I installed PKI-CA several years ago on a Red Hat 7 (actually Oracle Unbreakable
Linux) server. I used it to create certificates for an application and have not
really used it since. I had to renew the base certificates last year. That took
some effort, but I got it to work. Now I am unable to connect to the web-based
agent page. I copied the PKI Administrator .p12 certificate from
~/.dogtag/MyInstance/ to my laptop and installed it under "Your Certificates"
and the signing certificate under "Authorities" in Firefox. When I try to
connect to the agent page (https://.../ca/agent/ca), the padlock goes green,
but I get an "Invalid Credential" error. /var/log/pki/risd-ise/ca/system
contains:

Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI 
Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User 
not found

The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cert8.db. There are actually
two entries: the current one and the previous expired one. It is also in
/etc/pki/ca-trust/source/anchors.


What is it looking for, and where?


- Brian



# certutil -L -d ~/.dogtag/MyInstance/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - MyDomain                            CT,c,
caadmin                                                      u,u,u
caadmin                                                      u,u,u


# certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Fri Mar 10 22:38:25 2017
            Not After : Thu Feb 28 22:38:25 2019
        Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomainr,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:




# certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:

Current versions:

Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM

pki-base-10.5.16-6
pki-base-java-10.5.16-6.el7_7.noarch
java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64


_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
