It turned out that ca-agent.p12 in /root did have the key I need. So I guess I'm good. That's getting backed up, and we'll make new users for our config management system.

For academic purposes, I am still curious as to how one would go about this. I did update the admin user with a self-signed key, and I even went as far as to use the CA to sign a key. I tried creating a new user and updating the admin user with certificates via ldapmodify. In both cases, I got that I could not map the certificate to any user.

[10/May/2016:18:27:27][http-bio-8443-exec-11]: CertUserDBAuthentication: cannot map certificate to any user
[10/May/2016:18:27:27][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=CN=ipa-ca-agent, O=EXAMPLE.COM][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=ipa-ca-agent, O=EXAMPLE.COM] authentication failure

On Tue, May 10, 2016 at 12:47 PM, John Hogenmiller (yt) <[email protected]> wrote:
> To follow up on my own message, I can definitely view the user cert
> with ldapsearch.
>
> ldapsearch -Y GSSAPI -L -u -b "o=ipaca" 'uid=admin'
>
> The contents of the userCertificate attribute do match the ca_admin.cert
> file. That certificate is signed by the FreeIPA cacert. The key is if
> I can replace the userCertificate attribute and if that new one needs
> to be signed.
>
> -John
>
> On Tue, May 10, 2016 at 11:58 AM, John Hogenmiller (yt)
> <[email protected]> wrote:
>> Hello,
>>
>> I've recently been learning a good bit about Dogtag PKI. I've set up a
>> standalone Dogtag instance for development, and I've written some code to
>> generate CSRs and get a cert from Dogtag. I then went to try and get this
>> working against our FreeIPA instances. While trying to create a user
>> certificate, I found that none of my pki -n caadmin commands would work.
>>
>> I eventually discovered this page
>> http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
>> master/first FreeIPA server. While I did have the .cert and .der files, I
>> did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out this
>> server was rebuilt at one point, and no one was aware of the need to back up
>> this directory.
>>
>> I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
>> either of these contains the private key that would have been in
>> ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
>> be replicated to every FreeIPA replica).
>>
>> My question at this point is whether I can regain control of the Dogtag CA
>> system. I believe I would have to create a new key/cert pair locally, and
>> then update an LDAP entry with the new cert. Or maybe I can create a new
>> user entirely to manage Dogtag. I would probably have to sign the user cert
>> using cacert.p12 as well. Since I'm unfamiliar with Dogtag internals, I'm
>> looking for guidance. If my guesses are correct, a series of openssl
>> commands, followed by some work with LDIF files and ldapmodify.
>>
>> Thanks in advance,
>> John

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
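The thread turns on two questions the poster answered by hand: does a given .p12 bundle (ca-agent.p12, cacert.p12) actually carry a private key, and does that key belong to the certificate Dogtag has on file for the user (the userCertificate value the CA tries to map during certUserDBAuthMgr authentication)? The script below is an added example, not code from the thread or from the Dogtag/FreeIPA projects. It builds its own throwaway key/cert pairs and bundles so it runs offline; the file names and the "changeit" password are hypothetical stand-ins for the real bundles and the password from the pkcs12 password conf files. It assumes openssl(1) is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether a PKCS#12
# bundle contains a private key, and whether that key matches a given
# certificate (PEM or DER, e.g. one pulled from a userCertificate attribute).
# Assumes openssl(1). File names and the password "changeit" are hypothetical.
set -eu

# p12_has_key FILE PASSWORD
#   exit 0 if FILE contains at least one private key, 1 otherwise
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# cert_pubkey CERTFILE
#   print the SubjectPublicKeyInfo of a certificate; accepts PEM, then DER
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# p12_key_matches_cert FILE PASSWORD CERTFILE
#   exit 0 if the private key inside FILE corresponds to CERTFILE's public key
p12_key_matches_cert() {
    p12_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    cert_pub=$(cert_pubkey "$3") || return 1
    [ -n "$p12_pub" ] && [ "$p12_pub" = "$cert_pub" ]
}

# --- constructed fixtures (throwaway keys, not real FreeIPA material) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit

# An "agent" key/cert pair, and an unrelated pair to show a mismatch.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=ipa-ca-agent/O=EXAMPLE.COM' \
    -keyout "$WORK/agent.key" -out "$WORK/agent.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=other/O=EXAMPLE.COM' \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Bundle with key and cert: what a usable ca_admin_cert.p12 looks like.
openssl pkcs12 -export -inkey "$WORK/agent.key" -in "$WORK/agent.crt" \
    -out "$WORK/with-key.p12" -passout "pass:$PASS"
# Cert-only bundle: what a rebuilt server may have left behind.
openssl pkcs12 -export -nokeys -in "$WORK/agent.crt" \
    -out "$WORK/cert-only.p12" -passout "pass:$PASS"
# DER copy of the agent cert, as userCertificate would hand it to you.
openssl x509 -in "$WORK/agent.crt" -outform DER -out "$WORK/agent.der"

for f in with-key.p12 cert-only.p12; do
    if p12_has_key "$WORK/$f" "$PASS"; then
        echo "$f: contains a private key"
    else
        echo "$f: no private key (certificates only)"
    fi
done

if p12_key_matches_cert "$WORK/with-key.p12" "$PASS" "$WORK/agent.der"; then
    echo "with-key.p12: private key matches agent certificate"
fi
if ! p12_key_matches_cert "$WORK/with-key.p12" "$PASS" "$WORK/other.crt"; then
    echo "with-key.p12: private key does NOT match other certificate"
fi
```

On a real server you would point the two functions at /root/ca-agent.p12 (password from the pkcs12 password conf file) and at the certificate exported from the `userCertificate` attribute of the LDAP entry under `o=ipaca`; only a bundle that passes both checks can authenticate as that user. One caveat: bundles written by 2016-era NSS/OpenSSL typically use RC2-40 PBE, which OpenSSL 3.x refuses to read unless you add `-legacy` (with the legacy provider available) to the `openssl pkcs12` invocations.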
