Sam Morris via FreeIPA-users wrote:
> On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote:
>> John Stokes via FreeIPA-users wrote:
>>> Today while creating a backup I realized I don't know the
>>> password for the file /root/cacert.p12 where the private key
>>> of the CA should be stored. The one I thought it should be
>>> (same as the pass for my admin user) does not seem to be
>>> working.
>>>
>>> Is there a way to reexport the private key of the CA?
>>
>> The password is the Directory Manager password provided during initial
>> installation.
>
> Hmm... is the directory manager password stashed somewhere on an IPA
> server?

Not in plain text.

> I ask because my /root/cacert.p12 and /root/kracert.p12 files also
> aren't encrypted with my directory manager password and I am pretty sure
> I haven't changed this password since installing any of my current IPA
> servers. And when I install a replica I don't remember typing the
> directory manager password anywhere... I can't explain it.

Mine is definitely encrypted by the DM password.

> (The knowledge base article about changing the Directory Manager
> password at https://access.redhat.com/solutions/203473 doesn't mention
> any steps other than setting a new hashed password in dse.ldif; if the
> original directory manager password is stashed somewhere then that
> article could do with an update...)
>
> I went searching through the freeipa source code to figure out how
> /root/cacert.p12 and /root/kracert.p12 are created myself. It seems that
> they are moved from /var/lib/pki/pki-tomcat/ca_backup_keys.p12 and
> /var/lib/pki/pki-tomcat/kra_backup_keys.p12 at the end of the
> server/replica installation process.
>
> Those files are created by
> https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/scriptlets/finalization.py#L61;
> I've yet to figure out where pki_backup_password comes from. Hence me
> wondering if it's actually stored somewhere on the IPA server...

pki_backup_password is set to the DM password during installation.

>> You can use PKCS12EXPORT to create a new PKCS#12 file with the CA
>> private key.
>
> Anyway, I found the command that actually creates the files at
> https://github.com/dogtagpki/pki/blob/6f50d7a68a34fcd3949e83b4ac607d8a65b37fb8/base/server/python/pki/server/deployment/__init__.py#L3797
> and from that I came up with these commands to recreate /root/cacert.p12
> and /root/kracert.p12:
>
> # pki-server subsystem-cert-export ca --pkcs12-file=/root/cacert.p12
> # pki-server subsystem-cert-export kra --pkcs12-file=/root/kracert.p12
>
> These commands prompt for a password if one is not provided via
> --pkcs-password-file= so it's convenient to type the directory manager
> password at this point rather than having to save it to a file for
> PKCS12Export to consume.
>
> Since the tooling for PKCS12 files is a tad awkward to use, here's a
> handy command to print out the contents of these files:
>
> # openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'

pk12util -l /path/to/cacert.p12 will print all the stored certs and
whether there is a private key included.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
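As an added example (not from the thread or from the FreeIPA/Dogtag projects): a small POSIX shell helper, using only openssl, that checks whether a PKCS#12 backup such as /root/cacert.p12 opens with the password you believe it has and counts the certificates and private keys inside, so a CA key backup can be verified before a disaster-recovery day rather than on it. The demo bundle, the password demo-dm-password and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Uses only openssl so it works where
# pk12util is not installed. All names and the demo password are constructed.
set -e

# p12_check_password FILE PASSWORD: exit 0 if PASSWORD opens FILE, 1 otherwise.
# -noout makes openssl verify the MAC and decrypt without printing anything.
p12_check_password() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# p12_summary FILE PASSWORD: print "certs=N keys=N" for the bundle.
# -nodes (alias of -noenc on OpenSSL 3) emits the key unencrypted on stdout
# only, never to disk; grep -c exits 1 on zero matches, hence "|| true".
p12_summary() {
    dump=$(openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null) || return 1
    certs=$(printf '%s\n' "$dump" | grep -c '^-----BEGIN CERTIFICATE-----') || true
    keys=$(printf '%s\n' "$dump" | grep -c '^-----BEGIN .*PRIVATE KEY-----') || true
    printf 'certs=%s keys=%s\n' "$certs" "$keys"
}

# p12_show FILE PASSWORD: human-readable listing with the base64 bodies
# removed, the same filter the thread applies with egrep.
p12_show() {
    openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null \
        | grep -Ev '^[0-9A-Za-z/+]+=*$'
}

# make_demo_p12: build a throwaway self-signed "CA" and pack it into a
# PKCS#12 file protected by the constructed password demo-dm-password,
# standing in for /root/cacert.p12. Prints the path of the file.
make_demo_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/ca.key" -in "$dir/ca.crt" \
        -name 'Demo CA' -out "$dir/cacert.p12" -passout 'pass:demo-dm-password'
    printf '%s\n' "$dir/cacert.p12"
}

# Stand-alone run: verify the demo bundle the way you would /root/cacert.p12.
f=$(make_demo_p12)
if p12_check_password "$f" demo-dm-password; then
    echo "password OK: $(p12_summary "$f" demo-dm-password)"
    p12_show "$f" demo-dm-password
else
    echo "password rejected for $f"
fi
```

For a real backup, call `p12_check_password /root/cacert.p12 "$DM_PASSWORD"` with the password read from a prompt or a root-only file; a non-zero exit means the file will not open with that password and should be re-exported as the thread describes.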
