipa cert-request because the certificate request does not have a hostname CN and besides, IPA and the ipa command only support server certificates, and here I am attempting to create a CA certificate. Hence my understanding is I need to use Dogtag directly and I'd like to use the pki commands.

I believe I need to start by getting the XML template -- I've used

    pki cert-request-profile-show caInstallCACert --output template

Then I took the Base64 content of the /root/ipa.csr from IPA 2, put it in the <value> child element of /CertEnrollmentRequest/Input[@id="11"]/Attribute[@name="cert_request"] and attempted to run

    # pki cert-request-submit template
    UnauthorizedException: AuthCredentials.set()

Reading man pki(1) suggests I should authenticate using a certificate nickname, and reading other documentation suggests that using the ca-agent's certificate could be a good option. So I do

    # openssl pkcs12 -out /root/ca-agent.pem < /root/ca-agent.p12
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    # pki -n ca-agent client-cert-import --cert /root/ca-agent.pem
    -------------------------------
    Imported certificate "ca-agent"
    -------------------------------
    # pki -n ca-agent cert-request-submit template
    WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert 'CN=Certificate Authority,O=EXAMPLE.TEST'
    Import CA certificate (Y/n)? n
    ClientResponseFailure: Error status 401 Unauthorized returned

Even if I allow that CA certificate to be imported, the result is the same:

    Import CA certificate (Y/n)?
    CA server URI [http://mgmt9.rhq.lab.eng.bos.redhat.com:8080/ca]:
    ClientResponseFailure: Error status 401 Unauthorized returned

What am I doing wrong?

This is with ipa-server-4.1.0-18.el7.x86_64 and pki-server-10.1.2-7.el7.noarch.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
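Added example, not code from the post or from the Dogtag/FreeIPA projects: a small Python helper for the template-filling step the post describes (strip the PEM armour from the CSR, put the base64 body into the Value child of Input id="11" / Attribute name="cert_request", write the result back), with the checks a practitioner would want before handing the file to `pki cert-request-submit`: that the PEM block is complete and decodes as base64, that the Input/Attribute path actually exists in the template, and that the root element is a CertEnrollmentRequest. The TEMPLATE_XML below is a constructed minimal stand-in for the output of `pki cert-request-profile-show caInstallCACert --output template`; the element name `Value` (the post spells it `<value>`, so both cases are accepted) and the `pkcs10` value for cert_request_type are assumptions about Dogtag's XML, and the sample CSR body is constructed junk bytes, not a real PKCS#10 request.

```python
"""Fill a Dogtag CertEnrollmentRequest XML template with a PEM CSR.

Usage: python fill_template.py TEMPLATE.xml CSR.pem OUT.xml
"""
import base64
import re
import sys
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for the profile template (assumption: the real
# file has more Input/Attribute elements, but cert_request sits under
# Input id="11" exactly as the post describes).
TEMPLATE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<CertEnrollmentRequest>
  <ProfileID>caInstallCACert</ProfileID>
  <Renewal>false</Renewal>
  <Input id="11">
    <ClassID>certReqInputImpl</ClassID>
    <Name>Certificate Request Input</Name>
    <Attribute name="cert_request_type">
      <Value/>
    </Attribute>
    <Attribute name="cert_request">
      <Value/>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
"""

# Constructed placeholder CSR: base64 of junk bytes, NOT a real PKCS#10 request.
_FAKE_DER = b"constructed-not-a-real-csr"
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(_FAKE_DER).decode("ascii")
    + "\n-----END CERTIFICATE REQUEST-----\n"
)

# Matches both "CERTIFICATE REQUEST" and the older "NEW CERTIFICATE REQUEST" armour.
_PEM_RE = re.compile(
    r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)-----END (NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def pem_to_base64(pem):
    """Return the bare base64 body of a PEM CSR (armour and line breaks removed).

    Raises ValueError when the armour is incomplete or the body is not valid
    base64, so a truncated or mis-pasted CSR is rejected before submission.
    """
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no complete PEM CERTIFICATE REQUEST block found")
    body = "".join(m.group(2).split())
    try:
        base64.b64decode(body, validate=True)
    except Exception as exc:  # binascii.Error in practice
        raise ValueError("CSR body is not valid base64: %s" % exc) from None
    return body


def _value_child(attr):
    """Return the Value child of an Attribute element, accepting either case."""
    for child in attr:
        if child.tag.lower() == "value":
            return child
    raise ValueError("Attribute %r has no Value child" % attr.get("name"))


def _cert_request_value(root, input_id):
    """Locate Input[@id=input_id]/Attribute[@name='cert_request']/Value."""
    inp = root.find("./Input[@id='%s']" % input_id)
    if inp is None:
        raise ValueError("template has no Input with id=%r" % input_id)
    attr = inp.find("./Attribute[@name='cert_request']")
    if attr is None:
        raise ValueError("Input id=%r has no cert_request Attribute" % input_id)
    return _value_child(attr)


def fill_template(template_xml, csr_pem, input_id="11", request_type="pkcs10"):
    """Return the template with the CSR's base64 body placed in cert_request.

    If the template carries an empty cert_request_type attribute it is set to
    request_type (assumption: "pkcs10" is the Dogtag value for a PEM PKCS#10 CSR).
    """
    root = ET.fromstring(template_xml)
    if root.tag != "CertEnrollmentRequest":
        raise ValueError("unexpected root element %r" % root.tag)
    _cert_request_value(root, input_id).text = pem_to_base64(csr_pem)
    inp = root.find("./Input[@id='%s']" % input_id)
    rt = inp.find("./Attribute[@name='cert_request_type']")
    if rt is not None:
        value = _value_child(rt)
        if not (value.text or "").strip():
            value.text = request_type
    return ET.tostring(root, encoding="unicode")


def get_cert_request(filled_xml, input_id="11"):
    """Read back the cert_request value from a filled request (for verification)."""
    return _cert_request_value(ET.fromstring(filled_xml), input_id).text or ""


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: %s TEMPLATE.xml CSR.pem OUT.xml\n" % argv[0])
        return 2
    with open(argv[1]) as f:
        template = f.read()
    with open(argv[2]) as f:
        csr = f.read()
    with open(argv[3], "w") as f:
        f.write(fill_template(template, csr))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One thing worth checking separately from the template: `pki -n <nickname>` authenticates by presenting the named certificate in the TLS handshake and signing with its private key, so the nickname has to refer to an entry in the pki client's NSS database that holds the key as well as the certificate. Importing a PEM certificate alone carries no private key; the key lives in the .p12 file and has to be imported into that NSS database too (for example with pk12util -i) for certificate-based authentication to succeed.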