It was discovered that ipa-kra-install puts the CA agent certificate and private key to a world readable file, /etc/httpd/alias/kra-agent.pem. This allows users on an IPA server where ipa-kra-install was run to issue arbitrary certificates with the IPA CA.

The ipa-kra-install script configures the KRA subsystem of Dogtag, which is used for the Password Vault feature of IPA. During the configuration process, a KRA agent user account is created in Dogtag, which is used by IPA to authenticate to the KRA. Currently the KRA agent uses the same certificate and private key as the CA agent, which IPA uses to authenticate to the CA.

The kra-agent.pem file is necessary because the Dogtag client Python library does not support using a certificate and private key from a NSS database for authentication, so it is not possible to use the CA agent certificate and private key directly from their primary location, which is the NSS database at /etc/httpd/alias.