These are direct copies from the wiki and references to other sources, they haven't been tested yet but given then we might need to do this in 10 or 20 years I figure its best to create our own copy here.
General Certificate Renewal
https://www.dogtagpki.org/wiki/Certificate_Renewal
Overview This document describes general certificate renewal process. To renew user certificates see User Certificate Renewal. To renew system certificates used by PKI server see System Certificate Renewal. Submitting Renewal Request PKI 10.4 or later To renew CA certificate: $ pki ca-cert-request-submit --profile caCACert --csr-file ca_signing.csr --renewal --serial 0x1 ----------------------------- Submitted certificate request ----------------------------- Request ID: 7 Type: enrollment Request Status: pending Operation Result: success To renew other certificates: $ pki ca-cert-request-submit --profile caManualRenewal --serial 0x6 --renewal ----------------------------- Submitted certificate request ----------------------------- Request ID: 28 Type: renewal Request Status: pending Operation Result: success Approving Renewal Request If the certificate renewal requires agent approval, it can be done with the following command: $ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \ ca-cert-request-review 28 --action approve ------------------------------- Approved certificate request 28 ------------------------------- Request ID: 28 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0x1c See Handling Certificate Request. Retrieving Renewed Certificate To download the new certificate into a file: $ pki ca-cert-show 0x1c --output testuser.crt Changing System Date Sometimes it is necessary to change the system date in order to renew a certificate, for example to renew an already expired certificate or for testing. To change the system date, first disable NTP: $ timedatectl set-ntp false Then change the date: $ timedatectl set-time <YYYY-MM-DD> To reenable NTP: $ timedatectl set-ntp true --adjust-system-clock To check NTP status: $ ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== +chl.la 216.218.254.202 2 u 8 64 3 174.046 2.242 2.282 *utcnist2.colora .NIST. 1 u 3 64 3 164.484 10.623 3.013 ntp.newfxlabs.c .STEP. 16 u - 64 0 0.000 0.000 0.000 +103.245.79.2 118.189.138.5 2 u 9 64 3 275.932 -4.128 1.948 If the output looks like this, check the NTP configuration is located at /etc/ntp.conf. remote refid st t when poll reach delay offset jitter ============================================================================== *LOCAL(0) .LOCL. 10 l 5 64 377 0.000 0.000 0.000 To force time sync: $ ntpdate -s time.nist.gov
System Certificate Renewal
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
Overview This page describes the procedure to renew system certificates used by PKI server. Depending on the subsystems installed, PKI server uses several system certificates, for example: CA signing certificate OCSP signing certificate SSL server certificate Subsystem certificate Audit signing certificate In order for the server to operate properly all of these certificates must be valid. The CA signing certificate usually has the longest validity range (default is 20 years). The other certificates usually have shorter validity range (e.g. 2 years). To avoid service interruption any expiring certificate should be renewed while it's still valid. Note that the default PKI user certificate also has a shorter validity range. See User Certificate Renewal. Also note that the renewal procedure requires a running CA. If the expired system certificate was issued by a CA running on the same server, the server might fail to start and the certificate cannot be renewed since the CA is not available. If that happens, the system date needs to be moved back to a time where all system certificates were still valid before starting the renewal process. This document describes the renewal procedure using CLI in PKI 10.x. In PKI 9.x the renewal procedure needs to be done using legacy servlet interface, but it still follows the same general idea. Identifying Certificates to Renew First, identify the serial numbers of the certificates that are about to expire. In PKI 10.4 or later the serial numbers and the validity dates of the system certificates can be determined with the following command: $ pki-server subsystem-cert-find ca ----------------- 5 entries matched ----------------- Cert ID: signing Nickname: ca_signing Token: Internal Key Storage Token Serial number: 0x1 Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE Subject: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE Not valid before: 2016-12-06 12:49:43 Not valid after: 2036-12-06 12:49:43 Cert ID: ocsp_signing Nickname: ca_ocsp_signing Token: Internal