[Pki-users] Importing existing CA chain into new dogtag instance
Christina Fu
cfu at redhat.com
Wed Apr 9 15:30:04 UTC 2008
Hi, first of all, thank you for playing with Dogtag.
For the first question regarding doing SSL wiht FDS, you need to trust
the CA that signed the FDS's ssl server cert. We should have information
on how to do this in the documentation. If not, we need to add that.
As for your issue(s) regarding linking to an external CA, I believe
there could be some confusion. I'm only guessing here. Did you go
three all the steps under "action required" for the CA certification at
the "Requets and Certificates" panel during configuration? In Step 2,
the pkcs7 chain it takes is only the CA chain, not the leaf
certificate. And in a separate step (Step 3), it then takes a base64
encoded leaf cert. Could it be that you missed one of the steps? If
you have gone through all three steps at this point, the whole chain
should have been imported into the certdb with necessary trust marked.
Finally, I don't think any part of our software takes PEM format. Try
to convert PEM to DER format and it should help.
Also, feel free to file bugs if you find any problem or inconvenience.
Hope this helps.
Christina
Jonathan Barber wrote:
> Hi, I've been playing with Dogtag for the last couple of days, and want
> to test it with our existing CA cert that we use locally. So I've been
> seting them up as subordinate CA's.
>
> I hit a minor glitch in setup when connecting to a remote FDS instance,
> it won't connect via SSL and I just get the error "Failed to connect to
> the internal database", presumably because the the SSL cert doesn't pass
> validation.
>
> After configuring the CA as a subordinate, I sign the CA cert CSR with
> our local CA, then provide our CA cert in PKSC7 form - generated with
> with the command:
> openssl crl2pkcs7 -nocrl -certfile cacert.pem
>
> Upon restarting the CA instance, everything works, but I can't find any
> trace of the issuer certificate in the certutil DB so I presume it
> failed. Where should it go?
>
> After setup, when I try and use the pkiconsole to load the CA cert (in
> PEM format) into the DB (as a CA or Local Certificate) I get the error
> "Certificate Error: Failed to decode", and PrettyPrintCrt gives me:
> PrettyPrintCert: Error encountered on parsing certificate : java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
> null
>
> I can load it into the instance certutil DB, but can't then see it in
> the pkiconsole.
>
> Any ideas? The certicate in question is:
>
> -----BEGIN CERTIFICATE-----
> MIIH4DCCBcigAwIBAgIJAKxtGsvJnqGGMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
> VQQGEwJHQjERMA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsG
> A1UEChMUVW5pdmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2Yg
