Hi John,

Thank you for your continuous help. I've tried the commands that you showed me, here are the results:

pk12util -i importfile ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /etc/pki/nssdb/
pk12util: File Open failed: importfile: PR_FILE_NOT_FOUND_ERROR: File not found

pk12util -l listfile -d /etc/pki/nssdb
pk12util: File Open failed: listfile: PR_FILE_NOT_FOUND_ERROR: File not found
pk12util: PKCS12 decode not verified: PR_FILE_NOT_FOUND_ERROR: File not found

I looked to see if there are any other nssdb directories out there. I have one in /root/.pki/nssdb, but it's empty, and another one in /root/.dogtag/nssdb, but this is the result of me running pki -c Secret123 client-init earlier.

Any other idea?

On Mon, Apr 25, 2016 at 6:45 PM, John Magne <[email protected]> wrote:
> Hi:
>
> If you have access to the nss db and the pin, you can try the
> following command, preferably with the server shut down:
>
> pk12util
> Usage: pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
>                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
>                  [-v]
> Usage: pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
>                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
>                  [-v]
> Usage: pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
>                  [-c key_cipher] [-C cert_cipher]
>                  [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]
>                  [-k slotpwfile | -K slotpw]
>                  [-w p12filepwfile | -W p12filepw]
>
>
> ----- Original Message -----
> From: "Ha T. Lam" <[email protected]>
> To: "John Magne" <[email protected]>
> Cc: [email protected]
> Sent: Monday, 25 April, 2016 5:18:59 PM
> Subject: Re: [Pki-users] How to renew the admin certificate
>
> Yes, I think the uid is caadmin too. I didn't do the installation, but I
> inherited the config file used during installation, which lists, among other
> things, the values of pki_admin_uid, pki_admin_password,
> and pki_client_pkcs12_password.
>
> After digging around some more, I found this page about how to set up a new
> CA admin:
>
> http://pki.fedoraproject.org/wiki/CA_Admin_Setup
>
> But when I execute the following command (replacing CA Admin password and
> nickname appropriately from the values in the config file):
>
> pki -c <CA admin password> -n <CA admin nickname> ca-user-add newcaadmin
> --fullName "CA Admin"
>
> I got: ResteasyIOException: IOException
>
> I think it is because the default CA Admin certificate was not installed
> into a database. I tried to do that following:
>
> http://pki.fedoraproject.org/wiki/Default_CA_Admin
>
> but at the following command (replacing Secret123 with our secret)
>
> pki -c Secret123 client-cert-import --pkcs12
> ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password
> ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> I got:
>
> Error: Unrecognized option: --pkcs12
> usage: client-cert-import [OPTIONS]
>     --ca-cert <path>    Import CA certificate file
>     --ca-server         Import CA certificate from CA server
>     --cert <path>       Import certificate file
>
> I switched to
>
> pki -c Secret123 -n caadmin client-cert-import --cert
> ~/.dogtag/pki-tomcat/ca_admin_cert.p12
>
> to get "Import failed"
>
> I seem to get stuck at installing either the old cert or the new one. Do
> you know what the commands are to install the cert?
>
> On Mon, Apr 25, 2016 at 4:17 PM, John Magne <[email protected]> wrote:
>
> > I suspect the uid is probably caadmin, which is the default, if you left
> > it that way.
> >
> > ----- Original Message -----
> > From: "Ha T. Lam" <[email protected]>
> > To: "John Magne" <[email protected]>
> > Cc: [email protected]
> > Sent: Monday, April 25, 2016 3:12:35 PM
> > Subject: Re: [Pki-users] How to renew the admin certificate
> >
> > Hi John,
> >
> > Thank you very much for your quick reply. I've managed to get ssh -X sorted
> > out, because when I typed
> >
> > pkiconsole https://ca02.mycompany.com:8433/ca
> >
> > I get a dialog box asking for User ID and Password. From our conf file, I
> > put in the pki_admin_uid and pki_admin_password; the dialog box went away,
> > but nothing else happened. I also tried using pki_client_pkcs12_password
> > but with the same result. Looking at the log
> > file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see
> >
> > "POST /ca/auths HTTP/1.0" 200 27
> >
> > At this point, I'm not sure if it's because I put in the wrong
> > authentication or if I'm still having problems with the pkiconsole. I've
> > been trying to set up vncserver as you recommended but haven't had much
> > luck.
> >
> > I stumbled on the pki commands and it looks like I can use them to install
> > client certificates. Are they equivalent to the pkiconsole?
> >
> > Thanks,
> > Ha
> >
> >
> > On Mon, Apr 25, 2016 at 11:10 AM, John Magne <[email protected]> wrote:
> >
> > > Hello:
> > >
> > > Your approach seems reasonable:
> > >
> > > Perhaps you might want to start a vncserver on there and
> > > come in that way. There have been issues with using the console over ssh.
> > >
> > > ----- Original Message -----
> > > > From: "Ha T. Lam" <[email protected]>
> > > > To: [email protected]
> > > > Sent: Sunday, April 24, 2016 9:29:07 PM
> > > > Subject: [Pki-users] How to renew the admin certificate
> > > >
> > > > Hi all,
> > > >
> > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox. Our admin
> > > > certificate has unfortunately expired, so the web interface complains that
> > > > the cert is invalid. I've managed to rewind the clock and authorize myself
> > > > a PKI Administrator certificate following this thread:
> > > >
> > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html
> > > >
> > > > I'm now trying to import the new certificate into the system. The thread
> > > > mentioned doing it through the pkiconsole, but I have not been able to get
> > > > it to work. When I typed:
> > > >
> > > > pkiconsole https://ca02.mycompany.com:8433/ca
> > > >
> > > > I don't get any error message, but I don't see any console either. I suspect
> > > > this is because I'm ssh-ing into a virtualbox and the display is not set
> > > > correctly.
> > > >
> > > > My questions are:
> > > > 1. Does the process I mentioned above make sense? I'm new to dogtag and still
> > > > learning about it.
> > > > 2. If I'm on the right track, is there a command line option for pkiconsole?
> > > >
> > > > Thank you for your help,
> > > > Ha
> > > >
> > > > _______________________________________________
> > > > Pki-users mailing list
> > > > [email protected]
> > > > https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
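In the pk12util usage text quoted in this thread, importfile and listfile are placeholders for the PKCS#12 path, and the errors at the top of the message show pk12util trying to open files literally named importfile and listfile. The following POSIX shell wrapper is an added example, not code from the thread, from NSS or from the Dogtag project: it checks that the PKCS#12 file, its password file and the NSS database directory actually exist before invoking pk12util with the -i, -l, -d, -w and -k flags from that usage text. The function names and the PK12UTIL_DRY_RUN variable are this example's own assumptions, not pk12util options.

```shell
#!/bin/sh
# Added example: pre-flight checks around pk12util so that a wrong path is
# reported plainly instead of surfacing as PR_FILE_NOT_FOUND_ERROR.
# PK12UTIL_DRY_RUN=1 (assumed, for this script only) prints the command
# that would run instead of executing it.

# Run the given command, or only print it in dry-run mode.
run_pk12util() {
    if [ "${PK12UTIL_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# An NSS database directory holds cert8.db (legacy) or cert9.db (sqlite);
# an existing but empty directory, like the /root/.pki/nssdb mentioned in
# the thread, is rejected here rather than handed to pk12util.
check_nssdb() {
    dbdir=$1
    if [ ! -d "$dbdir" ]; then
        echo "error: NSS db directory not found: $dbdir" >&2
        return 1
    fi
    if [ ! -f "$dbdir/cert9.db" ] && [ ! -f "$dbdir/cert8.db" ]; then
        echo "error: $dbdir has no cert8.db/cert9.db (empty or not an NSS db)" >&2
        return 1
    fi
    return 0
}

# Refuse to go on if a required file is missing; this is the check that
# turns "File Open failed: importfile" into a message naming the path.
require_file() {
    if [ ! -f "$2" ]; then
        echo "error: $1 not found: $2" >&2
        return 1
    fi
    return 0
}

# Import a PKCS#12 file into an NSS database.
# usage: import_p12 <file.p12> <nssdb dir> <p12 password file> [db password file]
# Passwords are read from files (-w / -k) rather than passed on the command
# line (-W / -K), so they do not show up in the process list.
import_p12() {
    p12=$1; dbdir=$2; p12pw=$3; dbpw=$4
    require_file "PKCS#12 file" "$p12" || return 1
    require_file "PKCS#12 password file" "$p12pw" || return 1
    check_nssdb "$dbdir" || return 1
    if [ -n "$dbpw" ]; then
        require_file "NSS db password file" "$dbpw" || return 1
        run_pk12util pk12util -i "$p12" -d "$dbdir" -w "$p12pw" -k "$dbpw"
    else
        run_pk12util pk12util -i "$p12" -d "$dbdir" -w "$p12pw"
    fi
}

# List the certificates and keys inside a PKCS#12 file without importing it;
# useful to confirm the file is the admin bundle before touching the db.
# usage: list_p12 <file.p12> <p12 password file>
list_p12() {
    p12=$1; p12pw=$2
    require_file "PKCS#12 file" "$p12" || return 1
    require_file "PKCS#12 password file" "$p12pw" || return 1
    run_pk12util pk12util -l "$p12" -w "$p12pw"
}

# Example invocation with the paths from the thread (not run here):
#   list_p12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
#   import_p12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 /etc/pki/nssdb ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
```

Run list_p12 first to confirm the bundle decodes with the password you have, then import_p12 with the server stopped, as suggested in the thread. Keep the password files readable only by the user running the import; a PKCS#12 file and its password together are the admin credential.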
