Admin certificate (ca_admin_cert.p12) not updated correctly in multiple CA installations #4936

Open
PsOverflow opened this issue Jan 24, 2025 · 0 comments
Labels
Bug Bug fixes downstream Same issue identified in downstream automation and needs triage regression Regression bug. Introduced due to changes in unrelated code

Comments

@PsOverflow
Contributor

Issue: Admin certificate (ca_admin_cert.p12) not updated correctly in multiple CA installations

Affected Version:
OS: Fedora-41
Build: @pki/master
pki-11.6.0-0.3.alpha3.20250123224917UTC.2f8e9573.fc41.src.rpm

Steps to reproduce:

  1. Install CA:
Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [pki1.example.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 

Security Domain:
  Name [example.com Security Domain]: 

Begin installation (Yes/No/Quit)? yes
  2. Notice the timestamp of the generated ca_admin_cert.p12 file:
# ls -l /root/.dogtag/pki-tomcat/ca_admin_cert.p12
-rw-------. 1 root root 2988 Jan 24 08:07 /root/.dogtag/pki-tomcat/ca_admin_cert.p12
  3. Uninstall the CA:
# pkidestroy -s CA -i pki-tomcat --remove-logs --remove-conf --force
Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
WARNING: The 'pki_ds_hostname' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_ldap_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
Uninstalling CA from /var/lib/pki/pki-tomcat.

Uninstallation complete.
  4. The admin certificate is not removed; it is still there at the same path:
# ls -l /root/.dogtag/pki-tomcat/ca_admin_cert.p12
-rw-------. 1 root root 2988 Jan 24 08:07 /root/.dogtag/pki-tomcat/ca_admin_cert.p12
  5. Re-install the CA:
Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [pki1.example.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 
  Base DN already exists. Overwrite (Yes/No/Quit)? yes

Security Domain:
  Name [example.com Security Domain]: 

Begin installation (Yes/No/Quit)? yes

Installing CA into /var/lib/pki/pki-tomcat.
  6. Even with the new installation, the admin certificate is not updated:
# ls -l /root/.dogtag/pki-tomcat/ca_admin_cert.p12
-rw-------. 1 root root 2988 Jan 24 08:07 /root/.dogtag/pki-tomcat/ca_admin_cert.p12

Expected Result:

When deploying multiple CA instances, the admin certificate should be properly updated/generated anew.

@PsOverflow PsOverflow added Bug Bug fixes regression Regression bug. Introduced due to changes in unrelated code downstream Same issue identified in downstream automation and needs triage labels Jan 24, 2025
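A check for the regression described in this report, added here as an example and not part of the pki project: snapshot ca_admin_cert.p12 after each of the three points in the reproduction (first install, pkidestroy, re-install) and flag the two defects the report shows, the file surviving uninstall and the file not being regenerated. The path and the step sequence are taken from the report; the function and class names are my own.

```python
"""Verify that the CA admin PKCS#12 file is really removed and regenerated
across a pkidestroy / pkispawn cycle (added example, not pki project code)."""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

# Export path from the reproduction steps above.
ADMIN_P12 = "/root/.dogtag/pki-tomcat/ca_admin_cert.p12"


@dataclass(frozen=True)
class Snapshot:
    sha256: str   # digest of the file contents
    mtime: float  # modification time, as shown by `ls -l` in the report


def snapshot(path: str = ADMIN_P12) -> Optional[Snapshot]:
    """Return digest and mtime of the admin p12, or None if it is absent."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return Snapshot(digest, os.stat(path).st_mtime)


def check_lifecycle(after_install: Optional[Snapshot],
                    after_destroy: Optional[Snapshot],
                    after_reinstall: Optional[Snapshot]) -> List[str]:
    """Compare snapshots from the three checkpoints of the reproduction.

    Returns a list of findings; an empty list means the admin credential was
    removed by pkidestroy and freshly exported by the re-install.
    """
    findings: List[str] = []
    if after_install is None:
        return ["first install did not export an admin p12"]
    if after_destroy is not None:
        # Step 4 of the report: the old admin credential stays on disk.
        findings.append("admin p12 survived pkidestroy --remove-conf")
    if after_reinstall is None:
        findings.append("re-install did not export an admin p12")
    elif after_reinstall.sha256 == after_install.sha256:
        # Step 6 of the report: same bytes, same timestamp, nothing regenerated.
        findings.append("re-install left the old admin p12 in place")
    return findings
```

Run `snapshot()` after each of the three steps and feed the results to `check_lifecycle()`; on the build in the report it returns both findings.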