Ian Kumlien wrote:
On Thu, Jun 13, 2019 at 3:47 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> Ian Kumlien wrote:
>> On Thu, Jun 13, 2019 at 12:32 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>>
>>> On Wed, Jun 12, 2019 at 10:55 PM Ian Kumlien <ian.kumlien(a)gmail.com> wrote:
>>>>
>>>> On Wed, Jun 12, 2019 at 10:52 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>
>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>> On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>
>>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>>>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>>> Ian Kumlien via FreeIPA-users wrote:
>>>>>>
>>>>>> [--8<--]
>>>>>>
>>>>>>>> Certificate Nickname                                   Trust Attributes
>>>>>>>>                                                        SSL,S/MIME,JAR/XPI
>>>>>>>>
>>>>>>>> Server-Cert cert-pki-ca                                u,u,u
>>>>>>>> transportCert cert-pki-kra                             u,u,u
>>>>>>>> storageCert cert-pki-kra                               u,u,u
>>>>>>>> auditSigningCert cert-pki-kra                          u,u,Pu
>>>>>>>> XERCES.LAN IPA CA                                      CT,C,C
>>>>>>>> XERCES.LAN IPA CA                                      CT,C,C
>>>>>>>> XERCES.LAN IPA CA                                      CT,C,C
>>>>>>>
>>>>>>>
>>>>>>> You're missing all the CA certificates except the one that tomcat uses!?
>>>>>>> That includes the CA signing cert!
>>>>>>>
>>>>>>> It should look more like (excluding the *kra certs):
>>>>>>>
>>>>>>> caSigningCert cert-pki-ca                              CTu,Cu,Cu
>>>>>>> ocspSigningCert cert-pki-ca                            u,u,u
>>>>>>> subsystemCert cert-pki-ca                              u,u,u
>>>>>>> auditSigningCert cert-pki-ca                           u,u,Pu
>>>>>>> Server-Cert cert-pki-ca                                u,u,u
>>>>>>>
>>>>>>> Do the keys for those certs exist?
>>>>>>>
>>>>>>> # grep internal /etc/pki/pki-tomcat/password.conf
>>>>>>> internal=foo
>>>>>>> # certutil -K -d /etc/pki/pki-tomcat/alias/
>>>>>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>>>>>>> Enter Password or Pin for "NSS Certificate DB": foo
>>>>>>>
>>>>>>> Perhaps a bunch of orphans?
>>>>>>
>>>>>> Seems like it, I have three orphans and the keys for subsystemCert,
>>>>>> caSigningCert, ocspSigningCert seem to exist
>>>>>
>>>>> You'll need the audit signing cert as well. Hopefully that key is in
>>>>> there somewhere.
>>>>>
>>>>> If you have another master with a CA you can get the cert values from
>>>>> them using:
>>>>>
>>>>> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n "<nickname>" -a > /tmp/<nickname>
>>>>>
>>>>> Or you can get the raw cert values from /etc/pki/pki-tomcat/ca/CS.cfg
>>>>> from the values:
>>>>>
>>>>> ca.audit_signing.cert
>>>>> ca.ocsp_signing.cert
>>>>> ca.signing.cert
>>>>> ca.subsystem.cert
>>>>>
>>>>> You'll need to re-format that into PEM format manually.
>>>>>
>>>>> Once you have all the certs from either method, add them to the db with:
>>>>>
>>>>> # certutil -A -d /etc/pki/pki-tomcat/alias/ -n "<nickname>" -t <trust> -a -i /tmp/<nickname>
>>>>>
>>>>> The trust value will vary by cert. Use the list that I provided in my
>>>>> last e-mail for the proper values.
>>>>>
>>>>> The nickname is important, don't get creative :-) Use the value from my
>>>>> output.
>>>>
>>>> Thanks! Will do, but will do it tomorrow, been a long day and...
>>>> things might go awry if I try it now, will let you know how it goes!
>>>
>>> Ok, so this is interesting...
>>>
>>> certutil -A -d /etc/pki/pki-tomcat/alias/ -n "caSigningCert
>>> cert-pki-ca" -t "CTu,Cu,Cu" -a -i ./ca.signing.cert
>>> Notice: Trust flag u is set automatically if the private key is present.
>>> Enter Password or Pin for "NSS Certificate DB":
>>>
>>> and:
>>> echo $?
>>> 0
>>>
>>> But it's not added - and it's still valid... (openssl reads it fine....)
>>>
>>> I actually suspect that the "XERCES.LAN IPA CA" certificates are the
>>> ones we're looking for - just named incorrectly
>
> Ok, we could fix that but below is more worrying.
>
>> Also, added the others, but I can't set "u"..
>>
>> new certs added are now:
>> ocspSigningCert cert-pki-ca ,,
>> subsystemCert cert-pki-ca ,,
>> auditSigningCert cert-pki-ca ,,P
>
> This means there is no private key to go along with the certificate.
>
> So do you have another working CA somewhere?
> No, but I do have backups from 2018, =)
> So I assume I should unpack there somewhere and do the old export/import trick

Yes, that would do it. I'd be sure to make a backup of the current db
before doing anything else to it.

> Anything else I should think about? And is the key the only missing bit?
> (for the 'u' bit)

The u flag is for user cert and indicates there is a private key
associated with the certificate. It is automatic.

> Also, how do I rename one specific "XERCES.LAN IPA CA" to
> the caSigningCert bit?

It looks to me like the signing key is missing. You'll want to delete
those three of the "XERCES.LAN IPA CA" certs from the database and
import the CA signing cert from your backup.

rob
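An added example, not code from the thread or from FreeIPA/Dogtag, of the manual CS.cfg-to-PEM step Rob describes, followed by the certutil import and a listing of the trust flags the db actually stored; the CS.cfg path, key names, nicknames and trust flags are the ones quoted above, and the example assumes CS.cfg keeps each cert as a single-line base64 value after `key=`.

```shell
#!/bin/sh
# Added example (not from the thread): turn a ca.*.cert value from
# /etc/pki/pki-tomcat/ca/CS.cfg into PEM, import it with the nickname
# and trust Rob lists, then show what certutil stored.
# Assumption: CS.cfg holds "key=<one-line base64 DER>" entries.

# cscfg_cert_to_pem FILE KEY  -> PEM on stdout, non-zero if KEY is absent
cscfg_cert_to_pem() {
    file=$1 key=$2
    value=$(sed -n "s/^${key}=//p" "$file" | head -n 1)
    [ -n "$value" ] || { echo "no value for $key in $file" >&2; return 1; }
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$value" | fold -w 64        # PEM body is 64-char lines
    printf '%s\n' '-----END CERTIFICATE-----'
}

# trust_for_nickname NICK -> the flags from Rob's expected listing
trust_for_nickname() {
    case $1 in
        'caSigningCert cert-pki-ca')    echo 'CTu,Cu,Cu' ;;
        'ocspSigningCert cert-pki-ca')  echo 'u,u,u' ;;
        'subsystemCert cert-pki-ca')    echo 'u,u,u' ;;
        'auditSigningCert cert-pki-ca') echo 'u,u,Pu' ;;
        'Server-Cert cert-pki-ca')      echo 'u,u,u' ;;
        *) echo "unknown nickname: $1" >&2; return 1 ;;
    esac
}

# import_ca_cert NSSDB CSCFG KEY NICK: convert, import, then list the
# stored trust. certutil sets "u" only when the matching private key is
# already in the db, so ",," in the listing (as in the thread) means the
# key is missing and the backup/export step is still needed.
# certutil prompts for the db password (the "internal" one in password.conf).
import_ca_cert() {
    nssdb=$1 cscfg=$2 key=$3 nick=$4
    trust=$(trust_for_nickname "$nick") || return 1
    pem=$(mktemp) || return 1
    cscfg_cert_to_pem "$cscfg" "$key" > "$pem" || { rm -f "$pem"; return 1; }
    certutil -A -d "$nssdb" -n "$nick" -t "$trust" -a -i "$pem"
    rm -f "$pem"
    certutil -L -d "$nssdb" | grep -F "$nick"
}

# On a real server (not executed here):
# import_ca_cert /etc/pki/pki-tomcat/alias /etc/pki/pki-tomcat/ca/CS.cfg \
#     ca.signing.cert 'caSigningCert cert-pki-ca'
```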