This has been an issue since CentOS 7 and the top search results bring us to this forum where there hasn’t been a concrete solution. What we ended up doing is to download the SRPM and extract the images/etc and place them in their destinations manually. The web-ui works fine without them; but with them things look like Windows 95 instead of 3.11.
This is what we do:
sudo dnf install wget tar
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/41/Everything/source/tree/Packages/d/dogtag-pki-11.5.0-3.fc41.2.src.rpm
rpm -vv -Uvh dogtag-pki-11.5.0-3.fc41.2.src.rpm
# rpm unpacks a source RPM into ~/rpmbuild by default, whatever directory wget ran in
cd ~/rpmbuild/SOURCES
tar xvfz pki-11.5.0.tar.gz
cd pki-11.5.0/themes/dogtag/common-ui/shared
sudo cp -r * /usr/share/pki/server/webapps/pki/
#this last one is to get rid of the header that shows a variable on every page
sudo rm -rf /usr/share/pki/server/webapps/pki/ca
sudo vim /usr/share/pki/server/webapps/pki/pki.properties
#replace ${CERTIFICATE_SYSTEM_THEME} with Dogtag or WoofTag or Whatever you want and ${CERTIFICATE_SYSTEM_VERSION} with 10.5 or whatever version is installed. I don't know how to make this grab the actual variables.
That’s it. It should survive updates and now it looks almost like a Fedora install.
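The manual placeholder edit in the steps above, scripted so it can be re-run after the files are copied again. This is an added example, not part of the original post or of the Dogtag project; the function names and the package name passed to rpm are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): fill the two theme placeholders
# in pki.properties without hand-editing. All function names are hypothetical.

# Escape characters special in a sed replacement: backslash, & and the | delimiter.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# installed_pki_version PKG: version string of an installed package.
# PKG is an assumption; pass whichever PKI server package `rpm -qa` shows.
installed_pki_version() {
    rpm -q --qf '%{VERSION}' "$1"
}

# fill_pki_placeholders FILE THEME VERSION
# Replaces the literal ${CERTIFICATE_SYSTEM_THEME} / ${CERTIFICATE_SYSTEM_VERSION}
# tokens. Keeps FILE.orig once and rewrites FILE in place (same inode), so
# ownership, mode and SELinux label are unchanged. Safe to re-run.
fill_pki_placeholders() {
    file=$1
    theme=$(sed_escape "$2")
    version=$(sed_escape "$3")
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if ! grep -qF -e '${CERTIFICATE_SYSTEM_THEME}' \
                  -e '${CERTIFICATE_SYSTEM_VERSION}' "$file"; then
        echo "no placeholders left in $file" >&2
        return 0
    fi
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp=$(mktemp) || return 1
    sed -e 's|\${CERTIFICATE_SYSTEM_THEME}|'"$theme"'|g' \
        -e 's|\${CERTIFICATE_SYSTEM_VERSION}|'"$version"'|g' \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage on the server, as root (the package name here is an assumption):
#   fill_pki_placeholders /usr/share/pki/server/webapps/pki/pki.properties \
#       Dogtag "$(installed_pki_version idm-pki-server)"
```

The untouched copy stays next to the file as pki.properties.orig, which makes it easy to diff against whatever a later package update ships.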
I’m surprised there are those out there who try to use dogtag directly. Either way, that’s a clever way of getting the theme back.
For others who want to know “why” the theme is missing, this is on purpose in Enterprise Linux distributions (RHEL, Rocky Linux, CentOS Stream), as dogtag is specifically for the use of FreeIPA or “IdM”. In particular, here and here (and same goes for the dogtag-pki package in 10). theme is undefined, whereas in Fedora it’s set as a global to “dogtag”, and specific compile options are turned off, whereas in Fedora they’re all turned on.
%global product_name IDM PKI
%global product_id idm-pki
%undefine theme
. . .
# Build the package unless --without <package> is specified.
# For idm-pki do not build the following packages:
# ocsp, tks, tps, javadoc, theme, tests, debug
%bcond_without base
%bcond_without server
%bcond_without acme
%bcond_without ca
%bcond_without est
%bcond_without kra
%bcond_with ocsp
%bcond_with tks
%bcond_with tps
%bcond_with javadoc
%bcond_with theme
%bcond_without meta
%bcond_with tests
%bcond_without debug
I suppose it may be possible to recompile our own source RPM and re-enable all these options since these are simply conditionals that can be turned off and on.
I use dogtag for internal certificates (different web servers, domain controllers, client authentication, SSO, etc.); it seems a more organized way to handle certificates than just using openssl and it has a web-ui for easy review. If there are more appropriate alternatives then I’d like to try them. Basically it’s an alternative to Microsoft’s CA system for me, I’m trying to move away from Microsoft/Google/Enshittification/Etc where possible.
Thank you for the background on why it’s missing. One day, when I’m able to do away with Windows Server (and Windows 8+), FreeIPA would likely be put into production.