<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Kritee,<br>
<br>
At the minimum, you need the fixes I talked about. They were checked
into the master but has not been built officially so yum is not
going to get you the right rpm. However, you can check it out and
build it yourself.<br>
Here is how you check out the master:<br>
<pre>git clone git://git.fedorahosted.org/git/pki.git</pre>
You can then use the build scripts to build.<br>
<br>
Finally, I apologize that we are not supposed to respond to private
emails. Dogtag is a community where we share our knowledge. In the
future please send requests to the mailing list.<br>
I took the exception this time to look at your CSR and certs and I
could see that you need the fixes I talked about. I don't know if
you have other issues though, but AFAIK you need those two fixes.<br>
<br>
Hope this helps.<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 10/29/2014 01:16 AM, kritee jhawar
wrote:<br>
</div>
<blockquote
cite="mid:CAGJVne16Mj--mUQcn4HZDvh3nne4MgTj8tpA8sy8gJ121-675g@mail.gmail.com"
type="cite">Hi Christina
<div><br>
</div>
<div>I have done the default configuration for 389ds and haven't
specifically turned on ssl for it. </div>
<div><br>
</div>
<div>Initially I tried using Microsoft and OpenSSL CA as external
CAs. This is about a month back and I pull the Rpms using yum
(so I assume they are the latest ones with the fix you
mentioned). </div>
With this, my pki spawn went fine. Infect the admin cert got
generated using the externally provided root cert as well. But
dogtag couldn't connect to the ds. As mentioned earlier it gave me
a PKIException error listing the certs with error code 500.
<div>Looking at the ds logs I found that the error was 'bad search
filter'. </div>
<div>However when I tried the same steps with dogtag as external
CA the setup went through without a glitch. The chain I imported
was directly from the GUI of dogtag. In fact I included the
header and footer as well. </div>
<div><br>
</div>
<div>When I tried to reverse engineer the chain, I took the root
cert of external dogtag ca and used OpenSSL to convert it into
pkcs7. This chain was not the same as provided from the GUI.
Hence I thought that there is some particular format for the
chain because of which the other CAs aren't working. </div>
<div><br>
</div>
<div>Also, I updated the Rpms using yum and tried to generate the
CSR with the extra attributes. My csr still doesn't reflect
those added attributes. </div>
<div><br>
</div>
<div>Is yum not the correct way to get the latest code ?</div>
<div><br>
</div>
<div>I am very new to this, really appreciate your assistance and
time.</div>
<div><br>
</div>
Regards
<div>Kritee <span></span><br>
<div>
<div><br>
On Wednesday, 29 October 2014, Christina Fu <<a
moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> the cert chain you
provide in the file specified under<br>
pki_external_ca_cert_chain_path<br>
should be just pkcs7 without header/footer.<br>
<br>
I don't know why it would not talk to the DS (did you
turn on ssl for the ds?).<br>
Not sure if you build your Dogtag from the master, if
you do, I'd suggest you get the most updated so you get
fixes from the tickets I provided previously which would
address at least two issues relating to external CA.<br>
<br>
Christina<br>
<br>
<div>On 10/27/2014 07:55 PM, kritee jhawar wrote:<br>
</div>
<blockquote type="cite">Hi Christina
<div><br>
</div>
<div>I was undertaking this activity last month where
Microsoft CA didn't work out but Dogtag as external
CA did. </div>
<div><br>
</div>
<div>While using Microsoft CA or OpenSSL CA, pki spawn
goes through without any error but dogtag stops
communications to 389ds. Upon calling the rest Api
/ca/rest/certs I get a "PKIException error listing
the certs". </div>
<div><br>
</div>
<div>Is there a particular format for the ca cert
chain that we need to provide ? I was trying to
reverse engineer the chain provided by dogtag. </div>
<div><br>
</div>
<div>Thanks </div>
<div>Kritee<span></span></div>
<div><br>
</div>
<div><br>
<br>
On Monday, 27 October 2014, Christina Fu <<a
moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','cfu@redhat.com');"
target="_blank">cfu@redhat.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> If you
meant the following two:<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/pki/ticket/1190"
target="_blank">https://fedorahosted.org/pki/ticket/1190</a>
CA: issuer DN encoding not preserved at issuance
with signing cert signed by an external CA <br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/pki/ticket/1110"
target="_blank">https://fedorahosted.org/pki/ticket/1110</a>
- pkispawn (configuration) does not provide CA
extensions in subordinate certificate signing
requests (CSR) <br>
<br>
They have just recently been fixed upstream so I
imagine you could use Microsoft CA now.
Theoretically any other CA can be used as an
external CA, but if you run into issues, please
feel free to report.<br>
<br>
Christina<br>
<br>
<br>
<div>On 10/27/2014 12:15 AM, kritee jhawar
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>In my recent thread i read that there
is a bug due to which Microsoft CA can't
work as external CA for dogtag.</div>
<div>Can OpenSSL be used ? </div>
<div><br>
</div>
<div>Thanks</div>
<div>Kritee</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true">Pki-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>