How do I re-apply for an administrator certificate with Red Hat Certificate System 8.0 on RHEL 5?


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Certificate System 8.1 and 8.0
  • Red Hat Directory Server 8.1

Issue

The Red Hat Certificate System CA Agent Services page may refuse the user certificate presented by the browser.

This article explains how to identify that the client certificate has expired and describes how to re-apply for an administrator or agent certificate in Red Hat Certificate System 8.0.

Resolution

To re-apply for an administrator or agent certificate, follow the suggested directions in the main configuration file, CS.cfg, for example with a CA instance called "ca1":

less /var/lib/pki-ca1/conf/CS.cfg

Alternatively, follow the steps below; they include a workaround for the defect described in Bugzilla 594543, which is needed when using RHCS 8.0:

  • Stop your CA instance, example:
service pki-ca1 stop
  • Manually edit the main configuration file, example:
cp -p /var/lib/pki-ca1/conf/CS.cfg /var/lib/pki-ca1/conf/CS.cfg-test-`/bin/date +%F-%T`
vi /var/lib/pki-ca1/conf/CS.cfg
  • Change the enableAdminEnroll flag from false to true, example:
cmsgateway.enableAdminEnroll=true
  • At this point we hit a defect in 8.0 described in Bugzilla 594543; the workaround is to copy the file cms-funcs.js from the agent directory to the admin directory:
cp /var/lib/pki-ca1/webapps/ca/agent/cms-funcs.js /var/lib/pki-ca1/webapps/ca/admin/
  • Then edit the file adminEnroll.html so that the start date is built from the server date rather than the browser's clock:
cp -p /var/lib/pki-ca1/webapps/ca/admin/ca/adminEnroll.html /var/lib/pki-ca1/webapps/ca/admin/ca/adminEnroll.html.orig
vi /var/lib/pki-ca1/webapps/ca/admin/ca/adminEnroll.html

After the edit the file contains

var startDay = new Date(serverdate);
  • The diff between the edited file and the .orig copy looks like:
476c476
<     var startDay = new Date(serverdate);
---
>     var startDay = new Date();
  • Start your CA instance, example:
service pki-ca1 start
  • Browse to the enrollment form for a new agent/admin certificate on the TCP "Secure Admin Port", example:
https://some-hostname:9545/ca/admin/ca/adminEnroll.html
  • You should see a web page starting like this:
Administrator/Agent Certificate Enrollment
To access the Agent Services pages and approve requests for certificates, you must have a personal client SSL certificate so that Certificate System can authenticate your identity. You must also be designated as an agent, or privileged user.
...
  • Fill the html form and submit.
    The resulting page should be like:
Enrollment Success
Congratulations a certificate has been issued and the administrator now has Certificate Manager Agent privileges. You can now go to the agent page to process any pending requests.
Issued Certificates:
Serial number   0x...

Now, the SSL client authentication to the agent service should work again.
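The following shell helpers are an added example, not part of the Red Hat article: they apply the CS.cfg and adminEnroll.html edits from the steps above to whatever file paths they are given, so the change can be rehearsed on copies before the live instance under /var/lib/pki-ca1 is stopped and edited. The function names are our own; the flag name, the backup naming and the startDay replacement are the article's. The same helper is used to set cmsgateway.enableAdminEnroll back to false once the new certificate has been issued, because while it is true the Secure Admin Port accepts administrator enrollments without any existing credential.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Helpers for the RHCS 8.0
# re-enrollment procedure; every function takes the file to edit as $1.

# Set cmsgateway.enableAdminEnroll to true or false in a CS.cfg, keeping a
# timestamped backup named the way the article does (CS.cfg-test-DATE-TIME).
set_admin_enroll() {
    cfg="$1"; value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    cp -p "$cfg" "$cfg-test-$(date +%F-%T)" || return 1
    if grep -q '^cmsgateway.enableAdminEnroll=' "$cfg"; then
        sed "s/^cmsgateway.enableAdminEnroll=.*/cmsgateway.enableAdminEnroll=$value/" "$cfg" \
            > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        echo "cmsgateway.enableAdminEnroll=$value" >> "$cfg"
    fi
}

# Print the current value of the flag (empty output if it is not set).
admin_enroll_state() {
    sed -n 's/^cmsgateway.enableAdminEnroll=//p' "$1"
}

# Workaround for Bugzilla 594543: make the enrollment form take its start
# date from the server clock (serverdate) instead of the browser clock.
# Keeps an .orig copy and returns non-zero if the replacement did not land.
patch_admin_enroll_html() {
    html="$1"
    cp -p "$html" "$html.orig" || return 1
    sed 's/var startDay = new Date();/var startDay = new Date(serverdate);/' "$html" \
        > "$html.tmp" && mv "$html.tmp" "$html"
    grep -q 'var startDay = new Date(serverdate);' "$html"
}

# Intended sequence on a real instance (paths from the article):
#   service pki-ca1 stop
#   set_admin_enroll /var/lib/pki-ca1/conf/CS.cfg true
#   patch_admin_enroll_html /var/lib/pki-ca1/webapps/ca/admin/ca/adminEnroll.html
#   service pki-ca1 start
#   ... enroll via https://some-hostname:9545/ca/admin/ca/adminEnroll.html ...
#   service pki-ca1 stop
#   set_admin_enroll /var/lib/pki-ca1/conf/CS.cfg false
#   service pki-ca1 start
```

Source the file and call the functions; nothing runs at load time, so it is safe to keep alongside the instance. Leaving enableAdminEnroll at true after the new certificate is issued is the mistake to avoid: the flag exists only for bootstrapping an administrator and should be returned to false once the agent page authenticates the new certificate.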

Root Cause

Digital certificates have validity dates, so it is a good idea to renew a certificate before its expiration date.

Otherwise, one has to re-apply for a certificate, usually with different key material.

Diagnostic Steps

Review the Red Hat Certificate System Tomcat log and look for the "valid" keyword, for example:

localhost.2010-04-23.log
Apr 23, 2010 2:55:41 PM org.apache.catalina.core.ApplicationContext log
INFO: caListRequests: You did not provide a valid certificate for this operation

To figure out what can be your "Secure Admin Port", you can use the service status command, example:

/etc/init.d/pki-ca1 status
pki-ca1 (pid 14957) is running ...

    Unsecure Port     = http://ms2-cs8-1-64.sjc.redhat.com:9580/ca/ee/ca
    Secure Agent Port = https://ms2-cs8-1-64.sjc.redhat.com:9543/ca/agent/ca
    Secure EE Port    = https://ms2-cs8-1-64.sjc.redhat.com:9544/ca/ee/ca
    Secure Admin Port = https://ms2-cs8-1-64.sjc.redhat.com:9545/ca/services
    PKI Console Port  = pkiconsole https://ms2-cs8-1-64.sjc.redhat.com:9545/ca
    Tomcat Port       = 9801 (for shutdown)

    PKI Instance Name:   pki-ca1

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  ms2cs8164rootca20100508
    URL:   https://ms2-cs8-1-64.sjc.redhat.com:9545
    ==========================================================================
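As an added example (not from the Red Hat article), the two diagnostic steps above can be scripted: count how often Tomcat rejected the client certificate in a localhost log, and pull the Secure Admin Port out of the `service pki-ca1 status` output to build the adminEnroll URL. The sample log lines and status output embedded below are constructed for the example, with a placeholder hostname; the function names are ours. A PEM expiry check with `openssl x509 -checkend` is included for the root-cause side (renew before the validity end), but it is not exercised by the samples.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Diagnostic helpers for the
# "did not provide a valid certificate" symptom on an RHCS 8.x CA instance.

# Constructed sample data modelled on the article's output (placeholder host).
SAMPLE_LOG='Apr 23, 2010 2:55:41 PM org.apache.catalina.core.ApplicationContext log
INFO: caListRequests: You did not provide a valid certificate for this operation
Apr 23, 2010 2:56:02 PM org.apache.catalina.core.ApplicationContext log
INFO: caProfileSubmit: request received'

SAMPLE_STATUS='pki-ca1 (pid 14957) is running ...

    Unsecure Port     = http://ca.example.com:9580/ca/ee/ca
    Secure Agent Port = https://ca.example.com:9543/ca/agent/ca
    Secure EE Port    = https://ca.example.com:9544/ca/ee/ca
    Secure Admin Port = https://ca.example.com:9545/ca/services
    PKI Console Port  = pkiconsole https://ca.example.com:9545/ca
    Tomcat Port       = 9801 (for shutdown)'

# Write the constructed samples into a directory so the helpers can be tried
# without touching /var/lib/pki-ca1/logs.
write_samples() {
    printf '%s\n' "$SAMPLE_LOG" > "$1/localhost.2010-04-23.log"
    printf '%s\n' "$SAMPLE_STATUS" > "$1/status.txt"
}

# Number of requests the agent/admin interface refused for lack of a valid
# client certificate in a Tomcat localhost.<date>.log file.
count_cert_rejections() {
    grep -c 'did not provide a valid certificate' "$1"
}

# The Secure Admin Port URL as printed by `service pki-caN status`.
admin_port_url() {
    sed -n 's/^[[:space:]]*Secure Admin Port[[:space:]]*= *//p' "$1"
}

# Scheme, host and port of the Secure Admin Port, joined to the path of the
# administrator/agent enrollment form used in the Resolution section.
admin_enroll_url() {
    base=$(admin_port_url "$1" | sed 's#^\(https://[^/]*\).*#\1#')
    printf '%s/ca/admin/ca/adminEnroll.html\n' "$base"
}

# Returns 0 if the PEM certificate in $1 stays valid for at least $2 more
# days, 1 if it expires sooner (so renewal should be scheduled now).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Typical use on a live instance:
#   count_cert_rejections /var/lib/pki-ca1/logs/localhost.$(date +%F).log
#   /etc/init.d/pki-ca1 status > /tmp/status.txt && admin_enroll_url /tmp/status.txt
#   cert_valid_for_days /path/to/agent-cert.pem 30 || echo "renew the agent certificate"
```

A non-zero rejection count together with a client certificate that fails `cert_valid_for_days` points at an expired certificate rather than a misconfigured agent, which is the case this article covers; a certificate that is still valid but rejected should instead be checked against the CA's user entries in Directory Server.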

Comments

Bugzilla number 594543 - rhcs8 - broken admin enrollment web form

Similar, but for Red Hat Certificate System 7.3 on Red Hat Enterprise Linux 4.5

https://access.redhat.com/kb/docs/DOC-8884 - How do I re-apply for an admin certificate with Red Hat Certificate System 7.3 on Red Hat Enterprise Linux 4.5?
https://access.redhat.com/kb/docs/DOC-8915 - How do I create a new Agent or Admin user(s) for Certificate Authority?

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