Key Storage Token Serial number: 0x2 Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE Subject: CN=CA OCSP Signing Certificate, OU=pki-tomcat, O=EXAMPLE Not valid before: 2016-12-06 12:49:43 Not valid after: 2018-11-26 12:49:43 Cert ID: sslserver Nickname: sslserver Token: Internal Key Storage Token Serial number: 0x3 Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE Subject: CN=vm-058-091.abc.idm.lab.eng.brq.redhat.com, OU=pki-tomcat, O=EXAMPLE Not valid before: 2016-12-06 12:49:44 Not valid after: 2018-11-26 12:49:44 Cert ID: subsystem Nickname: subsystem Token: Internal Key Storage Token Serial number: 0x4 Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE Subject: CN=Subsystem Certificate, OU=pki-tomcat, O=EXAMPLE Not valid before: 2016-12-06 12:49:44 Not valid after: 2018-11-26 12:49:44 Cert ID: audit_signing Nickname: ca_audit_signing Token: Internal Key Storage Token Serial number: 0x5 Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE Subject: CN=CA Audit Signing Certificate, OU=pki-tomcat, O=EXAMPLE Not valid before: 2016-12-06 12:49:44 Not valid after: 2018-11-26 12:49:44 PKI 10.4 or later In PKI 10.4 it can be done with the following commands: $ pki ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal # OCSP signing $ pki ca-cert-request-submit --profile caManualRenewal --serial 0x3 --renewal # SSL server $ pki ca-cert-request-submit --profile caManualRenewal --serial 0x4 --renewal # subsystem $ pki ca-cert-request-submit --profile caManualRenewal --serial 0x5 --renewal # audit signing Approving Renewal Requests As the CA agent, approve each renewal request using the request ID: $ pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 \ ca-cert-request-review 7 --action approve $ pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 \ ca-cert-request-review 8 --action approve $ pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 \ ca-cert-request-review 9 --action approve $ pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 \ ca-cert-request-review 10 --action approve Each approval will generate a new certificate with a new serial number. See also Approving Renewal Request. Retrieving Renewed Certificates Download the renewed certificates into files using the new serial numbers: $ pki ca-cert-show 0x7 --output ca_ocsp_signing.crt $ pki ca-cert-show 0x8 --output sslserver.crt $ pki ca-cert-show 0x9 --output subsystem.crt $ pki ca-cert-show 0xa --output ca_audit_signing.crt See also Retrieving Renewed Certificate. Updating System Certificates The new certificates need to be imported into the NSS database and the copy of the certificates in the CS.cfg need to be updated as well. While NSS should be able to handle multiple certificates (both old and new) in the NSS database it is recommended that the old one is removed. To prevent NSS database or CS.cfg corruption, shutdown the server before making the changes. PKI 10.4 or later First, shutdown the server: $ systemctl stop pki-tomcatd@pki-tomcat.service Update the NSS database and CS.cfg with the following commands: $ pki-server subsystem-cert-update ca ocsp_signing --cert ca_ocsp_signing.crt $ pki-server subsystem-cert-update ca sslserver --cert sslserver.crt $ pki-server subsystem-cert-update ca subsystem --cert subsystem.crt $ pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt Finally, restart the server: $ systemctl start pki-tomcatd@pki-tomcat.service
User Certificate Renewal
https://www.dogtagpki.org/wiki/User_Certificate_Renewal
Overview This document describes the process to renew a user certificate that can be used to authenticate against PKI server. Submitting Renewal Request Renewing valid user certificate To renew a user certificate using the certificate itself for authentication, the certificate must still be valid and stored in the client NSS database (see Retrieving Certificate): $ pki -c Secret.123 client-cert-find ---------------------- 1 certificate(s) found ---------------------- Serial Number: 0x7 Nickname: testuser Subject DN: UID=testuser Issuer DN: CN=CA Signing Certificate,O=EXAMPLE ---------------------------- Number of entries returned 1 ---------------------------- Submit the renewal request over SSL connection using the client certificate for authentication: $ pki -U https://<hostname>:<secure port> -c <client NSS database password> -n <client certificate nickname> \ client-cert-request <subject DN> --profile <renewal profile> For example: $ pki -U https://server.example.com:8443 -c Secret.123 -n testuser client-cert-request uid=testuser \ --profile caManualRenewal See Certificate Profiles. Renewing expired user certificate If the user certificate has already expired, use the general Certificate Renewal procedure. Approving Renewal Request If the