<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal>So far, attempts to set up user certs using Dogtag CA fail, while self-signed client certificates work fine.</p>
<p class=MsoNormal>The end goal is to have Tomcat pass a user cert to an application, which will authenticate and bypass the initial login screen.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>The details:</p>
<p class=MsoNormal>Dogtag 9.0 installed on a CentOS 6.4 server.</p>
<p class=MsoNormal>Server cert is set up correctly in the local keystore and the Tomcat server.xml is configured:</p>
<pre>
&lt;Connector SSLEnabled="true"
           maxThreads="150"
           maxSpareThreads="75"
           minSpareThreads="25"
           acceptCount="100"
           &lt;!-- clientAuth="true": the handshake fails unless the browser presents a cert that chains to a CA in the truststore --&gt;
           clientAuth="true"
           disableUploadTimeout="true"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           URIEncoding="UTF-8"
           keyAlias="tomcat"
           keystoreFile="/opt/SSL-keystore.jks"
           keystorePass="PKI-server-cert"
           keystoreType="JKS"
           &lt;!-- the truststore holds the CA certificate(s) that client certs must chain to --&gt;
           truststoreFile="/opt/SSL-truststore.p12"
           truststorePass="PKI-CA-cert"
           truststoreType="PKCS12"
           port="8443"
           scheme="https"
           secure="true"
           sslProtocol="TLS"/&gt;
</pre>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>This works correctly with a self-signed user cert; the browser requests a user cert before displaying the initial login screen.</p>
<p class=MsoNormal>The next step is to create a truststore entry referencing Dogtag's CA certificate and user cert.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Searching the web for Dogtag user certs, OpenSSL and Fedora/user documentation has not yielded any detailed user guides or user notes.</p>
<p class=MsoNormal>Both the Admin and Agent Guides were useful for defining admin and agent usage, but did not provide detailed information on importing a certificate authority into a truststore or using the truststore to sign an X509 client certificate.</p>
<p class=MsoNormal>Once the client certificate handshake is established, can Tomcat parse the certificate, or would Apache mod_ssl be a better choice?</p>
<p class=MsoNormal>Finally, can/should the application use an OpenSSL OCSP call to validate the certificate?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>At this point, I'm not knowledgeable enough with PKI and Dogtag to define a workable solution.</p>
<p class=MsoNormal>Have I missed some essential documentation?</p>
<p class=MsoNormal>Has anyone found or written any Dogtag user notes, or have references to Dogtag usage?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Any recommendations would be appreciated.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Chris Grijalva<br>Configuration Management</span><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> |</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> Data Fusion &amp; Analytics</span></p>
<p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Sotera Defense Solutions, Inc.</span></b></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#17365D'>o: 512.814.0186</span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#17365D'>c: 713.291.2215</span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#17365D'>f: 512.814.0308<br>e: </span><a href="mailto:firstinitialsurname@potomacfusion.com"><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>chris.grijalva@soteradefense.com</span></a><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#17365D'><br>w: </span><a href="http://www.soteradefense.com"><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>www.soteradefense.com</span></a></p>
<p class=MsoNormal><b><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Potomac Fusion, LLC is now the Data Fusion &amp; Analytics business of Sotera Defense Solutions</span></i></b></p>
</div></body></html>
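The post's two cases (Dogtag-issued user cert rejected, self-signed user cert accepted) come down to one question: does the certificate the browser presents chain to a certificate held in the connector's truststore? The following script is an added example, not part of the original message and not Dogtag's own tooling. It builds a stand-in CA ("Demo CA", a constructed substitute for the Dogtag CA; in practice you would export the Dogtag CA certificate instead), issues a user cert from it, creates a self-signed user cert, and then builds two certificate-only PKCS12 truststores of the kind truststoreType="PKCS12" expects and runs the chain check against each. The password "changeit", the names jdoe/selfsigned and every file under $WORK are constructed for the demo. Note that signing is done with the CA's private key; the truststore only ever holds the CA's certificate.

```shell
#!/bin/sh
# Added example, not from the original post and not Dogtag's own tooling.
# It shows what clientAuth="true" really tests: whether the presented client
# certificate chains to a certificate held in the connector's truststore.
# Assumptions (all constructed for the demo): openssl is on PATH; "Demo CA"
# stands in for the Dogtag CA (in real use, export the Dogtag CA certificate
# instead); the password "changeit" and every file under $WORK are throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit

# openssl is chatty on stderr during key generation; keep the output readable.
ossl() { openssl "$@" 2>/dev/null; }

# 1. The issuing CA: a self-signed certificate explicitly marked CA:TRUE so
#    that path validation is allowed to use it as an issuer.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
ossl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"

# 2. A user certificate issued by that CA: what Dogtag hands the end user.
#    The CA's private key signs it; the truststore never contains that key.
ossl req -newkey rsa:2048 -nodes -subj "/CN=jdoe" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr"
ossl x509 -req -days 365 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt"

# 3. A self-signed user certificate: the case the post reports as working.
ossl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=selfsigned" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt"

# Build a certificate-only PKCS12 file of the kind truststoreType="PKCS12" expects.
make_truststore() {  # $1 = output .p12, $2 = PEM certificate to trust
    ossl pkcs12 -export -nokeys -in "$2" -out "$1" -passout "pass:$PASS"
}

# Return 0 when the PEM certificate $2 chains to something in truststore $1.
# This is the same path-validation decision the TLS handshake makes.
cert_is_trusted() {
    ossl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -out "$WORK/trusted.pem" &&
    ossl verify -CAfile "$WORK/trusted.pem" "$2" >/dev/null
}

# Echo "accept" or "reject" for a truststore/certificate pair.
trust_decision() {
    if cert_is_trusted "$1" "$2"; then echo accept; else echo reject; fi
}

make_truststore "$WORK/ca-truststore.p12"   "$WORK/ca.crt"
make_truststore "$WORK/self-truststore.p12" "$WORK/self.crt"

# All four combinations: only a certificate whose issuer (or the certificate
# itself, when self-signed) is in the truststore gets through.
for ts in ca-truststore self-truststore; do
    for cert in user self; do
        echo "$ts: $(trust_decision "$WORK/$ts.p12" "$WORK/$cert.crt") $cert.crt"
    done
done
```

The self-signed cert passes only because the cert itself was placed in the truststore; the Dogtag-issued cert passes only once the Dogtag CA certificate is there, so that is the entry to build, not one for the user cert. After a successful handshake Tomcat exposes the validated chain to the web application as the `javax.servlet.request.X509Certificate` request attribute (an array of `java.security.cert.X509Certificate`), so the application reads the subject DN from the first element rather than parsing anything itself. Revocation (CRL or OCSP) is a separate check that neither this script nor the connector configuration above performs.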