On Wed, Jun 12, 2019 at 10:52 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Ian Kumlien via FreeIPA-users wrote:
> On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>
>> Ian Kumlien via FreeIPA-users wrote:
>>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>> Ian Kumlien via FreeIPA-users wrote:
>
> [--8<--]
>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert cert-pki-ca                       u,u,u
>>> transportCert cert-pki-kra                    u,u,u
>>> storageCert cert-pki-kra                      u,u,u
>>> auditSigningCert cert-pki-kra                 u,u,Pu
>>> XERCES.LAN IPA CA                             CT,C,C
>>> XERCES.LAN IPA CA                             CT,C,C
>>> XERCES.LAN IPA CA                             CT,C,C
>>
>>
>> You're missing all the CA certificates except the one that tomcat uses!?
>> That includes the CA signing cert!
>>
>> It should look more like (excluding the *kra certs):
>>
>> caSigningCert cert-pki-ca CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca u,u,u
>> subsystemCert cert-pki-ca u,u,u
>> auditSigningCert cert-pki-ca u,u,Pu
>> Server-Cert cert-pki-ca u,u,u
>>
>> Do the keys for those certs exist?
>>
>> # grep internal /etc/pki/pki-tomcat/password.conf
>> internal=foo
>> # certutil -K -d /etc/pki/pki-tomcat/alias/
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>> Enter Password or Pin for "NSS Certificate DB": foo
>>
>> Perhaps a bunch of orphans?
>
> Seems like it, I have three orphans and the keys for subsystemCert,
> caSigningCert, ocspSigningCert seem to exist
You'll need the audit signing cert as well. Hopefully that key is in
there somewhere.

If you have another master with a CA you can get the cert values from
them using:

# certutil -L -d /etc/pki/pki-tomcat/alias/ -n "<nickname>" -a > /tmp/<nickname>

Or you can get the raw cert values from /etc/pki/pki-tomcat/ca/CS.cfg
from the values:

ca.audit_signing.cert
ca.ocsp_signing.cert
ca.signing.cert
ca.subsystem.cert

You'll need to re-format that into PEM format manually.

Once you have all the certs from either method, add them to the db with:

# certutil -A -d /etc/pki/pki-tomcat/alias/ -n "<nickname>" -t <trust> -a -i /tmp/<nickname>

The trust value will vary by cert. Use the list that I provided in my
last e-mail for the proper values.

The nickname is important, don't get creative :-) Use the value from my
output.
Thanks! Will do, but will do it tomorrow, been a long day and...
things might go awry if I try it now, will let you know how it goes!
> rob
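The "re-format that into PEM format manually" step from Rob's message, written out as a POSIX shell helper. This is an added example, not code from the thread or from FreeIPA/Dogtag: the function names (trust_for_nickname, cs_cfg_to_pem, import_cmd), the /tmp output paths and the CS.cfg sample used in the dry run are assumptions for illustration. CS.cfg stores each certificate as one line of base64 DER after the key (for example ca.signing.cert=MIIC...), and PEM is that same base64 between a BEGIN/END CERTIFICATE header and footer, folded at 64 columns. The nickname-to-trust mapping is the one Rob listed in his earlier mail. The certutil -A commands are printed rather than executed so the nickname and trust pairing can be reviewed before anything is written to the NSS database.

```shell
#!/bin/sh
# Added example (not from the thread): convert the base64 DER values in a
# pki-tomcat CS.cfg into PEM files and pair each nickname with the trust
# flags Rob listed. Function names and the sample CS.cfg are assumptions.

# Nickname -> NSS trust flags (SSL,S/MIME,JAR/XPI), from Rob's list.
trust_for_nickname() {
    case "$1" in
        "caSigningCert cert-pki-ca")    echo "CTu,Cu,Cu" ;;
        "ocspSigningCert cert-pki-ca")  echo "u,u,u" ;;
        "subsystemCert cert-pki-ca")    echo "u,u,u" ;;
        "auditSigningCert cert-pki-ca") echo "u,u,Pu" ;;
        "Server-Cert cert-pki-ca")      echo "u,u,u" ;;
        *) echo "unknown nickname: $1" >&2; return 1 ;;
    esac
}

# cs_cfg_to_pem CS.cfg KEY OUTFILE
# CS.cfg keeps each cert on a single line: ca.signing.cert=MIIC...
# PEM is the same base64 wrapped in a header/footer and folded at 64 columns.
cs_cfg_to_pem() {
    cfg="$1"; key="$2"; out="$3"
    # Anchor on "^key=" so ca.signing.cert does not match ca.signing.certnickname.
    value=$(sed -n "s/^${key}=//p" "$cfg" | head -n 1 | tr -d '\r')
    if [ -z "$value" ]; then
        echo "no value for $key in $cfg" >&2
        return 1
    fi
    {
        echo "-----BEGIN CERTIFICATE-----"
        printf '%s\n' "$value" | fold -w 64
        echo "-----END CERTIFICATE-----"
    } > "$out"
}

# Print (do not run) the certutil -A command for one cert, so the
# nickname/trust pairing can be checked before the NSS db is touched.
import_cmd() {
    nick="$1"; pem="$2"
    trust=$(trust_for_nickname "$nick") || return 1
    printf 'certutil -A -d /etc/pki/pki-tomcat/alias/ -n "%s" -t %s -a -i %s\n' \
        "$nick" "$trust" "$pem"
}

# Dry run over the four CA certs Rob names; pass the CS.cfg path as $1.
if [ -n "${1:-}" ]; then
    for pair in "ca.signing.cert:caSigningCert cert-pki-ca" \
                "ca.ocsp_signing.cert:ocspSigningCert cert-pki-ca" \
                "ca.subsystem.cert:subsystemCert cert-pki-ca" \
                "ca.audit_signing.cert:auditSigningCert cert-pki-ca"; do
        key=${pair%%:*}; nick=${pair#*:}
        pem="/tmp/${nick%% *}.pem"   # assumed output path, e.g. /tmp/caSigningCert.pem
        cs_cfg_to_pem "$1" "$key" "$pem" && import_cmd "$nick" "$pem"
    done
fi
```

Before importing, it is worth confirming each PEM file actually parses (for example with `openssl x509 -in /tmp/caSigningCert.pem -noout -subject -dates`) and that the subject matches the nickname it is about to be stored under; a key that exists in the db but belongs to a different cert will not turn an orphan into a usable pair.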