certificate renewal requires agent approval, it can be done with the following command: $ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \ ca-cert-request-review 28 --action approve ------------------------------- Approved certificate request 28 ------------------------------- Request ID: 28 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0x1c See Handling Certificate Request. Assigning Renewed Certificate to User As the PKI admin assign the new certificate to the user. PKI 10.4 or later Assign the new certificate to the user with this command: $ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-cert-add testuser --serial 0x1c Then delete the old certificate from the user. In PKI 10.4 it can be done with the following command: $ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-cert-del testuser --serial 0x7 Retrieving Renewed Certificate As the user, replace the certificate in the client NSS database. PKI 10.4 or later In PKI 10.4 it can be done with the following command: $ pki -c Secret.123 client-cert-import testuser --serial 0x1c --overwrite
Offline System Certificate Renewal
## Overview PKI server provides a mechanism to recover from expired system certificates. This mechanism can also be used to renew the certificates before they expire. There are 2 ways to renew the certs 1. [Automated Renewal Process](#Automated-Renewal-Process) 2. [Manual Renewal Process](#Manual-Renewal-Process) It is assumed that you have the following: * Valid CA signing cert * Valid admin cert To verify these assumptions are valid: 1. List details of all system certificates. (Note down the `<cert ID>` of the certificates that need to be renewed) ```` # pki-server cert-find Cert ID: ca_signing Nickname: ca_signing Serial Number: 0x1 Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Not Valid Before: Wed Dec 19 17:33:21 2018 Not Valid After: Sun Dec 19 17:33:21 2038 ```` 2. Check details of the admin certificate ```` # certutil -L \ -d <admin NSS database> \ -n <admin cert nickname> Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" Validity: Not Before: Sat Dec 15 02:16:26 2018 Not After : Fri Dec 04 02:16:26 2020 Subject: "CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O= EXAMPLE" ```` ## Automated Renewal Process One line tool that fixes all certificates: # pki-server cert-fix \ -n <admin cert nickname> \ -d <admin NSS database> \ -c <admin NSS database password> One line tool to fix one particular certificate: # pki-server cert-fix --cert <cert ID> \ -n <admin cert nickname> \ -d <admin NSS database> \ -c <admin NSS database password> For all available options, you can type: $ pki-server cert-fix --help ## Manual Renewal Process ### Initialization It is recommended to run the following steps to ensure that `CS.cfg` and NSS database are synchronized and that the server can operate without any issues. 1. Disable self tests using the following command: ```` # pki-server selftest-disable ```` 2. Synchronize NSS database and CS.cfg for all system certificates that are to be renewed ```` # pki-server cert-update <cert ID> ```` ### Bringing up the PKI server 1. Create temp SSL certificate. The temp cert will be created in `/etc/pki/<instance>/certs/sslserver.crt` ```` # pki-server cert-create sslserver --temp ```` 2. Delete the existing System cert if exist ```` # pki-server cert-del sslserver ```` 3. Import temp SSL certificate created in previous step ```` # pki-server cert-import sslserver ```` 4. Start server ```` # systemctl start pki-tomcatd@pki-tomcat ```` ### System Certificate Renewal 1. Renew required system certs using PKI tool. For **`sslserver`** cert provide the `serial number` from the **original SSL server cert** to avoid placing request for unintended cert. ```` # pki-server cert-create --renew \ -n <admin cert nickname> \ -d <admin NSS database> \ -c <admin NSS database password> \ <cert ID> \ --serial <serial number> ```` **OR** using 3rd party tool, like certmonger. Please refer [certmonger manual](https://www.freeipa.org/page/Certmonger) to renew the certs. 2. Stop server to update PKI server instance to use latest renewed certs ```` # systemctl stop pki-tomcatd@pki-tomcat ```` 3. Delete the existing NSS database certs ```` # pki-server cert-del <cert ID> ```` 4. Import the renewed permanent certs into NSS db and update corresponding CS.cfg files ```` # pki-server cert-import <cert ID> ```` *Note:* Make sure the **Audit Log** has the trust flags: ***"u,u,Pu"*** by running the following command: ```` # certutil -L -d /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ca_signing CTu,Cu,Cu transportCert cert-pki-tomcat KRA u,u,u storageCert cert-pki-tomcat KRA u,u,u auditSigningCert cert-pki-tomcat KRA u,u,Pu subsystem u,u,u sslserver u,u,u ca_ocsp_signing u,u,u ca_audit_signing u,u,Pu ```` 5. Enable the self test using the following command: ```` # pki-server selftest-enable ```` 6. Start server with new renewed system certificates. ```` # systemctl start pki-tomcatd@pki-tomcat ````
Offline expired certificate renewal for Dogtag
