Dogtag / Red Hat Certificate System reset admin pkiconsole password

Published: 19-06-2013 | Author: Remy van Elst


❗ This post is over eleven years old. It may no longer be up to date. Opinions may have changed.

This tutorial shows you how to reset the password of the pkiconsole admin user within the Red Hat Certificate System or Dogtag.

What is Red Hat Certificate System:

Red Hat Certificate System provides a powerful security framework to manage user identities and ensure privacy of communications. Handling all the major functions of the identity life cycle, Red Hat Certificate System simplifies enterprise-wide deployment and adoption of a Public Key Infrastructure (PKI).

Dogtag is the open source fork maintained by the Fedora project.

The PKICONSOLE interface

PKI Console is the administrative backend of the RHCS/Dogtag system. It allows configuration of all kinds of CA aspects: CRLs, certificates, OCSP and much more. You log in to the pkiconsole with an administrative user, most of the time named admin. Dogtag/RHCS uses an LDAP database in the backend to store all its information. In the case of Dogtag 1.3 this is fedora-ds; all later versions and RHCS use 389-ds. The pkiconsole authenticates against this LDAP database, so if you have the Directory Manager password you can reset the admin password.

First locate the /etc/pki-<instance-name>/password.conf file. It looks like this:

hardware-pki-<instance-name>=0000
internal=0000123400001234
internaldb=00001234
replicationdb=83729562

The internaldb value is the LDAP password for the Directory Manager. The hardware entry is used when you use an HSM.

Now that we have the password for the Directory Manager, we can log in to the LDAP server and reset the admin password.

Use the following command to log in to the LDAP server of your CA instance, changing the values for your setup:

ldapmodify -H ldap://localhost:99389 -D "cn=Directory Manager" -Wx -e preread=userPassword

You will be asked for the Directory Manager password. After entering it you won't see any output. You are now on an LDAP prompt, where you can enter LDIF commands. The commands for changing the admin password are these:

dn: uid=admin,ou=People,dc=pki-<instance-name>
changetype:modify
replace:userpassword
userpassword: 1234

Press return twice after the last line. When successful it will show the following:

modifying entry "uid=admin,ou=People,dc=pki-<instance-name>"

Press CTRL+C twice afterwards, and you are done. You can now log in to the PKIConsole with your new password.
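
The same reset as a non-interactive script (an added example, not from the original article): it reads internaldb from password.conf, warns if that file is accessible to other users, generates a random password instead of a fixed one, and hands both secrets to ldapmodify through files. The function names are hypothetical, the OpenLDAP ldapmodify client is assumed, and the LDAP URI and instance name are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original article. Instance name and LDAP URI
# are caller-supplied placeholders; function names are hypothetical.

# Print the value of one key from a password.conf-style file (key=value).
conf_value() {            # usage: conf_value <file> <key>
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Succeed only if "other" users have no permission bits on the file.
conf_is_private() {       # usage: conf_is_private <file>
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Random 32-hex-character password from the kernel CSPRNG.
new_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# The LDIF from the article, for a given instance and new password.
reset_ldif() {            # usage: reset_ldif <instance-name> <new-password>
    printf 'dn: uid=admin,ou=People,dc=pki-%s\n' "$1"
    printf 'changetype: modify\nreplace: userPassword\n'
    printf 'userPassword: %s\n' "$2"
}

# Run the reset without typing a secret at a prompt or on a command line.
apply_reset() {           # usage: apply_reset <ldap-uri> <password.conf> <instance-name>
    conf_is_private "$2" || echo "warning: $2 is accessible to other users" >&2
    tmp=$(mktemp -d) || return 1
    rc=0
    (
        umask 077
        # ldapmodify -y uses the entire file as the password, so no newline.
        conf_value "$2" internaldb | tr -d '\n' > "$tmp/bind"
        pw=$(new_password)
        reset_ldif "$3" "$pw" > "$tmp/reset.ldif"
        ldapmodify -H "$1" -D "cn=Directory Manager" -x \
            -y "$tmp/bind" -f "$tmp/reset.ldif" &&
            printf 'new admin password: %s\n' "$pw"
    ) || rc=$?
    rm -rf "$tmp"         # remove the temporary copies of both secrets
    return "$rc"
}
```

Call it as apply_reset <ldap-uri> /etc/pki-<instance-name>/password.conf <instance-name>; the temporary files holding the bind password and the LDIF are deleted whether or not the modify succeeds.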
