
Certmonger

Endi S. Dewata edited this page Mar 8, 2023 · 8 revisions

Listing CAs

$ getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-ca-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
CA 'dogtag-ipa-ca-renew-agent-reuse':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
CA 'dogtag-ipa-ca-renew-agent-selfsigned':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --force-self-signed

Listing IPA CAs

$ ipa-getcert list-cas
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit

Listing Certificates

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20230308160504':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:05 EST
	expires: 2025-02-25 11:05:05 EST
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caSubsystemCert
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20230308160509':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Audit,O=EXAMPLE.COM
	issued: 2023-03-08 11:03:28 EST
	expires: 2025-02-25 11:03:28 EST
	key usage: digitalSignature,nonRepudiation
	profile: caSignedLogCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20230308160511':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=OCSP Subsystem,O=EXAMPLE.COM
	issued: 2023-03-08 11:03:10 EST
	expires: 2025-02-25 11:03:10 EST
	eku: id-kp-OCSPSigning
	profile: caOCSPCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20230308160514':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Subsystem,O=EXAMPLE.COM
	issued: 2023-03-08 11:03:22 EST
	expires: 2025-02-25 11:03:22 EST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caSubsystemCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20230308160515':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	issued: 2023-03-08 11:03:03 EST
	expires: 2043-03-08 11:03:03 EDT
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	profile: caCACert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20230308160516':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:03:16 EST
	expires: 2025-02-25 11:03:16 EST
	dns: ipa.example.com
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	profile: caServerCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20230308160519':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:20 EST
	expires: 2025-03-08 11:05:20 EST
	dns: ipa.example.com
	principal name: ldap/ipa.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
	track: yes
	auto-renew: yes
Request ID '20230308160552':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.example.com-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:52 EST
	expires: 2025-03-08 11:05:52 EST
	dns: ipa.example.com,ipa-ca.example.com
	principal name: HTTP/ipa.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20230308160558':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:58 EST
	expires: 2025-03-08 11:05:58 EST
	dns: ipa.example.com
	principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

Listing IPA Certificates

# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20230308160519':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:20 EST
	expires: 2025-03-08 11:05:20 EST
	dns: ipa.example.com
	principal name: ldap/ipa.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
	track: yes
	auto-renew: yes
Request ID '20230308160552':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.example.com-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:52 EST
	expires: 2025-03-08 11:05:52 EST
	dns: ipa.example.com,ipa-ca.example.com
	principal name: HTTP/ipa.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20230308160558':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa.example.com,O=EXAMPLE.COM
	issued: 2023-03-08 11:05:58 EST
	expires: 2025-03-08 11:05:58 EST
	dns: ipa.example.com
	principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

Helpers

dogtag-ipa-ca-renew-agent on master

  • used for renewing CA system certs (signing, OCSP, subsystem, audit)

  • calls http://<hostname>:8080/ca/ee/ca

  • authenticated using IPA RA agent cert (ipaCert)

  • stores renewed cert under ca=ca_renewal,cn=ipa,cn=etc,<base DN>

dogtag-ipa-ca-renew-agent on replica

  • gets renewed cert from ca=ca_renewal,cn=ipa,cn=etc,<base DN>

ipa

  • used for renewing the service (TLS) certificates tracked with CA 'IPA' above

  • calls https://<hostname>/ipa/xml

  • authenticated using host keytab (/etc/krb5.keytab)

  • IPA forwards the request to PKI

See Also
