I have an IPA CA that is running fine for several years now. I also have two replicas installed.
Today while creating a backup I realized I don't know the password for the file /root/cacert.p12 where the private key of the CA should be stored. The one I thought it should be (same as the pass for my admin user) does not seem to be working.
Is there a way to reexport the private key of the CA? As I said everything is working fine and I have access to the server. If not how should I proceed? Should I destroy the whole CA and build a new one?
John Stokes via FreeIPA-users wrote:
I have an IPA CA that is running fine for several years now. I also have two replicas installed.
Today while creating a backup I realized I don't know the password for the file /root/cacert.p12 where the private key of the CA should be stored. The one I thought it should be (same as the pass for my admin user) does not seem to be working.
Is there a way to reexport the private key of the CA? As I said everything is working fine and I have access to the server. If not how should I proceed? Should I destroy the whole CA and build a new one?
The password is the Directory Manager password provided during initial installation.
You can use PKCS12EXPORT to create a new PKCS#12 file with the CA private key.
There is no supported way to replace the CA in a running IPA server.
rob
On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote:
John Stokes via FreeIPA-users wrote:
Today while creating a backup I realized I don't know the password for the file /root/cacert.p12 where the private key of the CA should be stored. The one I thought it should be (same as the pass for my admin user) does not seem to be working.
Is there a way to reexport the private key of the CA?
The password is the Directory Manager password provided during initial installation.
Hmm... is the directory manager password stashed somewhere on an IPA server?
I ask because my /root/cacert.p12 and /root/kracert.p12 files also aren't encrypted with my directory manager password and I am pretty sure I haven't changed this password since installing any of my current IPA servers. And when I install a replica I don't remember typing the directory manager password anywhere...
(The knowledge base article about changing the Directory Manager password at https://access.redhat.com/solutions/203473 doesn't mention any steps other than setting a new hashed password in dse.ldif; if the original directory manager password is stashed somewhere then that article could do with an update...)
I went searching through the freeipa source code to figure out /root/cacert.p12 and /root/kracert.p12 are created myself. It seems that they are moved from /var/lib/pki/pki-tomcat/ca_backup_keys.p12 and /var/lib/pki/pki-tomcat/kra_backup_keys.p12 at the end of the server/replica installation process.
Those files are created by https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37f...; I've yet to figure out where pki_backup_password comes from. Hence me wondering if it's actually stored somewhere on the IPA server...
You can use PKCS12EXPORT to create a new PKCS#12 file with the CA private key.
Anyway, I found the command that actually creates the files at https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37f... and from that I came up with these commands to recreate /root/cacert.p12 and /root/kracert.p12:
# pki-server subsystem-cert-export ca --pkcs12-file=/root/cacert.p12
# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracert.p12
These commands prompt for a password if one is not provided via --pkcs-password-file= so it's convenient to type the directory manager password at this point rather than having to save it to a file for PKCS12Export to consume.
Since the tooling for PKCS12 files is a tad awkward to use, here's a handy command to print out the contents of these files:
# openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'
Sam Morris via FreeIPA-users wrote:
On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote:
John Stokes via FreeIPA-users wrote:
Today while creating a backup I realized I don't know the password for the file /root/cacert.p12 where the private key of the CA should be stored. The one I thought it should be (same as the pass for my admin user) does not seem to be working.
Is there a way to reexport the private key of the CA?
The password is the Directory Manager password provided during initial installation.
Hmm... is the directory manager password stashed somewhere on an IPA server?
Not in plain text.
I ask because my /root/cacert.p12 and /root/kracert.p12 files also aren't encrypted with my directory manager password and I am pretty sure I haven't changed this password since installing any of my current IPA servers. And when I install a replica I don't remember typing the directory manager password anywhere...
I can't explain it. Mine is definitely encrypted by the DM password.
(The knowledge base article about changing the Directory Manager password at https://access.redhat.com/solutions/203473 doesn't mention any steps other than setting a new hashed password in dse.ldif; if the original directory manager password is stashed somewhere then that article could do with an update...)
I went searching through the freeipa source code to figure out /root/cacert.p12 and /root/kracert.p12 are created myself. It seems that they are moved from /var/lib/pki/pki-tomcat/ca_backup_keys.p12 and /var/lib/pki/pki-tomcat/kra_backup_keys.p12 at the end of the server/replica installation process.
Those files are created by https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37f...; I've yet to figure out where pki_backup_password comes from. Hence me wondering if it's actually stored somewhere on the IPA server...
pki_backup_password is set to the DM password during installation.
You can use PKCS12EXPORT to create a new PKCS#12 file with the CA private key.
Anyway, I found the command that actually creates the files at https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37f... and from that I came up with these commands to recreate /root/cacert.p12 and /root/kracert.p12:
# pki-server subsystem-cert-export ca --pkcs12-file=/root/cacert.p12
# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracert.p12
These commands prompt for a password if one is not provided via --pkcs-password-file= so it's convenient to type the directory manager password at this point rather than having to save it to a file for PKCS12Export to consume.
Since the tooling for PKCS12 files is a tad awkward to use, here's a handy command to print out the contents of these files:
# openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'
pk12util -l /path/to/cacert.p12 will print all the stored certs and whether there is a private key included.
rob
On 21/09/2023 20:30, Rob Crittenden via FreeIPA-users wrote:
I ask because my /root/cacert.p12 and /root/kracert.p12 files also aren't encrypted with my directory manager password and I am pretty sure I haven't changed this password since installing any of my current IPA servers. And when I install a replica I don't remember typing the directory manager password anywhere...
I can't explain it. Mine is definitely encrypted by the DM password.
I just pulled the cacert.p12 and kracert.p12 files from the backup of my original ipa server and... my directory manager password is able to decrypt them!
So it's only my current servers where the file can't be decrypted... how strange...
Since the tooling for PKCS12 files is a tad awkward to use, here's a handy command to print out the contents of these files:
# openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'
pk12util -l /path/to/cacert.p12 will print all the stored certs and whether there is a private key included.
Ah that's a much nicer command, thanks.
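A small POSIX shell helper, added here and not taken from the thread or from FreeIPA/Dogtag, that does the two things discussed above with nothing but the openssl CLI: confirm that a candidate password (for example the Directory Manager password) actually opens a cacert.p12/kracert.p12 backup, and report how many certificates it holds, their subjects, and whether a private key is bundled, much like pk12util -l. The function names are hypothetical; the password is handed to openssl via the environment (-passin env:) so it never appears in ps output.

```shell
#!/bin/sh
# Added example (not from the thread): check a PKCS#12 backup such as
# /root/cacert.p12 without ever writing the decrypted key anywhere.

# p12_password_ok FILE PASSWORD -> exit 0 if the MAC/password check passes
p12_password_ok() {
    P12PASS=$2; export P12PASS
    rc=0
    # -nokeys: only certificates are decoded, nothing secret is printed
    openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS >/dev/null 2>&1 || rc=$?
    unset P12PASS
    return $rc
}

# p12_cert_count FILE PASSWORD -> prints the number of certificates in the file
p12_cert_count() {
    P12PASS=$2; export P12PASS
    n=$(openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE') || true
    unset P12PASS
    echo "${n:-0}"
}

# p12_has_key FILE PASSWORD -> exit 0 if a private key is bundled with the certs
p12_has_key() {
    P12PASS=$2; export P12PASS
    rc=0
    # -nocerts -nodes decodes only the key; it goes to grep's stdin and nowhere else
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12PASS 2>/dev/null \
        | grep -q 'PRIVATE KEY' || rc=$?
    unset P12PASS
    return $rc
}

# p12_subjects FILE PASSWORD -> prints the subject= line of every certificate
p12_subjects() {
    P12PASS=$2; export P12PASS
    openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null \
        | grep '^subject=' || true
    unset P12PASS
}

# Usage: p12_report /root/cacert.p12 "$DM_PASSWORD"
p12_report() {
    if ! p12_password_ok "$1" "$2"; then
        # OpenSSL 3 also fails on old RC2/3DES files unless -legacy is added
        echo "$1: password rejected (or legacy ciphers need 'openssl pkcs12 -legacy')" >&2
        return 1
    fi
    echo "$1: $(p12_cert_count "$1" "$2") certificate(s), private key: $(p12_has_key "$1" "$2" && echo yes || echo no)"
    p12_subjects "$1" "$2"
}
```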
What is the kracert.p12 used for?
I get this error when I try to export:
[root@aaa-01 ca]# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracertbackup.p12
ERROR: No kra subsystem in instance pki-tomcat.
On 21/09/2023 22:05, John Stokes via FreeIPA-users wrote:
What is the kracert.p12 used for?
I get this error when I try to export:
[root@aaa-01 ca]# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracertbackup.p12
ERROR: No kra subsystem in instance pki-tomcat.
You've probably not run ipa-server-install --setup-kra.
KRA is the Key Recovery Authority which is the component that stores secrets when you use FreeIPA's 'vaults' feature:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Thank you. I used the procedure mentioned here https://www.dogtagpki.org/wiki/PKCS12Export and was able to export the key.
One more thing: When exporting, I got these warnings:
WARNING: The SHA-1 algorithm used in org.mozilla.jss.pkcs12.SafeBag::getLocalKeyIDFromCert:264 is deprecated. Use a more secure algorithm.
I suppose the key was created with SHA-1 back then (5 years ago). Is there anything I can do about this?
freeipa-users@lists.fedorahosted.org