https://frasertweedale.github.io/blog-redhat/posts/2019-02-28-dogtag-cert-fix.html
The worst has happened. Somehow, certificate renewal didn’t happen when it should have, and now you have expired certificates. Worst, these are Dogtag system certificates; you can’t even start Dogtag to issue new ones! Unfortunately, this situation arises fairly often. Sometimes due to administrator error or extended downtime; sometimes due to bugs. These cases are notoriously difficult (and expensive) to analyse and resolve. It often involves time travel: Set the system clock to a time setting just before certificates started expiring. Fix whatever caused renewal not to work in the first place. Renew expiring certificates. Reset system clock. That is the simple case! I have seen much gnarlier scenarios. Ones where multiple times must be visited. Ones where there is no time at which all relevant certs are valid. It would be nice to avoid these scenarios, and the FreeIPA team continues to work to improve the robustness of certificate renewal. We also have a monitoring / health check solution on the roadmap, so that failure of automated renewal sets off alarms before everything else falls over. But in the meantime, customers and support are still dealing with scenarios like this. Better recovery tools are needed. And better tools are on the way! Dinesh, one of the Dogtag developers, has built a tool to simplify renewal when your Dogtag CA is offline due to expired system certificates. This post outlines what the tool is, what it does, and my first experiences using it in a FreeIPA deployment. Along the way and especially toward the end of the post, I will discuss the caveats and potential areas for improvement, and FreeIPA-specific considerations. pki-server cert-fix The tool is implemented as a subcommand of the pki-server utility–namely cert-fix (and I will use this short name throughout the post). So it is implemented in Python, but in some places it calls out to certutil or the Java parts of Dogtag via the HTTP API. The user documentation is maintained the source repository. The insight at the core of cert-fix is that even if Dogtag is not running or cannot run, we still have access to the keys needed to issue certificates. We do need to use Dogtag to properly store issued certificates (for revocation purposes) and produce an audit trail. But if needed, we can use the CA signing key to temporarily fudge the important certificates to get Dogtag running again, then re-issue expired system certificates properly. Assumptions cert-fix makes the following assumptions about your environment. If these do not hold, then cert-fix, as currently implemented, cannot do its thing. The CA signing certificate is valid. You have a valid admin or agent certificate. In a FreeIPA environment the IPA RA certificaite fulfils this role. (indirect) The LDAP server (389 DS) is operational, its certificate is valid, and Dogtag can authenticate to it. These assumptions have been made for good reasons, but there are several certificate expiry scenarios that breach them. I will discuss in detail later in the post. For now, we must accept them. What cert-fix does The cert-fix performs the following actions to renew an expired system certificate: Inspect the system and identify which system certificates need renewing. Or the certificates can be specified on the command line. If Dogtag’s HTTPS certificate is expired, use certutil commands to issue a new “temporary” certificate. The validity period is three months (from the current time). The serial number of the current (expired) HTTPS is reused (a big X.509 no-no, but operationally no big deal in this scenario). There is no audit trail and the certificate will not appear in the LDAP database. Disable the startup self-test for affected subsystems, then start Dogtag. For each target certificate, renew the certificate via API, using given credential. Validity periods and other characteristics are determined by relevant profiles. Serial numbers are chosen in the usual manner, the certificates appear in LDAP and there is an audit trail. Stop Dogtag. For each target certificate, import the new certificate into Dogtag’s NSSDB. Re-enable self-test for affected subsystems and start Dogtag. Using cert-fix There are a couple of ways to try out the tool—without waiting for certificates to expire, that is. One way is to roll your system clock forward, beyond the expiry date of one or more