To follow up on my own message, I can definitely view the user cert with ldapsearch:

ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'

The contents of the userCertificate attribute do match the ca_admin.cert file. That certificate is signed by the FreeIPA cacert. The key question is whether I can replace the userCertificate attribute and whether that new one needs to be signed.

-John

On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt) <[email protected]> wrote:
> Hello,
>
> I've been recently learning a good bit about Dogtag PKI. I've set up a
> standalone Dogtag instance for development, and I've written some code to
> generate CSRs and get a cert from Dogtag. I then went to try and get this
> working against our FreeIPA instances. While trying to create a user
> certificate, I found that none of my pki -n caadmin commands would work.
>
> I eventually discovered this page
> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
> master/first FreeIPA server. While I did have the .cert and .der files, I
> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
> server was rebuilt at one point, and no one was aware of the need to back up
> this directory.
>
> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
> either of these contain the private key that would have been in
> ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
> be replicated to every FreeIPA replica).
>
> My question at this point is whether I can regain control of the Dogtag CA
> system. I believe I would have to create a new key/cert pair locally, and
> then update an LDAP entry with the new cert. Or maybe I can create a new
> user entirely to manage Dogtag. I would probably have to sign the user cert
> using cacert.p12 as well. Since I'm unfamiliar with Dogtag internals, I'm
> looking for guidance. If my guesses are correct, it would be a series of openssl
> commands, followed by some work with LDIF files and ldapmodify.
>
> Thanks in advance,
> John

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
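The comparison John did by eye above (does the userCertificate value in the o=ipaca entry match the ca_admin.cert file on disk?) can be scripted so it is repeatable before and after any ldapmodify. The following is an added example, not code from the thread or from Dogtag/FreeIPA: it parses the LDIF that ldapsearch prints (folded continuation lines, `::` base64 values, the `;binary` attribute option), decodes the certificate file whether it is PEM or DER, and compares SHA-256 fingerprints. The entry DN, the attribute layout and the certificate bytes are constructed placeholders; on a real server you would feed it the ldapsearch output and /root/.dogtag/pki-tomcat/ca_admin.cert instead.

```python
"""Check that the certificate stored on a Dogtag LDAP entry matches a
certificate file on disk, by parsing ldapsearch LDIF output.

Added example (not code from the mailing-list thread or from Dogtag).
The DN, attribute names and certificate bytes are constructed placeholders.
"""
import base64
import hashlib
import re
from typing import Dict, List

# Constructed placeholder standing in for the DER bytes of ca_admin.cert.
# It is NOT valid DER; only its byte identity matters for the comparison.
FAKE_DER = b"\x30\x24" + b"constructed placeholder admin cert bytes"


def _fold(line: str, width: int = 40) -> str:
    """Fold a long line the way ldapsearch does (RFC 2849): continuation
    lines begin with a single space. Used only to build the sample."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


# Constructed LDIF resembling `ldapsearch -L -b o=ipaca uid=admin` output.
SAMPLE_LDIF = (
    "# extended LDIF\n#\n# LDAPv3\n# base <o=ipaca> with scope subtree\n"
    "# filter: uid=admin\n#\n\n"
    "# admin, People, ipaca\n"
    "dn: uid=admin,ou=People,o=ipaca\n"
    "uid: admin\n"
    "cn: Administrator\n"
    + _fold("userCertificate;binary:: " + base64.b64encode(FAKE_DER).decode())
    + "\n\n"
)

# Constructed PEM wrapping of the same placeholder bytes (64-char lines).
_b64 = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CERTIFICATE-----\n"
).encode()


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Parse LDIF into a list of entries {attr_lowercase: [values]}.

    Unfolds continuation lines, decodes `attr:: base64` values, strips
    attribute options such as `;binary` so the value lands under the base
    name, and skips comments, `version:` and `attr:< url` lines.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        else:
            logical.append(raw)

    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in logical:
        if not line.strip():                # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or value.startswith("<"):
            continue
        if value.startswith(":"):
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode("utf-8")
        key = name.split(";")[0].strip().lower()
        current.setdefault(key, []).append(data)
    if current:
        entries.append(current)
    return entries


def decode_cert_file_bytes(data: bytes) -> bytes:
    """Return DER bytes for a certificate file given as PEM or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def sha256_fingerprint(der: bytes) -> str:
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_directory_cert(ldif_text: str, expected_der: bytes,
                         dn_contains: str = "uid=admin") -> dict:
    """Compare every userCertificate on the matching entry against expected_der.
    Returns the expected fingerprint, the stored ones, and whether any matches."""
    want = sha256_fingerprint(expected_der)
    stored: List[str] = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [b""])[0].decode("utf-8", "replace")
        if dn_contains not in dn:
            continue
        for der in entry.get("usercertificate", []):
            stored.append(sha256_fingerprint(der))
    return {"expected": want, "stored": stored, "match": want in stored}


if __name__ == "__main__":
    # Real use: pass ldapsearch output and open("ca_admin.cert","rb").read().
    print(check_directory_cert(SAMPLE_LDIF, decode_cert_file_bytes(FAKE_PEM)))
```

The fingerprint comparison deliberately says nothing about who signed the stored certificate; whether it chains to the FreeIPA CA is a separate check (openssl verify against cacert) that this script does not replace.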
