Hello,

TL;DR: how should I authenticate for pki command line commands on
stock IPA installation?

Longer context: I try to setup new IPA server (1) with --external-ca
and I'd like to sign the CSR which gets generated on IPA 1 using
CA at my other IPA server (2).

The CSR as produced by IPA 1 is for

        Subject: O=SUB.EXAMPLE.TEST, CN=Certificate Authority
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

Jan Ch. hints that I cannot use ipa cert-request because the certificate
request does not have hostname CN and besides, IPA and ipa command only
support server certificates and here I am attempting to create CA
certificate.

Hence my understanding is I need to use Dogtag directly and I'd like
to use the pki commands. I believe I need start by getting the XML
template -- I've used

        pki cert-request-profile-show caInstallCACert --output template

Then I took the Base64 content of the /root/ipa.csr from IPA 2, put it
to <value> child element of

        /CertEnrollmentRequest/Input[@id="11"]/Attribute[@name="cert_request"]

and attempted to run

        # pki cert-request-submit template 
        UnauthorizedException: AuthCredentials.set()

Reading man pki(1) suggests I should authenticate using certificate
nickname, and reading other documentation suggests that using
ca-agent's certificate could be a good option. So I do

        # openssl pkcs12 -out /root/ca-agent.pem < /root/ca-agent.p12
        Enter Import Password:
        MAC verified OK
        Enter PEM pass phrase:
        # pki -n ca-agent client-cert-import --cert /root/ca-agent.pem
        -------------------------------
        Imported certificate "ca-agent"
        -------------------------------
        # pki -n ca-agent cert-request-submit template
        WARNING: UNTRUSTED ISSUER encountered on 
'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert 
'CN=Certificate Authority,O=EXAMPLE.TEST'
        Import CA certificate (Y/n)? n
        ClientResponseFailure: Error status 401 Unauthorized returned

Even if I allow that CA certificate to be imported, the results is
the same:

        Import CA certificate (Y/n)? 
        CA server URI [http://mgmt9.rhq.lab.eng.bos.redhat.com:8080/ca]: 
        ClientResponseFailure: Error status 401 Unauthorized returned

What am I doing wrong? This is with ipa-server-4.1.0-18.el7.x86_64
and pki-server-10.1.2-7.el7.noarch.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to