[Pki-users] Importing existing CA chain into new dogtag instance

Christina Fu cfu at redhat.com
Wed Apr 9 17:38:47 UTC 2008


FYI, the following page should help in regards to handling PEM in Dogtag:
http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates

Christina

Christina Fu wrote:
> Hi, first of all, thank you for playing with Dogtag.
> For the first question regarding doing SSL with FDS, you need to trust 
> the CA that signed the FDS's SSL server cert. We should have 
> information on how to do this in the documentation.  If not, we need 
> to add that.
> As for your issue(s) regarding linking to an external CA, I believe 
> there could be some confusion.  I'm only guessing here.  Did you go 
> through all the steps under "action required" for the CA certification 
> at the "Requests and Certificates" panel during configuration?  In Step 
> 2, the PKCS7 chain it takes is only the CA chain, not the leaf 
> certificate.  And in a separate step (Step 3), it then takes a base64 
> encoded leaf cert.  Could it be that you missed one of the steps?  If 
> you have gone through all three steps at this point, the whole chain 
> should have been imported into the certdb with the necessary trust marked.
>
> Finally, I don't think any part of our software takes PEM format.  Try 
> to convert PEM to DER format and it should help.
>
> Also, feel free to file bugs if you find any problem or inconvenience.
>
> Hope this helps.
> Christina
>
>
> Jonathan Barber wrote:
>> Hi, I've been playing with Dogtag for the last couple of days, and want
>> to test it with our existing CA cert that we use locally. So I've been
>> setting them up as subordinate CAs.
>>
>> I hit a minor glitch in setup when connecting to a remote FDS instance:
>> it won't connect via SSL and I just get the error "Failed to connect to
>> the internal database", presumably because the SSL cert doesn't pass
>> validation.
>>
>> After configuring the CA as a subordinate, I sign the CA cert CSR with
>> our local CA, then provide our CA cert in PKCS7 form - generated with
>> the command:
>> openssl crl2pkcs7 -nocrl -certfile cacert.pem
>>
>> Upon restarting the CA instance, everything works, but I can't find any
>> trace of the issuer certificate in the certutil DB so I presume it
>> failed. Where should it go?
>>
>> After setup, when I try and use the pkiconsole to load the CA cert (in
>> PEM format) into the DB (as a CA or Local Certificate) I get the error
>> "Certificate Error: Failed to decode", and PrettyPrintCert gives me:
>> PrettyPrintCert:  Error encountered on parsing certificate : 
>> java.security.cert.CertificateParsingException: java.io.IOException: 
>> java.io.IOException: 
>> IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: 
>> No data available in passed DER encoded value.
>> null
>>
>> I can load it into the instance certutil DB, but can't then see it in
>> the pkiconsole.
>>
>> Any ideas? The certificate in question is:
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
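Christina's advice is to hand the console DER rather than PEM. As an added example (not code from the thread, Dogtag or Red Hat), a standard-library Python helper that splits a PEM bundle into DER blobs and checks each blob's outer DER SEQUENCE length, which catches both the PEM-where-DER-is-expected mistake behind "Failed to decode" and truncated pastes. The sample PEM is a constructed stand-in (a tiny DER SEQUENCE in PEM armour), not a real CA certificate.

```python
"""PEM -> DER helper for the import problem in this thread.

Added example, not Dogtag or Red Hat code; standard library only. The
sample PEM is a constructed stand-in (a tiny DER SEQUENCE in PEM armour),
not a real CA certificate.
"""
import base64
import re
from typing import List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def is_pem(data: bytes) -> bool:
    """PEM is text starting '-----BEGIN'; DER starts with a SEQUENCE tag (0x30)."""
    return data.lstrip().startswith(b"-----BEGIN")


def der_length(der: bytes) -> int:
    """Total length of the outer DER SEQUENCE, or ValueError if it is not one.
    PEM text fails the tag check (first byte is '-', 0x2D), which is what a
    DER-only importer reports as a decode failure.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte 0x%02x)" % (der[0] if der else 0))
    first = der[1]
    if first < 0x80:              # short form: one length octet
        return 2 + first
    n = first & 0x7F              # long form: n octets of big-endian length follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length octets")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem: bytes) -> List[bytes]:
    """Split a PEM bundle into one checked DER blob per CERTIFICATE block."""
    blobs = []
    for match in PEM_BLOCK.finditer(pem.decode("ascii")):
        der = base64.b64decode("".join(match.group(1).split()))
        if der_length(der) != len(der):   # truncated or padded blob: reject it
            raise ValueError("DER length does not match decoded size")
        blobs.append(der)
    if not blobs:
        raise ValueError("no CERTIFICATE blocks found")
    return blobs


# Constructed stand-in: SEQUENCE { INTEGER 1 } = 30 03 02 01 01, twice, as a
# two-block bundle. Write each returned blob to its own .der file for import.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n" * 2
```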



