Ian Kumlien wrote:
On Thu, Jun 13, 2019 at 12:32 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>
> On Wed, Jun 12, 2019 at 10:55 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>
>> On Wed, Jun 12, 2019 at 10:52 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>
>>> Ian Kumlien via FreeIPA-users wrote:
>>>> On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>
>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>
>>>> [--8<--]
>>>>
>>>>>> Certificate Nickname                                  Trust Attributes
>>>>>>                                                       SSL,S/MIME,JAR/XPI
>>>>>>
>>>>>> Server-Cert cert-pki-ca                               u,u,u
>>>>>> transportCert cert-pki-kra                            u,u,u
>>>>>> storageCert cert-pki-kra                              u,u,u
>>>>>> auditSigningCert cert-pki-kra                         u,u,Pu
>>>>>> XERCES.LAN IPA CA                                     CT,C,C
>>>>>> XERCES.LAN IPA CA                                     CT,C,C
>>>>>> XERCES.LAN IPA CA                                     CT,C,C
>>>>>
>>>>>
>>>>> You're missing all the CA certificates except the one that tomcat uses!?
>>>>> That includes the CA signing cert!
>>>>>
>>>>> It should look more like (excluding the *kra certs):
>>>>>
>>>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>>>> ocspSigningCert cert-pki-ca u,u,u
>>>>> subsystemCert cert-pki-ca u,u,u
>>>>> auditSigningCert cert-pki-ca u,u,Pu
>>>>> Server-Cert cert-pki-ca u,u,u
>>>>>
>>>>> Do the keys for those certs exist?
>>>>>
>>>>> # grep internal /etc/pki/pki-tomcat/password.conf
>>>>> internal=foo
>>>>> # certutil -K -d /etc/pki/pki-tomcat/alias/
>>>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>>>>> Enter Password or Pin for "NSS Certificate DB": foo
>>>>>
>>>>> Perhaps a bunch of orphans?
>>>>
>>>> Seems like it, I have three orphans and the keys for subsystemCert,
>>>> caSigningCert, ocspSigningCert seem to exist
>>>
>>> You'll need the audit signing cert as well. Hopefully that key is in
>>> there somewhere.
>>>
>>> If you have another master with a CA you can get the cert values from
>>> them using:
>>>
>>> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n "<nickname>" -a > /tmp/<nickname>
>>>
>>> Or you can get the raw cert values from /etc/pki/pki-tomcat/ca/CS.cfg
>>> from the values:
>>>
>>> ca.audit_signing.cert
>>> ca.ocsp_signing.cert
>>> ca.signing.cert
>>> ca.subsystem.cert
>>>
>>> You'll need to re-format that into PEM format manually.
>>>
>>> Once you have all the certs from either method, add them to the db with:
>>>
>>> # certutil -A -d /etc/pki/pki-tomcat/alias/ -n "<nickname>" -t <trust> -a -i /tmp/<nickname>
>>>
>>> The trust value will vary by cert. Use the list that I provided in my
>>> last e-mail for the proper values.
>>>
>>> The nickname is important, don't get creative :-) Use the value from my
>>> output.
>>
>> Thanks! Will do, but will do it tomorrow, been a long day and...
>> things might go awry if I try it now, will let you know how it goes!
>
> Ok, so this is interesting...
>
> certutil -A -d /etc/pki/pki-tomcat/alias/ -n "caSigningCert
> cert-pki-ca" -t "CTu,Cu,Cu" -a -i ./ca.signing.cert
> Notice: Trust flag u is set automatically if the private key is present.
> Enter Password or Pin for "NSS Certificate DB":
>
> and:
> echo $?
> 0
>
> But it's not added - and it's still valid... (openssl reads it fine....)
>
> I actually suspect that the "XERCES.LAN IPA CA" certificates are the
> ones we're looking for - just named incorrectly
Ok, we could fix that but below is more worrying.
Also, added the others, but I can't set "u"...
New certs added are now:
ocspSigningCert cert-pki-ca                                  ,,
subsystemCert cert-pki-ca                                    ,,
auditSigningCert cert-pki-ca                                 ,,P
This means there is no private key to go along with the certificate.
So do you have another working CA somewhere?
rob
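The second route Rob describes above (copy the raw value of ca.signing.cert and the other three keys out of /etc/pki/pki-tomcat/ca/CS.cfg, re-wrap it as PEM, then feed the file to `certutil -A -a -i`) is easy to get wrong by hand, so here is an added shell example for that step. It is not code from this thread or from FreeIPA/Dogtag: the CS.cfg content and the "certificate" bytes are constructed stand-ins (a base64-encoded text string, not a real DER certificate), and the function names, the scratch directory and the pre-import check (armour present, body at most 64 columns, body decodes as base64) are my own additions that the thread does not describe.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. It rebuilds PEM
# files from the raw base64 values that keys such as ca.signing.cert hold in
# CS.cfg, so they can be imported with `certutil -A ... -a -i <file>`.
# All CS.cfg content below is constructed; no real certificate is involved.

# Print the value of one CS.cfg key (key=value, one per line). Dots in the
# key are escaped so "ca.signing.cert" matches only that exact key.
cs_cfg_value() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^${key_re}=//p" "$2" | head -n 1
}

# Read base64 on stdin (whitespace and line breaks tolerated) and emit it in
# PEM armour with 64-column body lines, the layout certutil and openssl expect.
b64_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    tr -d ' \t\r\n' | awk '{ s = s $0 }
        END {
            while (length(s) > 64) { print substr(s, 1, 64); s = substr(s, 65) }
            if (length(s) > 0) print s
        }'
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Sanity-check a PEM file before importing it: correct armour on the first
# and last line, no body line longer than 64 characters, and a body that
# decodes as base64. Returns 0 when the file passes, 1 otherwise.
pem_check() {
    head -n 1 "$1" | grep -qx -e '-----BEGIN CERTIFICATE-----' || return 1
    tail -n 1 "$1" | grep -qx -e '-----END CERTIFICATE-----' || return 1
    [ "$(sed '1d;$d' "$1" | awk '{ if (length($0) > 64) bad = 1 } END { print bad + 0 }')" = 0 ] || return 1
    sed '1d;$d' "$1" | tr -d '\n' | base64 -d >/dev/null 2>&1
}

# Write a constructed CS.cfg into a scratch directory, convert the four CA
# cert keys Rob lists to PEM files and check each one. Prints the file paths
# (one per line) so they can be passed to certutil -A afterwards.
demo_rebuild_pems() {
    work=$(mktemp -d)
    fake_der="constructed stand-in for DER bytes, long enough to need more than one 64-column PEM line"
    b64=$(printf '%s' "$fake_der" | base64 | tr -d '\n')
    cat > "$work/CS.cfg" <<EOF
ca.audit_signing.cert=$b64
ca.ocsp_signing.cert=$b64
ca.signing.cert=$b64
ca.subsystem.cert=$b64
EOF
    for key in ca.audit_signing.cert ca.ocsp_signing.cert ca.signing.cert ca.subsystem.cert; do
        out="$work/$key.pem"
        cs_cfg_value "$key" "$work/CS.cfg" | b64_to_pem > "$out"
        pem_check "$out" || { echo "bad PEM for $key" >&2; return 1; }
        echo "$out"
    done
}

demo_rebuild_pems
```

The import itself is then exactly Rob's command, one `certutil -A` per file with the nickname and trust flags from his list. As his later reply points out, certutil only adds the "u" flag when a matching private key is already in the database, so a `,,` result after import is the signal that the key, not the certificate, is what is missing.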