[Freeipa-devel] certmonger proxy configuration not possible ?

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 4 16:01:47 UTC 2016


On Thu, 04 Aug 2016, Marx, Peter wrote:
>I tried it and found out it can't work this way - when issuing a CSR
>with getcert, the parameters of this request are normally handed over
>by getcert to the scep-submit helper. I see no way to intercept these
>parameters and pass them to the proxy-shellscript. Only the -u
>parameter is known beforehand, as it is configured in the ca description
>file or in the proxy shellscript itself.
On systemd-enabled systems certmonger runs as a service. You can affect
the environment of the service by adding files ending in .conf in
/etc/systemd/system/certmonger.service.d/

See systemd.service and systemd.unit man pages.

>
>Peter
>
>-----Original Message-----
>From: Rob Crittenden [mailto:rcritten at redhat.com]
>Sent: Wednesday, August 03, 2016 3:52 PM
>To: Marx, Peter; 'freeipa-devel at redhat.com'
>Subject: Re: [Freeipa-devel] certmonger proxy configuration not possible ?
>
>Marx, Peter wrote:
>> Hi,
>>
>> I have to access an external PKI server with SCEP protocol through our
>> corporate proxy.  On command line I can set the proxy and trigger a
>> CSR with the scep-submit helper successfully.
>
>What are you setting, environment variables I assume?
>
>> But same operation with getcert fails, as there is no proxy
>> configuration possibility in e.g. certmonger.conf.
>>
>> How can I work around this?
>
>A quick kludge might be to replace scep-submit with a shell script that exports the proxy config and then calls the real scep-submit.
>
>A perhaps better and more supportable idea would be to add a CA pointing to this new helper, something like:
>
>getcert add-ca -c exampleSCEPca -e \
>     "/usr/libexec/certmonger/scep-submit-proxy -u http://ca.example.com/cgi-bin/pkiclient.exe"
>
>So scep-submit-proxy would set up the environment and call scep-submit.
>
>rob
>
>>
>> Peter
>>
>>
>>
>> Knorr-Bremse IT-Services GmbH
>> Registered office: Munich
>> Managing Directors: Helmut Draxler (Chairman), Harald Jessen, Harald
>> Schneider; Commercial Register Munich, HR B 167 268
>>
>> This transmission is intended solely for the addressee and contains
>> confidential information.
>> If you are not the intended recipient, please immediately inform the
>> sender and delete the message and any attachments from your system.
>> Furthermore, please do not copy the message or disclose the contents
>> to anyone unless agreed otherwise. To the extent permitted by law we
>> shall in no way be liable for any damages, whatever their nature,
>> arising out of transmission failures, viruses, external influence, delays and the like.
>>
>>
>
>

-- 
/ Alexander Bokovoy
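The two approaches in the thread (Rob's wrapper helper registered with getcert add-ca, and Alexander's systemd drop-in for the whole service) can share one validated source of proxy settings. The script below is an added example written for this thread, not certmonger's own code and not something either poster provided. It assumes hypothetical paths (/usr/libexec/certmonger/scep-submit as the real helper, /etc/certmonger/scep-proxy.conf as a root-owned KEY=VALUE file) and invents the SCEP_SUBMIT_REAL and SCEP_PROXY_CONF override variables for testing. It forwards every argument getcert passes with "$@", which is what makes the wrapper work without intercepting anything; certmonger also passes the request itself (CSR, operation, CA nickname) to helpers via CERTMONGER_* environment variables, and exec inherits those.

```shell
#!/bin/sh
# scep-submit-proxy: an added example wrapper around certmonger's scep-submit
# helper; it is not certmonger code and was not part of the thread.
# Hypothetical assumptions: the real helper is /usr/libexec/certmonger/scep-submit,
# the proxy settings live in /etc/certmonger/scep-proxy.conf as KEY=VALUE lines
# (root-owned, not writable by others), and SCEP_SUBMIT_REAL / SCEP_PROXY_CONF
# are override variables invented here for testing.

REAL_HELPER="${SCEP_SUBMIT_REAL:-/usr/libexec/certmonger/scep-submit}"
PROXY_CONF="${SCEP_PROXY_CONF:-/etc/certmonger/scep-proxy.conf}"

# valid_proxy_url URL: accept only a plain http(s)://host[:port][/] value.
# A whitelist is used so that a tampered config file cannot push whitespace
# or shell metacharacters into the helper's environment.
valid_proxy_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?/?$'
}

# load_proxy_conf FILE: export http_proxy, https_proxy and no_proxy from FILE.
# Only those three keys are honoured; comments and unknown keys are ignored.
# An invalid proxy URL fails the call so the request is never sent through
# an unexpected host. A missing file means "no proxy", not an error.
load_proxy_conf() {
    _conf="$1"
    [ -r "$_conf" ] || return 0
    while IFS='=' read -r _key _value || [ -n "$_key" ]; do
        case "$_key" in
            http_proxy|https_proxy)
                valid_proxy_url "$_value" || return 1
                export "$_key=$_value"
                ;;
            no_proxy)
                export "no_proxy=$_value"
                ;;
        esac
    done < "$_conf"
    return 0
}

# render_dropin FILE: print a systemd drop-in that carries the same settings,
# for the alternative of configuring the proxy on the certmonger service
# itself (e.g. /etc/systemd/system/certmonger.service.d/proxy.conf, followed
# by systemctl daemon-reload and a restart of certmonger). A drop-in applies
# to every helper certmonger runs, not only scep-submit, so no_proxy must
# list any CA that should be reached directly.
render_dropin() {
    load_proxy_conf "$1" || return 1
    printf '[Service]\n'
    [ -n "${http_proxy:-}" ]  && printf 'Environment="http_proxy=%s"\n' "$http_proxy"
    [ -n "${https_proxy:-}" ] && printf 'Environment="https_proxy=%s"\n' "$https_proxy"
    [ -n "${no_proxy:-}" ]    && printf 'Environment="no_proxy=%s"\n' "$no_proxy"
    return 0
}

# run_helper ARGS...: load the proxy settings and exec the real helper with
# exactly the arguments getcert passed to us. certmonger also hands the
# request (CSR, operation, CA nickname, ...) to helpers through CERTMONGER_*
# environment variables, and exec inherits those, so nothing has to be
# intercepted or re-passed here.
run_helper() {
    if ! load_proxy_conf "$PROXY_CONF"; then
        echo "scep-submit-proxy: invalid proxy setting in $PROXY_CONF" >&2
        exit 4   # 4 = "CA underconfigured" in certmonger's helper exit-code convention
    fi
    exec "$REAL_HELPER" "$@"
}

# Dispatch only when invoked under the helper's name, so the functions above
# can also be sourced and exercised without running the real helper.
case "${0##*/}" in
    scep-submit-proxy) run_helper "$@" ;;
esac
```

Installed as /usr/libexec/certmonger/scep-submit-proxy and registered with the getcert add-ca command Rob gave, the wrapper keeps the proxy scoped to that one CA. The drop-in route is simpler but global: every enrollment helper certmonger starts inherits the proxy, so check that no_proxy covers the IPA CA and any other directly reachable issuer before restarting the service. Either way the settings file should be writable only by root, since whatever it names becomes the path the CSR and the issued certificate travel through.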