certificates. Another possibility is to modify a certificate profile used for a system certificate so that it will be issued with a very short validity period. I opted for the latter option. I manually edited the default profile configuration, so that Dogtag’s OCSP and HTTPS certificates would be issued with a validity period of 15 minutes. By the time I installed FreeIPA, grabbed a coffee and read a few emails, the certificates had expired. Certmonger didn’t even attempt to renew them. Dogtag was still running and working properly, but ipactl restart put Dogtag, and the whole FreeIPA deployment, out of action. I used pki-server cert-find to have a peek at Dogtag’s system certificates: [root@f29-0 ca]# pki-server cert-find Cert ID: ca_signing Nickname: caSigningCert cert-pki-ca Serial Number: 0x1 Subject DN: CN=Certificate Authority,O=IPA.LOCAL 201902271325 Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201902271325 Not Valid Before: Wed Feb 27 14:30:22 2019 Not Valid After: Mon Feb 27 14:30:22 2034 Cert ID: ca_ocsp_signing Nickname: ocspSigningCert cert-pki-ca Serial Number: 0x2 Subject DN: CN=OCSP Subsystem,O=IPA.LOCAL 201902271325 Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201902271325 Not Valid Before: Wed Feb 27 14:30:24 2019 Not Valid After: Wed Feb 27 14:45:24 2019 Cert ID: sslserver Nickname: Server-Cert cert-pki-ca Serial Number: 0x3 Subject DN: CN=f29-0.ipa.local,O=IPA.LOCAL 201902271325 Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201902271325 Not Valid Before: Wed Feb 27 14:30:24 2019 Not Valid After: Wed Feb 27 14:45:24 2019 Cert ID: subsystem Nickname: subsystemCert cert-pki-ca Serial Number: 0x4 Subject DN: CN=CA Subsystem,O=IPA.LOCAL 201902271325 Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201902271325 Not Valid Before: Wed Feb 27 14:30:24 2019 Not Valid After: Tue Feb 16 14:30:24 2021 Cert ID: ca_audit_signing Nickname: auditSigningCert cert-pki-ca Serial Number: 0x5 Subject DN: CN=CA Audit,O=IPA.LOCAL 201902271325 Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201902271325 Not Valid Before: Wed Feb 27 14:30:24 2019 Not Valid After: Tue Feb 16 14:30:24 2021 Note the Not Valid After times for the ca_ocsp_signing and sslserver certificates. These are certificates we must renew. Preparing the agent certificate The cert-fix command requires an agent certificate. We will use the IPA RA certificate. The pki-server CLI tool needs an NSSDB with the agent key and certificate. So we have to set that up. First initialise the NSSDB: [root@f29-0 ~]# mkdir ra-nssdb [root@f29-0 ~]# cd ra-nssdb [root@f29-0 ra-nssdb]# certutil -d . -N Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: XXXXXXXX Re-enter password: XXXXXXXX Then create a PKCS #12 file containing the required key and certificates: [root@f29-0 ra-nssdb]# openssl pkcs12 -export \ -inkey /var/lib/ipa/ra-agent.key \ -in /var/lib/ipa/ra-agent.pem \ -name "ra-agent" \ -certfile /etc/ipa/ca.crt > ra-agent.p12 Enter Export Password: Verifying - Enter Export Password: Import it into the NSSDB, and fix up trust flags on the IPA CA certificate: [root@f29-0 ra-nssdb]# pk12util -d . -i ra-agent.p12 Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL [root@f29-0 ra-nssdb]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ra-agent u,u,u Certificate Authority - IPA.LOCAL 201902271325 ,, [root@f29-0 ra-nssdb]# certutil -d . -M \ -n 'Certificate Authority - IPA.LOCAL 201902271325' \ -t CT,C,C Enter Password or Pin for "NSS Certificate DB": [root@f29-0 ra-nssdb]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ra-agent u,u,u Certificate Authority - IPA.LOCAL 201902271325 CT,C,C Running cert-fix Let’s look at the cert-fix command options: [root@f29-0 ra-nssdb]# pki-server cert-fix --help Usage: pki-server cert-fix [OPTIONS] --cert <Cert ID> Fix specified system cert (default: all certs). -i, --instance <instance ID> Instance ID (default: pki-tomcat). -d <NSS database> NSS database location (default: ~/.dogtag/nssdb) -c <NSS DB password> NSS database password -C <path> Input file containing the password for the NSS database. -n <nickname> Client certificate nickname -v, --verbose Run in verbose mode. --debug Run in debug mode. --help Show help message. It’s not a good idea to put passphrases on the command line in the clear, so let’s write the NSSDB passphrase to a file: [root@f29-0 ra-nssdb]# cat > pwdfile.txt XXXXXXXX ^D Finally, I was ready to execute cert-fix: [root@f29-0 ra-nssdb]# pki-server cert-fix \ -d . -C pwdfile.txt -n ra-agent \ --cert sslserver --cert ca_ocsp_signing \ --verbose Running with --verbose causes INFO and higher-level log messages to be printed to the terminal. Running with --debug includes DEBUG messages. If neither of these is used, nothing is output (unless there’s an error). So I recommend running with --verbose. So, what happened? Unfortunately I ran into several issues. 