From mharmsen at redhat.com Sat Jun 7 01:55:52 2008
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 06 Jun 2008 18:55:52 -0700
Subject: [Pki-users] RE: Failing to install directory server on Fedora9-live USB-stick using the Data Persistence option.
In-Reply-To:
References:
Message-ID: <4849EAA8.30503@redhat.com>

Ebbe Hansen wrote:
>
> I finally succeeded getting a Fedora Directory service installed on a
> "persistent" Fedora9 USB drive (DNS lookup issues caused previous
> reported startup problem).
>
> I am now attempting to install the DogTag PKI package on the USB drive
> using "yum" -- but am prevented from doing so - apparently a PKI repository
> for Fedora9 has not yet been built.
>
> Any suggestions? Should I attempt a manual "piecemeal" type
> installation of individual PKI-RPM packages - if I knew the
> dependency-sequence, such task may be easier? Even if successful with
> such "piecemeal" installation, I assume there is no guarantee the
> Fedora8 built DogTag PKI system will "behave" properly under Fedora9!
>
> When can I expect a Fedora9 version of the DogTag PKI to become available?
>
Ebbe,

I have published both 32-bit and 64-bit RPMS and SRPMS of Fedora 9.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=450345 for details.

-- Matt
>
> E. Hansen @ SPYRUS
>
> ------------------------------------------------------------------------
>
> *From:* Ebbe Hansen
> *Sent:* Thursday, May 29, 2008 3:01 PM
> *To:* 'pki-users at redhat.com'
> *Subject:* Failing to install directory server on Fedora9-live
> USB-stick using the Data Persistence option.
>
> The "livecd-iso-to-disk" command appears to work OK when loading
> Fedora9 on-to a USB thumb-drive with "persistence" option (with an
> appropriately sized overlay - I used 1 GBY overlay). Custom changes to
> file-system and installation of new applications appear to survive
> subsequent reboot sessions.
>
> However, while attempting to install the DogTag system on the
> "persistent" USB, I ran into trouble getting the Directory Server to
> start up properly. The log-file indicates the configuration session
> went OK - but the resulting instance does not start (or remain in
> running state) - the log-file does not indicate any errors!
>
> Has anyone on the list been successful getting the Directory Server
> (and DogTag PKI) to install on a "persistent" live USB? I am using
> fedora9 version 2.6.25-14.fc9.i686 - downloaded a few days ago. Any
> comments & suggestions appreciated!
>
> E. Hansen @ SPYRUS
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From ehansen at spyrus.com Fri Jun 13 00:04:13 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Thu, 12 Jun 2008 17:04:13 -0700
Subject: [Pki-users] How do I issue 2048-bit RSA certificates to End Entity users?
In-Reply-To:
Message-ID:

I am currently testing the WEB enrollment features (https://:/ca/ee/ca) using the IE as well as the FireFox browsers. When requesting a Dual-Use certificate (Certificate Profile - Manual User Dual-Use Certificate Enrollment) I have the choice of invoking use of smart-cards / hard-tokens via a CSP or a PKCS#11 crypto provider.

However, the keys generated always default to RSA 1024 bit! Has anyone found the place to modify/configure the DogTag Certificate Request WEB pages to default to (or enable selection of) other key-sizes e.g. 2048 bits?

E. Hansen @ SPYRUS

From cfu at redhat.com Mon Jun 23 16:37:55 2008
From: cfu at redhat.com (Christina Fu)
Date: Mon, 23 Jun 2008 09:37:55 -0700
Subject: [Pki-users] How do I issue 2048-bit RSA certificates to End Entity users?
In-Reply-To:
References:
Message-ID: <485FD163.7030906@redhat.com>

Ebbe Hansen wrote:
>
> I am currently testing the WEB enrollment features
> (https://:/ca/ee/ca) using the IE as well as
> the FireFox browsers. When requesting a Dual-Use certificate
> (Certificate Profile - Manual User Dual-Use Certificate Enrollment) I
> have the choice of invoking use of smart-cards / hard-tokens via a CSP
> or a PKCS#11 crypto provider.
>
> However, the keys generated always default to RSA 1024 bit! Has
> anyone found the place to modify/configure the DogTag Certificate
> Request WEB pages to default to (or enable selection of) other
> key-sizes e.g. 2048 bits?
>
> E. Hansen @ SPYRUS
>
The CRMF generation requests come from a template file called ProfileSelect.template in the directory /weapps/ca/ee/ca. Search for the "generateCRMFRequest" string in the file and you will find the key size 1024 that you can modify.

Hope this helps.
Christina

From paul.nana at gmail.com Wed Jun 25 13:28:22 2008
From: paul.nana at gmail.com (Paul-Marcelin N. NANA)
Date: Wed, 25 Jun 2008 15:28:22 +0200
Subject: [Pki-users] Error. Authentication Error on RA and SegFault on TPS
Message-ID: <81902b7d0806250628h327b17bet1cb897097e68ba1e@mail.gmail.com>

Hi there,

I'm trying to set up dogtag. I've been able to install everything but I'm struggling on RA: after configuring it, I can just go through the SSL End Users Services and neither the Agent Services nor Administrator Services. I always get the following error:
"You are not authorized to access the requested page.
Error. Authentication Error"

Looks like something is wrong with the certificate. Has somebody already experienced this before?

Thanks

BTW, when I'm trying to start the TPS module, everything seems fine but I get this error and it's impossible to connect to the module to configure it via the web browser:
"Starting pki-tps: /bin/bash: line 1: 23817 Segmentation fault /usr/sbin/httpd.worker -f /etc/pki-tps/https.conf"

From stephen.hamilton at us.army.mil Wed Jun 25 14:57:43 2008
From: stephen.hamilton at us.army.mil (Stephen Hamilton)
Date: Wed, 25 Jun 2008 09:57:43 -0500
Subject: [Pki-users] Error. Authentication Error on RA and SegFault on TPS
In-Reply-To: <81902b7d0806250628h327b17bet1cb897097e68ba1e@mail.gmail.com>
References: <81902b7d0806250628h327b17bet1cb897097e68ba1e@mail.gmail.com>
Message-ID: <48625CE7.6060502@us.army.mil>

I had the segfault error when I started TPS when running on Fedora 9, however on Fedora 8, I didn't have that problem. I was able to get it to start by commenting out one of the entries in httpd.conf that loaded a TPS module, but I don't think this solves anything other than letting the httpd process start.

Paul-Marcelin N. NANA wrote:
> Hi there,
>
> I'm trying to set up dogtag. I've been able to install everything
> but I'm struggling on RA: after configuring it, I can just go
> through the SSL End Users Services and neither the Agent Services nor
> Administrator Services. I always get the following error:
> "You are not authorized to access the requested page.
> Error. Authentication Error"
>
> Looks like something is wrong with the certificate. Has somebody already
> experienced this before?
>
> Thanks
>
> BTW, when I'm trying to start the TPS module, everything seems fine but
> I get this error and it's impossible to connect to the module to
> configure it via the web browser:
> "Starting pki-tps: /bin/bash: line 1: 23817 Segmentation fault
> /usr/sbin/httpd.worker -f /etc/pki-tps/https.conf"

From netnoticias at gmail.com Thu Jun 26 12:05:10 2008
From: netnoticias at gmail.com (D R E)
Date: Thu, 26 Jun 2008 14:05:10 +0200
Subject: [Pki-users] problem with OCSP setup
Message-ID: <31fa2cdc0806260505j17816be3wa9bd75e101442568@mail.gmail.com>

Hello,

I'm trying to set up a Dogtag Certificate System. No problem setting up CA and OCSP on the same machine, but if I try to deploy OCSP on another machine I always get stalled in the same part of the configuration process: "Subject Names". There, I leave the default values of "OCSP Signing Certificate", "SSL Server Certificate" and "Subsystem Certificate" or even change them to other values. I pass to the next step and set up the Admin password and finally the wizard comes back to the "Subject Names" screen; it's an endless process.

In the "catalina.out" file there always appears:
"Exception caught: java.io.IOException: Error: remote certificate is null"

So it seems that OCSP doesn't receive a certificate from CA. I have searched on Google but I can't find anything to end the OCSP process successfully.

Does anybody know what is happening with OCSP?

Daniel Rodríguez.

From paul.nana at gmail.com Thu Jun 26 18:22:39 2008
From: paul.nana at gmail.com (Paul-marcelin NANA)
Date: Thu, 26 Jun 2008 20:22:39 +0200
Subject: [Pki-users] OpenSCEP
Message-ID: <21B68960-511F-434F-8EEF-EE7C63FF5D9D@gmail.com>

Hi there,

I'm trying to install OpenSCEP on Fedora 8, in addition to the PKI. I can't compile the sources due to a BER library error: "BER library not found". Do you have any idea? Did somebody experience successfully OpenSCEP?

Thanks
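
Added example, not part of the archived thread or of Dogtag's own code: for Christina Fu's reply of 23 Jun 2008 about the key size passed to generateCRMFRequest in ProfileSelect.template, this Python check audits a template for RSA key sizes below 2048 bits. It assumes the legacy Mozilla argument order (five leading arguments, then keySize/keyParams/keyGenAlg triples); the sample template and the names split_args and audit_key_sizes are constructed for illustration.

```python
import re

MIN_RSA_BITS = 2048  # target size from the thread's subject line

# Constructed sample input; not the real ProfileSelect.template.
SAMPLE_TEMPLATE = '''
function doEnroll() {
  var crmf = crypto.generateCRMFRequest(
      "CN=Test User, O=Example", "regToken", "authenticator",
      keyTransportCert, "setCRMFRequest();",
      1024, null, "rsa-dual-use");
  var other = crypto.generateCRMFRequest(
      "CN=a,b (test)", "r", "a", null, "done();",
      2048, null, "rsa-ex", keyBits, null, "rsa-sign");
}
'''

def split_args(text, start):
    """Split the call whose '(' is at text[start] on top-level commas.
    Quoted strings and nested parentheses are kept intact; backslash
    escapes inside strings are not handled."""
    args, buf, depth, quote = [], [], 0, None
    for ch in text[start:]:
        if quote:                        # inside a string literal
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
            if depth == 1:
                continue                 # the call's own opening paren
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return args + ["".join(buf).strip()]
        elif ch == "," and depth == 1:
            args.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    raise ValueError("unterminated generateCRMFRequest call")

def audit_key_sizes(template):
    """Return (line, keySize argument, status) for every key requested."""
    findings = []
    for m in re.finditer(r"generateCRMFRequest\s*\(", template):
        line = template.count("\n", 0, m.start()) + 1
        # Assumed layout: args[5], args[8], ... are the key sizes.
        for size in split_args(template, m.end() - 1)[5::3]:
            if not size.isdigit():
                status = "unresolved"    # variable: needs manual review
            else:
                status = "weak" if int(size) < MIN_RSA_BITS else "ok"
            findings.append((line, size, status))
    return findings
```

A "weak" or "unresolved" finding marks the call to review after editing the template; the size in a freshly issued certificate is the final confirmation that the change took effect.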