Dogtag / Red Hat Certificate System reset admin pkiconsole password
Published: 19-06-2013 | Author: Remy van Elst | Text only version of this article
Table of Contents
This tutorial shows you how to reset the password of the pkiconsole admin user within the Red Hat Certificate System or Dogtag.
What is Red Hat Certificate System:
Red Hat Certificate System provides a powerful security framework to manage user identities and ensure privacy of communications. Handling all the major functions of the identity life cycle, Red Hat Certificate System simplifies enterprise-wide deployment and adoption of a Public Key Infrastructure (PKI).
Dogtag is the open source fork maintained by the Fedora project.
PKI Console is used as an administrative backend into the RHCS/Dogtag system. It
allows configuration of all kind of CA aspects, CRL's, Certificates, OCSP's and
much more. You login to the pkiconsole with an administrative user, most of the
time named admin. Dogtag/RHCS uses an LDAP database in the backend to store all
the information. In the case of dogtag 1.3 this is
fedora-ds, all the latter
versions and RHCS use
389-ds. The pkiconsole authenticates against this LDAP
database, so if you have the
Directory Manager password you can reset the
First locate the
/etc/pki-<instance-name>/password.conf file. It looks like
hardware-pki-<instance-name>=0000 internal=0000123400001234 internaldb=00001234 replicationdb=83729562
internaldb value is the LDAP password for the
Directory Manager. The
hardware part is used when you use a HSM.
Now we have the password for the
Directory Manager we can login to the LDAP
and reset the admin password.
Use the following command to login to the LDAP of your CA instance, changing the values for your setup:
ldapmodify -H ldap://localhost:99389 -D "cn=Directory Manager" -Wx -e preread=userPassword
You will be asked for the Directory Manager password, after entering that you
don't see anything. You are now on an LDAP prompt, where you can enter
commands. The commands for changing the admin password are these:
dn: uid=admin,ou=People,dc=pki-<instance-name> changetype:modify replace:userpassword userpassword: 1234
return twice after the last line. When successful it will show the
modifying entry "uid=admin,ou=People,dc=pki-<instance-name>"
CTRL+C twice afterwards, and you are done. You can now login to the
PKIConsole with your new password.