<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Reposting, since Emily possibly joined the mailing list after I
    replied ;-).<br>
    <br>
    Christina<br>
    <br>
    <div class="moz-cite-prefix">On 04/10/2015 09:14 AM, Christina Fu
      wrote:<br>
    </div>
    <blockquote cite="mid:5527F6EA.2020502@redhat.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      Hi Emily,<br>
       Please see my in-line reply below.<br>
      Actually, you might want to read my last comment first, and then
      circle back, so you won't get confused.<br>
      <br>
      Christina<br>
      <br>
      <div class="moz-cite-prefix">On 04/08/2015 02:38 PM, Emily
        Stemmerich wrote:<br>
      </div>
      <blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=ISO-8859-1">
        <div>Hi,</div>
        <div><br>
        </div>
        <div>I was referred to this email list by alee on the
          #dogtag-pki IRC group to get some help on automatic
          certificate renewals.  We are trying to get Dogtag 10.2.1 set
          up to be a certificate authority for Cisco routers’ identity
          certificates.  For the first step I have things working to get
          a certificate using the caRouterCert.cfg profile with a
          one-time password in the flatfile.txt.  For the second step
          I’m trying to get auto-renewal of the identity certificates
          working.  Here is where I stand:</div>
        <div><br>
        </div>
      </blockquote>
      If you intend to do auto-enrollment, then a one-time PIN is not the
      right authentication method.  See my reply to #2 below.<br>
      <br>
      <blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
        type="cite">
        <div> </div>
        <div>1.  For testing, I have set the validity to 1 day so that
          the renewal attempt happens the next day… I don’t see a way of
          making it any shorter to expedite testing. <br>
        </div>
      </blockquote>
      A trick I hear of in testing is to reset the clock.<br>
      <br>
      <blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
        type="cite">
        <div><br>
        </div>
        <div>2. I have added “renewal=true” to the caRouterCert.cfg
          hoping that it will enable auto-renewal.  I’m not sure if
          using the same profile would require that a “one-time”
          password needs to be in flatfile.txt again (which isn’t
          practical)?  If I would need a different profile for the
          renewal I’m not clear on how to add and then use it for the
          renewal.</div>
      </blockquote>
      The caRouterCert profile works just like all the other profiles:
      authentication and authorization are configurable.<br>
      Here is a link that explains how authentication works and how to
      configure in profiles:<br>
      <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html</a><br>
      <br>
      You have choices of authentication.  For example, if you want
      auto-approval (without agent manual approval), you will need to
      set up directory-based authentication.<br>
      <br>
      <blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
        type="cite">
        <div><br>
        </div>
        <div>3.  I have renewal.graceBefore=10 and renewal.graceAfter=1
          in the profile just for testing purposes.</div>
        <div><br>
        </div>
        <div>4.  I have confirmed on the router that the expiration is
          as expected (24hrs) and it shows a date/time that it will
          attempt to renew automatically (the link below discusses cert
          renewal from the perspective of IOS).</div>
        <div><a moz-do-not-send="true"
href="http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8">http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8</a></div>
        <div><br>
        </div>
        <div>5.  When the renewal time comes on the router, I see lots
          of activity in the dogtag debug log, but am unsure of what to
          look for to troubleshoot it failing.</div>
      </blockquote>
      <br>
      Please note that the renewal feature is not intended for the
      router.  You can read the doc here:<br>
      <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html</a><br>
      <br>
      In the case of router renewal, you just need to go through the same
      caRouterCert profile.  As you can see from the renewal link above,
      renewal can take two forms:<br>
      1. reuse keys - in this case, you just need to resubmit the same
      request<br>
      2. new keys - in this case, you generate a new request to submit<br>
      <br>
      Hope this helps.<br>
      Christina<br>
      <br>
      <br>
      <blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
        type="cite">
        <div><br>
        </div>
        <div>Please advise on what to change and/or look for.  I can
          also send logs and/or config files if that would help.</div>
        <div><br>
        </div>
        <div>Best Regards,</div>
        <div>-Emily</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
      </blockquote>
    </blockquote>
    <br>
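    An added example, not code from the thread or from Dogtag, to make
    the grace-window arithmetic behind items 1 and 3 concrete. It reads
    the two renewal.grace* keys from a constructed profile snippet (the
    policy-set path used in the sample is assumed), computes the window
    in which the CA would accept a renewal request, and drives the check
    with a fake clock instead of resetting the host clock. It assumes
    that Dogtag's grace constraint accepts a renewal only between
    notAfter minus graceBefore days and notAfter plus graceAfter days;
    the thread itself does not spell that detail out. In Python:<br>
    <br>

```python
"""Added example, not code from Dogtag or from the thread's participants.

Models the renewal grace window set by the profile parameters
renewal.graceBefore / renewal.graceAfter, and uses a fake clock in place
of the "reset the clock" testing trick.

Assumptions (not confirmed by the thread):
  * Dogtag accepts a renewal only when the request time lies in
    [notAfter - graceBefore days, notAfter + graceAfter days].
  * Profile keys are "key=value" lines whose key ends in
    "renewal.graceBefore" / "renewal.graceAfter".
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of the relevant profile lines; the policy-set path
# is assumed, and only the trailing key names matter to the parser.
SAMPLE_PROFILE = """\
policyset.routerCertSet.1.constraint.class_id=renewGracePeriodConstraintImpl
policyset.routerCertSet.1.constraint.params.renewal.graceBefore=10
policyset.routerCertSet.1.constraint.params.renewal.graceAfter=1
policyset.routerCertSet.2.default.params.range=1
"""


def utc(year, month, day, hour=0):
    """Small helper so callers do not have to build tz-aware datetimes."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_grace_periods(profile_text):
    """Return {"graceBefore": int, "graceAfter": int}; missing keys are 0."""
    grace = {"graceBefore": 0, "graceAfter": 0}
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        for name in grace:
            if key.strip().endswith("renewal." + name):
                grace[name] = int(value.strip())
    return grace


def renewal_window(not_after, grace_before_days, grace_after_days):
    """Earliest and latest instants at which a renewal would be accepted."""
    if grace_before_days < 0 or grace_after_days < 0:
        raise ValueError("grace periods must be non-negative")
    return (not_after - timedelta(days=grace_before_days),
            not_after + timedelta(days=grace_after_days))


def renewal_allowed(now, not_after, grace_before_days, grace_after_days):
    """True when `now` falls inside the grace window (both ends inclusive)."""
    earliest, latest = renewal_window(not_after, grace_before_days, grace_after_days)
    return earliest <= now <= latest


class FakeClock:
    """Stand-in for resetting the system clock: code under test asks this
    object for 'now', and the test moves it instead of the host clock."""

    def __init__(self, start):
        self._now = start

    def now(self):
        return self._now

    def advance(self, **delta):
        self._now += timedelta(**delta)
        return self._now


def simulate_router_cert(issued, validity_days, profile_text, probe_offsets_days):
    """Issue a cert at `issued`, then report whether a renewal would be
    accepted at each probe offset (days after issuance, ascending)."""
    grace = parse_grace_periods(profile_text)
    not_after = issued + timedelta(days=validity_days)
    clock = FakeClock(issued)
    results = {}
    last = 0
    for off in probe_offsets_days:
        clock.advance(days=off - last)
        last = off
        results[off] = renewal_allowed(clock.now(), not_after,
                                       grace["graceBefore"], grace["graceAfter"])
    return results


if __name__ == "__main__":
    issued = utc(2015, 4, 9, 9)
    for off, ok in simulate_router_cert(issued, 1, SAMPLE_PROFILE, [0, 1, 2, 3]).items():
        print(f"day +{off}: renewal {'allowed' if ok else 'rejected'}")
```

    <br>
    With the values in the thread (validity of 1 day, graceBefore=10,
    graceAfter=1) the window opens nine days before the certificate is
    even issued and closes one day after it expires, so on the CA side
    nothing waits for expiry; only the router's own renewal timer does.
    Under the stated assumption, a renewal that arrives more than a day
    after expiry would be rejected by the constraint.<br>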
  </body>
</html>