389 DS not running The first issue was trivial, but likely to occur if you have to cert-fix a FreeIPA deployment. The ipactl [re]start command will shut down every component if any component failed to start. Dogtag didn’t start, therefore ipactl shut down 389 DS too. As a consequence, Dogtag failed to initialise after cert-fix started it, and the command failed. So, before running cert-fix, make sure LDAP is working properly. To start it, use systemctl instead of ipactl: # systemctl start dirsrv@YOUR-REALM Connection refused One issue I encountered was that a slow startup of Dogtag caused failure of the tool. cert-fix does not wait for Dogtag to start up properly. It just ploughs ahead—only to encounter ConnectionRefusedError. I worked around this—temporarily—by adding a sleep after cert-fix starts Dogtag. A proper fix will require a change to the code. cert-fix should perform a server status check, retrying until it succeeds or times out. TLS handshake failure The next error I encountered was a TLS handshake failure: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='f29-0.ipa.local', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X 509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3841)'))) I haven’t worked out yet what is causing this surprising error. But I wasn’t the first to encounter it. A comment in the Bugzilla ticket indicated that the workaround was to remove the IPA CA certificate from the client NSSDB. This I did: [root@f29-0 ra-nssdb]# certutil -d . -D \ -n "Certificate Authority - IPA.LOCAL 201902271325" After this, my next attempt at running cert-fix succeeded. Results Looking at the previously expired target certificates, observe that the certificates have been updated. They have new serial numbers, and expire in 15 months: [root@f29-0 ra-nssdb]# certutil -d /etc/pki/pki-tomcat/alias \ -L -n 'Server-Cert cert-pki-ca' | egrep "Serial|Not After" Serial Number: 12 (0xc) Not After : Wed May 27 12:45:25 2020 [root@f29-0 ra-nssdb]# certutil -d /etc/pki/pki-tomcat/alias \ -L -n 'ocspSigningCert cert-pki-ca' | egrep "Serial|Not After" Serial Number: 13 (0xd) Not After : Wed May 27 12:45:28 2020 Looking at the output of getcert list for the target certificates, we see that Certmonger has not picked these up (some lines removed): [root@f29-0 ra-nssdb]# getcert list -i 20190227033149 Number of certificates and requests being tracked: 9. Request ID '20190227033149': status: CA_UNREACHABLE ca-error: Internal error stuck: no CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.LOCAL 201902271325 subject: CN=OCSP Subsystem,O=IPA.LOCAL 201902271325 expires: 2019-02-27 14:45:24 AEDT eku: id-kp-OCSPSigning [root@f29-0 ra-nssdb]# getcert list -i 20190227033152 Number of certificates and requests being tracked: 9. Request ID '20190227033152': status: CA_UNREACHABLE ca-error: Internal error stuck: no CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.LOCAL 201902271325 subject: CN=f29-0.ipa.local,O=IPA.LOCAL 201902271325 expires: 2019-02-27 14:45:24 AEDT dns: f29-0.ipa.local key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth Restarting Certmonger (systemctl restart certmonger) resolved the discrepancy. Finally, ipactl restart puts everything back online. cert-fix has saved the day! [root@f29-0 ra-nssdb]# ipactl restart Restarting Directory Service Starting krb5kdc Service Starting kadmin Service Starting httpd Service Starting ipa-custodia Service Starting pki-tomcatd Service Starting ipa-otpd Service ipa: INFO: The ipactl command was successful Issues and caveats Besides the issues already covered, there are several scenarios that cert-fix cannot handle. Expired CA certificate Due to the the long validity period of a typical CA certificate, the assumption that the CA certificate is valid is the safest assumption made by cert-fix. But it is not a safe assumption. The most common way this assumption is violated is with externally-signed CA certificates. For example, the FreeIPA CA in your organisation is signed by Active Directory CA, with a validity period of two years. Things get overlooked and suddenly, your FreeIPA CA is expired. It may take some time for the upstream CA administrators to issue a new certificate. In the meantime, you want to get your FreeIPA/Dogtag CA back up. Right now cert-fix doesn’t handle this scenario. I think it should. As far as I can tell, this should be straightforward to support. Unlike the next few issues… Agent certificate expiry This concerns the assumption that you have a valid agent certificate. Dogtag requires authentication to perform privilieged operations like certificate issuance. Also, the