Setting up CA Admin User with LDAP Tools - dogtagpki/pki GitHub Wiki
This page describes the process to set up a CA admin user with LDAP tools.
Create the admin user entry:

```
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: caadmin
sn: caadmin
uid: caadmin
mail: [email protected]
userPassword: Secret.123
userState: 1
userType: adminType
EOF
```
Convert the certificate to DER format:
```
$ openssl x509 -outform der -in admin.crt -out admin.der
```
Get the certificate serial number:
```
$ openssl x509 -text -noout -in admin.crt
...
        Serial Number:
            5a:a7:13:f5:0f:8b:5e:77:ae:fe:58:7e:4f:d0:c7:da
...
```
Convert the hexadecimal serial number into decimal format:

```
$ python
>>> int('5aa713f50f8b5e77aefe587e4fd0c7da', 16)
120498037977510792098276151038707812314
```
Add the certificate into the user entry. The `description` value has the form `2;<serial>;<issuer DN>;<subject DN>`; replace `<decimal serial number>` with the decimal value computed above:

```
$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: description
description: 2;<decimal serial number>;CN=CA Signing Certificate;CN=Administrator
-
add: userCertificate
userCertificate:< file:admin.der
-
EOF
```
Add the user to the CA admin groups:

```
$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise RA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise TKS Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise OCSP Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise TPS Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-
EOF
```
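The certificate and LDIF steps above, as an added Python example (not part of this wiki page and not the PKI project's own tooling): it reads the serial number straight out of the certificate's DER encoding rather than copying it from `openssl x509 -text` output, parses that output too, and emits the same modify records the `ldapmodify` commands apply. The DER bytes and the `openssl` text are constructed fragments built around the serial shown above, not a real certificate; the user, group and base DNs are the page's example values.

```python
"""Helpers for the certificate steps: read the admin certificate, pull the serial
number out of the DER encoding (or out of `openssl x509 -text` output), and emit
the LDIF that ldapmodify expects."""
import base64
import re


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body (what `openssl x509 -outform der` does)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos].
    Returns (tag, value_start, value_end); value_end is where the next TLV begins."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_der(der):
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber.
    DER INTEGER is two's complement, so a serial whose top bit is set is stored with a
    leading 0x00; decoding with signed=True yields exactly the value the CA issued."""
    tag, pos, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE missing")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                            # EXPLICIT [0] version is absent in v1 certificates
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER missing")
    return int.from_bytes(der[start:end], "big", signed=True)


def serial_from_openssl_text(text):
    """Parse the 'Serial Number:' line of `openssl x509 -text`: large serials are printed as
    colon-separated hex on the following line, small ones as 'Serial Number: 1234 (0x4d2)'."""
    m = re.search(r"Serial Number:\s*([0-9a-fA-F:]+)(?:\s*\(0x([0-9a-fA-F]+)\))?", text)
    if not m:
        raise ValueError("no Serial Number line found")
    if m.group(2):
        return int(m.group(2), 16)
    return int(m.group(1).replace(":", ""), 16)


def admin_cert_ldif(uid, der, issuer_dn, subject_dn,
                    base_dn="ou=people,dc=ca,dc=pki,dc=example,dc=com"):
    """Same modification as the ldapmodify step above: the '2;<serial>;<issuer>;<subject>'
    description plus the DER certificate, inlined as base64 ('::') instead of '< file:'."""
    serial = serial_from_der(der)
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "changetype: modify",
        "add: description",
        f"description: 2;{serial};{issuer_dn};{subject_dn}",
        "-",
        "add: userCertificate",
        f"userCertificate:: {base64.b64encode(der).decode()}",
        "-",
        "",
    ])


def group_membership_ldif(uid, groups, base_dn="dc=ca,dc=pki,dc=example,dc=com"):
    """One LDIF modify record per group, as in the final ldapmodify step above."""
    member = f"uid={uid},ou=people,{base_dn}"
    return "\n".join(
        f"dn: cn={g},ou=groups,{base_dn}\nchangetype: modify\n"
        f"add: uniqueMember\nuniqueMember: {member}\n-\n"
        for g in groups
    )


# Constructed sample: only the leading part of a v3 certificate (outer SEQUENCE, tbsCertificate
# SEQUENCE, [0] version, serialNumber) around the serial shown on the page. A real certificate
# continues with signature algorithm, issuer, validity and so on, which the parser never reads.
SAMPLE_DER = bytes.fromhex(
    "3019"                                    # Certificate SEQUENCE, 25 bytes follow
    "3017"                                    # tbsCertificate SEQUENCE, 23 bytes follow
    "a003020102"                              # [0] EXPLICIT version INTEGER 2 (v3)
    "0210" "5aa713f50f8b5e77aefe587e4fd0c7da"  # serialNumber INTEGER, 16 bytes
)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
# Constructed excerpt of `openssl x509 -text -noout` output for the same serial.
SAMPLE_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:a7:13:f5:0f:8b:5e:77:ae:fe:58:7e:4f:d0:c7:da
"""

if __name__ == "__main__":
    print(admin_cert_ldif("caadmin", pem_to_der(SAMPLE_PEM),
                          "CN=CA Signing Certificate", "CN=Administrator"))
    print(group_membership_ldif("caadmin", ["Administrators", "Certificate Manager Agents"]))
```

Feed the printed LDIF to the same `ldapmodify` invocation as above; `-W` prompts for the Directory Manager password instead of exposing it in the process list and shell history as `-w Secret.123` does. Reading the serial from DER rather than from a pasted hex string avoids the most common mistake in this step, a dropped or doubled hex digit, and the `signed=True` decode handles the leading `0x00` that DER inserts when the serial's top bit is set, so the decimal value in `description` matches what the CA actually issued.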