From arpad.kunszt at andrews.hu Fri Apr 4 09:15:02 2008
From: arpad.kunszt at andrews.hu (Kunszt Árpád)
Date: Fri, 04 Apr 2008 11:15:02 +0200
Subject: [Pki-users] Startup problem
Message-ID: <47F5F196.9050707@andrews.hu>

Hi!

I tried to install the pki-ca as mentioned in the documentation (yum install pki-ca). It finished successfully and /etc/init.d/pki-ca restart says OK, but it doesn't run. I found only one relevant log file, /var/log/pki-ca/catalina.out, and it contains:

java.lang.reflect.InvocationTargetException
   at java.lang.reflect.Method.invoke(libgcj.so.8rh)
   at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
   at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
Caused by: java.lang.ClassFormatError: org.apache.tomcat.util.net.jss.JSSImplementation (unrecognized class file version)
   at java.lang.VMClassLoader.defineClass(libgcj.so.8rh)
   at java.lang.ClassLoader.defineClass(libgcj.so.8rh)
   at java.security.SecureClassLoader.defineClass(libgcj.so.8rh)
   at java.net.URLClassLoader.findClass(libgcj.so.8rh)
   at java.lang.ClassLoader.loadClass(libgcj.so.8rh)
   at java.lang.ClassLoader.loadClass(libgcj.so.8rh)
   at java.lang.Class.forName(libgcj.so.8rh)
   at java.lang.Class.forName(libgcj.so.8rh)
   at org.apache.tomcat.util.net.SSLImplementation.getInstance(tomcat-util-5.5.26.jar.so)
   at org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(tomcat-http-5.5.26.jar.so)
   at org.apache.coyote.http11.Http11BaseProtocol.init(tomcat-http-5.5.26.jar.so)
   at org.apache.catalina.connector.Connector.initialize(catalina-5.5.26.jar.so)
   at org.apache.catalina.core.StandardService.initialize(catalina-5.5.26.jar.so)
   at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.26.jar.so)
   at org.apache.catalina.startup.Catalina.load(catalina-5.5.26.jar.so)
   at org.apache.catalina.startup.Catalina.load(catalina-5.5.26.jar.so)
   at java.lang.reflect.Method.invoke(libgcj.so.8rh)
   ...2 more

What did I do wrong?
The Google wasn't my friend in this question. Every help or idea is welcome! :-)

Thanks,

Arpad Kunszt

PS: Does the pki-ca server application really need rhgb, gtk and some other desktop packages as dependencies?

From mharmsen at redhat.com Fri Apr 4 16:53:45 2008
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 04 Apr 2008 09:53:45 -0700
Subject: [Pki-users] Startup problem
In-Reply-To: <47F5F196.9050707@andrews.hu>
References: <47F5F196.9050707@andrews.hu>
Message-ID: <47F65D19.1070308@redhat.com>

Kunszt,

From my first look at your log, my initial guess is that you are attempting to run pki-ca using an unsupported JVM. Please read and follow the instructions in http://pki.fedoraproject.org/wiki/PKI_Runtime_Environments to make sure that you have downloaded, installed, and selected the proper JVM. If you have further problems, please don't hesitate to contact this list.

Thanks,
-- Matt

Kunszt Árpád wrote:
> Hi!
>
> I tried to install the pki-ca as mentioned in the documentation
> (yum install pki-ca). It finished successfully and /etc/init.d/pki-ca
> restart says OK but it doesn't run.
> I found only one relevant log file
> /var/log/pki-ca/catalina.out and it contains:
>
> java.lang.reflect.InvocationTargetException
>    at java.lang.reflect.Method.invoke(libgcj.so.8rh)
>    at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
>    at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
> Caused by: java.lang.ClassFormatError:
> org.apache.tomcat.util.net.jss.JSSImplementation (unrecognized class
> file version)
>    at java.lang.VMClassLoader.defineClass(libgcj.so.8rh)
>    at java.lang.ClassLoader.defineClass(libgcj.so.8rh)
>    at java.security.SecureClassLoader.defineClass(libgcj.so.8rh)
>    at java.net.URLClassLoader.findClass(libgcj.so.8rh)
>    at java.lang.ClassLoader.loadClass(libgcj.so.8rh)
>    at java.lang.ClassLoader.loadClass(libgcj.so.8rh)
>    at java.lang.Class.forName(libgcj.so.8rh)
>    at java.lang.Class.forName(libgcj.so.8rh)
>    at org.apache.tomcat.util.net.SSLImplementation.getInstance(tomcat-util-5.5.26.jar.so)
>    at org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(tomcat-http-5.5.26.jar.so)
>    at org.apache.coyote.http11.Http11BaseProtocol.init(tomcat-http-5.5.26.jar.so)
>    at org.apache.catalina.connector.Connector.initialize(catalina-5.5.26.jar.so)
>    at org.apache.catalina.core.StandardService.initialize(catalina-5.5.26.jar.so)
>    at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.26.jar.so)
>    at org.apache.catalina.startup.Catalina.load(catalina-5.5.26.jar.so)
>    at org.apache.catalina.startup.Catalina.load(catalina-5.5.26.jar.so)
>    at java.lang.reflect.Method.invoke(libgcj.so.8rh)
>    ...2 more
>
> What did I do wrong? The Google wasn't my friend in this question. Every
> help or idea is welcome! :-)
>
> Thanks,
>
> Arpad Kunszt
>
> PS: Does the pki-ca server application really need rhgb, gtk and some other
> desktop packages as dependencies?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From fujyhluo at yahoo.com Fri Apr 4 17:58:18 2008
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Fri, 4 Apr 2008 10:58:18 -0700 (PDT)
Subject: [Pki-users] ESC question
Message-ID: <476678.3224.qm@web30307.mail.mud.yahoo.com>

hi,

Does Red Hat release ESC (Enterprise Security Client)?

Fu

From jmagne at redhat.com Fri Apr 4 18:17:00 2008
From: jmagne at redhat.com (Jack Magne)
Date: Fri, 04 Apr 2008 11:17:00 -0700
Subject: [Pki-users] ESC question
In-Reply-To: <476678.3224.qm@web30307.mail.mud.yahoo.com>
References: <476678.3224.qm@web30307.mail.mud.yahoo.com>
Message-ID: <47F6709C.5050509@redhat.com>

Fu:

If you are talking Fedora 8, ESC is available as part of the Extras package. It can be easily obtained with a:

yum install

Fu-Jyh Luo wrote:
> hi,
>
> Does Red Hat release ESC (Enterprise Security Client)?
>
> Fu
From arpad.kunszt at andrews.hu Tue Apr 8 12:04:21 2008
From: arpad.kunszt at andrews.hu (Kunszt Árpád)
Date: Tue, 08 Apr 2008 14:04:21 +0200
Subject: [Pki-users] Startup problem
In-Reply-To: <47F65D19.1070308@redhat.com>
References: <47F5F196.9050707@andrews.hu> <47F65D19.1070308@redhat.com>
Message-ID: <47FB5F45.9060205@andrews.hu>

> Kunszt,
>
> From my first look at your log, my initial guess is that you are
> attempting to run pki-ca using an unsupported JVM. Please read and
> follow the instructions in
> http://pki.fedoraproject.org/wiki/PKI_Runtime_Environments to make sure
> that you have downloaded, installed, and selected the proper JVM. If
> you have further problems, please don't hesitate to contact this list.
>

Thanks. That was the problem. I didn't install java-1.7.0-icedtea; I thought every dependency had been installed with the pki-ca.

Thanks again,

Arpad

From fujyhluo at yahoo.com Wed Apr 9 06:03:28 2008
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Tue, 8 Apr 2008 23:03:28 -0700 (PDT)
Subject: [Pki-users] ESC question
In-Reply-To: <47F6709C.5050509@redhat.com>
Message-ID: <70034.14803.qm@web30302.mail.mud.yahoo.com>

hi Jack,

I did find the ESC for Fedora 8. How about ESC for Windows XP and Mac 10.4 (Tiger)?

Thanks,
Fu

> Fu:
>
> If you are talking Fedora 8, ESC is available as
> part of the Extras package:
> It can be easily obtained with a:
>
> yum install
>
> Fu-Jyh Luo wrote:
> > hi,
> >
> > Does Red Hat release ESC (Enterprise Security
> > Client)?
From j.barber at dundee.ac.uk Wed Apr 9 14:28:28 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Wed, 9 Apr 2008 15:28:28 +0100
Subject: [Pki-users] Importing existing CA chain into new dogtag instance
Message-ID: <20080409142827.GF32602@flea.lifesci.dundee.ac.uk>

Hi, I've been playing with Dogtag for the last couple of days, and want to test it with our existing CA cert that we use locally. So I've been setting them up as subordinate CAs.

I hit a minor glitch in setup when connecting to a remote FDS instance: it won't connect via SSL and I just get the error "Failed to connect to the internal database", presumably because the SSL cert doesn't pass validation.

After configuring the CA as a subordinate, I sign the CA cert CSR with our local CA, then provide our CA cert in PKCS7 form, generated with the command:

openssl crl2pkcs7 -nocrl -certfile cacert.pem

Upon restarting the CA instance, everything works, but I can't find any trace of the issuer certificate in the certutil DB so I presume it failed. Where should it go?

After setup, when I try and use the pkiconsole to load the CA cert (in PEM format) into the DB (as a CA or Local Certificate) I get the error "Certificate Error: Failed to decode", and PrettyPrintCert gives me:

PrettyPrintCert: Error encountered on parsing certificate : java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
null

I can load it into the instance certutil DB, but can't then see it in the pkiconsole.

Any ideas?
The certificate in question is:

-----BEGIN CERTIFICATE-----
MIIH4DCCBcigAwIBAgIJAKxtGsvJnqGGMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
VQQGEwJHQjERMA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsG
A1UEChMUVW5pdmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2Yg
TGlmZSBTY2llbmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsx
JjAkBgkqhkiG9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrMB4XDTA3MDIx
NjEwNTMzMFoXDTE3MDIxMzEwNTMzMFowgb0xCzAJBgNVBAYTAkdCMREwDwYDVQQI
EwhTY290bGFuZDEPMA0GA1UEBxMGRHVuZGVlMR0wGwYDVQQKExRVbml2ZXJzaXR5
IG9mIER1bmRlZTEhMB8GA1UECxMYQ29sbGVnZSBvZiBMaWZlIFNjaWVuY2VzMSAw
HgYDVQQDExdjYS5saWZlc2NpLmR1bmRlZS5hYy51azEmMCQGCSqGSIb3DQEJARYX
Y2FAbGlmZXNjaS5kdW5kZWUuYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
ggIKAoICAQC3tIfCIag41x63OQF2etPa3gHFxT4JlGfEO0a8fV+tfqpSrwlWWqeR
w8zOO/UCxAi0FNVBmB1peeQZU/026FZ8MWu1IhJyy5OF3PIjtKxzgEuVWD7pQw7Y
i32dthr5pg6GnXB/dx3P5hEVgci/Gh9fij0BLF6iPsy6CkJB3/sD2OEHN3CKMgE7
kIQKZEM2XrSCNQ5KGCBzFqpowJQneVTi65pcVKIDpp56F1qrimIrFBgUbsJnswfI
1Kxi8FvSj7fuTibIyiPz9QUguRNjjbQzHlkOQJKy0j2ENxdqDN9vNoeQjGDh2RXL
4xovgkxW1YYHdxt5PdNtpwX8Vb7uYsZXGp5CB8xeLKSnvgZrms9EAvZvQHzMdIhb
th9zCOPXAZTfeSEyMcsFY8bK+ic/JlWk/7Oo/em1dMPMi+UmXdYUD33F7Z5N9xsH
x9Laz3YSuflrW8WrriVAe0xAWRjP9X205pnJbmJDgnUzHI9+qqkz7GQBxQenUjEu
vTO0Dx4Psvby2j6sS0b0dVxAtZfnDutnRXc9+/9PSsSr+YLpbZh+7sPRWYynpDzy
wjmBPClv+rm8o9MdkAE+8U9XoXXSU+5FG/TpzJmEFR65BYPR9BDKn8CVfhgE3flE
n2l7V1hOzYFWMBu42byJx8tHzCvFPVjLbaPIMs6o1zmKC/2a+B6T+QIDAQABo4IB
3zCCAdswHQYDVR0OBBYEFKOZNeS+xtTc6reYfP8IT4HhvcskMIHyBgNVHSMEgeow
geeAFKOZNeS+xtTc6reYfP8IT4HhvcskoYHDpIHAMIG9MQswCQYDVQQGEwJHQjER
MA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsGA1UEChMUVW5p
dmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2YgTGlmZSBTY2ll
bmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsxJjAkBgkqhkiG
9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrggkArG0ay8meoYYwDwYDVR0T
AQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAAcwCQYDVR0SBAIwADArBglghkgB
hvhCAQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTA4BglghkgBhvhC
AQMEKxYpaHR0cDovL2NhLmxpZmVzY2kuZHVuZGVlLmFjLnVrL2NybC12MS5jcmww
IgYDVR0RBBswGYEXY2FAbGlmZXNjaS5kdW5kZWUuYWMudWswCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4ICAQBWXSsapjd27zrz/5v7OSOQkFu7ZgiQK9oFT82M
V8GyIH6KB86u17rpPZOPu3kr9M5YaY8Jil2ytKhR2/YacOYGMemUPf+dKvwIvu+J
9a7WIqVReCHl4S8j9amzLGqowJYHgvefNGJuSpFDsQpHkOo5wrZgP8KRn0SYDJf9
fbN+n5Rsr9SOPRs26LVuFamUX7//rYrQU42O8JR61nTZN0iFCsKLTc/ofFEgoW63
wzn0NEagnSAFDJMI5/YIcouwWbu64YXPL84jvn69LANWf7G2YnXwyeOF3TM71Jl3
3z5Qu7qOp56uLPZ9vTYuwkyAFzVqfwNJUEWybTbtp7s/SrBGbSLYv7Q6ZYpEq1mY
diNPHhwfkXM2xjgaSom0kQf19rhBInrzsdb4yxNRceZuRQgh4A0zrL4vuTED9BEp
rh9Rx3+UZB9+TQbeC8BqRxQYBP/Mh++OYqrmJRsG5ecm/OhD9zB+ikEx9xKoIEPx
KocwtdUqOdWdS78QSmi+O/e7cBkApc/wCfpX4FZoBwvSVr4qtz71xMFqhxjx6ahm
tT15+MQeaPUL2FDwKOcLTUp5N/dFLy8Dh2OKf2Qg+pXni0Ee4Jy9QP3xDS65XDeJ
fx5I426trWldYtFwwlQ902/9/YRqFbzb9qzysqez1nW1Kdea5XTxl2A2I2o024sC
Yan4Hw==
-----END CERTIFICATE-----

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From cfu at redhat.com Wed Apr 9 15:30:04 2008
From: cfu at redhat.com (Christina Fu)
Date: Wed, 09 Apr 2008 08:30:04 -0700
Subject: [Pki-users] Importing existing CA chain into new dogtag instance
In-Reply-To: <20080409142827.GF32602@flea.lifesci.dundee.ac.uk>
References: <20080409142827.GF32602@flea.lifesci.dundee.ac.uk>
Message-ID: <47FCE0FC.1000902@redhat.com>

Hi, first of all, thank you for playing with Dogtag.

For the first question regarding doing SSL with FDS, you need to trust the CA that signed the FDS's SSL server cert. We should have information on how to do this in the documentation. If not, we need to add that.

As for your issue(s) regarding linking to an external CA, I believe there could be some confusion. I'm only guessing here. Did you go through all the steps under "action required" for the CA certification at the "Requests and Certificates" panel during configuration? In Step 2, the pkcs7 chain it takes is only the CA chain, not the leaf certificate.
And in a separate step (Step 3), it then takes a base64 encoded leaf cert. Could it be that you missed one of the steps? If you have gone through all three steps at this point, the whole chain should have been imported into the certdb with the necessary trust marked.

Finally, I don't think any part of our software takes PEM format. Try to convert PEM to DER format and it should help.

Also, feel free to file bugs if you find any problem or inconvenience.

Hope this helps.
Christina

Jonathan Barber wrote:
> Hi, I've been playing with Dogtag for the last couple of days, and want
> to test it with our existing CA cert that we use locally. So I've been
> setting them up as subordinate CAs.
>
> I hit a minor glitch in setup when connecting to a remote FDS instance,
> it won't connect via SSL and I just get the error "Failed to connect to
> the internal database", presumably because the SSL cert doesn't pass
> validation.
>
> After configuring the CA as a subordinate, I sign the CA cert CSR with
> our local CA, then provide our CA cert in PKCS7 form, generated with
> the command:
> openssl crl2pkcs7 -nocrl -certfile cacert.pem
>
> Upon restarting the CA instance, everything works, but I can't find any
> trace of the issuer certificate in the certutil DB so I presume it
> failed. Where should it go?
>
> After setup, when I try and use the pkiconsole to load the CA cert (in
> PEM format) into the DB (as a CA or Local Certificate) I get the error
> "Certificate Error: Failed to decode", and PrettyPrintCert gives me:
> PrettyPrintCert: Error encountered on parsing certificate : java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
> null
>
> I can load it into the instance certutil DB, but can't then see it in
> the pkiconsole.
>
> Any ideas?
> The certificate in question is:
> [...]

From cfu at redhat.com Wed Apr 9 17:38:47 2008
From: cfu at redhat.com (Christina Fu)
Date: Wed, 09 Apr 2008 10:38:47 -0700
Subject: [Pki-users] Importing existing CA chain into new dogtag instance
In-Reply-To: <47FCE0FC.1000902@redhat.com>
References: <20080409142827.GF32602@flea.lifesci.dundee.ac.uk> <47FCE0FC.1000902@redhat.com>
Message-ID: <47FCFF27.6040705@redhat.com>

FYI, the following page should help in regards to handling PEM in Dogtag:
http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates

Christina

Christina Fu wrote:
> Hi, first of all, thank you for playing with Dogtag.
> For the first question regarding doing SSL with FDS, you need to trust
> the CA that signed the FDS's SSL server cert. We should have
> information on how to do this in the documentation. If not, we need
> to add that.
> As for your issue(s) regarding linking to an external CA, I believe
> there could be some confusion. I'm only guessing here.
> Did you go
> through all the steps under "action required" for the CA certification
> at the "Requests and Certificates" panel during configuration? In Step
> 2, the pkcs7 chain it takes is only the CA chain, not the leaf
> certificate. And in a separate step (Step 3), it then takes a base64
> encoded leaf cert. Could it be that you missed one of the steps? If
> you have gone through all three steps at this point, the whole chain
> should have been imported into the certdb with the necessary trust marked.
>
> Finally, I don't think any part of our software takes PEM format. Try
> to convert PEM to DER format and it should help.
>
> Also, feel free to file bugs if you find any problem or inconvenience.
>
> Hope this helps.
> Christina
>
>
> Jonathan Barber wrote:
>> Hi, I've been playing with Dogtag for the last couple of days, and want
>> to test it with our existing CA cert that we use locally. So I've been
>> setting them up as subordinate CAs.
>>
>> I hit a minor glitch in setup when connecting to a remote FDS instance,
>> it won't connect via SSL and I just get the error "Failed to connect to
>> the internal database", presumably because the SSL cert doesn't pass
>> validation.
>>
>> After configuring the CA as a subordinate, I sign the CA cert CSR with
>> our local CA, then provide our CA cert in PKCS7 form, generated with
>> the command:
>> openssl crl2pkcs7 -nocrl -certfile cacert.pem
>>
>> Upon restarting the CA instance, everything works, but I can't find any
>> trace of the issuer certificate in the certutil DB so I presume it
>> failed. Where should it go?
>>
>> After setup, when I try and use the pkiconsole to load the CA cert (in
>> PEM format) into the DB (as a CA or Local Certificate) I get the error
>> "Certificate Error: Failed to decode", and PrettyPrintCert gives me:
>> PrettyPrintCert: Error encountered on parsing certificate :
>> java.security.cert.CertificateParsingException: java.io.IOException:
>> java.io.IOException:
>> IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException:
>> No data available in passed DER encoded value.
>> null
>>
>> I can load it into the instance certutil DB, but can't then see it in
>> the pkiconsole.
>>
>> Any ideas? The certificate in question is:
>> [...]

From crc408 at gmail.com Wed Apr 9 18:38:04 2008
From: crc408 at gmail.com (Chris)
Date: Wed, 9 Apr 2008 11:38:04 -0700
Subject: [Pki-users] Modify Certificate Profiles

I've successfully installed Dogtag.
The documentation was clear and I didn't have any issues.

My question is in regards to customizing certificate profiles. In the current CA environment I manage, I deal with customizing profiles. Is there a way to create customized certificate profiles?

The fields which apply are:

CertificatePolicies
ExtendedKeyUsage

Also, in one profile, we've created a new field that

From crc408 at gmail.com Wed Apr 9 18:43:09 2008
From: crc408 at gmail.com (Chris)
Date: Wed, 9 Apr 2008 11:43:09 -0700
Subject: [Pki-users] Modify Certificate Profiles

Sorry, hit send by mistake....

I've successfully installed Dogtag. The documentation was clear and I didn't have any issues.

My question is in regards to customizing certificate profiles. In the current CA environment I manage, I deal with customizing profiles. Is there a way to create customized certificate profiles?

The fields which apply are:

CertificatePolicies
 - Policy Identifier
 - User Notice with custom text
ExtendedKeyUsage
 - New Key Usage OID

Also, in one profile, we've created a new field that programmatically ties to the EKU.

On our current CA software, a config file is modified to customize profiles. Also there is some DER encoding required to convert the appropriate text.

Is this feature available?

From cfu at redhat.com Wed Apr 9 19:10:20 2008
From: cfu at redhat.com (Christina Fu)
Date: Wed, 09 Apr 2008 12:10:20 -0700
Subject: [Pki-users] Modify Certificate Profiles
Message-ID: <47FD149C.1000306@redhat.com>

Profiles can be configured in /profiles/ca. If you add your own new profiles, you need to modify //conf/CS.cfg "profile.list" to contain the new profile name, and add the corresponding "class_id" and "config" (see the existing entries in CS.cfg as example), and restart the CA.
In addition, Dogtag provides a flexible plugin infrastructure that allows people to customize various areas. Profile is one of them. The standard profile related plugin code is in pki/base/common/src/com/netscape/cms/profile/. That's for advanced users who know what they are doing. Make sure the certs produced still comply.

hope this helps.
Christina

Chris wrote:
>
> Sorry, hit send by mistake....
>
> I've successfully installed Dogtag. The documentation was clear and I
> didn't have any issues.
>
> My question is in regards to customizing certificate profiles. In the
> current CA environment I manage, I deal with customizing profiles. Is
> there a way to create customized certificate profiles?
>
> The fields which apply are:
>
> CertificatePolicies
> - Policy Identifier
> - User Notice with custom text
> ExtendedKeyUsage
> - New Key Usage OID
>
>
> Also, in one profile, we've created a new field that programmatically
> ties to the EKU.
>
> On our current CA software, a config file is modified to customize
> profiles. Also there is some DER encoding required to convert the
> appropriate text.
>
> Is this feature available?

From crc408 at gmail.com Thu Apr 10 05:09:31 2008
From: crc408 at gmail.com (Chris)
Date: Wed, 9 Apr 2008 22:09:31 -0700
Subject: [Pki-users] Modify Certificate Profiles
In-Reply-To: <47FD149C.1000306@redhat.com>
References: <47FD149C.1000306@redhat.com>

Thanks. That worked.

On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu wrote:
> Profiles can be configured in /profiles/ca.
> If you
> add your own new profiles, you need to modify root>//conf/CS.cfg "profile.list" to contain the new profile name, and add
> the corresponding "class_id" and "config" (see the existing entries in
> CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides a flexible plugin infrastructure that allows
> people to customize various areas. Profile is one of them.
> The standard profile related plugin code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for advanced users
> who know what they are doing. Make sure the certs produced still comply.
>
> hope this helps.
> Christina
>
> Chris wrote:
> >
> > Sorry, hit send by mistake....
> >
> > I've successfully installed Dogtag. The documentation was clear and I
> > didn't have any issues.
> > My question is in regards to customizing certificate profiles. In the
> > current CA environment I manage, I deal with customizing profiles. Is there
> > a way to create customized certificate profiles?
> > The fields which apply are:
> > CertificatePolicies
> > - Policy Identifier
> > - User Notice with custom text
> > ExtendedKeyUsage
> > - New Key Usage OID
> > Also, in one profile, we've created a new field that programmatically
> > ties to the EKU.
> >
> > On our current CA software, a config file is modified to customize
> > profiles. Also there is some DER encoding required to convert the
> > appropriate text.
> >
> > Is this feature available?
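The two extensions Chris asks about have fixed DER layouts (RFC 5280, sections 4.2.1.4 and 4.2.1.12) regardless of which CA emits them, and the "DER encoding required to convert the appropriate text" he mentions is the UserNotice explicitText inside CertificatePolicies. The following is an added example, not Dogtag code and not from anyone in the thread: a small standard-library Python DER builder that encodes an ExtendedKeyUsage with a custom KeyPurposeId and a CertificatePolicies with a policy identifier plus user notice, so the bytes a profile produces can be compared against what the policy requires (openssl asn1parse -in cert.der -inform DER -i shows the issued certificate's structure). The OIDs 1.3.6.1.4.1.99999.1.1 and 1.3.6.1.4.1.99999.42 are placeholders under a private-enterprise arc; substitute your organisation's own.

```python
"""DER encoding of CertificatePolicies and ExtendedKeyUsage (RFC 5280 4.2.1.4, 4.2.1.12).

Added example, not Dogtag code. Standard library only.
"""

OID_CERT_POLICIES = "2.5.29.32"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_QT_CPS = "1.3.6.1.5.5.7.2.1"           # id-qt-cps: pointer to the CPS
OID_QT_USER_NOTICE = "1.3.6.1.5.5.7.2.2"   # id-qt-unotice: text shown to the relying party


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128, high bit set
    on every byte except the last of each arc."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER forbids encoding a DEFAULT value, so critical=False emits no BOOLEAN at all."""
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, encode_oid(oid) + flag + der(0x04, value))


def ext_key_usage(oids, critical: bool = False) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID each)."""
    oids = list(oids)
    if not oids:
        raise ValueError("ExtendedKeyUsage needs at least one KeyPurposeId")
    return extension(OID_EXT_KEY_USAGE, der(0x30, b"".join(encode_oid(o) for o in oids)), critical)


def certificate_policies(policies, critical: bool = False) -> bytes:
    """policies: iterable of (policy_oid, user_notice_text_or_None, cps_uri_or_None).

    PolicyInformation ::= SEQUENCE { policyIdentifier OID,
                                     policyQualifiers SEQUENCE OF PolicyQualifierInfo OPTIONAL }
    PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY }
    UserNotice ::= SEQUENCE { explicitText DisplayText OPTIONAL }, DisplayText as UTF8String,
    which RFC 5280 limits to 200 characters. A CPS pointer is an IA5String URI.
    """
    infos = []
    for oid, notice, cps in policies:
        quals = b""
        if cps is not None:
            quals += der(0x30, encode_oid(OID_QT_CPS) + der(0x16, cps.encode("ascii")))
        if notice is not None:
            if len(notice) > 200:
                raise ValueError("explicitText longer than 200 characters")
            user_notice = der(0x30, der(0x0C, notice.encode("utf-8")))
            quals += der(0x30, encode_oid(OID_QT_USER_NOTICE) + user_notice)
        infos.append(der(0x30, encode_oid(oid) + (der(0x30, quals) if quals else b"")))
    return extension(OID_CERT_POLICIES, der(0x30, b"".join(infos)), critical)


if __name__ == "__main__":
    # Placeholder OIDs under a private-enterprise arc; replace with your own.
    print(ext_key_usage(["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.99999.42"]).hex())
    print(certificate_policies([("1.3.6.1.4.1.99999.1.1", "Example policy; test use only", None)]).hex())
```

Two details worth checking in whatever the CA emits: the critical BOOLEAN must be absent when false (DER does not encode DEFAULT values, and strict parsers reject 01 01 00), and explicitText must stay within the 200-character limit, since some relying parties enforce it.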
From crc408 at gmail.com Thu Apr 10 05:22:41 2008
From: crc408 at gmail.com (Chris)
Date: Wed, 9 Apr 2008 22:22:41 -0700
Subject: [Pki-users] pkiconsole?

Will there be a similar 'pkiconsole' application for dogtag as there is in the Red Hat version?

From j.barber at dundee.ac.uk Thu Apr 10 07:59:08 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Thu, 10 Apr 2008 08:59:08 +0100
Subject: [Pki-users] pkiconsole?
Message-ID: <20080410075908.GA13330@flea.lifesci.dundee.ac.uk>

On Wed, Apr 09, 2008 at 10:22:41PM -0700, Chris wrote:
> Will there be a similar 'pkiconsole' application for dogtag as there is in
> the Red Hat version?

On Fedora 8, after adding the yum repos [1]:

"yum install pki-console"

[1] http://pki.fedoraproject.org/wiki/PKI_Install_Guide#Download_the_PKI_Yum_Repository_Configuration_File

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From j.barber at dundee.ac.uk Thu Apr 10 08:47:45 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Thu, 10 Apr 2008 09:47:45 +0100
Subject: [Pki-users] Importing existing CA chain into new dogtag instance
In-Reply-To: <47FCFF27.6040705@redhat.com>
References: <20080409142827.GF32602@flea.lifesci.dundee.ac.uk> <47FCE0FC.1000902@redhat.com> <47FCFF27.6040705@redhat.com>
Message-ID: <20080410084745.GA25919@flea.lifesci.dundee.ac.uk>

On Wed, Apr 09, 2008 at 10:38:47AM -0700, Christina Fu wrote:
> FYI, the following page should help in regards to handling PEM in Dogtag:
> http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates

Interestingly, the NSS based pp tool works on my certificate, but the java based PrettyPrintCert tool raises an exception. Is it a java bug I wonder? I've submitted a report under:

https://bugzilla.redhat.com/show_bug.cgi?id=441801

> Christina
>
> Christina Fu wrote:
> >Hi, first of all, thank you for playing with Dogtag.
> >For the first question regarding doing SSL with FDS, you need to trust
> >the CA that signed the FDS's ssl server cert. We should have
> >information on how to do this in the documentation. If not, we need
> >to add that.
> >As for your issue(s) regarding linking to an external CA, I believe
> >there could be some confusion. I'm only guessing here. Did you go
> >through all the steps under "action required" for the CA certification
> >at the "Requests and Certificates" panel during configuration? In Step
> >2, the pkcs7 chain it takes is only the CA chain, not the leaf
> >certificate. And in a separate step (Step 3), it then takes a base64
> >encoded leaf cert. Could it be that you missed one of the steps? If
> >you have gone through all three steps at this point, the whole chain
> >should have been imported into the certdb with necessary trust marked.

If the leaf certificate is the one returned from the request and the "chain" being our self signed CA cert, then I have. I wonder if the problem is related to the fact that the java tools seem unable to read our CA cert.

> >Finally, I don't think any part of our software takes PEM format. Try
> >to convert PEM to DER format and it should help.

I thought PEM was the certificate encoded in base64, am I being too liberal in the use of the term PEM?

> >Also, feel free to file bugs if you find any problem or inconvenience.

Sure, just wanted to make sure I'm not doing something stupid...

> >Hope this helps.
> >Christina
> >
> >
> >Jonathan Barber wrote:
> >>Hi, I've been playing with Dogtag for the last couple of days, and want
> >>to test it with our existing CA cert that we use locally. So I've been
> >>setting them up as subordinate CA's.
> >>
> >>I hit a minor glitch in setup when connecting to a remote FDS instance,
> >>it won't connect via SSL and I just get the error "Failed to connect to
> >>the internal database", presumably because the SSL cert doesn't pass
> >>validation.
> >>
> >>After configuring the CA as a subordinate, I sign the CA cert CSR with
> >>our local CA, then provide our CA cert in PKCS7 form - generated with
> >>the command:
> >>openssl crl2pkcs7 -nocrl -certfile cacert.pem
> >>
> >>Upon restarting the CA instance, everything works, but I can't find any
> >>trace of the issuer certificate in the certutil DB so I presume it
> >>failed. Where should it go?
> >>
> >>After setup, when I try and use the pkiconsole to load the CA cert (in
> >>PEM format) into the DB (as a CA or Local Certificate) I get the error
> >>"Certificate Error: Failed to decode", and PrettyPrintCert gives me:
> >>PrettyPrintCert: Error encountered on parsing certificate :
> >>java.security.cert.CertificateParsingException: java.io.IOException:
> >>java.io.IOException:
> >>IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException:
> >>No data available in passed DER encoded value.
> >>null
> >>
> >>I can load it into the instance certutil DB, but can't then see it in
> >>the pkiconsole.
> >>
> >>Any ideas?
The certicate in question is: > >> > >>-----BEGIN CERTIFICATE----- > >>MIIH4DCCBcigAwIBAgIJAKxtGsvJnqGGMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD > >>VQQGEwJHQjERMA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsG > >>A1UEChMUVW5pdmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2Yg > >>TGlmZSBTY2llbmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsx > >>JjAkBgkqhkiG9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrMB4XDTA3MDIx > >>NjEwNTMzMFoXDTE3MDIxMzEwNTMzMFowgb0xCzAJBgNVBAYTAkdCMREwDwYDVQQI > >>EwhTY290bGFuZDEPMA0GA1UEBxMGRHVuZGVlMR0wGwYDVQQKExRVbml2ZXJzaXR5 > >>IG9mIER1bmRlZTEhMB8GA1UECxMYQ29sbGVnZSBvZiBMaWZlIFNjaWVuY2VzMSAw > >>HgYDVQQDExdjYS5saWZlc2NpLmR1bmRlZS5hYy51azEmMCQGCSqGSIb3DQEJARYX > >>Y2FAbGlmZXNjaS5kdW5kZWUuYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw > >>ggIKAoICAQC3tIfCIag41x63OQF2etPa3gHFxT4JlGfEO0a8fV+tfqpSrwlWWqeR > >>w8zOO/UCxAi0FNVBmB1peeQZU/026FZ8MWu1IhJyy5OF3PIjtKxzgEuVWD7pQw7Y > >>i32dthr5pg6GnXB/dx3P5hEVgci/Gh9fij0BLF6iPsy6CkJB3/sD2OEHN3CKMgE7 > >>kIQKZEM2XrSCNQ5KGCBzFqpowJQneVTi65pcVKIDpp56F1qrimIrFBgUbsJnswfI > >>1Kxi8FvSj7fuTibIyiPz9QUguRNjjbQzHlkOQJKy0j2ENxdqDN9vNoeQjGDh2RXL > >>4xovgkxW1YYHdxt5PdNtpwX8Vb7uYsZXGp5CB8xeLKSnvgZrms9EAvZvQHzMdIhb > >>th9zCOPXAZTfeSEyMcsFY8bK+ic/JlWk/7Oo/em1dMPMi+UmXdYUD33F7Z5N9xsH > >>x9Laz3YSuflrW8WrriVAe0xAWRjP9X205pnJbmJDgnUzHI9+qqkz7GQBxQenUjEu > >>vTO0Dx4Psvby2j6sS0b0dVxAtZfnDutnRXc9+/9PSsSr+YLpbZh+7sPRWYynpDzy > >>wjmBPClv+rm8o9MdkAE+8U9XoXXSU+5FG/TpzJmEFR65BYPR9BDKn8CVfhgE3flE > >>n2l7V1hOzYFWMBu42byJx8tHzCvFPVjLbaPIMs6o1zmKC/2a+B6T+QIDAQABo4IB > >>3zCCAdswHQYDVR0OBBYEFKOZNeS+xtTc6reYfP8IT4HhvcskMIHyBgNVHSMEgeow > >>geeAFKOZNeS+xtTc6reYfP8IT4HhvcskoYHDpIHAMIG9MQswCQYDVQQGEwJHQjER > >>MA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsGA1UEChMUVW5p > >>dmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2YgTGlmZSBTY2ll > >>bmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsxJjAkBgkqhkiG > >>9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrggkArG0ay8meoYYwDwYDVR0T > >>AQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAAcwCQYDVR0SBAIwADArBglghkgB 
> >>hvhCAQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTA4BglghkgBhvhC > >>AQMEKxYpaHR0cDovL2NhLmxpZmVzY2kuZHVuZGVlLmFjLnVrL2NybC12MS5jcmww > >>IgYDVR0RBBswGYEXY2FAbGlmZXNjaS5kdW5kZWUuYWMudWswCwYDVR0PBAQDAgEG > >>MA0GCSqGSIb3DQEBBQUAA4ICAQBWXSsapjd27zrz/5v7OSOQkFu7ZgiQK9oFT82M > >>V8GyIH6KB86u17rpPZOPu3kr9M5YaY8Jil2ytKhR2/YacOYGMemUPf+dKvwIvu+J > >>9a7WIqVReCHl4S8j9amzLGqowJYHgvefNGJuSpFDsQpHkOo5wrZgP8KRn0SYDJf9 > >>fbN+n5Rsr9SOPRs26LVuFamUX7//rYrQU42O8JR61nTZN0iFCsKLTc/ofFEgoW63 > >>wzn0NEagnSAFDJMI5/YIcouwWbu64YXPL84jvn69LANWf7G2YnXwyeOF3TM71Jl3 > >>3z5Qu7qOp56uLPZ9vTYuwkyAFzVqfwNJUEWybTbtp7s/SrBGbSLYv7Q6ZYpEq1mY > >>diNPHhwfkXM2xjgaSom0kQf19rhBInrzsdb4yxNRceZuRQgh4A0zrL4vuTED9BEp > >>rh9Rx3+UZB9+TQbeC8BqRxQYBP/Mh++OYqrmJRsG5ecm/OhD9zB+ikEx9xKoIEPx > >>KocwtdUqOdWdS78QSmi+O/e7cBkApc/wCfpX4FZoBwvSVr4qtz71xMFqhxjx6ahm > >>tT15+MQeaPUL2FDwKOcLTUp5N/dFLy8Dh2OKf2Qg+pXni0Ee4Jy9QP3xDS65XDeJ > >>fx5I426trWldYtFwwlQ902/9/YRqFbzb9qzysqez1nW1Kdea5XTxl2A2I2o024sC > >>Yan4Hw== > >>-----END CERTIFICATE----- > >> > > > >_______________________________________________ > >Pki-users mailing list > >Pki-users at redhat.com > >https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 From crc408 at gmail.com Fri Apr 11 18:54:13 2008 From: crc408 at gmail.com (Chris) Date: Fri, 11 Apr 2008 11:54:13 -0700 Subject: [Pki-users] pkiconsole? In-Reply-To: <20080410075908.GA13330@flea.lifesci.dundee.ac.uk> References: <20080410075908.GA13330@flea.lifesci.dundee.ac.uk> Message-ID: Thanks. A lot easier working with the certificate profiles in the console. On 4/10/08, Jonathan Barber wrote: > > On Wed, Apr 09, 2008 at 10:22:41PM -0700, Chris wrote: > > Will there be an similar 'pkiconsole' application for dogtag as there is > in > > the Red Hat version? 
> > On Fedora 8, after adding the yum repos [1] "yum install pki-console"
> >
> > [1]
> http://pki.fedoraproject.org/wiki/PKI_Install_Guide#Download_the_PKI_Yum_Repository_Configuration_File
> --
> Jonathan Barber
> High Performance Computing Analyst
> Tel. +44 (0) 1382 386389

From crc408 at gmail.com Fri Apr 11 18:56:24 2008
From: crc408 at gmail.com (Chris)
Date: Fri, 11 Apr 2008 11:56:24 -0700
Subject: [Pki-users] No CDP by default?
Message-ID:

Unable to get the CDP in the issuing certificates. Taking the caUserCert profile, it looks like CDP isn't in the profiles by default, which appears to be the default for all certificates.

Using the PKI Console, I added the CRL Distribution Points Extension Default with No Constraints

* The information below was entered based on examples in the Red Hat documentation (http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html).

[Default] tab
crlDistPointsCritical = false
crlDistPointsPointType_0 = URIName
crlDistPointsPointName_0 = http://crl.company.com:80
crlDistPointsReasons_0 = unused,superseded
crlDistPointsIssuerType_0 = http://pkica.corp.company.com
crlDistPointsIssueName_0 = URIName
crlDistPointsEnable_0 = true

When generating the certificate the CDP field is still not visible. I've attached a summary of the profile below with the new CDP field added.

Any ideas?

Thanks.

Chris
--
------------------------------------

*Certificate Profile Information:*
Certificate Profile Id: caUserCert
Certificate Profile Name: Manual User Dual-Use Certificate Enrollment
Description: This certificate profile is for enrolling user certificates.
Approved: false
Approved By:

*Policy Information:*
Policy Set: userCertSet

#  Extensions / Fields  /  Constraints
1  Default: This default populates a User-Supplied Certificate Subject Name to the request.
   Constraint: This constraint accepts the subject name that matches CN=.*
2  Default: This default populates a Certificate Validity to the request. The default values are Range=180 in days
   Constraint: This constraint rejects the validity that is not between 365 days
3  Default: This default populates a User-Supplied Certificate Key to the request.
   Constraint: This constraint accepts the key only if Key Type=-, Key Min Length=256, Key Max Length=4096
4  Default: This default populates an Authority Key Identifier Extension (2.5.29.35) to the request.
   Constraint: No Constraint
5  Default: This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true}
   Constraint: No Constraint
6  Default: This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false
   Constraint: This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false
7  Default: This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
   Constraint: No Constraint
9  Default: This default populates the Certificate Signing Algorithm.
   The default values are Algorithm=SHA1withRSA
   Constraint: This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
12 Default: This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. The default values are Criticality=false,
   Record #0{Point Type: http://crl.company.com:80 ,Point Name:URIName,Reasons:unused,superseded,Issuer Type:http://pkica.company.com,Issuer Name:URIName,Enable:true}
   Record #1{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
   Record #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
   Record #3{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
   Record #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
   Constraint: No Constraint

From blord at redhat.com Fri Apr 11 20:16:20 2008
From: blord at redhat.com (Bob Lord)
Date: Fri, 11 Apr 2008 13:16:20 -0700
Subject: [Pki-users] Modify Certificate Profiles
In-Reply-To: References: <47FD149C.1000306@redhat.com>
Message-ID: <47FFC714.3080503@redhat.com>

Chris wrote:
> Thanks. That worked.
>
> On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu wrote:
>
> Profiles can be configured in /profiles/ca.
> If you add your own new profiles, you need to modify install root>//conf/CS.cfg "profile.list" to contain the new
> profile name, and add the corresponding "class_id" and "config"
> (see the existing entries in CS.cfg as example), and restart the CA.
>
> In addition, Dogtag provides flexible plugin infrastructure that
> allows people to customize various areas. Profile is one of them.
> The standard profile related plugins code is in
> pki/base/common/src/com/netscape/cms/profile/. That's for
> advanced users who know what they are doing. Make sure the certs
> produced still comply.
>
Chris,

Now that you understand this better, is there a place in the wiki you think we (or you!)
might want to improve?

Thanks,
-Bob

From crc408 at gmail.com Sun Apr 13 07:13:08 2008
From: crc408 at gmail.com (Chris Cayetano)
Date: Sun, 13 Apr 2008 00:13:08 -0700
Subject: [Pki-users] Re: No CDP by default?
In-Reply-To: References: Message-ID:

Additional Info:

Some entries from the debug log:

[12/Apr/2008:23:54:42][http-9443-Processor20]: CRLDistribtionPointsExtDefault: createExtension Invalid Property http://pkica.company.com
[12/Apr/2008:23:54:42][http-9443-Processor20]: CRLDistribtionPointsExtDefault: createExtension Invalid Property http://pkica.company.com

From the Red Hat documentation, when using the IssuerName_0=URIName, the IssuerType_n= should be:

* For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.*

So based on the Red Hat documentation, not sure what the value to be.

Thanks,
Chris Cayetano

On 4/11/08, Chris wrote:
>
> Unable to get the CDP in the issuing certificates. Taking the caUserCert
> profile, it looks like CDP isn't in the profiles by default, which appears
> to be the default for all certificates.
>
> Using the PKI Console, I added the CRL Distribution Points Extension
> Default with No Constraints
>
> * The information below was entered based on examples in the Red Hat
> documentation (
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html).
> > [Default] tab > crlDistPointsCritical = false > crlDistPointsPointType_0 = URIName > crlDistPointsPointName_0 = http://crl.company.com:80 > crlDistPointsReasons_0 = unused,superseded > crlDistPointsIssuerType_0 = http://pkica.corp.company.com > crlDistPointsIssueName_0 = URIName > crlDistPointsEnable_0 = true > > When generating the certificate the CDP field is still not visible.I've > attached a summary of the profile below with the new CDP field added. > > Any ideas? > > Thanks. > > Chris > > > -- > ------------------------------------ > > > *Certificate Profile Information:* > Certificate Profile Id: caUserCert Certificate Profile Name: Manual > User Dual-Use Certificate Enrollment > Description: This certificate > profile is for enrolling user certificates. Approved: false Approved By: > > > *Policy Information:* > > Policy Set: userCertSet > > *#* *Extensions / Fields* *Constraints* 1 This default populates a > User-Supplied Certificate Subject Name to the request. > This constraint accepts the subject name that matches CN=.* 2 This > default populates a Certificate Validity to the request. The default values > are Range=180 in days > This constraint rejects the validity that is not between 365 days 3 This > default populates a User-Supplied Certificate Key to the request. > This constraint accepts the key only if Key Type=-, Key Min Length=256, > Key Max Length=4096 4 This default populates an Authority Key Identifier > Extension (2.5.29.35) to the request. > No Constraint 5 This default populates a Authority Info Access Extension > (1.3.6.1.5.5.7.1.1) to the request. The default values are > Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location > Type:URIName,Location:,Enable:true} > No Constraint 6 This default populates a Key Usage Extension (2.5.29.15) > to the request. 
The default values are Criticality=true, Digital > Signature=true, Non-Repudiation=true, Key Encipherment=true, Data > Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL > Sign=false, Encipher Only=false, Decipher Only=false > This constraint accepts the Key Usage extension, if present, only when > Criticality=true, Digital Signature=true, Non-Repudiation=true, Key > Encipherment=true, Data Encipherment=false, Key Agreement=false, Key > Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher > Only=false 7 This default populates an Extended Key Usage Extension () to > the request. The default values are Criticality=false, > OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 > No Constraint 9 This default populates the Certificate Signing Algorithm. > The default values are Algorithm=SHA1withRSA > This constraint accepts only the Signing Algorithms of > SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC 12 > This default populates a CRL Distribution Points Extension (2.5.29.31) to > the request. The default values are Criticality=false, Record #0{Point Type: > http://crl.company.com:80 ,Point > Name:URIName,Reasons:unused,superseded,Issuer Type: > http://pkica.company.com,Issuer Name:URIName,Enable:true}Record #1{Point > Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record > #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer > Name:,Enable:false}Record #3{Point Type:,Point Name:,Reasons:,Issuer > Type:,Issuer Name:,Enable:false}Record #4{Point Type:,Point > Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false} > No Constraint > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cfu at redhat.com Mon Apr 14 14:30:02 2008 From: cfu at redhat.com (Christina Fu) Date: Mon, 14 Apr 2008 07:30:02 -0700 Subject: [Pki-users] Re: No CDP by default? 
In-Reply-To: References: Message-ID: <48036A6A.1050006@redhat.com>

Hi, your values for crlDistPointsIssuerType_0 and crlDistPointsIssueName_0 need to be switched. Let me know if this helps.

Christina

Chris Cayetano wrote:
> Additional Info:
>
> Some entries from the debug log:
>
> [12/Apr/2008:23:54:42][http-9443-Processor20]:
> CRLDistribtionPointsExtDefault: createExtension Invalid Property
> http://pkica.company.com
> [12/Apr/2008:23:54:42][http-9443-Processor20]:
> CRLDistribtionPointsExtDefault: createExtension Invalid Property
> http://pkica.company.com
>
> From the Red Hat documentation, when using the IssuerName_0=URIName,
> the IssuerType_n= should be:
>
> / For URIName, the value must be a non-relative URI following the URL
> syntax and encoding rules. The name must include both a scheme, such
> as http, and a fully qualified domain name or IP address of the host.
> For example, http://testCA.example.com./
>
> So based on the Red Hat documentation, not sure what the value to be.
>
> Thanks,
> Chris Cayetano
>
>
> On 4/11/08, *Chris* > wrote:
>
>
> Unable to get the CDP in the issuing certificates. Taking the
> caUserCert profile, it looks like CDP isn't in the profiles by
> default, which appears to be the default for all certificates.
>
> Using the PKI Console, I added the CRL Distribution Points
> Extension Default with No Constraints
>
> * The information below was entered based on examples in the Red
> Hat documentation (
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html
> ).
> > [Default] tab > crlDistPointsCritical = false > crlDistPointsPointType_0 = URIName > crlDistPointsPointName_0 = http://crl.company.com:80 > > crlDistPointsReasons_0 = unused,superseded > crlDistPointsIssuerType_0 = http://pkica.corp.company.com > > crlDistPointsIssueName_0 = URIName > crlDistPointsEnable_0 = true > > When generating the certificate the CDP field is still not > visible.I've attached a summary of the profile below with the new > CDP field added. > > Any ideas? > > Thanks. > > Chris > > > -- > ------------------------------------ > > > *Certificate Profile Information:* > Certificate Profile Id: caUserCert > Certificate Profile Name: Manual User Dual-Use Certificate > Enrollment > Description: This certificate profile is for enrolling user > certificates. > Approved: false > Approved By: > > *Policy Information:* > > Policy Set: userCertSet > > *#* *Extensions / Fields* *Constraints* > 1 This default populates a User-Supplied Certificate Subject Name > to the request. > This constraint accepts the subject name that matches CN=.* > 2 This default populates a Certificate Validity to the request. > The default values are Range=180 in days > This constraint rejects the validity that is not between 365 days > 3 This default populates a User-Supplied Certificate Key to the > request. > This constraint accepts the key only if Key Type=-, Key Min > Length=256, Key Max Length=4096 > 4 This default populates an Authority Key Identifier Extension > (2.5.29.35 ) to the request. > No Constraint > 5 This default populates a Authority Info Access Extension > (1.3.6.1.5.5.7.1.1) to the request. The default values are > Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location > Type:URIName,Location:,Enable:true} > No Constraint > 6 This default populates a Key Usage Extension (2.5.29.15 > ) to the request. 
The default values are > Criticality=true, Digital Signature=true, Non-Repudiation=true, > Key Encipherment=true, Data Encipherment=false, Key > Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, > Encipher Only=false, Decipher Only=false > This constraint accepts the Key Usage extension, if present, only > when Criticality=true, Digital Signature=true, > Non-Repudiation=true, Key Encipherment=true, Data > Encipherment=false, Key Agreement=false, Key Certificate > Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher > Only=false > 7 This default populates an Extended Key Usage Extension () to > the request. The default values are Criticality=false, > OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 > No Constraint > 9 This default populates the Certificate Signing Algorithm. The > default values are Algorithm=SHA1withRSA > This constraint accepts only the Signing Algorithms of > SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC > > 12 This default populates a CRL Distribution Points Extension > (2.5.29.31 ) to the request. 
The default values > are Criticality=false, Record #0{Point > Type:http://crl.company.com:80 ,Point > Name:URIName,Reasons:unused,superseded,Issuer > Type:http://pkica.company.com ,Issuer > Name:URIName,Enable:true}Record #1{Point Type:,Point > Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record > #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer > Name:,Enable:false}Record #3{Point Type:,Point > Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}Record > #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer > Name:,Enable:false} > No Constraint > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > From chriscayetano at gmail.com Mon Apr 14 15:52:43 2008 From: chriscayetano at gmail.com (Chris Cayetano) Date: Mon, 14 Apr 2008 08:52:43 -0700 Subject: [Pki-users] Re: No CDP by default? In-Reply-To: <48036A6A.1050006@redhat.com> References: <48036A6A.1050006@redhat.com> Message-ID: <4daeaaa00804140852h50faad60pd0c5be3fa2687f36@mail.gmail.com> Hi Christina, That worked. Thanks for your help. Though minor, it appears the Red Hat documentation for IssuerType and IssuerName is also switched, correct? Thanks, Chris Cayetano http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html *IssuerName_ n * Specifies the name of the issuer that has signed the CRL maintained at the distribution point. The name can be in any of the following formats: - RFC822Name - DirectoryName - DNSName - EDIPartyName - *URIName* - IPAddress - OIDName - OtherName *IssuerType_ n * Specifies the general name type of the CRL issuer that signed the CRL. The permissible values are as follows: - For RFC822Name, the value must be a valid Internet mail address. For example, testCA at example.com. 
- For DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
- For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
- For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
- *For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.*
- For IPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address with netmask is separated by a comma. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
- For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
- OtherName is used for names with any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. PrintableString, IA5String, UTF8String, BMPString, and Any set a string to a base-64 encoded file specifying the subtree, such as /var/lib/rhpki-ca/othername.txt. KerberosName has the format *Realm|NameType|NameStrings*, such as realm1|0|userID1,userID2.

The value for this parameter must correspond to the value in the issuerName field.

On Mon, Apr 14, 2008 at 7:30 AM, Christina Fu wrote:
> Hi, your values for crlDistPointsIssuerType_0 and crlDistPointsIssueName_0
> need to be switched. Let me know if this helps.
>
> Christina
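A check that covers both certificate questions in this thread: whether the CRL Distribution Points extension (2.5.29.31) really ends up in an issued certificate with the intended URI and cRLIssuer once the profile is fixed, and why PrettyPrintCert rejected the CA certificate Jonathan Barber posted earlier. Decoding the extensions of that certificate shows an issuerAltName (2.5.29.18) whose value is an empty SEQUENCE (DER `30 00`); RFC 5280 defines GeneralNames as SEQUENCE SIZE (1..MAX), so NSS being lenient and the Java parser throwing "No data available" are two parsers disagreeing about a non-conforming encoding. The walker below is an added example, not Dogtag or Red Hat code; it uses only the Python standard library, and the sample extensions it builds, including the crl.company.com and pkica.company.com URIs, are constructed for the demonstration rather than taken from a real certificate.

```python
"""Walk the Extensions of a DER certificate without an ASN.1 library, to see
what a CA actually issued: added example, not Dogtag or Red Hat code."""
from __future__ import annotations
import base64

OIDS = {"2.5.29.17": "subjectAltName", "2.5.29.18": "issuerAltName",
        "2.5.29.19": "basicConstraints", "2.5.29.31": "cRLDistributionPoints"}

def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value; only used to build the constructed sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one element at pos: (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:  # long form: low 7 bits give the number of length octets
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n

def children(buf: bytes) -> list[tuple[int, bytes]]:
    """All (tag, contents) pairs inside a constructed element's contents."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def uris(general_names: bytes) -> list[str]:
    """uniformResourceIdentifier is GeneralName choice [6], tag 0x86."""
    return [v.decode("ascii") for t, v in children(general_names) if t == 0x86]

def inspect_extensions(extensions_der: bytes) -> dict:
    """Report extension names, CDP URIs/issuers and empty GeneralNames."""
    rep = {"extensions": [], "crl_uris": [], "crl_issuers": [], "findings": []}
    for _, ext in children(extensions_der):
        parts = children(ext)            # OID, optional BOOLEAN, OCTET STRING
        oid = decode_oid(parts[0][1])
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        name = OIDS.get(oid, oid)
        rep["extensions"].append((name, critical))
        _, inner, _ = read_tlv(parts[-1][1])   # unwrap the OCTET STRING payload
        if oid in ("2.5.29.17", "2.5.29.18") and not children(inner):
            # GeneralNames ::= SEQUENCE SIZE (1..MAX): an empty one is what the
            # Java parser rejects with "No data available" while NSS lets it pass.
            rep["findings"].append(f"{name}: empty GeneralNames")
        elif oid == "2.5.29.31":
            for _, dp in children(inner):                 # DistributionPoint
                for dtag, dval in children(dp):
                    if dtag == 0xA0:                      # [0] distributionPoint
                        for ntag, nval in children(dval):
                            if ntag == 0xA0:              # [0] fullName
                                rep["crl_uris"] += uris(nval)
                    elif dtag == 0xA2:                    # [2] cRLIssuer
                        rep["crl_issuers"] += uris(dval)
                        if not children(dval):
                            rep["findings"].append("cRLDistributionPoints: empty cRLIssuer")
    return rep

def extensions_from_pem(pem: str) -> bytes:
    """Certificate -> tbsCertificate -> [3] EXPLICIT Extensions (contents)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(body))
    _, tbs, _ = read_tlv(cert)
    for tag, val in children(tbs):
        if tag == 0xA3:
            return read_tlv(val)[1]
    raise ValueError("certificate carries no extensions")

def extension(oid: str, inner: bytes, critical: bool = False) -> bytes:
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, inner))

def sample_extensions() -> bytes:
    """Constructed sample, not from a real certificate: CA:TRUE, an empty
    issuerAltName like the posted CA cert, and a CDP with assumed URIs."""
    dp = tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.company.com:80/ca.crl"))) \
        + tlv(0xA2, tlv(0x86, b"http://pkica.company.com"))
    return (extension("2.5.29.19", tlv(0x30, tlv(0x01, b"\xff")), critical=True)
            + extension("2.5.29.18", tlv(0x30, b""))
            + extension("2.5.29.31", tlv(0x30, tlv(0x30, dp))))
```

For a real certificate, call `inspect_extensions(extensions_from_pem(open("cert.pem").read()))`; an issued certificate whose `crl_uris` comes back empty is exactly the symptom at the top of this thread, and a CA certificate that produces an "empty GeneralNames" finding will keep failing in the Java tools until it is reissued without the empty extension.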
From cfu at redhat.com Mon Apr 14 17:30:05 2008
From: cfu at redhat.com (Christina Fu)
Date: Mon, 14 Apr 2008 10:30:05 -0700
Subject: [Pki-users] Re: No CDP by default?
In-Reply-To: <4daeaaa00804140852h50faad60pd0c5be3fa2687f36@mail.gmail.com>
References: <48036A6A.1050006@redhat.com> <4daeaaa00804140852h50faad60pd0c5be3fa2687f36@mail.gmail.com>
Message-ID: <4803949D.4050406@redhat.com>

Hi! Thank you for reading the manual! We encourage our community members to file bugs not just for bugs in the software, but also for clarity in documentation. See http://pki.fedoraproject.org/wiki/PKI_Bugs. I encourage you to file a bug.

thanks!
Christina

Chris Cayetano wrote:
> Hi Christina,
>
> That worked. Thanks for your help. Though minor, it appears the Red
> Hat documentation for IssuerType and IssuerName is also switched, correct?
>
> Thanks,
> Chris Cayetano
>
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Defaults_Reference-CRL_Distribution_Points_Extension_Default.html
>
> *IssuerName_ /n/ *
>
> Specifies the name of the issuer that has signed the CRL maintained at
> the distribution point. The name can be in any of the following formats:
>
> * RFC822Name
> * DirectoryName
> * DNSName
> * EDIPartyName
> * *URIName*
> * IPAddress
> * OIDName
> * OtherName
>
> *IssuerType_ /n/ *
>
> Specifies the general name type of the CRL issuer that signed the CRL.
> The permissible values are as follows:
>
> * For RFC822Name, the value must be a valid Internet mail address.
>   For example, testCA at example.com.
>
> * For DirectoryName, the value must be a string form of X.500
>   name, similar to the subject name in a certificate. For example,
>   cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
>
> * For DNSName, the value must be a valid fully-qualified domain
>   name. For example, testCA.example.com.
>
> * For EDIPartyName, the value must be an IA5String.
For example, > Example Corporation. > > * > > * For URIName, the value must be a non-relative URI following > the URL syntax and encoding rules. The name must include both a > scheme, such as http, and a fully qualified domain name or IP > address of the host. For example, http://testCA.example.com.* > > * > > For IPAddress, the value must be a valid IP address. An IPv4 > address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For > example, 128.21.39.40 or 128.21.39.40 > ,255.255.255.00 . An > IPv 6 address with netmask is separated by a comma. For example, > 0:0:0:0:0:0:13.1.68.3 , FF01::43, > 0:0:0:0:0:0:13.1.68.3 > ,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 > , and > FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. > > * > > For OIDName, the value must be a unique, valid OID specified in > dot-separated numeric component notation. For example, > 1.2.3.4.55.6.5.99. > > * > > OtherName is used for names with any other format; this supports > PrintableString, IA5String, UTF8String, BMPString, Any, and > KerberosName. PrintableString, IA5String, UTF8String, BMPString, > and Any set a string to a base-64 encoded file specifying the > subtree, such as /var/lib/rhpki-ca/othername.txt. KerberosName > has the format /Realm|NameType|NameStrings/, such as > realm1|0|userID1,userID2. > > The value for this parameter must correspond to the value in the > issuerName field. > > > > > > > On Mon, Apr 14, 2008 at 7:30 AM, Christina Fu > wrote: > > Hi, your values for crlDistPointsIssuerType_0 and > crlDistPointsIssueName_0 need to be switched. Let me know if this > helps. 
> > Christina
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From sam at vpac.org Wed Apr 16 01:45:17 2008
From: sam at vpac.org (Sam Morrison)
Date: Wed, 16 Apr 2008 11:45:17 +1000
Subject: [Pki-users] CMC enrollment using CMS
Message-ID:

Hi,

I am currently testing out the Dogtag CA.
I am wanting to get a certificate automatically using CMC.
Is there an HTTPS interface where I can get a certificate from another machine with a CMC client?
Does dogtag support CMS to be able to do this?

Thanks,

Sam Morrison
Systems Administrator
Victorian Partnership for Advanced Computing
110 Victoria St. Carlton South, VIC, 3053
Phone: (03) 9925 8372

From jmagne at redhat.com Wed Apr 16 01:54:54 2008
From: jmagne at redhat.com (Jack Magne)
Date: Tue, 15 Apr 2008 18:54:54 -0700
Subject: [Pki-users] CMC enrollment using CMS
In-Reply-To: References: Message-ID: <48055C6E.3010707@redhat.com>

Sam:

We have some of our own CMC command line tools used to make requests to the server here:

http://www.redhat.com/docs/manuals/cert-system/7.3/html/Command_Line_Tools_Guide/index.html

Above is a doc for our CS 7.3 product which should give you the information.

thanks,
jack

Sam Morrison wrote:
> Hi,
>
> I am currently testing out the Dogtag CA.
> I am wanting to get a certificate automatically using CMC.
> Is there an HTTPS interface where I can get a certificate from another
> machine with a CMC client?
> Does dogtag support CMS to be able to do this?
>
> Thanks,
>
>
> Sam Morrison
>
> Systems Administrator
> Victorian Partnership for Advanced Computing
> 110 Victoria St.
Carlton South, VIC, 3053 > Phone: (03) 9925 8372 > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3237 bytes Desc: S/MIME Cryptographic Signature URL: From sam at vpac.org Wed Apr 16 02:08:34 2008 From: sam at vpac.org (Sam Morrison) Date: Wed, 16 Apr 2008 12:08:34 +1000 Subject: [Pki-users] CMC enrollment using CMS In-Reply-To: <48055C6E.3010707@redhat.com> References: <48055C6E.3010707@redhat.com> Message-ID: Hi Jack, I already have an application with a CMC client build in, it uses CMS to talk to the CA over an HTTPS connection. I was wondering if dogtag has such a "portal" Sam On 16/04/2008, at 11:54 AM, Jack Magne wrote: > Sam: > > We have some of our own CMC command line tools used to make requests > to the server here: > > http://www.redhat.com/docs/manuals/cert-system/7.3/html/Command_Line_Tools_Guide/index.html > > Above is a doc for our CS 7.3 product which should give you the > information. > > thanks, > jack > > > Sam Morrison wrote: >> Hi, >> >> I am currently testing out the Dogtag CA. >> I am wanting to get a certificate automatically using CMC. >> Is there an HTTPS interface where I can get a certificate from >> another machine with a CMC client? >> Does dogtag support CMS to be able to do this? >> >> Thanks, >> >> >> Sam Morrison >> >> Systems Administrator >> Victorian Partnership for Advanced Computing >> 110 Victoria St. 
Carlton South, VIC, 3053 >> Phone: (03) 9925 8372 >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> Sam Morrison Systems Administrator Victorian Partnership for Advanced Computing 110 Victoria St. Carlton South, VIC, 3053 Phone: (03) 9925 8372 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2405 bytes Desc: not available URL: From fujyhluo at yahoo.com Thu Apr 17 17:59:23 2008 From: fujyhluo at yahoo.com (Fu-Jyh Luo) Date: Thu, 17 Apr 2008 10:59:23 -0700 (PDT) Subject: [Pki-users] how to add new TPS Agent? Message-ID: <778443.97177.qm@web30303.mail.mud.yahoo.com> hi, What is right procedure to add new TPS Agent? Thanks, Fu ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ From cfu at redhat.com Mon Apr 21 16:53:00 2008 From: cfu at redhat.com (Christina Fu) Date: Mon, 21 Apr 2008 09:53:00 -0700 Subject: [Pki-users] how to add new TPS Agent? In-Reply-To: <778443.97177.qm@web30303.mail.mud.yahoo.com> References: <778443.97177.qm@web30303.mail.mud.yahoo.com> Message-ID: <480CC66C.1050207@redhat.com> Fu-Jyh Luo wrote: > hi, > > What is right procedure to add new TPS Agent? > > Thanks, > Fu > > > ____________________________________________________________________________________ > Be a better friend, newshound, and > know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > Hi Fu, Currently, TPS does not support that. 
However, we encourage our community members to file bugs and request for features (RFE's). You are more than welcome to contribute by going to http://pki.fedoraproject.org/wiki/PKI_Bugs and file away. thank you very much! Christina From ehansen at spyrus.com Fri Apr 25 21:58:33 2008 From: ehansen at spyrus.com (Ebbe Hansen) Date: Fri, 25 Apr 2008 14:58:33 -0700 Subject: [Pki-users] Invalid Credential / User not found Message-ID: After using the DogTag WEB Agent client once (based upon "preop.pin" value) the WEB Agent fail to continue to operate with error message= "Invalid Credential" . The "/var/lib//logs/system" file reports an "User not found" error. NOTE: During the CA configuration setup the following Alert is displayed when the administrator certificate is installed: "This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved." Suggestions on what to try next will be appreciated? Ebbe Hansen @ SPYRUS "This message and any attached documents contain SPYRUS confidential and/or proprietary information and may be subject to privilege or exempt from disclosure under applicable law. These materials are intended only for the use of the intended recipient. If you are not the intended recipient of this electronic message, you are hereby notified that any use of this message is strictly prohibited. Delivery of this message to any person other than the intended recipient shall not constitute any waiver of any privilege. If you have received this message in error, please delete this message from your system and notify the sender immediately. Thank you." -------------- next part -------------- An HTML attachment was scrubbed... 
From jmagne at redhat.com Fri Apr 25 23:19:31 2008
From: jmagne at redhat.com (Jack Magne)
Date: Fri, 25 Apr 2008 16:19:31 -0700
Subject: [Pki-users] Invalid Credential / User not found
Message-ID: <48126703.3000600@redhat.com>

Ebbe:

Thanks for trying out Dogtag. A few tips to help out below.

During the wizard when you saw the message "This certificate can't be
verified and will not be imported. The certificate issuer might be unknown
or untrusted, the certificate might have expired or been revoked, or the
certificate might not have been approved.", you most probably had your
agent certificate imported OK. We have a bug for this that we are working
on. This message shows up despite an actual successful import.

The "preop.pin" you speak of is used in the case that one has not yet
completed the installation wizard.

Here are a few things you can try:

1. If you have already finished the wizard, you should be able to simply
proceed to the agent interface URL without any pin, provided you have
successfully imported the Admin cert. Simply go to
"https://host.example.com:9443" and see if you can proceed using the agent
interface.

2. If the nasty error message from above scared you off of actually
finishing the configuration wizard, go back and do so. This is done with
the URL that gets printed when the instance is installed. It looks
something like:

http://host.example.com:9080/ca/admin/console/config/login?

3. If everything is too confused, you can start the process over by using
our "pkiremove" tool which removes an existing instance. Try something
like, as root:

pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca

The "pki-ca" at the end is the name of the instance you are trying to
remove. The very first instance that is installed when you install the RPM
is in fact "pki-ca".

From here you can try again by doing the following as root:

rpm -ev pki-ca
yum install pki-ca

This will reinstall your RPM for the CA and create a brand new instance.

Note: Make sure you have used "pkiremove" to remove all instances you may
have created before trying this.

4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
IRC channel.

thanks,
jack
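Jack's step 3 removes one instance per pkiremove call, and his note warns that every instance has to be gone before the RPM is removed and reinstalled; Ebbe, for example, had pki-ca, pki-ca1 and pki-ca2. The script below is an added example, not code from this thread or from the Dogtag project: a small POSIX shell helper that lists what looks like Dogtag instances under an instance root and runs pkiremove on each, dry-run by default, stopping at the first failure so that "rpm -ev" is never reached with an instance still on disk. The assumption that an instance is a directory named pki-* holding a conf/CS.cfg file is mine, and the PKI_INSTANCE_ROOT, PKIREMOVE and DRY_RUN variables exist only so the helper can be exercised without root or a real pkiremove binary.

```shell
#!/bin/sh
# Added example: remove every Dogtag instance under an instance root with
# pkiremove before "rpm -ev pki-ca; yum install pki-ca".  Not part of the
# mailing-list thread or of Dogtag itself.
#
# Assumptions (mine, not from the thread): an instance lives at
# $PKI_INSTANCE_ROOT/pki-<name> and carries a conf/CS.cfg file; the
# PKIREMOVE and DRY_RUN variables exist only so the script can be
# exercised without root or a real pkiremove binary.

PKI_INSTANCE_ROOT="${PKI_INSTANCE_ROOT:-/var/lib}"
PKIREMOVE="${PKIREMOVE:-pkiremove}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print what would be removed
REMOVED_COUNT=0

# list_pki_instances ROOT
#   Prints the name of every directory ROOT/pki-* that holds conf/CS.cfg,
#   one per line.  Directories without CS.cfg are skipped so that a stray
#   "pki-backup" folder is never handed to pkiremove.
list_pki_instances() {
    root="$1"
    for dir in "$root"/pki-*; do
        [ -d "$dir" ] || continue
        [ -f "$dir/conf/CS.cfg" ] || continue
        basename "$dir"
    done
}

# remove_all_instances ROOT
#   Runs pkiremove for every instance found by list_pki_instances and
#   records how many were processed in REMOVED_COUNT.  Returns non-zero as
#   soon as one removal fails, so the caller does not go on to rpm -ev with
#   instances still on disk.
remove_all_instances() {
    root="$1"
    REMOVED_COUNT=0
    for name in $(list_pki_instances "$root"); do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would run: $PKIREMOVE -pki_instance_root=$root -pki_instance_name=$name"
        else
            "$PKIREMOVE" -pki_instance_root="$root" -pki_instance_name="$name" || return 1
        fi
        REMOVED_COUNT=$((REMOVED_COUNT + 1))
    done
    return 0
}

# Only act when invoked with --run; without it the file just defines the
# functions, which keeps an accidental "sh remove-pki-instances.sh" harmless.
if [ "$1" = "--run" ]; then
    remove_all_instances "$PKI_INSTANCE_ROOT" || exit 1
    echo "processed $REMOVED_COUNT instance(s) (DRY_RUN=$DRY_RUN)"
fi
```

Run "sh remove-pki-instances.sh --run" as root first to see the dry-run listing, then "DRY_RUN=0 sh remove-pki-instances.sh --run" to actually call pkiremove, and only then proceed with Jack's "rpm -ev pki-ca" and "yum install pki-ca".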
From ehansen at spyrus.com Fri Apr 25 23:33:25 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Fri, 25 Apr 2008 16:33:25 -0700
Subject: [Pki-users] Invalid Credential / User not found
In-Reply-To: <48126703.3000600@redhat.com>

Thanks for the advice -- so far I have created three CA instances using
different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all three
and start all over!

With respect to directory server instance(s) - should I also remove them?

If yes -- what command(s) should I use?

Ebbe

From caverett at corecodec.net Fri Apr 25 21:27:31 2008
From: caverett at corecodec.net (caverett at corecodec.net)
Date: Fri, 25 Apr 2008 14:27:31 -0700 (PDT)
Subject: [Pki-users] Unable to complete setup
Message-ID: <3486.72.1.130.151.1209158851.squirrel@housingdoom.com>

I am trying to get the pki-ca setup completed; however, I can't get the
"Administrator" section to complete. I enter a UID, name, email, and
password, and hit next. Depending on the browser, I get different things.

IE6: Spinning circle, javascript error.
Line 267: Object doesn't support this property or method: TheForm.uid.Value
Firefox: Just hangs
Safari: Spins forever

Anyone had something like this happen?

From jmagne at redhat.com Fri Apr 25 23:47:35 2008
From: jmagne at redhat.com (Jack Magne)
Date: Fri, 25 Apr 2008 16:47:35 -0700
Subject: [Pki-users] Invalid Credential / User not found
Message-ID: <48126D97.8040107@redhat.com>

Ebbe:

You can leave your current directory instance. When you re-do the config
wizard, you will just have to give unique names for the new directory trees
it will have to create. Removing instances is a great idea for us to work
on.

thanks,
jack

From mharmsen at redhat.com Fri Apr 25 23:59:37 2008
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 25 Apr 2008 16:59:37 -0700
Subject: [Pki-users] Invalid Credential / User not found
In-Reply-To: <48126D97.8040107@redhat.com>
References: <48126D97.8040107@redhat.com>
Message-ID: <48127069.2030206@redhat.com>

Ebbe,

Actually, I have an update for you on your request. Please see
https://bugzilla.redhat.com/show_bug.cgi?id=440141.

If you check out the subversion source, we now include a Perl script that
will let you remove DS instances. Its use is documented in the Dogtag Wiki
at http://pki.fedoraproject.org/wiki/PKI_Components_Collectively_via_Subversion.

Once again, thanks for using Dogtag!

-- Matt

From ehansen at spyrus.com Mon Apr 28 22:58:40 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Mon, 28 Apr 2008 15:58:40 -0700
Subject: [Pki-users] Invalid Credential / User not found
In-Reply-To: <48126D97.8040107@redhat.com>

DogTag support,

By enabling the Linux LDAP authentication option, I was successful in
eliminating the "Invalid Credential" error message when starting the
"DogTag" WEB Agent.

My question is now, how do I "enable" the LDAP authentication option when
executing the WEB Agent via a FireFox browser that executes on a Windows XP
platform?

I have found some Internet sites that mention a "LDAP plug-in" -- is such a
module available for FireFox/Windows so I can execute the "DogTag" WEB Agent
from Windows??
Ebbe Hansen @ SPYRUS

From jmagne at redhat.com Tue Apr 29 00:07:52 2008
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 28 Apr 2008 17:07:52 -0700
Subject: [Pki-users] Invalid Credential / User not found
Message-ID: <481666D8.3050400@redhat.com>

Ebbe:

I think I may have an idea what the issue is. If I'm off track, please let
me know.

It sounds like you made it successfully through the installation wizard of
the Dogtag CA, and were able to successfully import the "Admin" Cert into
the browser you used to perform the wizard. This means that the identity of
the "Admin" or "Agent" can be presented to the server when requested. This
explains why you were able to get to the Agent page ok.

It sounds like you are now trying to get to the Agent interface using
perhaps another browser on some other machine. If this is the case, you are
being denied because the other browser/machine does not have the
"Admin/Agent" certificate imported.

To fix this do the following:

1. Open the browser (I assume Firefox) on the machine where you can get to
the Agent page.

2. Click Edit->Preferences->View Certificates. Note on different OS's and
different versions of Firefox, this procedure may vary.

3. Click "Your Certificates".

4. In the list, you should have one called "Administrator". Click on this
cert.

5. Click the "export" button. This will enable you to export your
certificate to the PKCS#12 format.

6. Grab this XXXXX.p12 file and move it over to the other machine you want
to be able to get to the Agent page from.

7.
Open Firefox and click on Edit->Preferences->View Certificates->Your Certificates.
8. Click on "import".
9. Find the XXXXXX.p12 file you created and follow the instructions.
10. After successfully importing your certificate, you should be able to get to the Dogtag Agent page from this other machine.

thanks,
jack

Ebbe Hansen wrote:
> DogTag support,
>
> By enabling the Linux LDAP authentication option, I was successful in
> eliminating the "Invalid Credential" error message when starting the
> "DogTag" WEB Agent.
>
> My question is now, how do I "enable" the LDAP authentication option when
> executing the WEB Agent via a FireFox browser that executes on a windows-XP
> platform?
>
> I have found some Internet sites that mention a "LDAP plug-in" -- is such
> a module available for FireFox/windows so I can execute the "DogTag" WEB Agent
> from windows?
>
> Ebbe Hansen @ SPYRUS

From jmagne at redhat.com Tue Apr 29 00:23:55 2008
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 28 Apr 2008 17:23:55 -0700
Subject: [Pki-users] Unable to complete setup
In-Reply-To: <3486.72.1.130.151.1209158851.squirrel@housingdoom.com>
References: <3486.72.1.130.151.1209158851.squirrel@housingdoom.com>
Message-ID: <48166A9B.4050805@redhat.com>

Hello:

Thanks for the interest in Dogtag. First of all, we support Firefox when running the configuration Wizard to set up the product. For using the product, we support Firefox and IE.
We do not claim support for Safari. Thus we can concentrate on your issue with Firefox hanging when trying to finish the "Administrator" section. This is not something we have seen reported or in ordinary use, so a few questions might help us.

1. Were there any other strange things reported during the other parts of the wizard?
2. Did you get past the screen ok where you configure your directory server instance?
3. On the panel before the Administrator panel, there are panels dealing with getting a bunch of certificates from the CA server. Was there anything unusual there? One screen shows you all the certificates that you have obtained.
4. You might try removing the instance you created and try again. More info on the tools to do this is found here: http://pki.fedoraproject.org/wiki/PKI_Install_Guide

thanks,
jack

caverett at corecodec.net wrote:
> I am trying to get the pki-ca setup completed; however, I can't get
> the "Administrator" section to complete.
>
> I enter a UID, name, email, and password, and hit next. Depending on
> the browser, I get different things.
>
> IE6: Spinning circle, javascript error.
> Line 267: Object doesn't support this property or method:
> TheForm.uid.Value
>
> Firefox: Just hangs
>
> Safari: Spins forever
>
> Anyone had something like this happen?

From sam at vpac.org Tue Apr 29 01:00:49 2008
From: sam at vpac.org (Sam Morrison)
Date: Tue, 29 Apr 2008 11:00:49 +1000
Subject: [Pki-users] CMC enrolment
Message-ID: <076BF5EB-0634-4DA9-8C51-528F7F602699@vpac.org>

I have an application that generates certificates using CMC to talk to a CA server. I read that Dogtag supports CMC so I have downloaded and installed it.
The problem I have is that I have no idea how to get my application and the Dogtag CA to talk. (And I am just learning what CMC actually is!)
My application has an RFC2797 compliant CMC client and to configure it I need to enter the url of the CA and some java keystore files.

Help would be greatly appreciated.

Thanks,

Sam Morrison

Systems Administrator
Victorian Partnership for Advanced Computing
110 Victoria St.
Carlton South, VIC, 3053
Australia
Phone: +61 3 9925 8372

From ehansen at spyrus.com Tue Apr 29 01:14:48 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Mon, 28 Apr 2008 18:14:48 -0700
Subject: [Pki-users] Invalid Credential / User not found
In-Reply-To: <481666D8.3050400@redhat.com>
Message-ID:

Thanks Jack,

I will try to export the Agent's PKCS#12 and then import it into another client platform.

My initial problem "Invalid Credentials" may have occurred because I issued a user-type certificate to the Agent itself when running the Agent for the first time. This second certificate may hereafter have hindered a default authentication session each time I restarted the Agent services (resulting in the "Invalid Credentials" message).
Only after I enabled the Linux/Fedora LDAP authentication option was I presented with a choice so I could select the proper Agent/Admin certificate needed for the initial authentication as the WEB page is opened.

Instead of "cloning" the Agent/Admin certificate (and key - via use of the PKCS#12) to another location, I would prefer to use a dedicated Agent (assistance type) certificate template and apply for such a certificate using the EE WEB page from this alternative platform (to be approved by the original Agent of course).

Is such "Agent delegation" possible using the current DogTag software?

Ebbe

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Monday, April 28, 2008 5:08 PM
To: Ebbe Hansen
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found

Ebbe:

I think I may have an idea what the issue is. If I'm off track, please let me know.

It sounds like you made it successfully through the installation wizard of the Dogtag CA, and were able to successfully import the "Admin" Cert into the browser you used to perform the wizard. This means that the identity of the "Admin" or "Agent" can be presented to the server when requested. This explains why you were able to get to the Agent page ok.

It sounds like you are now trying to get to the Agent interface using perhaps another browser on some other machine. If this is the case, you are being denied because the other browser/machine does not have the "Admin/Agent" certificate imported.

To fix this do the following:

1. Open the browser (I assume Firefox) on the machine where you can get to the Agent page.
2. Click Edit->Preferences->View Certificates. Note on different OS's and different versions of Firefox, this procedure may vary.
3. Click "Your Certificates".
4. In the list, you should have one called "Administrator". Click on this cert.
5. Click the "export" button. This will enable you to export your certificate to the PKCS#12 format.
6. Grab this XXXXX.p12 file and move it over to the other machine you want to be able to get to the Agent page from.
7. Open Firefox and click on Edit->Preferences->View Certificates->Your Certificates.
8. Click on "import".
9. Find the XXXXXX.p12 file you created and follow the instructions.
10. After successfully importing your certificate, you should be able to get to the Dogtag Agent page from this other machine.

thanks,
jack

From jmagne at redhat.com Tue Apr 29 01:17:42 2008
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 28 Apr 2008 18:17:42 -0700
Subject: [Pki-users] CMC enrolment
In-Reply-To: <076BF5EB-0634-4DA9-8C51-528F7F602699@vpac.org>
References: <076BF5EB-0634-4DA9-8C51-528F7F602699@vpac.org>
Message-ID: <48167736.8000808@redhat.com>

Hello Sam:

Our server does support CMC. At this time it requires using one of our web based "certificate enrollment profiles" whereby you fill in a form field with a blob of CMC request data. We have some stand alone tools used to create such requests.

More information here:

http://pki.fedoraproject.org/wiki/PKI_Java_Tools

thanks,
jack

Sam Morrison wrote:
> I have an application that generates certificates using CMC to talk to
> a CA server. I read that Dogtag supports CMC so I have downloaded and
> installed it.
> Problem I have is that I have no idea how to get my application and
> Dogtag CA to talk. (and that I am just learning what CMC actually is!)
> My application has an RFC2797 compliant CMC client and to configure it
> I need to enter the url of the CA and some java keystore files.
>
> Help would be greatly appreciated.
>
> Thanks,
>
> Sam Morrison
>
> Systems Administrator
> Victorian Partnership for Advanced Computing
> 110 Victoria St.
> Carlton South, VIC, 3053 > Australia > Phone: +61 3 9925 8372 > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3237 bytes Desc: S/MIME Cryptographic Signature URL: From smsharif at hotmail.com Wed Apr 30 02:09:51 2008 From: smsharif at hotmail.com (Shahid Sharif) Date: Tue, 29 Apr 2008 22:09:51 -0400 Subject: [Pki-users] unable to find pkiconsole command Message-ID: I am unable to find pkiconsole command in /usr/bin?Shahid Sharifhttp://www.1and1.com/?k_id=6833318 _________________________________________________________________ Turn every day into $1000. Learn more at SignInAndWIN.ca http://g.msn.ca/ca55/213 -------------- next part -------------- An HTML attachment was scrubbed... URL: From msauton at redhat.com Wed Apr 30 14:47:05 2008 From: msauton at redhat.com (Marc Sauton) Date: Wed, 30 Apr 2008 07:47:05 -0700 Subject: [Pki-users] unable to find pkiconsole command In-Reply-To: References: Message-ID: <48188669.4070807@redhat.com> Shahid Sharif wrote: > I am unable to find pkiconsole command in /usr/bin? How did you install DogTag ? (Did you run a yum install pki-ca command ?) http://pki.fedoraproject.org/wiki/PKI_Install_Guide /usr/bin/pkiconsole is provided by the pki-console rpm Make sure you have installed pki-console yum info pki-console yum install pki-console > > Shahid Sharif > http://www.1and1.com/?k_id=6833318 > > > ------------------------------------------------------------------------ > Sign in and you could WIN! Enter for your chance to win $1000 every > day. Visit SignInAndWIN.ca today to learn more! 
> > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > From ehansen at spyrus.com Wed Apr 30 16:28:54 2008 From: ehansen at spyrus.com (Ebbe Hansen) Date: Wed, 30 Apr 2008 09:28:54 -0700 Subject: [Pki-users] pkiconsole? In-Reply-To: <20080410075908.GA13330@flea.lifesci.dundee.ac.uk> Message-ID: After installing, how do I access/start the console? Ebbe @ SPYRUS "This message and any attached documents contain SPYRUS confidential and/or proprietary information and may be subject to privilege or exempt from disclosure under applicable law. These materials are intended only for the use of the intended recipient. If you are not the intended recipient of this electronic message, you are hereby notified that any use of this message is strictly prohibited. Delivery of this message to any person other than the intended recipient shall not constitute any waiver of any privilege. If you have received this message in error, please delete this message from your system and notify the sender immediately. Thank you." -----Original Message----- From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Jonathan Barber Sent: Thursday, April 10, 2008 12:59 AM To: pki-users at redhat.com Subject: Re: [Pki-users] pkiconsole? On Wed, Apr 09, 2008 at 10:22:41PM -0700, Chris wrote: > Will there be an similar 'pkiconsole' application for dogtag as there is in > the Red Hat version? On Fedora 8, after adding the yum repos [1] "yum install pki-console" [1] http://pki.fedoraproject.org/wiki/PKI_Install_Guide#Download_the_PKI_Yum_Repository_Configuration_File -- Jonathan Barber High Performance Computing Analyst Tel. 
+44 (0) 1382 386389 _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3916 bytes Desc: not available URL: From mharmsen at redhat.com Wed Apr 30 16:45:00 2008 From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 30 Apr 2008 09:45:00 -0700 Subject: [Pki-users] pkiconsole? In-Reply-To: References: Message-ID: <4818A20C.6090906@redhat.com> Ebbe Hansen wrote: > After installing, how do I access/start the console? > > Invoke it from the command line specifying the URL to the administration port of your CA: Usage: /usr/bin/pkiconsole where is the url to the administration port of your Certificate Subsystem. For example: https://water:9443/ca Replace "water:9443" with your "hostname:port". You must specify the "https://" URL portion in your invocation. > Ebbe @ SPYRUS > > "This message and any attached documents contain SPYRUS confidential and/or > proprietary information and may be subject to privilege or exempt from > disclosure under applicable law. These materials are intended only for the use > of the intended recipient. If you are not the intended recipient of this > electronic message, you are hereby notified that any use of this message is > strictly prohibited. Delivery of this message to any person other than the > intended recipient shall not constitute any waiver of any privilege. If you > have received this message in error, please delete this message from your > system and notify the sender immediately. Thank you." > > > -----Original Message----- > From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On > Behalf Of Jonathan Barber > Sent: Thursday, April 10, 2008 12:59 AM > To: pki-users at redhat.com > Subject: Re: [Pki-users] pkiconsole? 
>
> On Wed, Apr 09, 2008 at 10:22:41PM -0700, Chris wrote:
>
>> Will there be a similar 'pkiconsole' application for dogtag as there is in
>> the Red Hat version?
>>
>
> On Fedora 8, after adding the yum repos [1] "yum install pki-console"
>
> [1]
> http://pki.fedoraproject.org/wiki/PKI_Install_Guide#Download_the_PKI_Yum_Repository_Configuration_File
>

From ehansen at spyrus.com Wed Apr 30 16:57:50 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Wed, 30 Apr 2008 09:57:50 -0700
Subject: [Pki-users] Modify Certificate Profiles - include SubjectAltName
In-Reply-To:
Message-ID:

Looking at the 'CAUserCert.cfg' profile (first profile on the WEB Agent profile-list) it appears it should trigger the inclusion of the "SubjectAltName" extension. I have not been successful generating any certificates where the SubjectAltName extension is included!

In the Agents display the SubjectAltName is listed as 'Null' - even after editing the 'Null' to the desired RFC822 value, the issued certificate always comes without any SubjectAltName extension?

What can I do to get the CA to include the SubjectAltName extension? I am always specifying an email value in the request field!

Ebbe

_____
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Chris
Sent: Wednesday, April 09, 2008 10:10 PM
To: pki-users at redhat.com
Subject: Re: [Pki-users] Modify Certificate Profiles

Thanks. That worked.

On Wed, Apr 9, 2008 at 12:10 PM, Christina Fu wrote:

Profiles can be configured in /profiles/ca. If you add your own new profiles, you need to modify root>//conf/CS.cfg "profile.list" to contain the new profile name, and add the corresponding "class_id" and "config" (see the existing entries in CS.cfg as example), and restart the CA.

In addition, Dogtag provides flexible plugin infrastructure that allows people to customize various areas. Profile is one of them. The standard profile related plugins code is in pki/base/common/src/com/netscape/cms/profile/. That's for advanced users who know what they are doing. Make sure the certs produced still comply.

hope this helps.
Christina

Chris wrote:

Sorry, hit the send by mistake....

I've successfully installed Dogtag. The documentation was clear and I didn't have any issues.
My question is in regards to customizing certificate profiles. In the current CA environment I manage, I deal with customizing profiles. Is there a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programmatically ties to the EKU

On our current CA software, a config file is modified to customize profiles. Also there is some DER encoding required to convert the appropriate text.

Is this feature available?

From msauton at redhat.com Wed Apr 30 17:16:59 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 30 Apr 2008 10:16:59 -0700
Subject: [Pki-users] Modify Certificate Profiles - include SubjectAltName
In-Reply-To:
References:
Message-ID: <4818A98B.5010607@redhat.com>

If /var/lib/pki-ca/profiles/ca/caUserCert.cfg has

policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true

and the enrollment request has an e-mail, the subject alt name extension field should be correctly initialized upon certificate issuance.

You may want to turn on some debug in CS.cfg

debug.enabled=true
debug.level=0

and see your debug log for more details.

M.

It depends how the request had

Ebbe Hansen wrote:
>
> Looking at the 'CAUserCert.cfg' profile (first profile on the WEB
> Agent profile-list) it appears it should trigger the inclusion of the
> "SubjectAltName" extension. I have not been successful generating any
> certificates where the SubjectAltName extension is included!
>
> In the Agents display the SubjectAltName is listed as 'Null' - even
> after editing the 'Null' to the desired RFC822 value, the issued
> certificate always comes without any SubjectAltName extension?
>
> What can I do to get the CA to include the SubjectAltName extension? I
> am always specifying an email value in the request field!
>
> Ebbe
>

From smsharif at hotmail.com Wed Apr 30 18:38:26 2008
From: smsharif at hotmail.com (Shahid Sharif)
Date: Wed, 30 Apr 2008 14:38:26 -0400
Subject: [Pki-users] unable to find pkiconsole command
In-Reply-To: <48188669.4070807@redhat.com>
References: <48188669.4070807@redhat.com>
Message-ID:

when I run yum info pki-console, I get:

[root at localhost yum.repos.d]# yum info pki-console
http://pki-svn.fedora.redhat.com/pki/download/pki/1.0.0/fc8/RPMS/i386/repodata/repomd.xml: [Errno 4] IOError:
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: pki. Please verify its path and try again

Shahid Sharif
http://www.1and1.com/?k_id=6833318

> Date: Wed, 30 Apr 2008 07:47:05 -0700
> From: msauton at redhat.com
> To: smsharif at hotmail.com
> CC: pki-users at redhat.com
> Subject: Re: [Pki-users] unable to find pkiconsole command
>
> Shahid Sharif wrote:
> > I am unable to find pkiconsole command in /usr/bin?
> How did you install DogTag ? (Did you run a yum install pki-ca command ?)
> http://pki.fedoraproject.org/wiki/PKI_Install_Guide
>
> /usr/bin/pkiconsole is provided by the pki-console rpm
> Make sure you have installed pki-console
> yum info pki-console
> yum install pki-console
> >
> > Shahid Sharif
> > http://www.1and1.com/?k_id=6833318
> >

From ehansen at spyrus.com Wed Apr 30 20:50:45 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Wed, 30 Apr 2008 13:50:45 -0700
Subject: [Pki-users] Modify Certificate Profiles - include SubjectAltName
In-Reply-To: <4818A98B.5010607@redhat.com>
Message-ID:

I have succeeded adding the SubjectAltName extension - it turns out the Policy settings in the DogTag CA is set to capture the "Requestor Email" field while the Subject's Email field is the value that goes into the 'E=' part of the DN!
Is this by "intend" or can/should the Profile file(s) be modified to guarantee the email values in the DN and the SubjectAltName cannot be different (i.e. abounding a typical user-introduced error).

Ebbe @ SPYRUS

From ehansen at spyrus.com Wed Apr 30 21:14:27 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Wed, 30 Apr 2008 14:14:27 -0700
Subject: [Pki-users] Modify Certificate Profiles - removing 'Critical' key-usage indication
In-Reply-To: <4818A98B.5010607@redhat.com>
Message-ID:

While attempting to test various Email clients in a windows environment (including Outlook Express and Outlook), I am having trouble getting the Email client (Outlook Express) to accept the certificates generated by the RedHat/DogTag CA. I am using the 'CAUserCert.cfg' profile and I am adding a SubjectAltName extension as described in my earlier message. However, I am still not successful getting the Email client to use the DogTag user certificates for signature purposes.

Is there a documented procedure that describes how to generate user certificates accepted by the windows-based Outlook Express client?

Comparing the RedHat user certificate with a Microsoft user certificate reveals that the RedHat CA sets the 'KeyUsage' extension to 'Critical' -- while the Microsoft CA does not!

After modifying the DogTag CA Profile ('CAUserCert.cfg') to specify a "non critical" 'KeyUsage' extension, any new request using the modified profile fails - error message is: "Sorry, your request has been rejected. The reason is "Request Rejected - Criticality Not Matched".

Are there multiple places I need to adjust the Profile -- so far I have only modified the 'CAUserCert.cfg' file in the '/profiles/ca' directory.

Ebbe @ SPYRUS
From msauton at redhat.com Wed Apr 30 23:35:48 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 30 Apr 2008 16:35:48 -0700
Subject: [Pki-users] unable to find pkiconsole command
In-Reply-To:
References: <48188669.4070807@redhat.com>
Message-ID: <48190254.5010404@redhat.com>

This error seems to indicate a local dns issue, please verify your system can resolve and reach pki-svn.fedora.redhat.com
I assume you are using a Fedora 8 system.
M.

Shahid Sharif wrote:
> when I run yum info pki-console, I get:
>
> [root at localhost yum.repos.d]# yum info pki-console
> http://pki-svn.fedora.redhat.com/pki/download/pki/1.0.0/fc8/RPMS/i386/repodata/repomd.xml:
> [Errno 4] IOError: resolution')>
> Trying other mirror.
> Error: Cannot retrieve repository metadata (repomd.xml) for
> repository: pki. Please verify its path and try again
>
> Shahid Sharif
> http://www.1and1.com/?k_id=6833318
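Three profile problems come up in this thread: Christina Fu's note that a new profile must be registered in CS.cfg (profile.list plus class_id and config), Marc Sauton's SubjectAltName default that copies $request.requestor_email$ (which, as Ebbe Hansen found, is a separate request field from the subject E= and so can differ from it), and Ebbe's "Request Rejected - Criticality Not Matched" after editing only the KeyUsage default to non-critical. All three can be caught by linting the profile and CS.cfg text before restarting the CA. The script below is an added example, not code from Dogtag or from anyone on this list. It takes the key names subjAltExtPattern_0 and subjAltExtGNEnable_0 and the CS.cfg entries from the thread; it assumes, from the layout of Dogtag's stock profiles and not from anything on this page, that each policy carries a policyset.<set>.<n>.constraint.params.* branch next to its default.params branch, that the KeyUsage plugins name their criticality flag keyUsageCritical, and that the profile class_id is caEnrollImpl. The profile and CS.cfg fragments are constructed samples.

```python
"""Lint a Dogtag CA enrollment profile for the problems raised in this
thread.  Added example, not Dogtag code.

Assumed (not shown on the page): a policyset.<set>.<n>.constraint.params.*
branch beside default.params, and the keyUsageCritical parameter name.
"""
import re
from collections import defaultdict

# Constructed profile fragment modelled on caUserCert.cfg.  Policy 8 is the
# SAN default quoted in the thread; policy 9 is a KeyUsage default edited to
# non-critical while its constraint (assumed layout) still demands critical.
SAMPLE_PROFILE = """\
desc=Constructed user certificate profile for the example
policyset.list=userCertSet
policyset.userCertSet.list=8,9
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.userCertSet.9.default.params.keyUsageCritical=false
policyset.userCertSet.9.default.params.keyUsageDigitalSignature=true
policyset.userCertSet.9.constraint.params.keyUsageCritical=true
policyset.userCertSet.9.constraint.params.keyUsageDigitalSignature=true
"""

# Constructed CS.cfg fragment with the entries a profile needs to be loaded
# (profile.list, class_id, config).  The class_id caEnrollImpl is assumed.
SAMPLE_CS_CFG = """\
profile.list=caUserCert,caServerCert
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=/var/lib/pki-ca/profiles/ca/caUserCert.cfg
profile.caServerCert.class_id=caEnrollImpl
profile.caServerCert.config=/var/lib/pki-ca/profiles/ca/caServerCert.cfg
"""

POLICY_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\."
    r"(?P<part>default|constraint)\.params\.(?P<key>[^=]+)=(?P<val>.*)$"
)


def parse_profile(text):
    """Group every default/constraint parameter by (policy set, index)."""
    policies = defaultdict(lambda: {"default": {}, "constraint": {}})
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[(m["set"], int(m["idx"]))][m["part"]][m["key"]] = m["val"]
    return dict(policies)


def san_findings(policies):
    """Check each SubjectAltName general name: enabled, has a pattern, and
    note when it copies the requestor e-mail, which is a separate request
    field from the subject E= and so can silently differ from it."""
    out = []
    for (pset, idx), pol in sorted(policies.items()):
        params = pol["default"]
        for key, val in params.items():
            m = re.fullmatch(r"subjAltExtGNEnable_(\d+)", key)
            if not m:
                continue
            n = m.group(1)
            pattern = params.get(f"subjAltExtPattern_{n}", "")
            where = f"{pset}.{idx} GN {n}"
            if val.lower() != "true":
                out.append(f"{where}: disabled, no SubjectAltName will be issued")
            elif not pattern:
                out.append(f"{where}: enabled but subjAltExtPattern_{n} is empty")
            elif "requestor_email" in pattern:
                out.append(f"{where}: copies {pattern}, which is entered "
                           "separately from the subject E= and may differ from it")
    return out


def criticality_findings(policies):
    """Flag every *Critical flag on which the default and the constraint
    disagree; such a profile rejects requests with 'Criticality Not Matched'."""
    out = []
    for (pset, idx), pol in sorted(policies.items()):
        for key, dval in pol["default"].items():
            cval = pol["constraint"].get(key)
            if not key.endswith("Critical") or cval is None:
                continue
            if cval.lower() != dval.lower():
                out.append(f"{pset}.{idx}: default {key}={dval} but constraint "
                           f"{key}={cval} (Criticality Not Matched)")
    return out


def registration_findings(cs_cfg, profile_id):
    """Check that CS.cfg lists the profile and gives it class_id and config."""
    kv = dict(ln.split("=", 1) for ln in cs_cfg.splitlines() if "=" in ln)
    listed = [p.strip() for p in kv.get("profile.list", "").split(",")]
    out = []
    if profile_id not in listed:
        out.append(f"{profile_id} is not in profile.list, the CA will not load it")
    for attr in ("class_id", "config"):
        if f"profile.{profile_id}.{attr}" not in kv:
            out.append(f"profile.{profile_id}.{attr} is missing")
    return out


def lint(profile_text, cs_cfg, profile_id):
    """Run all three checks and return the combined list of findings."""
    policies = parse_profile(profile_text)
    return (san_findings(policies) + criticality_findings(policies)
            + registration_findings(cs_cfg, profile_id))


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROFILE, SAMPLE_CS_CFG, "caUserCert"):
        print(finding)
```

Pointed at the real caUserCert.cfg and CS.cfg, lint() runs before the CA restart that Christina Fu says a profile change needs. Under the assumed layout, a criticality finding means the default and its constraint were not edited together, which is the profile-side condition behind the rejection Ebbe Hansen reports; the SAN finding is informational and only records that the e-mail copied into the extension is the one typed into the requestor field rather than the subject DN.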