Add a new LDAP user certificate

You may need to add a new certificate for an LDAP user, for example, when the existing certificate has expired and you can no longer access the subsystem. In this case, you may see the following error message when trying to reach the Key Recovery Authority (KRA) subsystem:

pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin kra
PKIException: Unauthorized

To add a new LDAP user certificate:

  1. Log in to the OpenStack secrets storage node (kmn).

  2. Obtain information about the new certificate:

    pki cert-show 16 --encode
    
  3. Note the certificate data and the serial number converted to decimal (for example, serial number 0x10 = 16).

  4. Verify that the LDAP user does not yet have the new certificate:

    ldapsearch -D "cn=Directory Manager" -b "o=pki-tomcat-KRA" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -h kmn01.rl-dogtag-2.local "uid=kraadmin"
    
  5. Create a modify_kra_admin.ldif file with information about the new certificate. In the userCertificate attribute, insert the certificate data, and in the description attribute, insert the certificate ID with the serial number in decimal (for example, serial number 0x10 = 16).

  6. Apply the changes:

    ldapmodify -D "cn=Directory Manager" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -h kmn01.rl-dogtag-2.local -f ./modify_kra_admin.ldif
    
  7. Verify that the LDAP user has a new certificate:

    ldapsearch -D "cn=Directory Manager" -b "o=pki-tomcat-KRA" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -h kmn01.rl-dogtag-2.local "uid=kraadmin"
    
  8. Verify that the subsystem is accessible:

    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin kra
    

    Example of system response:

    Commands:
     kra-group               Group management commands
     kra-key                 Key management commands
     kra-selftest            Selftest management commands
     kra-user                User management commands
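The following added example (not part of the original page or of the Dogtag project) generates the modify_kra_admin.ldif file described in step 5 from the PEM output of pki cert-show. It reads the serial number directly from the certificate DER, so the decimal value in description cannot drift from the certificate in userCertificate, and folds long LDIF lines per RFC 2849. The user DN, issuer DN and subject DN are assumptions; the sample certificate is a constructed DER skeleton (outer SEQUENCE, version and serial only), not a real certificate.

```python
import base64
import re

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour (as printed by 'pki cert-show <serial> --encode') and decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def _der_len(buf: bytes, i: int):
    """Decode a DER length at offset i; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_serial(der: bytes) -> int:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... } }"""
    assert der[0] == 0x30, "expected outer SEQUENCE"
    _, i = _der_len(der, 1)
    assert der[i] == 0x30, "expected tbsCertificate SEQUENCE"
    _, i = _der_len(der, i + 1)
    if der[i] == 0xA0:                      # skip the explicit [0] version element if present
        length, i = _der_len(der, i + 1)
        i += length
    assert der[i] == 0x02, "expected serialNumber INTEGER"
    length, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + length], "big", signed=True)

def fold_ldif_line(line: str, width: int = 76) -> str:
    """RFC 2849: lines longer than width continue on the next line prefixed with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def build_modify_ldif(user_dn: str, pem: str, issuer_dn: str, subject_dn: str) -> str:
    """Emit an ldapmodify file that adds the certificate and its Dogtag-style description record."""
    der = pem_to_der(pem)
    serial = der_serial(der)                # decimal serial, e.g. 0x10 -> 16
    cert_attr = "userCertificate;binary:: " + base64.b64encode(der).decode()
    return "\n".join([
        f"dn: {user_dn}", "changetype: modify",
        "add: userCertificate", fold_ldif_line(cert_attr), "-",
        "add: description", f"description: 2;{serial};{issuer_dn};{subject_dn}", "-", ""])

# Constructed sample input: a minimal DER skeleton with version v3 and serial 0x10, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x10])
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n"
# Assumed DNs for illustration; take the real ones from the pki cert-show output and the ldapsearch result.
SAMPLE_LDIF = build_modify_ldif("uid=kraadmin,ou=people,o=pki-tomcat-KRA", SAMPLE_PEM,
                                "CN=CA Signing Certificate,O=EXAMPLE", "CN=PKI Administrator,O=EXAMPLE")
```

Write the returned text to modify_kra_admin.ldif and apply it with the ldapmodify command from step 6.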