> TGlmZSBTY2llbmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsx
> JjAkBgkqhkiG9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrMB4XDTA3MDIx
> NjEwNTMzMFoXDTE3MDIxMzEwNTMzMFowgb0xCzAJBgNVBAYTAkdCMREwDwYDVQQI
> EwhTY290bGFuZDEPMA0GA1UEBxMGRHVuZGVlMR0wGwYDVQQKExRVbml2ZXJzaXR5
> IG9mIER1bmRlZTEhMB8GA1UECxMYQ29sbGVnZSBvZiBMaWZlIFNjaWVuY2VzMSAw
> HgYDVQQDExdjYS5saWZlc2NpLmR1bmRlZS5hYy51azEmMCQGCSqGSIb3DQEJARYX
> Y2FAbGlmZXNjaS5kdW5kZWUuYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
> ggIKAoICAQC3tIfCIag41x63OQF2etPa3gHFxT4JlGfEO0a8fV+tfqpSrwlWWqeR
> w8zOO/UCxAi0FNVBmB1peeQZU/026FZ8MWu1IhJyy5OF3PIjtKxzgEuVWD7pQw7Y
> i32dthr5pg6GnXB/dx3P5hEVgci/Gh9fij0BLF6iPsy6CkJB3/sD2OEHN3CKMgE7
> kIQKZEM2XrSCNQ5KGCBzFqpowJQneVTi65pcVKIDpp56F1qrimIrFBgUbsJnswfI
> 1Kxi8FvSj7fuTibIyiPz9QUguRNjjbQzHlkOQJKy0j2ENxdqDN9vNoeQjGDh2RXL
> 4xovgkxW1YYHdxt5PdNtpwX8Vb7uYsZXGp5CB8xeLKSnvgZrms9EAvZvQHzMdIhb
> th9zCOPXAZTfeSEyMcsFY8bK+ic/JlWk/7Oo/em1dMPMi+UmXdYUD33F7Z5N9xsH
> x9Laz3YSuflrW8WrriVAe0xAWRjP9X205pnJbmJDgnUzHI9+qqkz7GQBxQenUjEu
> vTO0Dx4Psvby2j6sS0b0dVxAtZfnDutnRXc9+/9PSsSr+YLpbZh+7sPRWYynpDzy
> wjmBPClv+rm8o9MdkAE+8U9XoXXSU+5FG/TpzJmEFR65BYPR9BDKn8CVfhgE3flE
> n2l7V1hOzYFWMBu42byJx8tHzCvFPVjLbaPIMs6o1zmKC/2a+B6T+QIDAQABo4IB
> 3zCCAdswHQYDVR0OBBYEFKOZNeS+xtTc6reYfP8IT4HhvcskMIHyBgNVHSMEgeow
> geeAFKOZNeS+xtTc6reYfP8IT4HhvcskoYHDpIHAMIG9MQswCQYDVQQGEwJHQjER
> MA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsGA1UEChMUVW5p
> dmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2YgTGlmZSBTY2ll
> bmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsxJjAkBgkqhkiG
> 9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrggkArG0ay8meoYYwDwYDVR0T
> AQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAAcwCQYDVR0SBAIwADArBglghkgB
> hvhCAQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTA4BglghkgBhvhC
> AQMEKxYpaHR0cDovL2NhLmxpZmVzY2kuZHVuZGVlLmFjLnVrL2NybC12MS5jcmww
> IgYDVR0RBBswGYEXY2FAbGlmZXNjaS5kdW5kZWUuYWMudWswCwYDVR0PBAQDAgEG
> MA0GCSqGSIb3DQEBBQUAA4ICAQBWXSsapjd27zrz/5v7OSOQkFu7ZgiQK9oFT82M
> V8GyIH6KB86u17rpPZOPu3kr9M5YaY8Jil2ytKhR2/YacOYGMemUPf+dKvwIvu+J
> 9a7WIqVReCHl4S8j9amzLGqowJYHgvefNGJuSpFDsQpHkOo5wrZgP8KRn0SYDJf9
> fbN+n5Rsr9SOPRs26LVuFamUX7//rYrQU42O8JR61nTZN0iFCsKLTc/ofFEgoW63
> wzn0NEagnSAFDJMI5/YIcouwWbu64YXPL84jvn69LANWf7G2YnXwyeOF3TM71Jl3
> 3z5Qu7qOp56uLPZ9vTYuwkyAFzVqfwNJUEWybTbtp7s/SrBGbSLYv7Q6ZYpEq1mY
> diNPHhwfkXM2xjgaSom0kQf19rhBInrzsdb4yxNRceZuRQgh4A0zrL4vuTED9BEp
> rh9Rx3+UZB9+TQbeC8BqRxQYBP/Mh++OYqrmJRsG5ecm/OhD9zB+ikEx9xKoIEPx
> KocwtdUqOdWdS78QSmi+O/e7cBkApc/wCfpX4FZoBwvSVr4qtz71xMFqhxjx6ahm
> tT15+MQeaPUL2FDwKOcLTUp5N/dFLy8Dh2OKf2Qg+pXni0Ee4Jy9QP3xDS65XDeJ
> fx5I426trWldYtFwwlQ902/9/YRqFbzb9qzysqez1nW1Kdea5XTxl2A2I2o024sC
> Yan4Hw==
> -----END CERTIFICATE-----
>
More information about the Pki-users
mailing list