Authentication for the pki command

The Dogtag PKI CA provides its own command-line tools for reading and writing configuration. Some of these require authentication in order to work.

On the CA machine as root you have access to the NSS certificate database, so you can use the subsystem certificate for authentication, like:

# pki -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -f /etc/pki/pki-tomcat/password.conf ca-profile-find

This will only take you so far. Some modifications are not permitted for the entry the subsystem certificate maps to. You can use the IPA RA certificate for that, but to do so you need to add it to an NSS database.

Convert to PKCS#12 format:

# openssl pkcs12 -export -in /var/lib/ipa/ra-agent.pem -inkey /var/lib/ipa/ra-agent.key -name 'IPA RA' -out /root/ra-agent.p12

Create a local PKI NSS database:

# pki client-init

Import into root's dogtag NSS database:

# pk12util -d ~/.dogtag/nssdb/ -i /root/ra-agent.p12

And run commands with it:

# pki -d ~/.dogtag/nssdb -n 'IPA RA' -f /etc/pki/pki-tomcat/password.conf ca-profile-show acmeIPAServerCert
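The four steps above, wrapped as an added example (not code from the original post or from the IPA/Dogtag projects), with the handling the RA agent key deserves: whoever holds that key can act as the IPA certificate agent, so the PKCS#12 bundle is created mode 0600, the export passphrase is taken from an environment variable instead of an interactive prompt, the import is checked with certutil, and the bundle is deleted once the key is inside the NSS database. The P12_PASS variable, the use of `pki -d <db> client-init` for a non-default database path, the `-W` option of pk12util and the certutil nickname check are my assumptions, not something the post shows.

```bash
#!/bin/bash
# Added example, not code from the original post: its four steps
# (openssl pkcs12 -> pki client-init -> pk12util -> pki) as functions, with
# file-permission hygiene for the bundle that carries the RA private key.
# Assumptions not taken from the post: P12_PASS env var for the export passphrase,
# pki -d <db> client-init for a non-default database path, pk12util -W.
set -euo pipefail

# Defaults are the paths the post uses; override through the environment.
RA_PEM="${RA_PEM:-/var/lib/ipa/ra-agent.pem}"
RA_KEY="${RA_KEY:-/var/lib/ipa/ra-agent.key}"
NSSDB="${NSSDB:-$HOME/.dogtag/nssdb}"
NICK="${NICK:-IPA RA}"
PWFILE="${PWFILE:-/etc/pki/pki-tomcat/password.conf}"

# Step 1: PEM cert + key -> PKCS#12. Fails early on unreadable inputs or a
# missing passphrase; umask runs in a subshell so only this file is 0600.
ra_agent_to_p12() {
    local pem="$1" key="$2" out="$3"
    if [ ! -r "$pem" ] || [ ! -r "$key" ]; then
        echo "cannot read $pem or $key" >&2
        return 1
    fi
    if [ -z "${P12_PASS:-}" ]; then
        echo "set P12_PASS to the PKCS#12 export passphrase" >&2
        return 1
    fi
    (umask 077 && openssl pkcs12 -export -in "$pem" -inkey "$key" \
        -name "$NICK" -passout env:P12_PASS -out "$out")
}

# certutil -L -n exits non-zero when the nickname is absent from the database.
nss_has_nick() {
    local db="$1" nick="$2"
    certutil -d "$db" -L -n "$nick" >/dev/null 2>&1
}

# Steps 2 and 3: create the client database if needed, import, then verify
# that the nickname the later pki commands rely on is really there.
import_to_nssdb() {
    local p12="$1" db="$2" nick="$3"
    if [ ! -d "$db" ]; then
        pki -d "$db" client-init
    fi
    pk12util -d "$db" -i "$p12" -W "${P12_PASS:?P12_PASS must be set}"
    if ! nss_has_nick "$db" "$nick"; then
        echo "import succeeded but '$nick' not found in $db" >&2
        return 1
    fi
}

# Step 4: run any pki subcommand authenticated as the RA agent.
pki_as_ra() {
    pki -d "$NSSDB" -n "$NICK" -f "$PWFILE" "$@"
}

# The whole procedure, ending with the post's ca-profile-show check.
run_all() {
    local p12
    p12="$(mktemp /root/ra-agent.XXXXXX)"
    ra_agent_to_p12 "$RA_PEM" "$RA_KEY" "$p12"
    import_to_nssdb "$p12" "$NSSDB" "$NICK"
    # The key now lives in the NSS database; do not leave a second copy on disk.
    shred -u "$p12" 2>/dev/null || rm -f "$p12"
    pki_as_ra ca-profile-show acmeIPAServerCert
}

# Only run the procedure when explicitly asked, so the file can also be sourced.
if [ "${RUN_RA_IMPORT:-0}" = 1 ]; then
    run_all
fi
```

Run it as root on the CA with `RUN_RA_IMPORT=1 P12_PASS='...' bash ra-import.sh`; afterwards `pki_as_ra` (or the post's own `pki -d ~/.dogtag/nssdb -n 'IPA RA' ...` line) works without the .p12 file remaining on disk.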

It is dangerous to directly modify settings in the CA. There be dragons. IPA purposefully treats the CA as a black box for which there are a limited set of buttons to push. Peeking behind the curtain can be powerful but dangerous.