authenticated user must be included in audit events. cert-fix must issue certificates properly (with limiited temporary fudging tolerated for operational efficacy), therefore there must be an agent credential. And if your agent credential is a certificate, it must be valid. So if your agent certificate is expired, it’s Catch-22. That is why the tool, as currently implemented, must assume you have a valid, non-expired agent certificate. In some deployments the agent certificate is renewed on a different cadence from subsystem certificates. In that case, this scenario is less like to occur—but still entirely possible! The assumption is bad. In my judgement it is fairly important to find a workaround for this. One idea could be to talk directly to LDAP and set a randomly-generated password on an agent account, and use that to authenticate. After the tool exits, the passphrase is forgotten. This approach means cert-fix needs a credential and privileges to perform those operations in LDAP. Speaking of LDAP… 389 DS certificate authentication In FreeIPA deployments, Dogtag is configured to use the subsystem certificate to bind (authenticate) to the LDAP server. If the subsystem certificate is expired, 389 DS will reject the certificate; the connection fails and and Dogtag cannot start. A workaround for this may be to temporarily reconfigure Dogtag to use a password to authenticate to LDAP. Then after the new subsystem certificate was issued, it must be added to the pkidbuser entry in LDAP, and certificate authentication reinstated. This is not a FreeIPA-specific consideration. Using TLS client authentication to bind to LDAP is a supported configuration in Dogtag / RHCS. So we should probably support it in cert-fix too, somehow, since the point of the tool is to avoid complex manual procedures in recovering from expired system certificates. 389 DS service certificate expiry You know the tune by now… if this certificate is expired, Dogtag can’t talk to LDAP and can’t start, therefore a new LDAP certificate can’t be issued. Issuing a temporary certificate with the same serial number may be the best way forward here, like what we do for the Dogtag HTTPS certificate. Re-keying …is not supported. But it is a possible future enhancement Serial number reuse Re-using a serial number is prohibited by the X.509 standard. Although the temporary re-issued HTTPS certificate is supposed to be temporary, what if it did leak out? For example, another client that contacted Dogtag while that certificate is in use could log it to a Certificate Transparency log (not a public one, unless your Dogtag CA is chained to a publicly trusted CA). If this occurred, there would be a record that the CA had misbehaved. What are the ramifications? If this happened in the public PKI, the offending CA would at best get a harsh and very public admonishment, and be put on notice. But trust store vendors might just straight up wash their hands of you and yank trust. In a private PKI is it such a big deal? Given our use case—the same subject names are used—probably not. But I leave it as an open topic to ponder how this might backfire. Conclusion In this post I introduced the pki-server cert-fix subcommand. The purpose of this tool is to simplify and speed up recovery when Dogtag system certificates have expired. It does what it says on the tin, with a few rough edges and, right now, a lot of caveats. The fundamentals are very good, but I think we need to address number of these caveats for cert-fix to be generally useful, especially in a FreeIPA context. Based on my early experiences and investigation, my suggested priorities are: Workaround for when the agent certificate is expired. This can affect every kind of deployment and the reliance on a valid agent certificate is a significant limitation. Workaround for expired subsystem certificate when TLS client authentication is used to bind to LDAP. This affects all FreeIPA deployments (standalone Dogtag deployments less commonly). Support renewing the CA certificate in cert-fix. A degree of sanity checking or confirmation may be reasonable (e.g. it must be explicitly listed on the CLI as a --cert option). Investigate ways to handle expired LDAP certificate, if issued by Dogtag. In some deployments, including some FreeIPA deployments, the LDAP certificate is not issued by Dogtag, so the risk is not universal. In writing this post I by no means wish to diminish Dinesh’s work. On the contrary, I’m impressed with what the tool already can do! And, mea culpa, I have taken far too long to test this tool and evaluate it in a FreeIPA setting. Now that I have a clearer picture, I see that I will be very busy making the tool more capable and ready for action in FreeIPA scenarios.