<div dir="ltr">Hi<div><br></div><div>After a little more debugging I came to the conclusion that, post external CA configuration, there seems to be some issue with the directory service.</div><div><br></div><div>Upon making a REST call to list the certs, I get an LDAP exception with a 'Bad Search Filter' message.</div><div><br></div><div>Has anyone faced this?</div><div><br></div><div>Regards</div><div>Kritee</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Oct 11, 2014 at 10:15 AM, kritee jhawar <span dir="ltr"><<a href="mailto:kriteejhawar@gmail.com" target="_blank">kriteejhawar@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi<br><br></div>Thanks for the response. I am in line with what you said, that the clients just need to trust the CA and need not communicate with it. However, my clients are physical devices which will need the trust store burnt into them, which is why I need to have a constant trust chain.<br></div>External CA seems like the best way to go. Please let me know if you could figure out why my configuration won't go through with the data I have provided.<br><br></div>Regards<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888">Kritee<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal <span dir="ltr"><<a href="mailto:gaiseric.vandal@gmail.com" target="_blank">gaiseric.vandal@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>The CA needs to generate or sign
      certificates for other servers, e.g. a web server.  Clients of
      those servers should trust the CA's certificate as the CA
      certificate that signs the server certificates.  They don't need
      to communicate with the CA directly.  (The exception might be
      if the CA is also an online certificate revocation server, but
      that is beyond my experience.)<br>
      <br>
      You should assume that your CA will eventually crash, or that you
      might make a configuration change or an update that you want to
      roll back.  As with any server, you should back up the critical
      files.  If this is a virtual machine, it makes backing up the
      entire machine much easier.<br>
      <br>
      <br>
      I wouldn't imagine that the entire CA configuration and database
      directories are very big.<br><div><div>
      <br>
      On 10/10/14 07:18, kritee jhawar wrote:<br>
    </div></div></div>
    <blockquote type="cite"><div><div>
      <div dir="ltr"><br>
        <div class="gmail_quote">
          <div dir="ltr">
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">Hello,<br>
              </span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">I am an engineer from India and I
                have been struggling with this for the past 2 weeks.
                I request you to help me out.</span></p>
            <p class="MsoNormal"><b><span style="color:black">USE-CASE:
                </span></b><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black">Dogtag is the
                private CA for
                multiple services in a cluster. Trust is established by
                providing the root
                certificate of dogtag to all the services. What happens
                if dogtag crashes? All
                the services will have to be given the root certificate
                of the new dogtag.</span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">How
                can we avoid this?</span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">Can
                we bring up multiple instances of dogtag with a static
                certificate every time?</span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">The
                only way I could find is by using the<b> external CA</b>
                option. </span></p>
            <p class="MsoNormal"><span style="color:black">I am
                following the 2-step pkispawn
                process with 2 config files (deployment-1.cfg and
                deployment-2.cfg) </span></p>
            <p class="MsoNormal"><span style="color:black">In the first
                step the CSR is
                generated. I take the CSR and get a certificate from the
                external CA and place
                it in the required location. The root certificate of the
                CA has also been
                placed in the required location. Step 2 of pkispawn goes
                through and the
                ca_admin cert is generated and signed. </span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">However,
                when I make a REST call to list the certificates, I get
              </span><span style="color:rgb(31,73,125)">2 different
                errors:</span><span style="color:black"></span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:rgb(31,73,125)">(Please
                note that I replicated the same steps with the same files on
                2 setups and got 2
                errors)</span><span style="color:black"><br>
              </span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">
              </span><span><span style="color:rgb(204,0,0);background:none repeat scroll 0% 0% white">curl -k
                  --request GET <a href="https://localhost:9443/ca/rest/certs" target="_blank">https://localhost:9443/ca/rest/certs</a></span></span><span style="color:black"><br>
              </span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><b><u><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">ERROR
                    1</span></u></b><span style="color:black"></span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span><span style="color:rgb(204,0,0)"><?xml version="1.0"
                  encoding="UTF-8"</span></span><span style="color:rgb(204,0,0)"><br>
                <span>>
                  standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error
listing
                  certs in
CertsResourceService.listCerts!</Message><Attributes/></PKIException></span></span><span style="color:black"></span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:rgb(31,73,125)"> </span><span style="color:black"></span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><b><u><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">ERROR
                    2</span></u></b><span style="color:black"></span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:rgb(204,0,0)">With
                the same steps I also get a NullPointerException
                (attached logs: null-pointer-error.txt)</span><span style="color:black"><br>
                <br>
                <br>
                <br>
              </span></p>
            <p class="MsoNormal"><span style="color:black">When I check
                the status of my
                pki-instance after pkispawn step 2, it says the instance
                is loaded and needs to
                be configured (attached logs: post-pkispawn-2.txt).<br>
                However, it starts via systemctl without any errors.</span></p>
            <p class="MsoNormal"><span style="color:black"> </span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">I suspect
                I am missing some part in the configuration.</span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">Any
                help/pointers would be very helpful!</span></p>
            <p class="MsoNormal"><span style="color:black">Thanks</span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">Kritee
              </span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><b><span style="color:black">Attached
                  files : </span></b><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black">deployment-1.txt 
                - config
                file for pkispawn step 1</span></p>
            <p class="MsoNormal"><span style="color:black">deployment-2.txt
                - config file for
                pkispawn step 2</span></p>
            <p class="MsoNormal"><span style="color:black">pkispawn-1-log.txt
                - logs for
                pkispawn step 1</span></p>
            <p class="MsoNormal"><span style="color:black">pkispan-2-log.txt
                - logs for
                pkispawn step 2</span></p>
            <p class="MsoNormal"><span style="color:black">dogtag-cert.txt
                - root certificate
                of dogtag generated by external CA</span></p>
            <p class="MsoNormal"><span style="color:black">ca-admin-cert.txt
                - admin cert
                signed by dogtag</span></p>
            <p class="MsoNormal"><span style="color:black">null-pointer-error</span><span style="color:rgb(31,73,125)">.txt</span><span style="color:black"> - null pointer
                exception while making a REST call to list certs</span></p>
            <p class="MsoNormal" style="margin-bottom:12pt"><span style="color:black">post-pkispawn-2.txt
                - status of pki-instance after pkispawn step 2</span></p>
          </div>
        </div>
        <br>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><pre>_______________________________________________
Pki-users mailing list
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
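<p>An added illustration, not code from this thread or from Dogtag's own tooling: it models the trust relationship the thread is about (devices trust only an external root; the private CA's signing certificate is issued by that root) using constructed OpenSSL material, where the self-signed root stands in for the external CA and the subordinate CSR stands in for the signing-certificate CSR that pkispawn step 1 produces. It assumes only that <code>openssl</code> is on PATH, and also reproduces the failure mode where the external CA hands back an end-entity certificate instead of a CA certificate.</p>

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag). All keys and certificates
# are constructed in a temporary directory; nothing here touches a real CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed external root: the cert a device would have burned in.
make_external_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example External Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Constructed CSR for the subordinate CA signing certificate (pkispawn step 1 role).
make_sub_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Subordinate CA Signing Certificate" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
}

# The external root issues the certificate. $1 is the basicConstraints value, so
# the case where the external CA returns a non-CA certificate can be reproduced.
sign_sub() {
  printf 'basicConstraints=critical,%s\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    "$1" > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/sub.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/sub.pem" 2>/dev/null
}

# What a relying party holding only root.pem effectively checks before trusting
# certificates issued by the subordinate: returns 0 if sub.pem chains to root.pem
# and is itself marked as a CA, 1 if the chain fails, 2 if it is not a CA cert.
check_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/sub.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/sub.pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 2
}

make_external_root
make_sub_csr
sign_sub CA:TRUE
if check_chain; then
  echo "subordinate CA validates under the external root"
else
  echo "trust chain check failed"
fi
```

Because the subordinate's key and issued certificate are ordinary files, they are exactly what has to be backed up and restored for a rebuilt instance to keep the same chain under the external root.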