The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
During IPA server installation, the pkispawn command creates an orphan key in /etc/pki/pki-tomcat/alias.
This happens with pki packages installed from the copr repo @pki/master (for instance dogtag-pki-base-11.3.0-0.1.alpha1.20220816002107UTC.52585e78.fc36.noarch).
In order to reproduce:
Install IPA server with # ipa-server-install --domain testrelm.test --realm TESTRELM.TEST -a Secret123 -p Secret123 -U
and with the following options: args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmparm8sd8v', '--debug', '--log-file', '/var/log/pki/pki-ca-spawn.20220816144351.log']
During IPA server installation, the pkispawn command creates an orphan key in /etc/pki/pki-tomcat/alias. This happens with pki packages installed from the copr repo @pki/master (for instance
dogtag-pki-base-11.3.0-0.1.alpha1.20220816002107UTC.52585e78.fc36.noarch
).In order to reproduce:
# ipa-server-install --domain testrelm.test --realm TESTRELM.TEST -a Secret123 -p Secret123 -U
pkispawn is called with the following configuration file:
and with the following options:
args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmparm8sd8v', '--debug', '--log-file', '/var/log/pki/pki-ca-spawn.20220816144351.log']
Companion issue on IPA side: https://pagure.io/freeipa/issue/9223