<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Reposting, since Emily possibly joined the mailing list after I
replied ;-).<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 04/10/2015 09:14 AM, Christina Fu
wrote:<br>
</div>
<blockquote cite="mid:5527F6EA.2020502@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
Hi Emily,<br>
Please see my in-line reply below.<br>
Actually, you might want to read my last comment first, and then
circle back, so you won't get confused.<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 04/08/2015 02:38 PM, Emily
Stemmerich wrote:<br>
</div>
<blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div>Hi,</div>
<div><br>
</div>
<div>I was referred to this email list by alee on the
#dogtag-pki IRC group to get some help on automatic
certificate renewals. We are trying to get Dogtag 10.2.1 set
up to be a certificate authority for Cisco routers’ identity
certificates. For the first step I have things working to get
a certificate using the caRouterCert.cfg profile with a
one-time password in the flatfile.txt. For the second step
I’m trying to get auto-renewal of the identity certificates
working. Here is where I stand:</div>
<div><br>
</div>
</blockquote>
If you intend to do auto-enrollment, then a one-time pin is not the
right authentication method. See my reply to #2 below.<br>
<br>
<blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
type="cite">
<div> </div>
<div>1. For testing, I have set the validity to 1 day so that
the renewal attempt happens the next day… I don’t see a way of
making it any shorter to expedite testing. <br>
</div>
</blockquote>
A trick I hear of in testing is to reset the clock.<br>
<br>
<blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
type="cite">
<div><br>
</div>
<div>2. I have added “renewal=true” to the caRouterCert.cfg
hoping that it will enable auto-renewal. I’m not sure if
using the same profile would require that a “one-time”
password needs to be in flatfile.txt again (which isn’t
practical)? If I would need a different profile for the
renewal I’m not clear on how to add and then use it for the
renewal.</div>
</blockquote>
The caRouterCert profile works just like all the other profiles,
where authentication/authorization are configurable.<br>
Here is a link that explains how authentication works and how to
configure in profiles:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html</a><br>
<br>
You have choices of authentication. For example, if you want
auto-approval (without agent manual approval), you will need to
set up directory-based authentication.<br>
<br>
<blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
type="cite">
<div><br>
</div>
<div>3. I have renewal.graceBefore=10 and renewal.graceAfter=1
in the profile just for testing purposes.</div>
<div><br>
</div>
<div>4. I have confirmed on the router that the expiration is
as expected (24hrs) and it shows a date/time that it will
attempt to renew automatically (the link below discusses cert
renewal from the perspective of IOS).</div>
<div><a moz-do-not-send="true"
href="http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8">http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8</a></div>
<div><br>
</div>
<div>5. When the renewal time comes on the router, I see lots
of activity in the dogtag debug log, but am unsure of what to
look for to troubleshoot it failing.</div>
</blockquote>
<br>
Please note that the renewal feature is not intended for the
router. You can read the doc here:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html</a><br>
<br>
In case of router renewal, you just need to go through the same
caRouterCert profile. As you can see from the renewal link above,
renewal can take two forms:<br>
1. Reuse keys - in this case, you just need to resubmit the same
request.<br>
2. New keys - in this case, you generate a new request to submit.<br>
<br>
Hope this helps.<br>
Christina<br>
<br>
<br>
<blockquote
cite="mid:A73BDD4B8459C54E8AED3D5D701FC5EB882C3DE1@exchangehe.arcananet.com"
type="cite">
<div><br>
</div>
<div>Please advise on what to change and/or look for. I can
also send logs and/or config files if that would help.</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>-Emily</div>
<div><br>
</div>
<div><br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
<br>
</blockquote>
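The following Python is an added example, not part of this thread and not Dogtag's own code. It models the two points made above: why a one-time PIN read from flatfile.txt cannot serve unattended renewal (the matching record is consumed on the first successful use, so the router's second request finds nothing to authenticate against), and how the profile's renewal.graceBefore / renewal.graceAfter values define the window in which a renewal request is accepted, including what a shifted clock does to that check. The flatfile record layout (UID:/PWD: lines separated by blank lines), the consume-on-success behaviour, and the reading of the grace values as days are assumptions drawn from the thread and the linked documentation; the hostnames, PINs and dates are constructed.<br>
<br>
```python
"""Simplified model of one-time-PIN authentication and the renewal grace
window, as discussed on the Pki-users thread.  Constructed example; not
Dogtag code.  Assumptions: flatfile.txt holds UID:/PWD: records separated
by blank lines, a used record is removed, and graceBefore/graceAfter are
expressed in days."""
from datetime import datetime, timedelta, timezone

# Constructed sample flatfile.txt (UID = keyAttributes, PWD = authAttributes).
SAMPLE_FLATFILE = """\
UID:router1.example.net
PWD:7d2f9a1c

UID:router2.example.net
PWD:e41b0c77
"""


def parse_flatfile(text):
    """Return {uid: pwd} for every complete record in a flatfile.txt body."""
    entries = {}
    record = {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last record
        line = line.strip()
        if not line:
            if "UID" in record and "PWD" in record:
                entries[record["UID"]] = record["PWD"]
            record = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return entries


class OneTimePinAuth:
    """A matching UID/PWD record is accepted once and then dropped.

    This is the property that makes the flat-file method unsuitable for
    unattended renewal: the router presents the same credentials again at
    renewal time, but the record was consumed by the initial enrollment."""

    def __init__(self, flatfile_text):
        self.entries = parse_flatfile(flatfile_text)

    def authenticate(self, uid, pwd):
        if pwd is None or self.entries.get(uid) != pwd:
            return False
        del self.entries[uid]      # consumed: the PIN is one-time
        return True


def in_renewal_window(not_after, now, grace_before_days, grace_after_days):
    """True if `now` lies in [notAfter - graceBefore, notAfter + graceAfter].

    Models the acceptance window set by renewal.graceBefore and
    renewal.graceAfter (assumed to be in days).  Outside this window a
    renewal request is rejected, which is the first thing to rule out when
    the debug log shows a renewal attempt failing."""
    start = not_after - timedelta(days=grace_before_days)
    end = not_after + timedelta(days=grace_after_days)
    return start <= now <= end


def simulate_router_lifecycle(clock_offset_days=0):
    """Walk one router through enrollment and a later renewal attempt.

    `clock_offset_days` is added to the CA's idea of "now" at renewal time,
    mirroring the clock-reset trick suggested for testing.  Returns the
    outcome of each step so the effect is visible without reading logs."""
    auth = OneTimePinAuth(SAMPLE_FLATFILE)
    issued = datetime(2015, 4, 8, 14, 38, tzinfo=timezone.utc)
    not_after = issued + timedelta(days=1)            # 1-day test validity
    enrolled = auth.authenticate("router1.example.net", "7d2f9a1c")

    renew_time = not_after - timedelta(hours=1) + timedelta(days=clock_offset_days)
    # graceBefore=10, graceAfter=1 as in the thread's test configuration.
    window_ok = in_renewal_window(not_after, renew_time, 10, 1)
    # Same profile, same one-time PIN: the record is already gone.
    renew_auth = auth.authenticate("router1.example.net", "7d2f9a1c")
    return {
        "enrolled": enrolled,
        "renewal_in_window": window_ok,
        "renewal_authenticated": renew_auth,
        "renewal_would_succeed": window_ok and renew_auth,
    }


if __name__ == "__main__":
    print(simulate_router_lifecycle())
    print(simulate_router_lifecycle(clock_offset_days=5))   # pushed past graceAfter
```
<br>
Running the lifecycle shows the failure mode the thread describes: the initial enrollment succeeds, the renewal time falls inside the grace window, and the renewal still fails because the one-time record no longer exists. Moving the CA clock five days forward drops the request out of the window as well, so both checks have to pass before a renewal through caRouterCert can be approved.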
<br>
</body>
</html>