Dogtag / Red Hat Certificate System reset admin pkiconsole password

Published: 19-06-2013 | Author: Remy van Elst | Text only version of this article

This tutorial shows you how to reset the password of the pkiconsole admin user within the Red Hat Certificate System or Dogtag.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days. (referral link)

What is Red Hat Certificate System:

Red Hat Certificate System provides a powerful security framework to manage user identities and ensure privacy of communications. Handling all the major functions of the identity life cycle, Red Hat Certificate System simplifies enterprise-wide deployment and adoption of a Public Key Infrastructure (PKI).

Dogtag is the open source fork maintained by the Fedora project.

The PKICONSOLE interface

PKI Console is used as an administrative backend into the RHCS/Dogtag system. It allows configuration of all kinds of CA aspects: CRLs, certificates, OCSP and much more. You log in to the pkiconsole with an administrative user, most of the time named admin. Dogtag/RHCS uses an LDAP database in the backend to store all the information. In the case of Dogtag 1.3 this is fedora-ds; all later versions and RHCS use 389-ds. The pkiconsole authenticates against this LDAP database, so if you have the Directory Manager password you can reset the admin password.

First locate the /etc/pki-<instance-name>/password.conf file. It looks like this:

hardware-pki-<instance-name>=0000
internal=0000123400001234
internaldb=00001234
replicationdb=83729562

The internaldb value is the LDAP password for the Directory Manager. The hardware part is used when you use an HSM.

Now that we have the password for the Directory Manager, we can log in to the LDAP server and reset the admin password.

Use the following command to log in to the LDAP server of your CA instance, changing the values (host, port) for your setup:

ldapmodify -H ldap://localhost:99389 -D "cn=Directory Manager" -Wx -e preread=userPassword

You will be asked for the Directory Manager password; after entering it you don't see anything. You are now at an LDAP prompt, where you can enter LDIF. The LDIF for changing the admin password is:

dn: uid=admin,ou=People,dc=pki-<instance-name>
changetype: modify
replace: userpassword
userpassword: 1234

Press return twice after the last line. When successful it will show the following:

modifying entry "uid=admin,ou=People,dc=pki-<instance-name>"

Press CTRL+C twice afterwards, and you are done. You can now log in to the PKIConsole with your new password.
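The same procedure as one script, added here as an example and not code from the original article. It reads the Directory Manager password out of password.conf, builds the LDIF shown above and pipes it into ldapmodify. It assumes an OpenLDAP-style ldapmodify client (the same one the article's -W/-x flags belong to), an instance named "ca", the Directory Server on ldap://localhost:389, and the password.conf contents below are constructed sample data. Instead of typing the password at a -W prompt, it hands it to ldapmodify through a mode-600 temporary file (-y), so it neither needs a terminal nor shows up in the process list.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumptions (not from the page): instance "ca", LDAP on localhost:389,
# OpenLDAP ldapmodify, and a constructed password.conf used for the demo.

# Return the value of one key from a password.conf ("key=value" per line).
# Anchoring at line start and requiring "=" right after the key keeps
# a lookup of "internal" from matching the "internaldb" line.
passwd_conf_value() {
    _key="$1"
    _file="$2"
    sed -n "s/^${_key}=//p" "$_file" | head -n 1
}

# Build the LDIF that replaces the admin user's userPassword attribute.
admin_reset_ldif() {
    _instance="$1"
    _newpass="$2"
    printf 'dn: uid=admin,ou=People,dc=pki-%s\n' "$_instance"
    printf 'changetype: modify\n'
    printf 'replace: userPassword\n'
    printf 'userPassword: %s\n' "$_newpass"
}

# Apply the change against a live Directory Server. The Directory Manager
# password goes to ldapmodify via a mode-600 temp file (-y) instead of -W,
# so no interactive prompt is needed and the secret stays off the command line.
# The demo below does not call this, because it needs a running server.
reset_admin_password() {
    _instance="$1"
    _ldapurl="$2"
    _newpass="$3"
    _conf="/etc/pki-${_instance}/password.conf"
    _pwfile=$(mktemp) || return 1
    chmod 600 "$_pwfile"
    passwd_conf_value internaldb "$_conf" > "$_pwfile"
    admin_reset_ldif "$_instance" "$_newpass" |
        ldapmodify -x -H "$_ldapurl" -D "cn=Directory Manager" -y "$_pwfile"
    _rc=$?
    rm -f "$_pwfile"
    return "$_rc"
}

# Constructed sample password.conf; the values are made up for this demo.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
hardware-pki-ca=0000
internal=00001234
internaldb=ExampleDMpass
replicationdb=83729562
EOF

echo "Directory Manager password from sample file: $(passwd_conf_value internaldb "$SAMPLE_CONF")"
echo "LDIF that would be piped into ldapmodify:"
admin_reset_ldif ca NewAdminPass123
# For a real reset: reset_admin_password ca ldap://localhost:389 NewAdminPass123
```

Run it as root on the CA host after adjusting the instance name and LDAP URL; the password file is removed again whether ldapmodify succeeds or not, and the function returns ldapmodify's exit status so the caller can tell a failed bind from a successful modify.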

Tags: 389-ds, certificate-system, dogtag, fedora-ds, ldap, pki, pkiconsole, red-hat, ssl, tutorials