[Freeipa-users] Re: Lost password for CA private key

2023-09-22 Thread Sam Morris via FreeIPA-users

On 21/09/2023 22:05, John Stokes via FreeIPA-users wrote:

What is the kracert.p12 used for?

I get this error when I try to export:
[root@aaa-01 ca]# pki-server subsystem-cert-export kra 
--pkcs12-file=/root/kracertbackup.p12
ERROR: No kra subsystem in instance pki-tomcat.


You've probably not run ipa-server-install --setup-kra

KRA is the Key Recovery Authority which is the component that stores 
secrets when you use FreeIPA's 'vaults' feature:


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/vaults-in-idm_configuring-and-managing-idm

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
One more thing: When exporting, I got these warnings:

WARNING: The SHA-1 algorithm used in 
org.mozilla.jss.pkcs12.SafeBag::getLocalKeyIDFromCert:264 is deprecated. Use a 
more secure algorithm.

I suppose the key was created with SHA-1 back then (5 years ago). Is there 
anything I can do about this?


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
What is the kracert.p12 used for? 

I get this error when I try to export:
[root@aaa-01 ca]# pki-server subsystem-cert-export kra 
--pkcs12-file=/root/kracertbackup.p12
ERROR: No kra subsystem in instance pki-tomcat.


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread John Stokes via FreeIPA-users
Thank you. I used the procedure mentioned here 
https://www.dogtagpki.org/wiki/PKCS12Export and was able to export the key.


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Sam Morris via FreeIPA-users

On 21/09/2023 20:30, Rob Crittenden via FreeIPA-users wrote:
>> I ask because my /root/cacert.p12 and /root/kracert.p12 files also
>> aren't encrypted with my directory manager password and I am pretty sure
>> I haven't changed this password since installing any of my current IPA
>> servers. And when I install a replica I don't remember typing the
>> directory manager password anywhere...
>
> I can't explain it. Mine is definitely encrypted by the DM password.

I just pulled the cacert.p12 and kracert.p12 files from the backup of my 
original ipa server and... my directory manager password is able to 
decrypt them!

So it's only my current servers where the file can't be decrypted... how 
strange...

>> Since the tooling for PKCS12 files is a tad awkward to use, here's a
>> handy command to print out the contents of these files:
>>
>> # openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'
>
> pk12util -l /path/to/cacert.p12 will print all the stored certs and
> whether there is a private key included.

Ah that's a much nicer command, thanks.

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote:
> On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote:
>> John Stokes via FreeIPA-users wrote:
>>> Today while creating a backup I realized I don't know the
>>> password for the file /root/cacert.p12 where the private key
>>> of the CA should be stored. The one I thought it should be
>>> (same as the pass for my admin user) does not seem to be
>>> working.
>>>
>>> Is there a way to reexport the private key of the CA?
>> The password is the Directory Manager password provided during initial
>> installation.
> 
> Hmm... is the directory manager password stashed somewhere on an IPA
> server?

Not in plain text.
> I ask because my /root/cacert.p12 and /root/kracert.p12 files also
> aren't encrypted with my directory manager password and I am pretty sure
> I haven't changed this password since installing any of my current IPA
> servers. And when I install a replica I don't remember typing the
> directory manager password anywhere...

I can't explain it. Mine is definitely encrypted by the DM password.
> 
> (The knowledge base article about changing the Directory Manager
> password at https://access.redhat.com/solutions/203473 doesn't mention
> any steps other than setting a new hashed password in dse.ldif; if the
> original directory manager password is stashed somewhere then that
> article could do with an update...)
> 
> I went searching through the freeipa source code to figure out how
> /root/cacert.p12 and /root/kracert.p12 are created myself. It seems that
> they are moved from /var/lib/pki/pki-tomcat/ca_backup_keys.p12 and
> /var/lib/pki/pki-tomcat/kra_backup_keys.p12 at the end of the
> server/replica installation process.
> 
> Those files are created by
> https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/scriptlets/finalization.py#L61;
> I've yet to figure out where pki_backup_password comes from. Hence me
> wondering if it's actually stored somewhere on the IPA server...

pki_backup_password is set to the DM password during installation.

>> You can use PKCS12EXPORT to create a new PKCS#12 file with the CA
>> private key.
> 
> Anyway, I found the command that actually creates the files at
> https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/__init__.py#L3797
> and from that I came up with these commands to recreate /root/cacert.p12
> and /root/kracert.p12:
> 
> # pki-server subsystem-cert-export  ca --pkcs12-file=/root/cacert.p12
> # pki-server subsystem-cert-export kra --pkcs12-file=/root/kracert.p12
> 
> These commands prompt for a password if one is not provided via
> --pkcs-password-file= so it's convenient to type the directory manager
> password at this point rather than having to save it to a file for
> PKCS12Export to consume.
> 
> Since the tooling for PKCS12 files is a tad awkward to use, here's a
> handy command to print out the contents of these files:
> 
> # openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'

pk12util -l /path/to/cacert.p12 will print all the stored certs and
whether there is a private key included.

rob


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Sam Morris via FreeIPA-users

On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote:
> John Stokes via FreeIPA-users wrote:
>> Today while creating a backup I realized I don't know the
>> password for the file /root/cacert.p12 where the private key
>> of the CA should be stored. The one I thought it should be
>> (same as the pass for my admin user) does not seem to be
>> working.
>>
>> Is there a way to reexport the private key of the CA?
>
> The password is the Directory Manager password provided during initial
> installation.


Hmm... is the directory manager password stashed somewhere on an IPA server?

I ask because my /root/cacert.p12 and /root/kracert.p12 files also 
aren't encrypted with my directory manager password and I am pretty sure 
I haven't changed this password since installing any of my current IPA 
servers. And when I install a replica I don't remember typing the 
directory manager password anywhere...


(The knowledge base article about changing the Directory Manager 
password at https://access.redhat.com/solutions/203473 doesn't mention 
any steps other than setting a new hashed password in dse.ldif; if the 
original directory manager password is stashed somewhere then that 
article could do with an update...)


I went searching through the freeipa source code to figure out how 
/root/cacert.p12 and /root/kracert.p12 are created myself. It seems that 
they are moved from /var/lib/pki/pki-tomcat/ca_backup_keys.p12 and 
/var/lib/pki/pki-tomcat/kra_backup_keys.p12 at the end of the 
server/replica installation process.


Those files are created by 
https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/scriptlets/finalization.py#L61; 
I've yet to figure out where pki_backup_password comes from. Hence me 
wondering if it's actually stored somewhere on the IPA server...


> You can use PKCS12EXPORT to create a new PKCS#12 file with the CA
> private key.

Anyway, I found the command that actually creates the files at 
https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/__init__.py#L3797 
and from that I came up with these commands to recreate /root/cacert.p12 
and /root/kracert.p12:


# pki-server subsystem-cert-export  ca --pkcs12-file=/root/cacert.p12
# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracert.p12

These commands prompt for a password if one is not provided via 
--pkcs-password-file= so it's convenient to type the directory manager 
password at this point rather than having to save it to a file for 
PKCS12Export to consume.


Since the tooling for PKCS12 files is a tad awkward to use, here's a 
handy command to print out the contents of these files:


# openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
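The script below is an added example, not code from this thread or from FreeIPA/Dogtag. It is the check a backup owner would want to run on a file like /root/cacert.p12 once it has been recreated with pki-server subsystem-cert-export: does the candidate password (the Directory Manager password, per Rob's reply above) actually open the file, does the file hold a private key as well as certificates, and does that key really belong to the CA certificate rather than being an unrelated key. Everything it operates on is constructed for the demonstration: the realm EXAMPLE.TEST, the password Secret123 and the self-signed stand-in for the CA are assumptions, and the functions can be pointed at a real export instead. Passwords are passed through the environment (-passin env:) so they never appear in the process list; -nodes is used rather than -noenc because both OpenSSL 1.1 and 3.x accept it.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): sanity-check a
# PKCS#12 backup such as /root/cacert.p12 before relying on it.
# Assumes `openssl` is on PATH. Passwords travel via the environment
# (-passin env:/-passout env:) so they do not show up in `ps`.
set -eu

# p12_check FILE PASSWORD
# Prints "key=N cert=N" and returns 0 if PASSWORD opens FILE; returns 1 when
# the MAC check fails (wrong password) or the file cannot be read.
p12_check() {
    if ! out=$(P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS \
                -nodes 2>/dev/null); then
        return 1
    fi
    keys=$(printf '%s\n' "$out" | grep -c 'BEGIN PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
    printf 'key=%s cert=%s\n' "$keys" "$certs"
}

# p12_key_matches_cert FILE PASSWORD
# Returns 0 only if the private key in FILE has the same public key as the
# first certificate in FILE, i.e. the backup holds the signing key itself.
p12_key_matches_cert() {
    key_pub=$(P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS \
                -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null || true)
    cert_pub=$(P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS \
                -nokeys 2>/dev/null \
              | openssl x509 -pubkey -noout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# make_fixture DIR PASSWORD
# Constructed stand-in for an IPA CA (assumption, not a real export): a
# self-signed cert with the subject shape FreeIPA uses (O=<REALM>,
# CN=Certificate Authority), packed with its key under one nickname.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    P12PASS=$2 openssl pkcs12 -export -name caSigningCert \
        -inkey "$1/ca.key" -in "$1/ca.crt" \
        -passout env:P12PASS -out "$1/cacert.p12"
}

# demo: build the fixture, then try the right and a wrong password.
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir" 'Secret123'
    echo "right password:  $(p12_check "$dir/cacert.p12" 'Secret123')"
    if p12_check "$dir/cacert.p12" 'not-the-dm-password' >/dev/null; then
        echo "wrong password:  opened (unexpected)"
    else
        echo "wrong password:  rejected"
    fi
    if p12_key_matches_cert "$dir/cacert.p12" 'Secret123'; then
        echo "key/cert match:  yes"
    else
        echo "key/cert match:  NO - this file does not contain the CA key"
    fi
    rm -rf "$dir"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh check-p12.sh demo`, or source it and call `p12_check /root/cacert.p12 "$dm_password"` against a real export. One caveat for old files: PKCS#12 files written by older NSS-based tooling may use RC2/3DES password-based encryption, which OpenSSL 3 only reads when given the -legacy flag with the legacy provider available; the functions above will then report a wrong password until that flag is added.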


[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Rob Crittenden via FreeIPA-users
John Stokes via FreeIPA-users wrote:
> I have an IPA CA that is running fine for several years now. I also have two 
> replicas installed.
> 
> Today while creating a backup I realized I don't know the password for the 
> file /root/cacert.p12 where the private key of the CA should be stored. The 
> one I thought it should be (same as the pass for my admin user) does not seem 
> to be working.
> 
> Is there a way to reexport the private key of the CA? As I said everything is 
> working fine and I have access to the server.
> If not how should I proceed? Should I destroy the whole CA and build a new 
> one?

The password is the Directory Manager password provided during initial
installation.

You can use PKCS12EXPORT to create a new PKCS#12 file with the CA
private key.

There is no supported way to replace the CA in a running IPA server.

rob