Hello,

Probably either there is no caadmin (uid=admin may be set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups. Try for example:

Locate the LDAP base DN of the PKI repository:

    ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts

Output example:

    dn:
    namingcontexts: dc=example,dc=test
    namingcontexts: o=rootca1-CA
    namingcontexts: o=subca1-CA

Note it could also be in the form of

    namingcontexts: dc=ca1.example.test-pki-ca1

and in your case it may be similar to o=risd-ise-CA.

Then search in that LDAP backend to verify the values of the attribute uniqueMember of the entries, as in this example but replacing the string o=subca1-CA to match your environment. Either for the agent users:

    ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA "cn=*Agents" dn uniqueMember

or the administrators (admin or caadmin is the default one, like a "root" user):

    ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA "cn=*Administrators" dn uniqueMember

Then verify the uniqueMember value corresponds to a valid existing LDAP entry, for example:

    dn: uid=caadmin,ou=people,o=subca1-CA

and then verify that the admin or agent user entry has a corresponding user certificate, for example:

    ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate

You may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain from the NSS db at ~/.dogtag/risd-ise/ca/alias/. Note this can be done using the pkiconsole.

Thanks,
M.

On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian <brian.w...@risd.org> wrote:

> I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since. I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page.
>
> I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under "Your Certificates" and the signing certificate under Authorities in Firefox. When I try to connect to the agent page (https://.../ca/agent/ca), the padlock goes green, but I get an "Invalid Credential" error. /var/log/pki/risd-ise/ca/system contains
>
> Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found
>
> The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cert8.db. There are actually two entries - the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors
>
> What is it looking for and where?
>
> - Brian
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias
>
> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
>
> CA Signing Certificate - MyDomain                   CT,c,
> caadmin                                             u,u,u
> caadmin                                             u,u,u
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 51 (0x33)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Tue Feb 26 04:20:43 2019
>             Not After : Wed Feb 26 04:20:43 2020
>         Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 6 (0x6)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Fri Mar 10 22:38:25 2017
>             Not After : Thu Feb 28 22:38:25 2019
>         Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomainr,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>
> # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 51 (0x33)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Tue Feb 26 04:20:43 2019
>             Not After : Wed Feb 26 04:20:43 2020
>         Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>
> Current versions:
>
> Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
>
> pki-base-10.5.16-6
> pki-base-java-10.5.16-6.el7_7.noarch
> java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
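The checklist in the reply above (group membership via uniqueMember, a real ou=people entry, and a userCertificate whose serial matches the one the CA logged) can be run offline against captured ldapsearch output. The following is an added example, not code from this thread or from the pki project: it parses LDIF the way `ldapsearch -LLL` prints it, including folded `userCertificate;binary::` values, and reads the serial number straight out of the DER so it can be compared with the logged 0x33. The group LDIF, the user entries and the DER blobs are constructed samples (the DER is a bare version-plus-serial skeleton, not a real certificate); the names `people_ldif`, `diagnose` and `GROUP_LDIF` are this example's own.

```python
"""Offline run of the LDAP checks from the reply above.

Added example, not from the thread or the pki project. GROUP_LDIF, the
people entries and the DER blobs are constructed samples, not real data.
"""
import base64


def _lines_to_entry(lines):
    """One LDIF record -> {attr (lowercased): [values]}; `attr:: v` is base64."""
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())   # bytes, e.g. DER cert
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def parse_ldif(text):
    """Parse ldapsearch -LLL output: blank-line separated records, long values
    folded onto continuation lines that begin with a single space."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold continuation line
        elif raw.strip() == "":
            if lines:
                entries.append(_lines_to_entry(lines))
                lines = []
        else:
            lines.append(raw)
    if lines:
        entries.append(_lines_to_entry(lines))
    return entries


def read_tlv(buf, pos=0):
    """Decode the DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length (real certs need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der):
    """Serial of an X.509 DER cert: Certificate -> tbsCertificate -> [0] version? -> INTEGER."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    tag, content, end = read_tlv(tbs)
    if tag == 0xA0:                           # optional EXPLICIT [0] version
        tag, content, end = read_tlv(tbs, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return int.from_bytes(content, "big", signed=True)


def fake_cert_der(serial):
    """Constructed cert skeleton (version + serial only, short-form lengths); not a valid cert."""
    def tlv(tag, c):
        return bytes([tag, len(c)]) + c
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big", signed=True)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial_bytes))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def people_ldif(uid, serials):
    """Constructed ou=people entry; base64 folded at 20 columns (ldapsearch uses 76)."""
    lines = ["dn: uid=%s,ou=people,o=subca1-CA" % uid, "uid: %s" % uid]
    for s in serials:
        b64 = base64.b64encode(fake_cert_der(s)).decode()
        lines.append("userCertificate;binary:: " + b64[:20])
        lines.extend(" " + b64[i:i + 20] for i in range(20, len(b64), 20))
    return "\n".join(lines) + "\n"


# Constructed ou=groups output, in the shape the reply's ldapsearch commands print.
GROUP_LDIF = """dn: cn=Certificate Manager Agents,ou=groups,o=subca1-CA
uniqueMember: uid=caadmin,ou=people,o=subca1-CA

dn: cn=Administrators,ou=groups,o=subca1-CA
uniqueMember: uid=admin,ou=people,o=subca1-CA
uniqueMember: uid=caadmin,ou=people,o=subca1-CA
"""


def diagnose(group_ldif, people, user_dn, logged_serial):
    """Which groups list user_dn, whether its entry exists, which cert serials it
    holds, and whether the serial from the CA log is among them."""
    want = user_dn.lower()
    groups = [e["dn"][0] for e in parse_ldif(group_ldif)
              if want in (m.lower() for m in e.get("uniquemember", []))]
    entries = [e for e in parse_ldif(people) if e["dn"][0].lower() == want]
    serials = [cert_serial(v) for e in entries for a, vs in e.items()
               if a.startswith("usercertificate") for v in vs]
    return {"groups": groups, "entry_exists": bool(entries),
            "serials": serials, "serial_match": logged_serial in serials}


if __name__ == "__main__":
    user = "uid=caadmin,ou=people,o=subca1-CA"
    # Only the old cert (serial 0x6) is stored: the renewed 0x33 maps to no user.
    print(diagnose(GROUP_LDIF, people_ldif("caadmin", [0x6]), user, 0x33))
    # After ldapmodify adds the renewed certificate, the serial matches.
    print(diagnose(GROUP_LDIF, people_ldif("caadmin", [0x6, 0x33]), user, 0x33))
```

The first run reproduces the situation in the thread: the group membership is fine and the entry exists, but every stored userCertificate has a different serial than the one presented, which is exactly the case in which the CA can only say "User not found". Feeding the script the real output of the two ldapsearch commands from the reply, rather than the constructed samples, tells you which of the three conditions is the one that fails.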