How to gain access as CA admin agent (ipa-ca-agent) to approve cert requests by pki CLI in IPA

Solution Verified - Updated -

Issue

  1. On an IPA server, users need to generate a certificate request and approve it from the CLI for the profile Manual User Dual-Use Certificate Enrollment, because many newer browsers, including Firefox 69 and later as well as Chrome, have removed the ability to generate PKI keys and the CRMF support needed for key archival.

Refer to creating_a_csr_using_pki_client-cert-request

  2. The problem is that in the document above, the step to approve the certificate request is ambiguous. It says to run this command:
# pki -d agent token db directory -P https -p 8443 -h host.test.com -c agent token db passwd -n <CA agent cert nickname> ca-cert-request-approve request id

Two things are ambiguous here:
- What is the agent token db directory?
- What is the <CA agent cert nickname>?

  3. If we run the command as written in the guide, we see this error:
[root@rhel8-idmserver nssdb]# pki -d /root/.dogtag/nssdb/  -P https -p 8443 -h `hostname`   ca-cert-request-approve 11
PKIException: Unauthorized

  4. This error is expected: we skipped the step of authenticating as the CA agent, the identity that has the privilege to approve certificate requests.

  5. This KCS therefore explains how to generate and approve the certificate request with the pki CLI, including the most important step: authenticating the pki client as ipa-ca-agent, which has the right to approve the request.
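The following shell script is an added example, not code from this article or from the IPA project, showing the step the numbered list above says the documentation leaves ambiguous: building an "agent token db" (an NSS database that holds the CA agent credential under a nickname of your choosing) and then running the approval with that nickname. It assumes the IPA RA agent certificate and key are at /var/lib/ipa/ra-agent.pem and /var/lib/ipa/ra-agent.key and the IPA CA certificate at /etc/ipa/ca.crt (the standard locations on an IPA 4.5+ server; adjust if yours differ). The names NSSDB, PWFILE, P12FILE and the nickname ipa-ca-agent are choices made for this example, not fixed by IPA or pki.

```shell
#!/bin/sh
# Added example, not from the KCS article: import the IPA CA agent credential
# into an NSS "agent token db" and approve a certificate request with pki.
#
# Assumptions (adjust for your deployment):
#   - RA agent cert/key at /var/lib/ipa/ra-agent.pem and ra-agent.key
#     (standard IPA 4.5+ locations, readable by root).
#   - IPA CA certificate at /etc/ipa/ca.crt.
#   - NSSDB, PWFILE, P12FILE and NICK are names chosen for this example.
set -eu

NSSDB="${NSSDB:-/root/.dogtag/nssdb}"          # the "agent token db directory"
PWFILE="${PWFILE:-/root/.dogtag/nssdb.pw}"     # NSS db password file (pki -C)
P12FILE="${P12FILE:-/root/.dogtag/ra-agent.p12}"
NICK="${NICK:-ipa-ca-agent}"                   # the "CA agent cert nickname"
RA_CERT=/var/lib/ipa/ra-agent.pem
RA_KEY=/var/lib/ipa/ra-agent.key
IPA_CA=/etc/ipa/ca.crt

# Build the approve command line. Every argument must be non-empty so the two
# placeholders the documentation leaves vague can never be passed in blank.
# Args: nssdb pwfile nickname request_id ca_host
build_approve_cmd() {
    for arg in "$1" "$2" "$3" "$4" "$5"; do
        [ -n "$arg" ] || { echo "build_approve_cmd: empty argument" >&2; return 1; }
    done
    case "$4" in
        *[!0-9]*) echo "build_approve_cmd: request id must be numeric" >&2; return 1 ;;
    esac
    # -C reads the db password from a file, so it never appears in `ps` output.
    printf 'pki -d %s -C %s -P https -p 8443 -h %s -n %s ca-cert-request-approve %s\n' \
        "$1" "$2" "$5" "$3" "$4"
}

# One-time setup: create the NSS db, trust the IPA CA for the TLS connection
# to port 8443, and import the RA agent cert+key under $NICK.
setup_agent_db() {
    umask 077
    mkdir -p "$NSSDB"
    if [ ! -f "$PWFILE" ]; then
        head -c 24 /dev/urandom | base64 > "$PWFILE"
    fi
    if [ ! -f "$NSSDB/cert9.db" ] && [ ! -f "$NSSDB/cert8.db" ]; then
        certutil -N -d "$NSSDB" -f "$PWFILE"
    fi
    certutil -A -d "$NSSDB" -f "$PWFILE" -n 'IPA CA' -t 'CT,C,C' -a -i "$IPA_CA"
    # PEM cert + key -> PKCS#12 -> NSS db; the -name given here becomes the nickname.
    openssl pkcs12 -export -in "$RA_CERT" -inkey "$RA_KEY" -name "$NICK" \
        -out "$P12FILE" -passout "file:$PWFILE"
    pk12util -i "$P12FILE" -d "$NSSDB" -k "$PWFILE" -w "$PWFILE"
    rm -f "$P12FILE"
    certutil -L -d "$NSSDB" | grep -q "$NICK"   # confirm the nickname is present
}

# Approve one request: $1 request id, $2 CA host (defaults to this server).
approve_request() {
    cmd=$(build_approve_cmd "$NSSDB" "$PWFILE" "$NICK" "$1" "${2:-$(hostname)}")
    echo "+ $cmd" >&2
    eval "$cmd"
}

# Usage: sh approve.sh <request id> [ca-host]
if [ "$#" -ge 1 ]; then
    if [ ! -f "$NSSDB/cert9.db" ] || ! certutil -L -d "$NSSDB" | grep -q "$NICK"; then
        setup_agent_db
    fi
    approve_request "$@"
fi
```

The nickname is simply the `-name` given to `openssl pkcs12 -export` at import time, which is why the documentation cannot name it for you. The script uses the password-file form `-C` rather than the article's `-c <passwd>`, so the NSS database password is not exposed on the command line, and it keeps the RA agent key readable only by root because that credential is what grants agent rights on the CA.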

Environment

  • IPA
  • RHEL 8.9
