On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote:
> John Stokes via FreeIPA-users wrote:
>> Today while creating a backup I realized I don't know the
>> password for the file /root/cacert.p12 where the private key
>> of the CA should be stored. The one I thought it should be
>> (same as the pass for my admin user) does not seem to be
>> working.
>>
>> Is there a way to reexport the private key of the CA?
>
> The password is the Directory Manager password provided during initial
> installation.
Hmm... is the directory manager password stashed somewhere on an IPA server?
I ask because my /root/cacert.p12 and /root/kracert.p12 files also
aren't encrypted with my directory manager password and I am pretty sure
I haven't changed this password since installing any of my current IPA
servers. And when I install a replica I don't remember typing the
directory manager password anywhere...
(The knowledge base article about changing the Directory Manager
password at https://access.redhat.com/solutions/203473 doesn't mention
any steps other than setting a new hashed password in dse.ldif; if the
original directory manager password is stashed somewhere then that
article could do with an update...)
I went searching through the freeipa source code to figure out for myself
how /root/cacert.p12 and /root/kracert.p12 are created. It seems that
they are moved from /var/lib/pki/pki-tomcat/ca_backup_keys.p12 and
/var/lib/pki/pki-tomcat/kra_backup_keys.p12 at the end of the
server/replica installation process.
Those files are created by
https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/scriptlets/finalization.py#L61;
I've yet to figure out where pki_backup_password comes from. Hence me
wondering if it's actually stored somewhere on the IPA server...
> You can use PKCS12EXPORT to create a new PKCS#12 file with the CA
> private key.
Anyway, I found the command that actually creates the files at
https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/__init__.py#L3797
and from that I came up with these commands to recreate /root/cacert.p12
and /root/kracert.p12:
# pki-server subsystem-cert-export ca --pkcs12-file=/root/cacert.p12
# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracert.p12
These commands prompt for a password if one is not provided via
--pkcs12-password-file= so it's convenient to type the directory manager
password at this point rather than having to save it to a file for
PKCS12Export to consume.
Since the tooling for PKCS12 files is a tad awkward to use, here's a
handy command to print out the contents of these files:
# openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
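The two things the thread circles around are (a) not knowing which password a backup PKCS#12 was written with and (b) listing what a PKCS#12 actually contains. The script below is an added example, not code from the thread, FreeIPA or Dogtag: it builds a throwaway PKCS#12 the same way the pki-server export does (key plus certificate, password read from a file), then shows a cheap password check that only verifies the file's MAC without extracting anything, and the same body-stripping listing as in the post. Everything in it (the work directory, the "demo-dirman-password" string, the "caSigningCert demo" nickname) is made up for the demo; it assumes an OpenSSL 1.1.1 or 3.x binary on PATH and uses the older `-nodes` spelling because `-noenc` only exists in OpenSSL 3.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): create a demo PKCS#12 the
# way pki-server's backup export does, check a candidate password against it
# without decrypting it, and list the bags without their base64 bodies.
# Assumes OpenSSL 1.1.1 or 3.x; all names and the password are invented.
set -eu

WORK=${WORK:-$(mktemp -d)}
P12="$WORK/cacert.p12"
PWFILE="$WORK/pkcs12_password.txt"

# make_demo_p12: self-signed "CA" key pair wrapped in a PKCS#12 whose
# password is read from $PWFILE (mirrors --pkcs12-password-file=).
make_demo_p12() {
    printf '%s' 'demo-dirman-password' > "$PWFILE"
    chmod 600 "$PWFILE"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=EXAMPLE/CN=Demo CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl pkcs12 -export -name 'caSigningCert demo' \
        -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
        -out "$P12" -passout "file:$PWFILE"
}

# p12_password_ok FILE PASSWORD: exit 0 if PASSWORD opens FILE, non-zero
# otherwise.  Only the integrity MAC is verified; no key material is
# decrypted or written anywhere, so this is safe to loop over candidates.
p12_password_ok() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" >/dev/null 2>&1
}

# p12_summary FILE PASSWORD: bag attributes plus the BEGIN/END markers,
# with the base64 bodies filtered out (same filter as in the post).
p12_summary() {
    openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null \
        | grep -E -v '^[0-9A-Za-z/+]+=*$'
}

# p12_friendly_names FILE PASSWORD: just the friendlyName of each bag,
# i.e. which NSS nicknames the backup holds.
p12_friendly_names() {
    p12_summary "$1" "$2" | sed -n 's/^ *friendlyName: //p'
}

make_demo_p12

# Stand-alone run: try a wrong and a right password, then list the bags.
if p12_password_ok "$P12" 'not-the-password'; then
    echo "unexpected: wrong password accepted"
else
    echo "wrong password rejected, as expected"
fi
p12_password_ok "$P12" "$(cat "$PWFILE")" && echo "password from $PWFILE is correct"
p12_summary "$P12" "$(cat "$PWFILE")"
```

`p12_password_ok` is the check to reach for when you are unsure which password a backup was written with: `-info -noout` fails with a "Mac verify error" on a wrong password and never writes the private key to the terminal or a file. Once a password is confirmed, `p12_friendly_names` tells you which nicknames the file holds before you import it into an NSS database with `pk12util`.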
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue