[Pki-users] Importing existing CA chain into new dogtag instance

Jonathan Barber j.barber at dundee.ac.uk
Thu Apr 10 08:47:45 UTC 2008


On Wed, Apr 09, 2008 at 10:38:47AM -0700, Christina Fu wrote:
> FYI, the following page should help in regards to handling PEM in Dogtag:
> http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates

Interestingly, the NSS-based pp tool works on my certificate, but the
Java-based PrettyPrintCert tool raises an exception. Is it a Java
bug, I wonder?

I've submitted a report under:
https://bugzilla.redhat.com/show_bug.cgi?id=441801

> Christina
> 
> Christina Fu wrote:
> >Hi, first of all, thank you for playing with Dogtag.
> >For the first question regarding doing SSL with FDS, you need to trust 
> >the CA that signed the FDS's ssl server cert. We should have 
> >information on  how to do this in the documentation.  If not, we need 
> >to add that.
> >As for your issue(s) regarding linking to an external CA, I believe 
> >there could be some confusion.  I'm only guessing here.  Did you go 
> >through all the steps under "action required" for the CA certification 
> >at the "Requests and Certificates" panel during configuration?  In Step 
> >2, the pkcs7 chain it takes is only the CA chain, not the leaf 
> >certificate.  And in a separate step (Step 3), it then takes a base64 
> >encoded leaf cert.  Could it be that you missed one of the steps?  If 
> >you have gone through all three steps at this point, the whole chain 
> >should have been imported into the certdb with necessary trust marked.

If the leaf certificate is the one returned from the request and the
"chain" being our self signed CA cert, then I have.

I wonder if the problem is related to the fact that the java tools seem
unable to read our CA cert.

> >Finally, I don't think any part of our software takes PEM format.  Try 
> >to convert PEM to DER format and it should help.

I thought PEM was the certificate encoded in base64; am I being too
liberal in the use of the term PEM?

> >Also, feel free to file bugs if you find any problem or inconvenience.

Sure, just wanted to make sure I'm not doing something stupid...

> >Hope this helps.
> >Christina
> >
> >
> >Jonathan Barber wrote:
> >>Hi, I've been playing with Dogtag for the last couple of days, and want
> >>to test it with our existing CA cert that we use locally. So I've been
> >>setting them up as subordinate CAs.
> >>
> >>I hit a minor glitch in setup when connecting to a remote FDS instance,
> >>it won't connect via SSL and I just get the error "Failed to connect to
> >>the internal database", presumably because the SSL cert doesn't pass
> >>validation.
> >>
> >>After configuring the CA as a subordinate, I sign the CA cert CSR with
> >>our local CA, then provide our CA cert in PKCS7 form, generated with
> >>the command:
> >>openssl crl2pkcs7 -nocrl -certfile cacert.pem
> >>
> >>Upon restarting the CA instance, everything works, but I can't find any
> >>trace of the issuer certificate in the certutil DB so I presume it
> >>failed. Where should it go?
> >>
> >>After setup, when I try and use the pkiconsole to load the CA cert (in
> >>PEM format) into the DB (as a CA or Local Certificate) I get the error
> >>"Certificate Error: Failed to decode", and PrettyPrintCert gives me:
> >>PrettyPrintCert:  Error encountered on parsing certificate : 
> >>java.security.cert.CertificateParsingException: java.io.IOException: 
> >>java.io.IOException: 
> >>IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: 
> >>No data available in passed DER encoded value.
> >>null
> >>
> >>I can load it into the instance certutil DB, but can't then see it in
> >>the pkiconsole.
> >>
> >>Any ideas? The certificate in question is:
> >>
> >>-----BEGIN CERTIFICATE-----
> >>MIIH4DCCBcigAwIBAgIJAKxtGsvJnqGGMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
> >>VQQGEwJHQjERMA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsG
> >>A1UEChMUVW5pdmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2Yg
> >>TGlmZSBTY2llbmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsx
> >>JjAkBgkqhkiG9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrMB4XDTA3MDIx
> >>NjEwNTMzMFoXDTE3MDIxMzEwNTMzMFowgb0xCzAJBgNVBAYTAkdCMREwDwYDVQQI
> >>EwhTY290bGFuZDEPMA0GA1UEBxMGRHVuZGVlMR0wGwYDVQQKExRVbml2ZXJzaXR5
> >>IG9mIER1bmRlZTEhMB8GA1UECxMYQ29sbGVnZSBvZiBMaWZlIFNjaWVuY2VzMSAw
> >>HgYDVQQDExdjYS5saWZlc2NpLmR1bmRlZS5hYy51azEmMCQGCSqGSIb3DQEJARYX
> >>Y2FAbGlmZXNjaS5kdW5kZWUuYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
> >>ggIKAoICAQC3tIfCIag41x63OQF2etPa3gHFxT4JlGfEO0a8fV+tfqpSrwlWWqeR
> >>w8zOO/UCxAi0FNVBmB1peeQZU/026FZ8MWu1IhJyy5OF3PIjtKxzgEuVWD7pQw7Y
> >>i32dthr5pg6GnXB/dx3P5hEVgci/Gh9fij0BLF6iPsy6CkJB3/sD2OEHN3CKMgE7
> >>kIQKZEM2XrSCNQ5KGCBzFqpowJQneVTi65pcVKIDpp56F1qrimIrFBgUbsJnswfI
> >>1Kxi8FvSj7fuTibIyiPz9QUguRNjjbQzHlkOQJKy0j2ENxdqDN9vNoeQjGDh2RXL
> >>4xovgkxW1YYHdxt5PdNtpwX8Vb7uYsZXGp5CB8xeLKSnvgZrms9EAvZvQHzMdIhb
> >>th9zCOPXAZTfeSEyMcsFY8bK+ic/JlWk/7Oo/em1dMPMi+UmXdYUD33F7Z5N9xsH
> >>x9Laz3YSuflrW8WrriVAe0xAWRjP9X205pnJbmJDgnUzHI9+qqkz7GQBxQenUjEu
> >>vTO0Dx4Psvby2j6sS0b0dVxAtZfnDutnRXc9+/9PSsSr+YLpbZh+7sPRWYynpDzy
> >>wjmBPClv+rm8o9MdkAE+8U9XoXXSU+5FG/TpzJmEFR65BYPR9BDKn8CVfhgE3flE
> >>n2l7V1hOzYFWMBu42byJx8tHzCvFPVjLbaPIMs6o1zmKC/2a+B6T+QIDAQABo4IB
> >>3zCCAdswHQYDVR0OBBYEFKOZNeS+xtTc6reYfP8IT4HhvcskMIHyBgNVHSMEgeow
> >>geeAFKOZNeS+xtTc6reYfP8IT4HhvcskoYHDpIHAMIG9MQswCQYDVQQGEwJHQjER
> >>MA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsGA1UEChMUVW5p
> >>dmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2YgTGlmZSBTY2ll
> >>bmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsxJjAkBgkqhkiG
> >>9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrggkArG0ay8meoYYwDwYDVR0T
> >>AQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAAcwCQYDVR0SBAIwADArBglghkgB
> >>hvhCAQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTA4BglghkgBhvhC
> >>AQMEKxYpaHR0cDovL2NhLmxpZmVzY2kuZHVuZGVlLmFjLnVrL2NybC12MS5jcmww
> >>IgYDVR0RBBswGYEXY2FAbGlmZXNjaS5kdW5kZWUuYWMudWswCwYDVR0PBAQDAgEG
> >>MA0GCSqGSIb3DQEBBQUAA4ICAQBWXSsapjd27zrz/5v7OSOQkFu7ZgiQK9oFT82M
> >>V8GyIH6KB86u17rpPZOPu3kr9M5YaY8Jil2ytKhR2/YacOYGMemUPf+dKvwIvu+J
> >>9a7WIqVReCHl4S8j9amzLGqowJYHgvefNGJuSpFDsQpHkOo5wrZgP8KRn0SYDJf9
> >>fbN+n5Rsr9SOPRs26LVuFamUX7//rYrQU42O8JR61nTZN0iFCsKLTc/ofFEgoW63
> >>wzn0NEagnSAFDJMI5/YIcouwWbu64YXPL84jvn69LANWf7G2YnXwyeOF3TM71Jl3
> >>3z5Qu7qOp56uLPZ9vTYuwkyAFzVqfwNJUEWybTbtp7s/SrBGbSLYv7Q6ZYpEq1mY
> >>diNPHhwfkXM2xjgaSom0kQf19rhBInrzsdb4yxNRceZuRQgh4A0zrL4vuTED9BEp
> >>rh9Rx3+UZB9+TQbeC8BqRxQYBP/Mh++OYqrmJRsG5ecm/OhD9zB+ikEx9xKoIEPx
> >>KocwtdUqOdWdS78QSmi+O/e7cBkApc/wCfpX4FZoBwvSVr4qtz71xMFqhxjx6ahm
> >>tT15+MQeaPUL2FDwKOcLTUp5N/dFLy8Dh2OKf2Qg+pXni0Ee4Jy9QP3xDS65XDeJ
> >>fx5I426trWldYtFwwlQ902/9/YRqFbzb9qzysqez1nW1Kdea5XTxl2A2I2o024sC
> >>Yan4Hw==
> >>-----END CERTIFICATE-----
> >>  
> >
> >_______________________________________________
> >Pki-users mailing list
> >Pki-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/pki-users
> 

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
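The exception quoted above names IssuerAlternativeNameExtension and says no data was available in the DER value. The script below is an added example, not part of this thread and not Dogtag's or NSS's code: it takes the PEM certificate posted in the message (PEM is simply base64-encoded DER between armour lines, which is also the answer to the PEM-versus-DER question), walks the DER by hand, lists every X.509 extension by OID, and flags any subjectAltName or issuerAltName whose GeneralNames SEQUENCE is empty. RFC 5280 defines GeneralNames as SEQUENCE SIZE (1..MAX) OF GeneralName, so a parser that enforces that constraint rejects such a certificate while a more lenient one accepts it. The function names and the check are my own; the certificate bytes are copied from the message with the 64-column line breaks re-joined.

```python
import base64

# Input for this example: the TinyCA-generated CA certificate posted in the
# thread above, copied from the message with its 64-column line breaks re-joined.
CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIH4DCCBcigAwIBAgIJAKxtGsvJnqGGMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYDVQQGEwJHQjERMA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsG
A1UEChMUVW5pdmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2YgTGlmZSBTY2llbmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsx
JjAkBgkqhkiG9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrMB4XDTA3MDIxNjEwNTMzMFoXDTE3MDIxMzEwNTMzMFowgb0xCzAJBgNVBAYTAkdCMREwDwYDVQQI
EwhTY290bGFuZDEPMA0GA1UEBxMGRHVuZGVlMR0wGwYDVQQKExRVbml2ZXJzaXR5IG9mIER1bmRlZTEhMB8GA1UECxMYQ29sbGVnZSBvZiBMaWZlIFNjaWVuY2VzMSAw
HgYDVQQDExdjYS5saWZlc2NpLmR1bmRlZS5hYy51azEmMCQGCSqGSIb3DQEJARYXY2FAbGlmZXNjaS5kdW5kZWUuYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
ggIKAoICAQC3tIfCIag41x63OQF2etPa3gHFxT4JlGfEO0a8fV+tfqpSrwlWWqeRw8zOO/UCxAi0FNVBmB1peeQZU/026FZ8MWu1IhJyy5OF3PIjtKxzgEuVWD7pQw7Y
i32dthr5pg6GnXB/dx3P5hEVgci/Gh9fij0BLF6iPsy6CkJB3/sD2OEHN3CKMgE7kIQKZEM2XrSCNQ5KGCBzFqpowJQneVTi65pcVKIDpp56F1qrimIrFBgUbsJnswfI
1Kxi8FvSj7fuTibIyiPz9QUguRNjjbQzHlkOQJKy0j2ENxdqDN9vNoeQjGDh2RXL4xovgkxW1YYHdxt5PdNtpwX8Vb7uYsZXGp5CB8xeLKSnvgZrms9EAvZvQHzMdIhb
th9zCOPXAZTfeSEyMcsFY8bK+ic/JlWk/7Oo/em1dMPMi+UmXdYUD33F7Z5N9xsHx9Laz3YSuflrW8WrriVAe0xAWRjP9X205pnJbmJDgnUzHI9+qqkz7GQBxQenUjEu
vTO0Dx4Psvby2j6sS0b0dVxAtZfnDutnRXc9+/9PSsSr+YLpbZh+7sPRWYynpDzywjmBPClv+rm8o9MdkAE+8U9XoXXSU+5FG/TpzJmEFR65BYPR9BDKn8CVfhgE3flE
n2l7V1hOzYFWMBu42byJx8tHzCvFPVjLbaPIMs6o1zmKC/2a+B6T+QIDAQABo4IB3zCCAdswHQYDVR0OBBYEFKOZNeS+xtTc6reYfP8IT4HhvcskMIHyBgNVHSMEgeow
geeAFKOZNeS+xtTc6reYfP8IT4HhvcskoYHDpIHAMIG9MQswCQYDVQQGEwJHQjERMA8GA1UECBMIU2NvdGxhbmQxDzANBgNVBAcTBkR1bmRlZTEdMBsGA1UEChMUVW5p
dmVyc2l0eSBvZiBEdW5kZWUxITAfBgNVBAsTGENvbGxlZ2Ugb2YgTGlmZSBTY2llbmNlczEgMB4GA1UEAxMXY2EubGlmZXNjaS5kdW5kZWUuYWMudWsxJjAkBgkqhkiG
9w0BCQEWF2NhQGxpZmVzY2kuZHVuZGVlLmFjLnVrggkArG0ay8meoYYwDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAAcwCQYDVR0SBAIwADArBglghkgB
hvhCAQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTA4BglghkgBhvhCAQMEKxYpaHR0cDovL2NhLmxpZmVzY2kuZHVuZGVlLmFjLnVrL2NybC12MS5jcmww
IgYDVR0RBBswGYEXY2FAbGlmZXNjaS5kdW5kZWUuYWMudWswCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4ICAQBWXSsapjd27zrz/5v7OSOQkFu7ZgiQK9oFT82M
V8GyIH6KB86u17rpPZOPu3kr9M5YaY8Jil2ytKhR2/YacOYGMemUPf+dKvwIvu+J9a7WIqVReCHl4S8j9amzLGqowJYHgvefNGJuSpFDsQpHkOo5wrZgP8KRn0SYDJf9
fbN+n5Rsr9SOPRs26LVuFamUX7//rYrQU42O8JR61nTZN0iFCsKLTc/ofFEgoW63wzn0NEagnSAFDJMI5/YIcouwWbu64YXPL84jvn69LANWf7G2YnXwyeOF3TM71Jl3
3z5Qu7qOp56uLPZ9vTYuwkyAFzVqfwNJUEWybTbtp7s/SrBGbSLYv7Q6ZYpEq1mYdiNPHhwfkXM2xjgaSom0kQf19rhBInrzsdb4yxNRceZuRQgh4A0zrL4vuTED9BEp
rh9Rx3+UZB9+TQbeC8BqRxQYBP/Mh++OYqrmJRsG5ecm/OhD9zB+ikEx9xKoIEPxKocwtdUqOdWdS78QSmi+O/e7cBkApc/wCfpX4FZoBwvSVr4qtz71xMFqhxjx6ahm
tT15+MQeaPUL2FDwKOcLTUp5N/dFLy8Dh2OKf2Qg+pXni0Ee4Jy9QP3xDS65XDeJfx5I426trWldYtFwwlQ902/9/YRqFbzb9qzysqez1nW1Kdea5XTxl2A2I2o024sC
Yan4Hw==
-----END CERTIFICATE-----"""

ALT_NAME_OIDS = {"2.5.29.17": "subjectAltName", "2.5.29.18": "issuerAltName"}


def pem_to_der(pem):
    # PEM is nothing more than base64-encoded DER between armour lines.
    body = [line for line in pem.splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf, pos=0):
    # Decode one DER tag/length/value at pos -> (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    # (tag, inner_value) for every TLV directly inside a constructed value.
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def decode_oid(raw):
    # DER OID content bytes -> dotted decimal (first byte packs the first two arcs).
    arcs, cur = [], 0
    for b in raw:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))


def extensions(der):
    # {oid: extnValue bytes} from the [3] EXPLICIT Extensions field of tbsCertificate.
    tbs = children(read_tlv(der)[1])[0][1]  # tbsCertificate is Certificate's first element
    exts = {}
    for tag, field in children(tbs):
        if tag == 0xA3:
            for _, ext in children(read_tlv(field)[1]):
                parts = children(ext)  # OID, optional BOOLEAN critical, OCTET STRING value
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    return exts


def empty_general_names(der):
    # altName extensions whose GeneralNames SEQUENCE has no entries. RFC 5280 declares
    # GeneralNames as SEQUENCE SIZE (1..MAX), so a strict parser rejects the certificate
    # while a lenient one accepts it, which is the split the thread describes.
    exts = extensions(der)
    bad = []
    for oid, name in ALT_NAME_OIDS.items():
        if oid in exts:
            tag, names, _ = read_tlv(exts[oid])
            if tag == 0x30 and not names:
                bad.append(name)
    return bad


if __name__ == "__main__":
    der = pem_to_der(CA_CERT_PEM)
    for oid, value in extensions(der).items():
        print(f"{oid:<24} extnValue={value.hex()}")
    print("empty GeneralNames in:", empty_general_names(der))
```

Run as-is, the listing shows nine extensions; the issuerAltName one (2.5.29.18) has an extnValue of 3000, an empty SEQUENCE, while subjectAltName (2.5.29.17) carries the ca@ e-mail address and is fine. That is consistent with the GeneralNamesException text quoted in the thread and with the NSS tool accepting the certificate. A lint of this kind, run before a CA certificate is loaded into a certificate database, catches malformed extensions at import time rather than as an opaque decode error later.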