PKI Certificates - dogtagpki/freeipa GitHub Wiki

PKI Server Certificates

In an IPA environment, PKI server certificates are stored in an NSS database at /etc/pki/pki-tomcat/alias, and the password for that NSS database is stored in /etc/pki/pki-tomcat/alias/pwdfile.txt.

The CA certificates are also stored at /root/cacert.p12. The KRA certificates are also stored at /root/kracert.p12.

To display PKI server certificates:

$ pki-server cert-find
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-ca
  Token: internal
  Serial Number: 0x1
  Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:28 2022
  Not Valid After: Sat Jun 14 18:26:28 2042
  Trust Flags: CTu,Cu,Cu

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert cert-pki-ca
  Token: internal
  Serial Number: 0x2
  Subject DN: CN=OCSP Subsystem,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:33 2022
  Not Valid After: Mon Jun 03 18:26:33 2024
  Trust Flags: u,u,u

  Cert ID: sslserver
  Nickname: Server-Cert cert-pki-ca
  Token: internal
  Serial Number: 0x3
  Subject DN: CN=ipa.example.com,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:38 2022
  Not Valid After: Mon Jun 03 18:26:38 2024
  Trust Flags: u,u,u

  Cert ID: subsystem
  Nickname: subsystemCert cert-pki-ca
  Token: internal
  Serial Number: 0x4
  Subject DN: CN=CA Subsystem,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:43 2022
  Not Valid After: Mon Jun 03 18:26:43 2024
  Trust Flags: u,u,u

  Cert ID: ca_audit_signing
  Nickname: auditSigningCert cert-pki-ca
  Token: internal
  Serial Number: 0x5
  Subject DN: CN=CA Audit,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:49 2022
  Not Valid After: Mon Jun 03 18:26:49 2024
  Trust Flags: u,u,Pu
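The record layout above, as an added example that is neither the wiki's nor Dogtag's own code: a small Python parser for `pki-server cert-find` output that flags certificates which are past, or within a chosen number of days of, their Not Valid After date. The sample output is constructed to mirror the records shown on this page; on a real server feed it the actual command output instead.

```python
# Added example, not from the FreeIPA/Dogtag wiki: parse `pki-server cert-find`
# output and flag certificates expired or expiring within warn_days of as_of.
from datetime import datetime

# Constructed sample mirroring the record layout of `pki-server cert-find`.
SAMPLE_CERT_FIND = """\
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:28 2022
  Not Valid After: Sat Jun 14 18:26:28 2042
  Trust Flags: CTu,Cu,Cu

  Cert ID: sslserver
  Nickname: Server-Cert cert-pki-ca
  Subject DN: CN=ipa.example.com,O=EXAMPLE.COM
  Not Valid Before: Tue Jun 14 18:26:38 2022
  Not Valid After: Mon Jun 03 18:26:38 2024
  Trust Flags: u,u,u
"""

DATE_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Jun 03 18:26:38 2024"

def parse_cert_find(text):
    # One dict per record; each "Cert ID" line starts the next record.
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(": ")
        if key == "Cert ID" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def expiring_certs(text, as_of, warn_days=30):
    # Return [(cert_id, days_left)]; days_left is negative once expired.
    flagged = []
    for rec in parse_cert_find(text):
        not_after = datetime.strptime(rec["Not Valid After"], DATE_FORMAT)
        days_left = (not_after - as_of).days
        if days_left <= warn_days:
            flagged.append((rec["Cert ID"], days_left))
    return flagged
```

Pipe the live output in with `subprocess.run(["pki-server", "cert-find"], capture_output=True, text=True).stdout` and pass `datetime.now()` as `as_of`; a non-empty result is the list of certificates that need renewal attention.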

CA Admin Certificate

In an IPA environment the CA admin certificate is stored in /root/.dogtag/pki-tomcat/ca_admin.cert. The certificate and its key are also stored in /root/ca-agent.p12.

To display the CA admin certificate:

$ openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE.COM, CN = Certificate Authority
        Validity
            Not Before: Jun 13 21:11:38 2022 GMT
            Not After : Jun  2 21:11:38 2024 GMT
        Subject: O = EXAMPLE.COM, CN = ipa-ca-agent
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:a8:7c:3a:16:85:66:6b:ca:67:98:36:6e:c0:
                    a1:0a:56:77:a8:e1:1f:e0:16:04:f2:a3:24:0a:dd:
                    4c:a6:a7:3e:6a:ef:4b:41:0c:b9:91:e7:2f:5a:93:
                    15:0e:96:c9:cc:21:2d:40:d4:c7:9b:21:0c:04:2b:
                    5c:ba:b0:b7:d3:5c:27:25:ce:fc:88:53:88:08:16:
                    6d:ae:83:a2:98:91:6f:01:80:27:78:9d:90:4a:dc:
                    20:23:be:4d:b7:60:f9:9e:93:42:94:31:b8:e6:cc:
                    07:95:50:d7:44:c0:0d:2c:bd:67:2e:24:59:24:58:
                    97:e3:fa:37:7c:71:12:91:db:a7:24:8f:17:e8:5f:
                    90:f5:e3:39:25:75:71:c5:97:ac:27:1a:c0:16:4c:
                    71:69:a4:bf:bf:f7:d9:23:13:df:9b:97:40:85:e1:
                    2a:0f:ff:bb:8a:2a:9e:9e:2c:da:4d:c2:17:01:e5:
                    d1:82:1e:f5:49:90:ab:cd:dd:03:df:10:c8:50:0e:
                    49:28:a3:13:fa:50:a6:ac:0f:ed:f7:14:c6:4b:d5:
                    03:53:3e:42:eb:49:05:65:1d:17:0a:c4:39:1d:7f:
                    7f:d5:7f:b1:90:b0:0d:fb:1a:9a:94:cc:f2:74:79:
                    0b:38:b1:1b:9b:82:bf:d6:96:62:ca:7d:b7:75:9d:
                    43:7b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                B9:A2:91:05:0B:E5:DD:00:2E:1A:64:DD:26:DC:D3:A1:43:DA:8C:C3
            Authority Information Access:
                OCSP - URI:http://ipa-ca.example.com/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        84:8c:9a:b2:a2:35:3e:0a:13:c3:e5:60:b4:94:bf:67:2a:6e:
        12:f3:65:1b:f3:4e:a9:3c:83:80:5a:e2:17:b9:22:f2:4d:67:
        c4:ce:95:26:19:ef:00:b2:05:33:d3:ae:f7:d3:88:9d:d2:ea:
        30:28:67:fa:a5:0d:4c:15:df:f0:73:6f:34:d6:92:64:2c:e9:
        6b:27:2d:31:cd:18:d4:34:be:13:24:73:a6:0a:d9:dc:f8:3d:
        72:9f:87:e7:5f:cf:60:a1:a1:48:74:a0:68:b8:33:7f:81:28:
        37:42:f1:55:85:44:3e:e1:f1:bf:3a:3b:91:c8:03:01:9b:46:
        50:18:33:d1:0a:92:18:85:90:99:7d:ed:c7:ac:a1:07:e4:31:
        4a:77:09:d6:0c:b7:4d:14:6c:2d:77:f1:15:f6:39:3e:7d:c4:
        8e:62:d2:a8:46:9a:4c:a6:e9:c2:53:0d:81:8c:ba:be:ac:66:
        c6:a1:8f:94:33:09:c8:40:a9:f0:78:ae:14:17:c7:0b:76:47:
        b0:df:90:fa:60:d2:b0:d1:27:6a:9b:f3:c8:62:87:c0:92:f9:
        75:c2:70:23:61:44:48:e6:a3:ea:f5:e0:c8:ce:e3:b7:1b:17:
        22:b7:22:ec:c3:ac:59:d1:93:ef:67:fa:ae:b6:a7:02:5a:d7:
        f3:7f:10:0a:d3:7b:aa:6c:fc:80:50:c4:d0:b8:d7:08:94:98:
        f6:07:c1:6a:02:c4:18:77:2a:2a:37:0d:0c:5b:ad:9d:04:be:
        1c:44:79:cd:92:0e:35:08:53:ab:e7:63:cc:d0:98:6b:ed:fa:
        8a:4e:c8:6e:71:23:e4:6e:44:61:e9:94:f3:2d:12:3c:60:29:
        9b:b3:6f:e8:62:0d:1f:ab:e9:62:67:c5:fc:e3:5c:31:73:51:
        80:35:01:19:a6:b0:9b:9a:9c:d9:0e:19:89:ec:de:c5:6b:12:
        7c:cf:c0:c4:ce:23:5a:6e:a9:77:5b:2c:5f:d9:1f:7f:da:fe:
        1b:0c:0b:ca:48:a4

RA Agent Certificate

In an IPA environment the RA agent certificate is stored at /var/lib/ipa/ra-agent.pem and its key is stored at /var/lib/ipa/ra-agent.key.

To display the RA agent certificate:

$ openssl x509 -text -noout -in /var/lib/ipa/ra-agent.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE.COM, CN = Certificate Authority
        Validity
            Not Before: Jun 13 21:12:42 2022 GMT
            Not After : Jun  2 21:12:42 2024 GMT
        Subject: O = EXAMPLE.COM, CN = IPA RA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:94:2e:e7:1b:81:5b:aa:58:47:df:c3:27:14:
                    99:7f:61:6e:74:72:33:39:52:d3:15:d5:1d:83:6e:
                    99:79:c1:f9:ef:d5:a6:99:0d:e7:f8:aa:60:a0:8a:
                    39:19:f0:d9:c5:cd:87:fb:96:a9:15:9e:fe:1f:07:
                    51:e0:d3:0b:76:bc:0c:05:02:6b:16:27:e6:fb:67:
                    9b:7f:07:02:94:16:26:20:b3:ac:c3:e0:9c:3e:09:
                    a5:d8:c3:e2:8e:e5:9d:e7:5a:aa:cd:e8:fd:b3:b7:
                    3f:9c:50:52:76:c4:b7:01:22:31:aa:5e:fc:0c:a0:
                    db:90:74:21:db:b8:cb:a0:9a:44:a6:f2:71:bc:76:
                    d3:b6:85:dc:32:9e:3d:27:34:e6:88:ce:d5:b2:77:
                    c6:05:1e:9c:02:43:98:c0:e7:93:84:b1:43:37:54:
                    20:ac:cf:4e:67:2b:23:10:36:41:11:de:05:8b:f3:
                    b3:fa:ed:a6:33:fd:d6:0d:f3:f8:bf:56:ea:87:14:
                    65:ea:9f:26:d9:54:85:f2:67:4c:29:71:e4:4c:e2:
                    86:90:aa:92:16:79:d3:72:f0:be:76:29:e2:d8:a5:
                    e8:6d:3f:59:28:04:79:f3:81:dd:ba:98:bc:13:fb:
                    8a:36:c9:a6:e0:ea:a9:5d:be:3b:e2:c6:82:da:84:
                    14:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                B9:A2:91:05:0B:E5:DD:00:2E:1A:64:DD:26:DC:D3:A1:43:DA:8C:C3
            Authority Information Access:
                OCSP - URI:http
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5d:35:b5:97:fb:8d:fc:b0:e9:2e:63:52:ec:39:b3:13:65:e3:
        53:c0:c9:b8:1a:f3:7d:6f:ed:9f:dc:e5:3c:2a:bd:b9:fd:45:
        ea:5d:98:15:42:87:f5:e3:f9:73:e3:61:52:4c:12:08:22:b8:
        2d:1f:8e:a0:7a:82:09:ea:16:ac:90:6f:d7:ae:ec:c7:dd:11:
        45:9c:5a:80:5c:2f:d1:43:26:ba:95:db:22:0d:8b:f9:8d:ae:
        a8:ba:34:d9:40:bb:55:3c:2c:28:49:86:cb:75:dd:c3:89:6a:
        0b:87:0d:d5:9f:bf:b8:c7:9c:9c:ae:9f:ad:d1:f0:e2:34:36:
        d0:5a:ec:71:cf:57:82:0f:62:1d:a9:1b:bc:06:91:a5:6a:e8:
        c9:0e:50:4a:15:17:2d:d7:5e:12:18:b7:55:b3:eb:ca:71:1f:
        9a:4d:f6:73:09:f1:eb:8d:6c:64:d0:93:b7:4d:f4:e4:86:6c:
        6a:4d:b2:b4:22:41:63:66:e9:14:e0:1c:dd:d0:e6:6c:ed:79:
        82:9f:73:a7:d5:fe:a9:5b:37:c1:88:f0:d9:5a:8b:d7:02:cd:
        9f:02:85:75:a4:45:c7:15:17:dc:02:6a:c3:99:cd:9a:a3:a5:
        b6:af:92:eb:81:f8:65:03:e3:3b:86:80:07:a4:07:16:29:2e:
        0a:3f:e4:48:75:2f:7b:1e:af:90:6d:2d:f1:9a:89:25:f6:91:
        de:bc:85:2e:99:23:9b:b6:a4:fa:32:bc:10:ed:10:04:ee:24:
        f3:7c:7d:eb:cf:ef:c6:bd:c6:6e:fe:5f:be:20:d9:25:cd:5e:
        c3:60:51:0b:3b:80:66:ab:a6:33:f5:8d:bc:15:df:d8:f0:1c:
        b8:4b:58:38:d3:96:9d:24:c3:d9:eb:13:27:6e:c8:9f:73:a9:
        1e:48:01:1c:e8:ef:2c:5a:49:f0:35:15:96:3b:4c:02:38:63:
        4d:c8:64:37:18:c4:3a:1b:59:40:78:ea:4b:eb:fe:ba:dc:6f:
        63:64:b6:b2:08:6f