Overview#
Sometimes it is necessary to access the PKI services in IPA directly. Some of the PKI services may require PKI admin authentication, so the PKI admin certificate needs to be imported into the PKI client environment.
Preparing PKI Client#
If necessary, create a new security database on the client:
$ pki -c Secret.123 client-init
------------------
Client initialized
------------------
Importing PKI Admin Certificate#
Import the PKI admin certificate which is stored in /root/ca-agent.p12 on the server with the following command:
$ pki -c Secret.123 client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password <IPA admin's password>
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------
Verify the import with this command:
$ pki -c Secret.123 client-cert-find
----------------------
1 certificate(s) found
----------------------
Serial Number: 0x6
Nickname: ipa-ca-agent
Subject DN: CN=ipa-ca-agent,O=EXAMPLE.COM
Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
----------------------------
Number of entries returned 1
----------------------------
Using PKI Admin Certificate#
The PKI admin certificate can be used by specifying the “ipa-ca-agent” nickname to access CA services:
$ pki -c Secret.123 -n ipa-ca-agent ca-user-find
-----------------
4 entries matched
-----------------
User ID: CA-server.example.com-8443
Full name: CA-server.example.com-8443
User ID: admin
Full name: admin
User ID: pkidbuser
Full name: pkidbuser
User ID: ipara
Full name: ipara
----------------------------
Number of entries returned 4
----------------------------
and KRA services:
$ pki -c Secret.123 -n ipa-ca-agent kra-user-find
-----------------
3 entries matched
-----------------
User ID: admin
Full name: admin
User ID: CA-server.example.com-443
Full name: CA-server.example.com-443
User ID: ipakra
Full name: IPA KRA User
----------------------------
Number of entries returned 3
----------------------------