<div dir="ltr"><div><div><div>Sorry for the incomplete reply, the mail got sent by mistake.<br><br><div>Hi Christina </div><div><br></div><div>When using Dogtag as
external CA I had provided only the self signed certificate as pkcs7
(the same way I did for OpenSSL) and it had worked. </div><div><br></div><div>The
idea behind this was we needed a constant trust anchor to be burnt into
the devices (which will function as clients). Initially I tried to find a
way to provide a static root certificate to dogtag so that even after
the crash it will come up with the same certificate. However I didn't find anything.<br></div>Then I moved onto the external CA option.<br></div>Now when I tried with a chain of 2 certificates (self signed cert for openssl + cert signed by openssl for dogtag) I get the same error as before. <br><br></div>Thanks<br></div>Kritee<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Nov 8, 2014 at 12:18 PM, Kritee Jhawar <span dir="ltr"><<a href="mailto:kriteejhawar@gmail.com" target="_blank">kriteejhawar@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Hi Christina </div><div><br></div><div>When using Dogtag as external CA I had provided only the self signed certificate as pkcs7 (the same way I did for OpenSSL) and it had worked. </div><div><br></div><div>The idea behind this was we needed a constant trust anchor to be burnt into the devices (which will function as clients). Initially I tried to find a way to provide a static root certificate to dogtag so that even after the crash it will come up with the same certificate. </div><div>Then I moved onto the l<br><br>Sent from my iPhone</div><div><div class="h5"><div><br>On 07-Nov-2014, at 22:38, Christina Fu <<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
Hi Kritee,<br>
<br>
I just looked closely. Your ca cert chain contains only one single
self-signed root cert. I think what you need is a chain down to the
dogtag CA cert that links up from the root, so in your case, you
should have both the root and the dogtag CA cert in the pkcs7.<br>
<br>
Hope that helps.<br>
Christina<br>
<br>
<br>
<div>On 11/06/2014 01:25 AM, kritee jhawar
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Hi Christina<br>
<br>
</div>
Thanks for the response. PFA the typescript for pkispawn step1
and pkispawn step2.<br>
<br>
</div>
<div>Thanks,<br>
</div>
<div>Kritee<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 6, 2014 at 8:01 AM,
Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Kritee,<br>
I think we could use a bit more info. <br>
Could you try running pkispawn with script... something
like the following:<br>
<pre>script -c 'pkispawn -s CA -f config-step2.txt -vvv'</pre>
<br>
the resulting typescript file might give us some more
clue.<span><font color="#888888"><br>
Christina</font></span>
<div>
<div><br>
<br>
<div>On 10/31/2014 09:24 PM, kritee jhawar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Thanks Christina<br>
<br>
</div>
I checked out the master branch and
built it. Now I can see the added
extensions in the CSR generated,
however I am getting the same error as
earlier.<br>
</div>
This time again, I tried to supply the
certificate chain with and without the
headers. The chain is in a valid pkcs7
format.<br>
</div>
Following is how the extensions look in
the certificate signed by openssl for
dogtag:<br>
<pre>X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
    1.3.6.1.4.1.311.20.2:
        .
.S.u.b.C.A</pre>
</div>
The error I get in step 2 of pkispawn is as
follows:<br>
<pre>pkispawn    : INFO     ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... loading external CA signing certificate from file: '/home/kjhawar/dogtag/dg_ca.cert'
pkispawn    : INFO     ....... loading external CA signing certificate chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... AtoB /root/.dogtag/pki-tomcat/ca_admin.cert /root/.dogtag/pki-tomcat/ca_admin.cert.der
pkispawn    : INFO     ....... certutil -A -d /root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u -i /root/.dogtag/pki-tomcat/ca_admin.cert.der -f /root/.dogtag/pki-tomcat/ca/password.conf
Notice: Trust flag u is set automatically if the private key is present.
pkispawn    : INFO     ....... pk12util -d /root/.dogtag/pki-tomcat/ca/alias -o /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator -w /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k /root/.dogtag/pki-tomcat/ca/password.conf
pkispawn    : INFO     ... finalizing 'pki.server.deployment.scriptlets.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
Job for pki-tomcatd@pki-tomcat.service canceled.
pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['systemctl', 'restart', 'pki-tomcatd@pki-tomcat.service']' returned non-zero exit status 1!

Installation failed.</pre>
</div>
Kindly let me know if any specific
configuration has to be done in my openssl CA.
Attaching the config file I am using currently<br>
<br>
</div>
Thanks<br>
</div>
Kritee<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 31, 2014 at
10:36 PM, Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Kritee,<br>
<br>
At the minimum, you need the fixes I talked
about. They were checked into the master but
have not been built officially so yum is not
going to get you the right rpm. However,
you can check it out and build it yourself.<br>
Here is how you check out the master:<br>
<pre>git clone git://<a href="http://git.fedorahosted.org/git/pki.git" target="_blank">git.fedorahosted.org/git/pki.git</a></pre>
You can then use the build scripts to build.<br>
<br>
Finally, I apologize that we are not
supposed to respond to private emails.
Dogtag is a community where we share our
knowledge. In the future please send
requests to the mailing list.<br>
I took the exception this time to look at
your CSR and certs and I could see that you
need the fixes I talked about. I don't know
if you have other issues though, but AFAIK
you need those two fixes.<br>
<br>
Hope this helps.<span><font color="#888888"><br>
Christina</font></span>
<div>
<div><br>
<br>
<div>On 10/29/2014 01:16 AM, kritee
jhawar wrote:<br>
</div>
<blockquote type="cite">Hi Christina
<div><br>
</div>
<div>I have done the default
configuration for 389ds and haven't
specifically turned on SSL for it. </div>
<div><br>
</div>
<div>Initially I tried using Microsoft
and OpenSSL CA as external CAs. This
was about a month back and I pulled the
RPMs using yum (so I assume they are
the latest ones with the fix you
mentioned). </div>
With this, my pki spawn went fine.
In fact the admin cert got generated
using the externally provided root
cert as well. But dogtag couldn't
connect to the ds. As mentioned
earlier it gave me a PKIException
error listing the certs with error
code 500.
<div>Looking at the ds logs I found
that the error was 'bad search
filter'. </div>
<div>However when I tried the same
steps with dogtag as external CA the
setup went through without a glitch.
The chain I imported was directly
from the GUI of dogtag. In fact I
included the header and footer as
well. </div>
<div><br>
</div>
<div>When I tried to reverse engineer
the chain, I took the root cert of
external dogtag ca and used OpenSSL
to convert it into pkcs7. This chain
was not the same as provided from
the GUI. Hence I thought that there
is some particular format for the
chain because of which the other CAs
aren't working. </div>
<div><br>
</div>
<div>Also, I updated the RPMs using
yum and tried to generate the CSR
with the extra attributes. My CSR
still doesn't reflect those added
attributes. </div>
<div><br>
</div>
<div>Is yum not the correct way to get
the latest code?</div>
<div><br>
</div>
<div>I am very new to this, really
appreciate your assistance and time.</div>
<div><br>
</div>
Regards
<div>Kritee <span></span><br>
<div>
<div><br>
On Wednesday, 29 October 2014,
Christina Fu <<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> the cert
chain you provide in the
file specified under<br>
pki_external_ca_cert_chain_path<br>
should be just pkcs7 without
header/footer.<br>
<br>
I don't know why it would
not talk to the DS (did you
turn on ssl for the ds?).<br>
Not sure if you build your
Dogtag from the master, if
you do, I'd suggest you get
the most updated so you get
fixes from the tickets I
provided previously which
would address at least two
issues relating to external
CA.<br>
<br>
Christina<br>
<br>
<div>On 10/27/2014 07:55 PM,
kritee jhawar wrote:<br>
</div>
<blockquote type="cite">Hi
Christina
<div><br>
</div>
<div>I was undertaking
this activity last month
where Microsoft CA
didn't work out but
Dogtag as external CA
did. </div>
<div><br>
</div>
<div>While using Microsoft
CA or OpenSSL CA, pki
spawn goes through
without any error but
dogtag stops
communications to 389ds.
Upon calling the REST
API /ca/rest/certs I get
a "PKIException error
listing the certs". </div>
<div><br>
</div>
<div>Is there a particular
format for the ca cert
chain that we need to
provide? I was trying
to reverse engineer the
chain provided by
dogtag. </div>
<div><br>
</div>
<div>Thanks </div>
<div>Kritee<span></span></div>
<div><br>
</div>
<div><br>
<br>
On Monday, 27 October
2014, Christina Fu <<a>cfu@redhat.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> If
you meant the
following two:<br>
<a href="https://fedorahosted.org/pki/ticket/1190" target="_blank">https://fedorahosted.org/pki/ticket/1190</a>
CA: issuer DN
encoding not
preserved at
issuance with
signing cert signed
by an external CA <br>
<a href="https://fedorahosted.org/pki/ticket/1110" target="_blank">https://fedorahosted.org/pki/ticket/1110</a>
- pkispawn
(configuration) does
not provide CA
extensions in
subordinate
certificate signing
requests (CSR) <br>
<br>
They have just
recently been fixed
upstream so I
imagine you could
use Microsoft CA
now. Theoretically
any other CA can be
used as an external
CA, but if you run
into issues, please
feel free to report.<br>
<br>
Christina<br>
<br>
<br>
<div>On 10/27/2014
12:15 AM, kritee
jhawar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>In my
recent thread
I read that
there is a bug
due to which
Microsoft CA
can't work as
external CA
for dogtag.</div>
<div>Can OpenSSL
be used ? </div>
<div><br>
</div>
<div>Thanks</div>
<div>Kritee</div>
</div>
<br>
<br>
<pre>_______________________________________________
Pki-users mailing list
<a>Pki-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></blockquote></div></div></div></blockquote></div><br></div>
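<div><p>The fix Christina describes, a PKCS#7 that carries both the root and the Dogtag CA signing certificate rather than the root alone, can be built and sanity-checked with OpenSSL before pkispawn ever sees it. The script below is an added example written for this archive page; it is not code from the thread or from the Dogtag project. The CA names, file names and the temporary working directory are assumptions, and <code>pki_external_ca_cert_chain_path</code> is mentioned only in a comment.</p></div>

```shell
#!/bin/sh
# Added example (not from the thread or the Dogtag project): build the
# two-certificate PKCS#7 chain (root + subordinate "Dogtag" CA cert) with
# OpenSSL and check it. CNs, file names and the temp directory are made up.

write_ca_cnf() {   # $1 = output path, $2 = CN
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root plus a subordinate CA cert signed by it (the "cert
# signed by openssl for dogtag" in the thread).
make_ca_pair() {   # $1 = working directory
    dir=$1
    write_ca_cnf "$dir/root.cnf" "Example Root CA"
    write_ca_cnf "$dir/sub.cnf"  "Example Dogtag CA"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/root.cnf" -extensions v3_ca \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # The CSR requests the CA extensions (what ticket 1110 is about)...
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/sub.cnf" -reqexts v3_ca \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    # ...but 'openssl x509 -req' ignores requested extensions unless an
    # -extfile is given, so they are supplied explicitly at signing time.
    openssl x509 -req -days 30 -in "$dir/sub.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/sub.cnf" -extensions v3_ca \
        -out "$dir/sub.pem" 2>/dev/null
}

# Package certificates into a PEM PKCS#7, and also write the bare base64
# body without BEGIN/END lines (the form pki_external_ca_cert_chain_path
# is said to expect in the thread).
build_pkcs7_chain() {   # $1 = output .p7b, remaining args = cert files
    out=$1; shift
    args=""
    for c in "$@"; do args="$args -certfile $c"; done
    # shellcheck disable=SC2086
    openssl crl2pkcs7 -nocrl $args -out "$out"
    grep -v -- '-----' "$out" > "${out%.p7b}.b64"
}

# Number of certificates inside a PEM PKCS#7 file.
count_chain_certs() {   # $1 = PKCS#7 (PEM)
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject='
}

# Same count for the headerless base64 copy, proving it still decodes.
count_b64_chain_certs() {   # $1 = base64 body without BEGIN/END lines
    openssl base64 -d -in "$1" \
        | openssl pkcs7 -inform DER -print_certs -noout | grep -c '^subject='
}

# Does the issued certificate actually carry CA:TRUE?
cert_is_ca() {   # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Does the subordinate certificate chain up to the root?
chain_verifies() {   # $1 = working directory
    openssl verify -CAfile "$1/root.pem" "$1/sub.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca_pair "$work"
build_pkcs7_chain "$work/root_only.p7b" "$work/root.pem"                 # the mistake
build_pkcs7_chain "$work/chain.p7b" "$work/sub.pem" "$work/root.pem"     # the fix
echo "root-only pkcs7 holds $(count_chain_certs "$work/root_only.p7b") cert(s)"
echo "full chain pkcs7 holds $(count_chain_certs "$work/chain.p7b") cert(s)"
cert_is_ca "$work/sub.pem" && echo "sub CA cert has CA:TRUE"
chain_verifies "$work" && echo "sub CA verifies against root"
```

<div><p>The certificate count is the check that would have caught the problem in this thread: a PKCS#7 made from the root alone reports one certificate, the chain Christina asks for reports two. Checking <code>CA:TRUE</code> on the issued certificate is worthwhile because <code>openssl x509 -req</code> silently drops the extensions a CSR requests unless they are re-supplied with <code>-extfile</code>.</p></div>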