Skip to content

Setting up CA Admin User with LDAP Tools

Endi S. Dewata edited this page Jan 15, 2024 · 3 revisions

Overview

This page describes the process to set up a CA admin user with LDAP tools.

Adding CA Admin User

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: caadmin
sn: caadmin
uid: caadmin
mail: [email protected]
userPassword: Secret.123
userState: 1
userType: adminType
EOF

Assigning Certificate to CA Admin User

Convert the certificate to DER format:

$ openssl x509 -outform der -in admin.crt -out admin.der

Get the certificate serial number:

$ openssl x509 -text -noout -in admin.crt
...
        Serial Number:
            5a:a7:13:f5:0f:8b:5e:77:ae:fe:58:7e:4f:d0:c7:da
...

Convert it into decimal format:

$ python
>>> int('5aa713f50f8b5e77aefe587e4fd0c7da', 16)
120498037977510792098276151038707812314

Add the certificate into the user entry:

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: description
description: 2;<decimal serial number>;CN=CA Signing Certificate;CN=Administrator
-
add: userCertificate
userCertificate:< file:admin.der
-
EOF

Assigning Roles to CA Admin User

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise RA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise TKS Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise OCSP Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Enterprise TPS Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=caadmin,ou=people,dc=ca,dc=pki,dc=example,dc=com
-
EOF
Clone this wiki locally