From sjv at genoscope.cns.fr Mon Apr 6 16:20:14 2009
From: sjv at genoscope.cns.fr (Simon Vallet)
Date: Mon, 6 Apr 2009 18:20:14 +0200
Subject: [Pki-users] dogtag can't establish SSL connection to LDAP server
Message-ID: <20090406182014.6983281f@tx3.tx.local>

Hi,

I'm currently trying to integrate dogtag into our environment: building did go fine, but somehow it doesn't want to securely connect to our OpenLDAP server -- that's what I get in the logs at startup:

CMS Warning:
FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Could not connect to LDAP server host ldap.genoscope.cns.fr port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Google is quite unhelpful on this one, so any hint would be greatly appreciated.

Simon

From jfenal at redhat.com Mon Apr 6 16:49:53 2009
From: jfenal at redhat.com (Jerome Fenal)
Date: Mon, 06 Apr 2009 18:49:53 +0200
Subject: [Pki-users] dogtag can't establish SSL connection to LDAP server
In-Reply-To: <20090406182014.6983281f@tx3.tx.local>
References: <20090406182014.6983281f@tx3.tx.local>
Message-ID: <1239036593.18289.83.camel@jfenal.f10>

On Monday 06 April 2009 at 18:20 +0200, Simon Vallet wrote:
> Hi,
>
> I'm currently trying to integrate dogtag into our environment:
> building did go fine, but somehow it doesn't want to securely connect
> to our OpenLDAP server -- that's what I get in the logs at startup:
>
> CMS Warning:
> FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Could not connect to LDAP server host ldap.genoscope.cns.fr port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> Google is quite unhelpful on this one, so any hint would be greatly
> appreciated.

Hi Simon,

what are you trying to achieve?

What are you using OpenLDAP for? Publishing certs, or config LDAP server?

Regards,

J.
-- 
Jérôme Fenal, RHCE                      Tel.: +33 1 41 91 23 37
Solution Architect                      Mob.: +33 6 88 06 51 15
Pre-sales Consultant                    Fax.: +33 1 41 91 23 32
http://www.redhat.fr/                   jfenal at redhat.com
Red Hat France SARL                     Siret n° 421 199 464 00064
Le Linea, 1 rue du Général Leclerc      92047 Paris La Défense Cédex
Cut your costs with Red Hat!
http://www.redhat.fr/promo/carveoutcosts

From sjv at genoscope.cns.fr Mon Apr 6 16:56:55 2009
From: sjv at genoscope.cns.fr (Simon Vallet)
Date: Mon, 6 Apr 2009 18:56:55 +0200
Subject: [Pki-users] dogtag can't establish SSL connection to LDAP server
In-Reply-To: <1239036593.18289.83.camel@jfenal.f10>
References: <20090406182014.6983281f@tx3.tx.local> <1239036593.18289.83.camel@jfenal.f10>
Message-ID: <20090406185655.18814d63@tx3.tx.local>

Hi Jérôme,

On Mon, 06 Apr 2009 18:49:53 +0200
Jerome Fenal wrote:

> what are you trying to achieve?
>
> What are you using OpenLDAP for? Publishing certs, or config LDAP
> server?

I'm trying to configure it as the "internal database" in the configuration wizard: "Please provide information to an existing Fedora Directory Server that can be used as the internal database for this instance".

Digging a bit further, it seems the PKI CA subsystem doesn't accept the LDAP server certificate:

No.     Time                       Source                Destination           Protocol Info
    130 2009-04-06 18:34:20.537435 195.83.222.184        195.83.222.201        TLSv1    Alert (Level: Fatal, Description: Unknown CA)

Frame 130 (73 bytes on wire, 73 bytes captured)
Ethernet II, Src: SunMicro_9a:98:68 (00:14:4f:9a:98:68), Dst: SunMicro_40:95:14 (00:14:4f:40:95:14)
Internet Protocol, Src: 195.83.222.184 (195.83.222.184), Dst: 195.83.222.201 (195.83.222.201)
Transmission Control Protocol, Src Port: 52794 (52794), Dst Port: ldaps (636), Seq: 73, Ack: 3441, Len: 7
Secure Socket Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Unknown CA (48)

So I guess I should add this CA as a trusted one in tomcat -- I've already tried adding it to the default keystore, to no avail. Would I have missed something?
Simon

From jfenal at redhat.com Mon Apr 6 18:59:13 2009
From: jfenal at redhat.com (Jerome Fenal)
Date: Mon, 06 Apr 2009 20:59:13 +0200
Subject: [Pki-users] dogtag can't establish SSL connection to LDAP server
In-Reply-To: <20090406185655.18814d63@tx3.tx.local>
References: <20090406182014.6983281f@tx3.tx.local> <1239036593.18289.83.camel@jfenal.f10> <20090406185655.18814d63@tx3.tx.local>
Message-ID: <1239044354.18289.89.camel@jfenal.f10>

On Monday 06 April 2009 at 18:56 +0200, Simon Vallet wrote:
> Hi Jérôme,
>
> On Mon, 06 Apr 2009 18:49:53 +0200
> Jerome Fenal wrote:
>
> > what are you trying to achieve?
> >
> > What are you using OpenLDAP for? Publishing certs, or config LDAP
> > server?
>
> I'm trying to configure it as the "internal database" in the
> configuration wizard: "Please provide information to an existing
> Fedora Directory Server that can be used as the internal database for
  ^^^^^^^^^^^^^^^^^^^^^^^

FDS != OpenLDAP...

> this instance".

OpenLDAP is not a supported backend for Dogtag internal database. It may work (or not), but definitely not supported.

To avoid such hassles, you may want to attend tomorrow's Tech Happy hours, we'll discuss... Red Hat Certificate System. Fabien is already scheduled to come, and you'll be welcome as well.
http://www.redhat.fr/events/happy-hour/agenda.php

Regards,

J.
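An added example for the capture Simon posted above; it is not code from this thread, from Dogtag or from JSS. The fatal alert in frame 130 travels from source port 52794 to the LDAP server's port 636, so it is the Dogtag side (the TLS client) that rejects the directory server's certificate chain, and a JSS socket consults the NSS certificate database of the instance, not the JVM keystore. The first function decodes a raw TLS alert record such as the one Wireshark showed (level 2, description 48 = unknown_ca) so that the same check can be run on any captured bytes; the second uses Python's standard ssl module to attempt a handshake against an LDAPS port trusting only an explicit CA file and reports the verification error. The sample record is constructed from the values in the capture; the host name and CA-file path in the main block are placeholders.

```python
import socket
import ssl

# TLS record content type for alerts and the alert descriptions that
# matter when one side rejects the other's certificate (RFC 5246, 7.2).
TLS_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Constructed sample: the 7-byte record Wireshark decoded in the thread
# (content type 21, version 0x0301, length 2, level 2, description 48).
SAMPLE_UNKNOWN_CA = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x30])


def decode_tls_alert(record):
    """Decode one unencrypted TLS alert record: 5-byte header, 2-byte body."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    content_type = record[0]
    if content_type != TLS_ALERT:
        raise ValueError("not an alert record (content type %d)" % content_type)
    version = (record[1], record[2])
    length = int.from_bytes(record[3:5], "big")
    if length != 2:
        raise ValueError("alert body must be 2 bytes, header says %d" % length)
    level, description = record[5], record[6]
    return {
        "version": RECORD_VERSIONS.get(version, "%d.%d" % version),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description),
        "code": description,
    }


def probe_ldaps(host, port=636, cafile=None):
    """Attempt a TLS handshake against an LDAPS port, trusting only `cafile`
    (placeholder path), and report how certificate verification went.
    Needs network access; it is a diagnostic for your own directory server."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return {"ok": True, "subject": peer.get("subject"), "issuer": peer.get("issuer")}
    except ssl.SSLCertVerificationError as e:
        # The client-side reason behind a fatal unknown_ca alert is typically
        # OpenSSL's "unable to get local issuer certificate".
        return {"ok": False, "reason": e.verify_message, "code": e.verify_code}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": str(e)}


if __name__ == "__main__":
    print(decode_tls_alert(SAMPLE_UNKNOWN_CA))
    # Placeholder host and CA file: substitute your LDAP server and its CA.
    print(probe_ldaps("ldap.example.invalid", 636, cafile="/path/to/ca.pem"))
```

If probe_ldaps succeeds with the CA file you intend to trust, the chain itself is fine and the remaining question is where the client looks for that CA; if it fails with "unable to get local issuer certificate", the server is sending a chain your anchor does not cover.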
From sjv at genoscope.cns.fr Mon Apr 6 20:06:08 2009
From: sjv at genoscope.cns.fr (Simon Vallet)
Date: Mon, 6 Apr 2009 22:06:08 +0200
Subject: [Pki-users] dogtag can't establish SSL connection to LDAP server
In-Reply-To: <1239044354.18289.89.camel@jfenal.f10>
References: <20090406182014.6983281f@tx3.tx.local> <1239036593.18289.83.camel@jfenal.f10> <20090406185655.18814d63@tx3.tx.local> <1239044354.18289.89.camel@jfenal.f10>
Message-ID: <20090406220608.7dd6053c@ur.priv.castalie.org>

On Mon, 06 Apr 2009 20:59:13 +0200
Jerome Fenal wrote:

> FDS != OpenLDAP...
>
> OpenLDAP is not a supported backend for Dogtag internal database. It may
> work (or not), but definitely not supported.

While certainly aware of that, I'm still interested in a technical rationale.

> To avoid such hassles, you may want to attend tomorrow's Tech Happy
> hours, we'll discuss... Red Hat Certificate System. Fabien is already
> scheduled to come, and you'll be welcome as well.
> http://www.redhat.fr/events/happy-hour/agenda.php

Unfortunately, such hassles are rarely completely avoidable. I'll probably attend, though.

Simon

From jfenal at redhat.com Mon Apr 6 20:58:52 2009
From: jfenal at redhat.com (Jerome Fenal)
Date: Mon, 06 Apr 2009 22:58:52 +0200
Subject: [Pki-users] dogtag can't establish SSL connection to LDAP server
In-Reply-To: <20090406220608.7dd6053c@ur.priv.castalie.org>
References: <20090406182014.6983281f@tx3.tx.local> <1239036593.18289.83.camel@jfenal.f10> <20090406185655.18814d63@tx3.tx.local> <1239044354.18289.89.camel@jfenal.f10> <20090406220608.7dd6053c@ur.priv.castalie.org>
Message-ID: <1239051532.29131.8.camel@jfenal.f10>

On Monday 06 April 2009 at 22:06 +0200, Simon Vallet wrote:
> On Mon, 06 Apr 2009 20:59:13 +0200
> Jerome Fenal wrote:
>
> > FDS != OpenLDAP...
> >
> > OpenLDAP is not a supported backend for Dogtag internal database. It may
> > work (or not), but definitely not supported.
>
> While certainly aware of that, I'm still interested in a technical
> rationale.

OpenLDAP does not support VLV operations, which are needed by the PKI. Furthermore, this couple (PKI + DS) has been working successfully for years, QA'd as well, so changing this critical part of the architecture to lose in functionality would be rewardless.

> > To avoid such hassles, you may want to attend tomorrow's Tech Happy
> > hours, we'll discuss... Red Hat Certificate System. Fabien is already
> > scheduled to come, and you'll be welcome as well.
> > http://www.redhat.fr/events/happy-hour/agenda.php
>
> Unfortunately, such hassles are rarely completely avoidable. I'll
> probably attend, though.

See you tomorrow then.

Regards,

J.

From luis.f.gonzalez at earthlink.net Tue Apr 7 04:29:55 2009
From: luis.f.gonzalez at earthlink.net (Luis F. Gonzalez)
Date: Mon, 6 Apr 2009 21:29:55 -0700 (GMT-07:00)
Subject: [Pki-users] problem with nss
Message-ID: <6907865.1239078595792.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net>

Hi all,

It looks like I'm having a problem with a fresh Fedora 9 installation of pki components. I've already installed fedora-ds-base:

--------------
# yum info fedora-ds-base
Loaded plugins: refresh-packagekit
Available Packages
Name       : fedora-ds-base
Arch       : i386
Version    : 1.1.0.1
Release    : 4.fc9
Size       : 1.6 M
Repo       : fedora
Summary    : Fedora Directory Server (base)
URL        : http://directory.fedoraproject.org/
License    : GPLv2 with exceptions
Description: Fedora Directory Server is an LDAPv3 compliant server. The base
           : package includes the LDAP server and command line utilities for
           : server administration.
--------------

Here's the crux of the problem after yum install pki-ca:

--------------
--> Missing Dependency: nss >= 3.12.0 is needed by package osutil-1.1.0-1.fc9.i386 (pki)
symkey-1.1.0-1.fc9.i386 from pki has depsolving problems
  --> Missing Dependency: nss >= 3.12.0 is needed by package symkey-1.1.0-1.fc9.i386 (pki)
pki-native-tools-1.1.0-1.fc9.i386 from pki has depsolving problems
  --> Missing Dependency: nss-tools >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
pki-selinux-1.1.0-1.fc9.noarch from pki has depsolving problems
  --> Missing Dependency: selinux-policy-targeted >= 3.3.1-118 is needed by package pki-selinux-1.1.0-1.fc9.noarch (pki)
pki-native-tools-1.1.0-1.fc9.i386 from pki has depsolving problems
  --> Missing Dependency: nss >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: nss >= 3.12.0 is needed by package symkey-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: selinux-policy-targeted >= 3.3.1-118 is needed by package pki-selinux-1.1.0-1.fc9.noarch (pki)
Error: Missing Dependency: nss >= 3.12.0 is needed by package osutil-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: nss >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: nss-tools >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
---------------

Any ideas before I get on an rpm dependency hunt?

Regards,

From fortunato.montresor at earthlink.net Sat Apr 11 00:24:31 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Fri, 10 Apr 2009 17:24:31 -0700 (GMT-07:00)
Subject: [Pki-users] yum remove
Message-ID: <7464356.1239409471954.JavaMail.root@elwamui-little.atl.sa.earthlink.net>

Hi list,

Just want to let those concerned know that yum remove leaves a lot of files and dirs lying around for 1.1.0

Example:
/etc/pki*
/var/log/pki*
/etc/init.d/pki*

Also it may be related but rpm (rpm -qf) does not claim ownership of those files.
Hopefully someone can work their magic.

Have a good weekend!

From ckannan at redhat.com Sat Apr 11 01:05:02 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Fri, 10 Apr 2009 21:05:02 -0400 (EDT)
Subject: [Pki-users] yum remove
In-Reply-To: <7464356.1239409471954.JavaMail.root@elwamui-little.atl.sa.earthlink.net>
Message-ID: <1739474812.1490141239411902748.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

Have you tried the pkiremove command?

----- Fortunato wrote:
> Hi list,
>
> Just want to let those concerned that yum remove leave a lot of files and dirs lying around for 1.1.0
>
> Example:
> /etc/pki*
> /var/log/pki*
> /etc/init.d/pki*
>
> Also it may be related but rpm (rpm -qf) does not claim ownership of of those files.
>
> Hopefully someone can work their magic.
>
> Have a good weekend!
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From fortunato.montresor at earthlink.net Mon Apr 13 18:25:35 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Mon, 13 Apr 2009 14:25:35 -0400 (EDT)
Subject: [Pki-users] yum remove
Message-ID: <20097680.1239647135787.JavaMail.root@elwamui-darkeyed.atl.sa.earthlink.net>

Sadly no, I removed the packages first and got all kinds of error messages when I tried to reinstall using yum. I was trying to start over with the Configuration Wizard with the one-time PIN: preop.pin=[PKI_RANDOM_NUMBER] in the CS.cfg file.

-----Original Message-----
>From: Chandrasekar Kannan
>Sent: Apr 10, 2009 9:05 PM
>To: Fortunato
>Cc: pki-users at redhat.com
>Subject: Re: [Pki-users] yum remove
>
>
>Have you tried the pkiremove command ?
>
>
>----- Fortunato wrote:
>> Hi list,
>>
>> Just want to let those concerned that yum remove leave a lot of files and dirs lying around for 1.1.0
>>
>> Example:
>> /etc/pki*
>> /var/log/pki*
>> /etc/init.d/pki*
>>
>> Also it may be related but rpm (rpm -qf) does not claim ownership of of those files.
>>
>> Hopefully someone can work their magic.
>>
>> Have a good weekend!
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>

From fortunato.montresor at earthlink.net Mon Apr 13 20:47:21 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Mon, 13 Apr 2009 16:47:21 -0400 (EDT)
Subject: [Pki-users] pki-ca services on IPv6
Message-ID: <10888949.1239655641808.JavaMail.root@elwamui-rustique.atl.sa.earthlink.net>

Hello again,

I have DTags 1.1.0.1.fc10:

# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 1.1.0                             Vendor: Red Hat, Inc.
Release     : 1.fc10                        Build Date: Sat 04 Apr 2009 10:00:35 AM PDT
Install Date: Mon 13 Apr 2009 10:55:06 AM PDT      Build Host: localhost.localdomain
Group       : System Environment/Daemons   Source RPM: pki-ca-1.1.0-1.fc10.src.rpm
Size        : 830321                           License: GPLv2 with exceptions
Signature   : (none)
Packager    : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/wiki/PKI_Documentation
Summary     : Dogtag Certificate System - Certificate Authority

Is there a 'relatively easy' way to configure the pki-ca webserver to respond to an IPv6 address? (I'll take the hard way too!)

# netstat -tlpn is only listing the default installation listening to IPv4 (but not the IPv6 address):

tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      16960/java

From the browser I'd expect something like the following to work.

https://[2001::5]:9443/ca/services

BTW, I have DNS to resolve for both IPv4 and IPv6.
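An added example, not part of this thread and not Dogtag code, for the kind of check behind the question above: it parses `netstat -tlpn` output, classifies each listening socket by address family and scope, and reports which ports have an IPv4 socket but no IPv6 one, which is the inventory an operator wants before changing connector configuration. The sample listing is constructed from lines modelled on the two netstat listings Fortunato posted in this thread (this message and his 21 April reply), so it includes the interesting case of one Java process bound to IPv4-only SSL ports while its plain HTTP port is bound to `::`.

```python
import re
from collections import defaultdict

# One LISTEN line of `netstat -tlpn`, e.g.
#   tcp  0  0 0.0.0.0:9443  0.0.0.0:*  LISTEN  3411/java
#   tcp  0  0 :::9180       :::*       LISTEN  3411/java
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)

# Constructed sample, modelled on the two listings posted in this thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:9444                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:9445                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2766/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2800/sendmail: acce
tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      3411/java
tcp        0      0 :::389                      :::*                        LISTEN      2350/ns-slapd
tcp        0      0 :::22                       :::*                        LISTEN      2766/sshd
tcp        0      0 :::9180                     :::*                        LISTEN      3411/java
"""


def parse_listener(line):
    """Return a dict for one LISTEN line (family, scope, port, program) or None."""
    m = LISTEN_RE.match(line.strip())
    if not m:
        return None
    addr, _, port = m.group("local").rpartition(":")
    family = "ipv6" if ":" in addr else "ipv4"
    if addr in ("0.0.0.0", "::"):
        scope = "any"          # wildcard bind: reachable from the network
    elif addr.startswith("127.") or addr in ("::1", "::ffff:127.0.0.1"):
        scope = "loopback"
    else:
        scope = "specific"
    return {"family": family, "scope": scope, "addr": addr,
            "port": int(port), "program": m.group("prog")}


def parse_listeners(text):
    return [l for l in map(parse_listener, text.splitlines()) if l]


def ipv4_only_ports(listeners):
    """Ports with an IPv4 socket and no IPv6 socket. On Linux a `:::port`
    socket normally accepts IPv4 too (unless net.ipv6.bindv6only=1), so the
    ports returned here are the ones that will not answer on an IPv6 address."""
    families = defaultdict(set)
    for l in listeners:
        families[l["port"]].add(l["family"])
    return sorted(p for p, f in families.items() if f == {"ipv4"})


def exposed_ports(listeners):
    """Ports bound to a wildcard address, i.e. the network-facing surface."""
    return sorted({l["port"] for l in listeners if l["scope"] == "any"})


def listeners_by_program(listeners):
    out = defaultdict(list)
    for l in listeners:
        out[l["program"]].append((l["port"], l["family"], l["scope"]))
    return dict(out)


if __name__ == "__main__":
    ls = parse_listeners(SAMPLE_NETSTAT)
    print("IPv4-only ports:", ipv4_only_ports(ls))
    print("wildcard-bound ports:", exposed_ports(ls))
    for prog, socks in listeners_by_program(ls).items():
        print(prog, sorted(socks))
```

Run against a real listing (`netstat -tlpn | python3 audit.py` with the sample replaced by `sys.stdin.read()`), the IPv4-only list is exactly the set of ports an `https://[addr]:port/` URL cannot reach, and the wildcard list is the surface to reconcile with the host firewall.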
From fortunato.montresor at earthlink.net Thu Apr 16 20:12:53 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 16 Apr 2009 13:12:53 -0700 (GMT-07:00)
Subject: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
Message-ID: <20163187.1239912773644.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net>

Hello list,

I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3), but under SSL End Users Services there's no SCEP Enrollment option.

Am I missing an option/config?

pki-ra 1.1.0 is installed.

There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.

Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?

Regards,

From msauton at redhat.com Mon Apr 20 20:31:18 2009
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 20 Apr 2009 13:31:18 -0700
Subject: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
In-Reply-To: <20163187.1239912773644.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net>
References: <20163187.1239912773644.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net>
Message-ID: <49ECDB96.2080302@redhat.com>

Fortunato wrote:
> Hello list,
>
> I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3)

Dogtag 1.1.0 is the open source development project of the released commercial product RHCS 7.3.
One way to get an idea of the changes is to go through the archive lists:
https://www.redhat.com/mailman/private/pki-commits/

> , but under SSL End Users Services there's no SCEP Enrollment option.

In the RA's "SSL End Users Services" page, there should be a "SCEP Enrollment" link; the url looks like this:
https:///ee/index.cgi (default port 12899)
Also by default, the CA EE enrollment pages and "List Certificate Profiles" will list the caRouterCert and caRARouterCert profiles.
**

> Am I missing an option/config?

Should not, seems quite strange if you do not see those.

> pki-ra 1.1.0 is installed.
>

ok, so you want to use SCEP with a RA.

> There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
>

Those are for SSL sub system certificates.

> Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
>

The Request Submission is to get the one time pin for the device.
The SCEP Enrollment page shows the link to configure on the device.
Those 2 are listed in the "EE" pages of the RA instance.
See the profiles like in the directory /var/lib/rhpki-/profiles/ca/caRA*
Especially the caRARouterCert profile on the CA instance (caRouterCert is for CA mode).
Some pointers:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
http://pki.fedoraproject.org/wiki/PKI_SCEP_Support_In_Certificate_System
http://pki.fedoraproject.org/wiki/PKI_Cisco_Routers_%28IOS%29

> Regards,
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From fortunato.montresor at earthlink.net Tue Apr 21 19:13:21 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Tue, 21 Apr 2009 12:13:21 -0700 (GMT-07:00)
Subject: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
Message-ID: <4144618.1240341201899.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>

>From: Marc Sauton
>Sent: Apr 20, 2009 1:31 PM
>To: Fortunato
>Cc: pki-users at redhat.com
>Subject: Re: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
>
>Fortunato wrote:
>> Hello list,
>>
>> I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3)
>Dogtag 1.1.0 is the open source development project of the released
>commercial product RHCS 7.3.
>One way to get an idea of the changes, is to go through the archive lists:
>https://www.redhat.com/mailman/private/pki-commits/

I'm not a big coder, so going thru the commits is kind of torturous for me. :(
But I subscribed to the pki-commits list and will try. Part of my interest revolves around the IPv6 configuration, on which the documentation is rather scarce. I'd like to get the cert manager to listen on IPv6 addresses. LDAP is listening on localhost6, but how about the other CA services?

# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:9444                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:9445                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      2452/httpd.worker
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2017/rpcbind
tcp        0      0 0.0.0.0:11443               0.0.0.0:*                   LISTEN      4025/java
tcp        0      0 0.0.0.0:11444               0.0.0.0:*                   LISTEN      4025/java
tcp        0      0 0.0.0.0:11445               0.0.0.0:*                   LISTEN      4025/java
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2766/sshd
tcp        0      0 0.0.0.0:33558               0.0.0.0:*                   LISTEN      2030/rpc.statd
tcp        0      0 0.0.0.0:12888               0.0.0.0:*                   LISTEN      4445/httpd.worker
tcp        0      0 0.0.0.0:12889               0.0.0.0:*                   LISTEN      4445/httpd.worker
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2800/sendmail: acce
tcp        0      0 0.0.0.0:12890               0.0.0.0:*                   LISTEN      4445/httpd.worker
tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      3411/java
tcp        0      0 :::389                      :::*                        LISTEN      2350/ns-slapd
tcp        0      0 :::11180                    :::*                        LISTEN      4025/java
tcp        0      0 :::111                      :::*                        LISTEN      2017/rpcbind
tcp        0      0 ::ffff:127.0.0.1:11701      :::*                        LISTEN      4025/java
tcp        0      0 :::22                       :::*                        LISTEN      2766/sshd
tcp        0      0 :::9180                     :::*                        LISTEN      3411/java

>> , but under SSL End Users Services there's no SCEP Enrollment option.
>In the RA's "SSL End Users Services" page, there should be a "SCEP
>Enrollment" link, url looks like this:
>https:///ee/index.cgi (default port 12899)
>Also by default, a CA EE enrollment pages and "List Certificate
>Profiles" will list the caRouterCert and caRARouterCert profiles.
>**

I was looking at the wrong http[s]://
I have the SCEP web gui now under: https://:12889/ee/scep/index.cgi

>> Am I missing an option/config?
>Should not, seem quite strange if you do not see those.
>> pki-ra 1.1.0 is installed.
>>
>ok, so you want to use SCEP with a RA.

Maybe a better description of the CA SCEP versus RA SCEP would be helpful? I'll try to comment on the document soon.

>> There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
>>
>Those are for SSL sub system certificates.
>> Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
>>
>The Request Submission is to get the one time pin for the device.
>The SCEP Enrollment page shows the link to configure on the device.
>Those 2 are listed in the "EE" pages on the RA instance.
>See the profiles like in the directory
>/var/lib/rhpki-/profiles/ca/caRA*
>Specially caRARouterCert profile on the CA instance (caRouterCert s for
>CA mode).
>Some pointers:
>http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html

SCEP screenshots would help. The different ports available for all CM services make things confusing.

>http://pki.fedoraproject.org/wiki/PKI_SCEP_Support_In_Certificate_System
>http://pki.fedoraproject.org/wiki/PKI_Cisco_Routers_%28IOS%29

Are there any easily available SCEP clients out there?
>> Regards,
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>

From ckannan at redhat.com Wed Apr 22 00:02:27 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Tue, 21 Apr 2009 17:02:27 -0700
Subject: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
In-Reply-To: <4144618.1240341201899.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>
References: <4144618.1240341201899.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>
Message-ID: <1240358547.7259.11.camel@localhost.localdomain>

On Tue, 2009-04-21 at 12:13 -0700, Fortunato wrote:
> >From: Marc Sauton
> >Sent: Apr 20, 2009 1:31 PM
> >To: Fortunato
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
> >
> >Fortunato wrote:
> >> Hello list,
> >>
> >> I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3)
> >Dogtag 1.1.0 is the open source development project of the released
> >commercial product RHCS 7.3.
> >One way to get an idea of the changes, is to go through the archive lists:
> >https://www.redhat.com/mailman/private/pki-commits/
>
> I'm not a big coder, so going thru the commits is kind of torturous for me. :(
> But I subscribed to pki-commits list and will try. Part of my interest revolves around the IPv6 configuration, on which the documentation is rather scarce. I'd like to get the cert manager to listen on IPv6 addresses. LDAP is listening on localhost6, but how about the other CA services?
>
> # netstat -tlpn
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      3411/java
> tcp        0      0 0.0.0.0:9444                0.0.0.0:*                   LISTEN      3411/java
> tcp        0      0 0.0.0.0:9445                0.0.0.0:*                   LISTEN      3411/java
> tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      2452/httpd.worker
> tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2017/rpcbind
> tcp        0      0 0.0.0.0:11443               0.0.0.0:*                   LISTEN      4025/java
> tcp        0      0 0.0.0.0:11444               0.0.0.0:*                   LISTEN      4025/java
> tcp        0      0 0.0.0.0:11445               0.0.0.0:*                   LISTEN      4025/java
> tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2766/sshd
> tcp        0      0 0.0.0.0:33558               0.0.0.0:*                   LISTEN      2030/rpc.statd
> tcp        0      0 0.0.0.0:12888               0.0.0.0:*                   LISTEN      4445/httpd.worker
> tcp        0      0 0.0.0.0:12889               0.0.0.0:*                   LISTEN      4445/httpd.worker
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2800/sendmail: acce
> tcp        0      0 0.0.0.0:12890               0.0.0.0:*                   LISTEN      4445/httpd.worker
> tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      3411/java
> tcp        0      0 :::389                      :::*                        LISTEN      2350/ns-slapd
> tcp        0      0 :::11180                    :::*                        LISTEN      4025/java
> tcp        0      0 :::111                      :::*                        LISTEN      2017/rpcbind
> tcp        0      0 ::ffff:127.0.0.1:11701      :::*                        LISTEN      4025/java
> tcp        0      0 :::22                       :::*                        LISTEN      2766/sshd
> tcp        0      0 :::9180                     :::*                        LISTEN      3411/java
>
> >> , but under SSL End Users Services there's no SCEP Enrollment option.
> >In the RA's "SSL End Users Services" page, there should be a "SCEP
> >Enrollment" link, url looks like this:
> >https:///ee/index.cgi (default port 12899)
> >Also by default, a CA EE enrollment pages and "List Certificate
> >Profiles" will list the caRouterCert and caRARouterCert profiles.
> >**
>
> I was looking at the wrong http[s]://
> I have the SCEP web gui now under: https://:12889/ee/scep/index.cgi
>
> >> Am I missing an option/config?
> >Should not, seem quite strange if you do not see those.
> >> pki-ra 1.1.0 is installed.
> >>
> >ok, so you want to use SCEP with a RA.
>
> Maybe a better description on the CA SCEP versus RA SCEP would be helpfull? I'll try to comment on the document soon.
>
> >> There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
> >>
> >Those are for SSL sub system certificates.
> >> Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
> >>
> >The Request Submission is to get the one time pin for the device.
> >The SCEP Enrollment page shows the link to configure on the device.
> >Those 2 are listed in the "EE" pages on the RA instance.
> >See the profiles like in the directory
> >/var/lib/rhpki-/profiles/ca/caRA*
> >Specially caRARouterCert profile on the CA instance (caRouterCert s for
> >CA mode).
> >Some pointers:
> >http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
>
> SCEP screenshots would help. The different ports available for all CM services makes things confusing.
>
> >http://pki.fedoraproject.org/wiki/PKI_SCEP_Support_In_Certificate_System
> >http://pki.fedoraproject.org/wiki/PKI_Cisco_Routers_%28IOS%29
>
> Are there any easily available SCEP clients out there?

http://www.klake.org/~jt/sscep/

>
> >> Regards,
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >>
> >
> >
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From fortunato.montresor at earthlink.net Thu Apr 23 18:35:41 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 23 Apr 2009 11:35:41 -0700 (GMT-07:00)
Subject: [Pki-users] SSCEP client requesting CA cert
Message-ID: <11586006.1240511741382.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>

Thanks to all for your help so far. :)

Lately I've been trying to request the CA cert using sscep and using the RA cgi url:

http://:12888/ee/scep/pkiclient.cgi

I get the following error message:

./sscep: cannot find data from http reply

It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?

Additionally all the examples for retrieving the CA are for:

http://:9180/ca/cgi.bin

I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:

./sscep: wrong (or missing) MIME content type
./sscep: error while sending message

which looks even more hopeless.

Any help is appreciated.
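An added example, not from this thread and not sscep or Dogtag code, for the two sscep failures quoted above. A SCEP GetCACert request is a plain HTTP GET with `operation=GetCACert&message=<CA identifier>`, and the reply must be HTTP 200 with Content-Type `application/x-x509-ca-cert` (one DER certificate) or `application/x-x509-ca-ra-cert` (a degenerate PKCS#7 carrying CA and RA certificates). sscep reports "cannot find data from http reply" when it cannot find the end of the HTTP headers in what came back, and "wrong (or missing) MIME content type" when the Content-Type is not one of those two, which is what an HTML end-entity page produces when the URL points at a web page rather than at the SCEP responder. The code builds the request URL and applies those checks to replies; the base URL is a placeholder, and the three sample replies are constructed.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Content types a SCEP responder may return for GetCACert: a single DER
# certificate, or a degenerate PKCS#7 carrying the CA and RA certificates
# (draft-nourse-scep, later RFC 8894).
GETCACERT_TYPES = {
    "application/x-x509-ca-cert": "ca-cert",
    "application/x-x509-ca-ra-cert": "ca-ra-cert",
}

# Constructed sample replies. The DER body is a placeholder that only
# carries the outer SEQUENCE tag; a real reply holds a full certificate.
SAMPLE_GOOD = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/x-x509-ca-ra-cert\r\n"
               b"Content-Length: 4\r\n\r\n"
               b"\x30\x82\x01\x00")
SAMPLE_HTML = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
               b"<html><body>End Entity Services</body></html>")
SAMPLE_TRUNCATED = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n"


def getcacert_url(base_url, ca_ident="CA"):
    """Query string a SCEP client sends for GetCACert; base_url is the
    responder path (placeholder; check your CA or RA documentation)."""
    parts = urlsplit(base_url)
    query = urlencode({"operation": "GetCACert", "message": ca_ident})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_http_response(raw):
    """Minimal HTTP/1.x response split: (status, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in reply")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_getcacert_reply(raw):
    """Apply the checks a SCEP client makes on a GetCACert reply and say
    which one failed, so a responder URL can be validated before enrolment."""
    try:
        status, headers, body = parse_http_response(raw)
    except ValueError as e:
        return {"ok": False, "why": str(e)}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status != 200:
        return {"ok": False, "why": "HTTP status %d" % status}
    if ctype not in GETCACERT_TYPES:
        return {"ok": False, "why": "content type %r is not a SCEP GetCACert type" % ctype}
    if not body:
        return {"ok": False, "why": "empty body"}
    if body[0] != 0x30:
        return {"ok": False, "why": "body does not start with a DER SEQUENCE"}
    return {"ok": True, "kind": GETCACERT_TYPES[ctype], "length": len(body)}


if __name__ == "__main__":
    print(getcacert_url("http://ra.example.invalid:12888/ee/scep/pkiclient.cgi"))
    for name, raw in (("good", SAMPLE_GOOD), ("html", SAMPLE_HTML), ("truncated", SAMPLE_TRUNCATED)):
        print(name, classify_getcacert_reply(raw))
```

Fetching the GetCACert URL with a plain HTTP client and feeding the raw reply to classify_getcacert_reply tells you which of the two situations you are in before touching sscep: a text/html reply means the path is an EE web page, not the responder; a truncated or empty reply means the endpoint is not answering the operation at all.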
From ckannan at redhat.com Thu Apr 23 20:03:43 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Thu, 23 Apr 2009 13:03:43 -0700
Subject: [Pki-users] SSCEP client requesting CA cert
In-Reply-To: <11586006.1240511741382.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
References: <11586006.1240511741382.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
Message-ID: <1240517023.3110.1.camel@localhost.localdomain>

On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> Thanks to all for your help so far. :)
>
> Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
>
> http://:12888/ee/scep/pkiclient.cgi
>
> I get the following error message:
>
> ./sscep: cannot find data from http reply
>
> It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
>
> Additionally all the examples for retrieving the CA are for:
>
> http://:9180/ca/cgi.bin
>
> I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
>
> ./sscep: wrong (or missing) MIME content type
> ./sscep: error while sending message
>
> which looks even more hopeless.
>
> Any help is appreciated.

Here's a perl module that we use for simple scep testing. I'll try to dig out the url and pin soon for a sample ...
######################################################################
# This perl module serves as a perl interface for the RHCS
# SCEP - Enrollment
######################################################################
package scep_enroll;

require Exporter;
@ISA = qw(Exporter);
@EXPORT = qw(scep_do_enroll_with_sscep );

######################################################################
use strict;
use baserc;
use baselib;
use applib;
#use Net::Telnet::Cisco;
######################################################################

#sub scep_do_enroll
#{
#    my ($scep_enroll_pin,$scep_enroll_url) = @_;
#
#    # scep_host/password are hardcoded here.
#    my $scep_host = "scep.dsdev.sjc.redhat.com";
#    my $scep_host_ip = "10.14.1.94";
#    my $scep_password = "netscape";
#    my $scep_ethernet = "Ethernet0/0";
#
#    my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
#    $session->login('', "$scep_password");
#    $session->ignore_warnings("1");
#
#    # Execute a command
#    &message_ts;
#    my @output = $session->cmd('show version');
#    log_entry(@output);
#
#    # Enable mode
#    if ($session->enable("$scep_password") )
#    {
#        @output = $session->cmd('show privilege');
#        log_entry("My privileges: @output\n");
#    }
#    else
#    {
#        log_entry("Can't enable: " . "$session->errmsg");
#    }
#
#    # enter conf t mode
#    log_entry("Executing command = conf t\n");
#    @output = $session->cmd("conf t");
#    log_entry("result =@output \n");
#
#    # perform crypto cleanup first
#    log_entry("Executing command = crypto key zeroize rsa \n");
#    @output = $session->cmd("crypto key zeroize rsa\nyes");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = no crypto ca identity CA\n");
#    @output = $session->cmd("no crypto ca identity CA\nyes");
#    log_entry("result = @output\n");
#
#    # setup CA identity
#    log_entry("Executing command = crypto ca identity CA\n");
#    @output = $session->cmd("crypto ca identity CA");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = enrollment url $scep_enroll_url \n");
#    @output = $session->cmd("enrollment url $scep_enroll_url ");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = crl optional\n");
#    @output = $session->cmd("crl optional");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = exit \n");
#    @output = $session->cmd("exit");
#    log_entry("result = @output\n");
#
#    # authenticate CA
#    log_entry("Executing command = crypto ca authenticate CA\n");
#    @output = $session->cmd("crypto ca authenticate CA\nyes");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = crypto key generate rsa\n");
#    @output = $session->cmd("crypto key generate rsa\n512");
#    log_entry("result = @output\n");
#    sleep(60);
#
#    log_entry("Executing command = crypto ca enroll CA \n");
#    @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n $scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = exit \n");
#    @output = $session->cmd("exit");
#    log_entry("result = @output\n");
#
#    log_entry("Executing command = show crypto CA certificate\nq\n");
#    @output = $session->cmd("show crypto CA certificate\nq\n");
#    log_entry("result = @output\n");
#
#    foreach(@output)
#    {
#        if( /$scep_host/
|| /Key Usage: General Purpose/ ) # { # return 0; # } # } # # ########################################################################## # # close the session object # $session->close; # # return 1; #} ###################################################################### sub scep_do_enroll_with_sscep { # This sub-routine uses the Simple SCEP client to do scep enrollments. # this can be used as an alternative if we don't have the router # the scep client is installed on tank.dsdev.sjc.redhat.com my ($scep_enroll_pin,$scep_enroll_url) = @_; # scep_host/password are hardcoded here. my $scep_host = "tank.dsdev.sjc.redhat.com"; my $uid = "root"; my $ipaddress = os_getip(); # clean up log_entry("######################################################## \n"); log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr local.key ca.crt cert.crt \n"); my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key ca.crt cert.crt`; log_entry("result = $result\n"); # generate a key log_entry("######################################################## \n"); log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin \n"); $result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin `; log_entry("result = $result\n"); # get ca cert log_entry("######################################################## \n"); log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u $scep_enroll_url\n"); $result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u $scep_enroll_url`; log_entry("result = $result\n"); # submit enrollment request log_entry("######################################################## \n"); log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url \n"); my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url `; log_entry("result = @output 
\n"); # parse for success log_entry("######################################################## \n"); foreach(@output) { if(/pkistatus: SUCCESS/ || /certificate written as/ ) { return 0; } } # failure return 1; } ######################################################################### > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chandrasekar Kannan -- ckannan at redhat.com Quality Engineering -- http://www.redhat.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From ckannan at redhat.com Thu Apr 23 20:09:53 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Thu, 23 Apr 2009 13:09:53 -0700 Subject: [Pki-users] SSCEP client requesting CA cert In-Reply-To: <1240517023.3110.1.camel@localhost.localdomain> References: <11586006.1240511741382.JavaMail.root@mswamui-valley.atl.sa.earthlink.net> <1240517023.3110.1.camel@localhost.localdomain> Message-ID: <1240517393.3110.2.camel@localhost.localdomain> On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote: > On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote: > > Thanks to all for your help so far. :) > > > > Lately I've been trying to request the CA cert using sscep and using the RA cgi url: > > > > http://:12888/ee/scep/pkiclient.cgi > > > > I get the following error message: > > > > ./sscep: cannot find data from http reply > > > > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas? > > > > Additionally all the examples for retrieving the CA are for: > > > > http://:9180/ca/cgi.bin > > > > I'm assuming this is the direct request to the CA. 
If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors: > > > > ./sscep: wrong (or missing) MIME content type > > ./sscep: error while sending message > > > > which looks even more hopeless. > > > > Any help is appreciated. > > Here's a perl module that we use for simple scep testing. > I'll try to dig out the url and pin soon for a sample ... some sample results from this. might be useful for you. ########################################################################## scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /bin/rm -f local.csr local.key ca.crt cert.crt scep3 : [2007:5:9 12:44:7] : result = scep3 : [2007:5:9 12:44:7] : ######################################################## scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest -ip 10.14.1.89 netscape Generating RSA private key, 1024 bit long modulus ..............++++++ ...........++++++ e is 65537 (0x10001) scep3 : [2007:5:9 12:44:7] : result = scep3 : [2007:5:9 12:44:7] : ######################################################## scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca -c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate /usr/bin/sscep: valid response from server /usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5 /usr/bin/sscep: CA certificate written as ca.crt scep3 : [2007:5:9 12:44:8] : ######################################################## scep3 : [2007:5:9 12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe scep3 : [2007:5:9 12:44:9] : result = /usr/bin/sscep: sending certificate request /usr/bin/sscep: valid response from server /usr/bin/sscep: pkistatus: SUCCESS /usr/bin/sscep: certificate 
written as cert.crt scep3 : [2007:5:9 12:44:9] : ######################################################## scep3 : [2007:5:9 12:44:9] : TestCaseResult scep3 PASS ########################################################################## > > > ###################################################################### > # This perl module serves as a perl interface for the RHCS > # SCEP - Enrollment > > ###################################################################### > package scep_enroll; > require Exporter; > @ISA = qw(Exporter); > @EXPORT = qw(scep_do_enroll_with_sscep > ); > > ###################################################################### > use strict; > use baserc; > use baselib; > use applib; > #use Net::Telnet::Cisco; > ###################################################################### > #sub scep_do_enroll > #{ > # my ($scep_enroll_pin,$scep_enroll_url) = @_; > # > # # scep_host/password are hardcoded here. > # my $scep_host = "scep.dsdev.sjc.redhat.com"; > # my $scep_host_ip = "10.14.1.94"; > # my $scep_password = "netscape"; > # my $scep_ethernet = "Ethernet0/0"; > # > # my $session = Net::Telnet::Cisco->new(Host => "$scep_host" ); > # $session->login('', "$scep_password"); > # $session->ignore_warnings("1"); > # > # # Execute a command > # &message_ts; > # my @output = $session->cmd('show version'); > # log_entry(@output); > # > # # Enable mode > # if ($session->enable("$scep_password") ) > # { > # @output = $session->cmd('show privilege'); > # log_entry("My privileges: @output\n"); > # } > # else > # { > # log_entry("Can't enable: " . 
"$session->errmsg"); > # } > # > # # enter conf t mode > # log_entry("Executing command = conf t\n"); > # @output = $session->cmd("conf t"); > # log_entry("result =@output \n"); > # > # # perform crypto cleanup first > # log_entry("Executing command = crypto key zeroize rsa \n"); > # @output = $session->cmd("crypto key zeroize rsa\nyes"); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = no crypto ca identity CA\n"); > # @output = $session->cmd("no crypto ca identity CA\nyes"); > # log_entry("result = @output\n"); > # > # # setup CA identity > # log_entry("Executing command = crypto ca identity CA\n"); > # @output = $session->cmd("crypto ca identity CA"); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = enrollment url $scep_enroll_url \n"); > # @output = $session->cmd("enrollment url $scep_enroll_url "); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = crl optional\n"); > # @output = $session->cmd("crl optional"); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = exit \n"); > # @output = $session->cmd("exit"); > # log_entry("result = @output\n"); > # > # # authenticate CA > # log_entry("Executing command = crypto ca authenticate CA\n"); > # @output = $session->cmd("crypto ca authenticate CA\nyes"); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = crypto key generate rsa\n"); > # @output = $session->cmd("crypto key generate rsa\n512"); > # log_entry("result = @output\n"); > # sleep(60); > # > # log_entry("Executing command = crypto ca enroll CA \n"); > # @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n > $scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes"); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = exit \n"); > # @output = $session->cmd("exit"); > # log_entry("result = @output\n"); > # > # log_entry("Executing command = show crypto CA certificate\nq\n"); > # @output = $session->cmd("show 
crypto CA certificate\nq\n"); > # log_entry("result = @output\n"); > # > # foreach(@output) > # { > # if( /$scep_host/ || /Key Usage: General Purpose/ ) > # { > # return 0; > # } > # } > # > # > ########################################################################## > # # close the session object > # $session->close; > # > # return 1; > #} > ###################################################################### > sub scep_do_enroll_with_sscep > { > # This sub-routine uses the Simple SCEP client to do scep enrollments. > # this can be used as an alternative if we don't have the router > # the scep client is installed on tank.dsdev.sjc.redhat.com > > my ($scep_enroll_pin,$scep_enroll_url) = @_; > > # scep_host/password are hardcoded here. > my $scep_host = "tank.dsdev.sjc.redhat.com"; > my $uid = "root"; > my $ipaddress = os_getip(); > > # clean up > log_entry("######################################################## > \n"); > log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr > local.key ca.crt cert.crt \n"); > my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key > ca.crt cert.crt`; > log_entry("result = $result\n"); > > # generate a key > log_entry("######################################################## > \n"); > log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip > $ipaddress $scep_enroll_pin \n"); > $result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress > $scep_enroll_pin `; > log_entry("result = $result\n"); > > # get ca cert > log_entry("######################################################## > \n"); > log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c > ca.crt -u $scep_enroll_url\n"); > $result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u > $scep_enroll_url`; > log_entry("result = $result\n"); > > # submit enrollment request > log_entry("######################################################## > \n"); > log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep 
enroll -c > ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url \n"); > my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k > local.key -r local.csr -l cert.crt -u $scep_enroll_url `; > log_entry("result = @output \n"); > > # parse for success > log_entry("######################################################## > \n"); > foreach(@output) > { > if(/pkistatus: SUCCESS/ || /certificate written as/ ) > { > return 0; > } > } > > # failure > return 1; > } > ######################################################################### > > > > > > > > _______________________________________________ > > Pki-users mailing list > > Pki-users at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-users -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chandrasekar Kannan -- ckannan at redhat.com Quality Engineering -- http://www.redhat.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From ckannan at redhat.com Thu Apr 23 21:07:10 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Thu, 23 Apr 2009 14:07:10 -0700 Subject: [Pki-users] SSCEP client requesting CA cert In-Reply-To: <7773990.1240519925381.JavaMail.root@elwamui-royal.atl.sa.earthlink.net> References: <7773990.1240519925381.JavaMail.root@elwamui-royal.atl.sa.earthlink.net> Message-ID: <1240520830.3110.4.camel@localhost.localdomain> On Thu, 2009-04-23 at 13:52 -0700, Fortunato wrote: > Solved. cool. thanks. > > I pointed sscep to the url: > > # ./sscep getca -c ca.crt -u http://:9080/ca/cgi-bin/pkiclient.exe > > I know I'll run into issues with the rest... :) but I'll work on those bridges once I cross them. > > -----Original Message----- > >From: Chandrasekar Kannan > >Sent: Apr 23, 2009 1:09 PM > >To: Fortunato > >Cc: pki-users at redhat.com > >Subject: Re: [Pki-users] SSCEP client requesting CA cert > > > >On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote: > >> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote: > >> > Thanks to all for your help so far. 
:) > >> > > >> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url: > >> > > >> > http://:12888/ee/scep/pkiclient.cgi > >> > > >> > I get the following error message: > >> > > >> > ./sscep: cannot find data from http reply > >> > > >> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas? > >> > > >> > Additionally all the examples for retrieving the CA are for: > >> > > >> > http://:9180/ca/cgi.bin > >> > > >> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors: > >> > > >> > ./sscep: wrong (or missing) MIME content type > >> > ./sscep: error while sending message > >> > > >> > which looks even more hopeless. > >> > > >> > Any help is appreciated. > >> > >> Here's a perl module that we use for simple scep testing. > >> I'll try to dig out the url and pin soon for a sample ... > > > > > >some sample results from this. might be useful for you. 

From fortunato.montresor at earthlink.net Thu Apr 23 23:53:03 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 23 Apr 2009 19:53:03 -0400 (EDT)
Subject: [Pki-users] SSCEP enroll using CA
Message-ID: <23031247.1240530783144.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>

I'm making lots of progress, but there seems to be a lack (or at least it's unclear to me still) in the way to configure SCEP enrollment on the CA.

All the manual references use the RA thru:

http://:12888/ee/scep/index.cgi

to configure SCEP.

But in order to get the CA cert and do a SCEP enroll, most examples use:

http://:9080/ca/cgi-bin/pkiclient.exe

Is there something similar to the RA on the CA web gui to create the SCEP requests?

Lastly, I'm trying to use sscep as follows:

# ./sscep getca -c ca.crt -u http://:9080/ca/cgi-bin/pkiclient.exe
...
./sscep: CA certificate written as ca.crt

# ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://:9080/ca/cgi-bin/pkiclient.exe

But all that is returned is:

./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported

Any helpful logs would be appreciated, but my guess is that I'm overlooking a web gui somewhere off port 9080. Is there something in the CA or RA that could help identify a more specific FAILURE reason?
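The Perl helper earlier in the thread only greps the sscep output for "SUCCESS" or "written as". The following is an added example, not code from the thread or from RHCS: a Python parser that classifies the four kinds of sscep output quoted above (a good getca run, a good enroll, the FAILURE with its reason, and the wrong-endpoint error) and, for getca, compares the printed MD5 fingerprint against a value obtained out of band, since getca over plain HTTP gives the client no other assurance about which CA answered. The sample outputs are copied from the thread; the expected fingerprint is the one in Chandrasekar's log; all function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# sscep prints "<program>: <message>"; the program prefix varies ("./sscep",
# "/usr/bin/sscep") and the thread's test harness wraps lines in a
# "scep3 : [timestamp] : result = " prefix, so anchor on "sscep:" and keep the tail.
_MSG = re.compile(r"sscep:\s*(?P<msg>.*?)\s*$")
_FINGERPRINT = re.compile(r"^MD5 fingerprint:\s*(?P<fp>[0-9A-Fa-f:]+)$")
_PKISTATUS = re.compile(r"^pkistatus:\s*(?P<status>\w+)$")
_REASON = re.compile(r"^reason:\s*(?P<reason>.+)$")
_WRITTEN = re.compile(r"^(?:CA )?certificate written as (?P<path>\S+)$")

# Messages seen in the thread when sscep never received a usable SCEP reply
# (the RA URL .../ee/scep/pkiclient.cgi and the .../ca/cgi.bin URL both failed
# this way). They mean the endpoint is wrong, not that the CA rejected anything.
_ENDPOINT_ERRORS = frozenset({
    "cannot find data from http reply",
    "wrong (or missing) MIME content type",
    "error while sending message",
})


@dataclass
class ScepResult:
    ok: bool = False
    pkistatus: Optional[str] = None     # SUCCESS / FAILURE / PENDING as printed
    reason: Optional[str] = None        # failure reason, if sscep printed one
    fingerprint: Optional[str] = None   # MD5 fingerprint printed by "getca"
    written: List[str] = field(default_factory=list)    # files sscep wrote
    problems: List[str] = field(default_factory=list)


def normalize_fp(fp: str) -> str:
    """Canonical fingerprint form (upper-case hex, no separators) for comparison."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def parse_sscep_output(text: str, expected_ca_fp: Optional[str] = None) -> ScepResult:
    """Classify one sscep run (getca or enroll) from its captured output.

    expected_ca_fp is the CA certificate's MD5 fingerprint obtained out of band;
    when it is supplied, a run whose printed fingerprint is absent or differs
    is reported as a problem even if sscep wrote ca.crt.
    """
    r = ScepResult()
    for line in text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue        # command echo, key-generation noise, blank lines
        msg = m.group("msg")
        if (fp := _FINGERPRINT.match(msg)):
            r.fingerprint = fp.group("fp")
        elif (st := _PKISTATUS.match(msg)):
            r.pkistatus = st.group("status").upper()
        elif (rs := _REASON.match(msg)):
            r.reason = rs.group("reason")
        elif (w := _WRITTEN.match(msg)):
            r.written.append(w.group("path"))
        elif msg in _ENDPOINT_ERRORS:
            r.problems.append(f"endpoint error: {msg}")

    if r.pkistatus is not None and r.pkistatus != "SUCCESS":
        r.problems.append(f"pkistatus {r.pkistatus}: {r.reason or 'no reason given'}")
    if expected_ca_fp is not None:
        if r.fingerprint is None:
            r.problems.append("no CA fingerprint in output; CA certificate not verified")
        elif normalize_fp(r.fingerprint) != normalize_fp(expected_ca_fp):
            r.problems.append(f"CA fingerprint mismatch: got {r.fingerprint}, "
                              f"expected {expected_ca_fp}")

    # Unlike the grep in the Perl helper, a run counts as OK only if a file was
    # written *and* nothing above went wrong.
    r.ok = bool(r.written) and not r.problems
    return r


# Sample outputs copied from the runs quoted in this thread.
GETCA_OK = """\
scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate
  /usr/bin/sscep: valid response from server
  /usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
  /usr/bin/sscep: CA certificate written as ca.crt
"""
ENROLL_OK = """\
/usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: pkistatus: SUCCESS
/usr/bin/sscep: certificate written as cert.crt
"""
ENROLL_FAILURE = """\
./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported
"""
WRONG_ENDPOINT = "./sscep: cannot find data from http reply\n"
```

Feed it the captured stdout/stderr of a getca or enroll run (the Perl helper's `@output`, for instance) and act on `problems` instead of a bare grep.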
From msauton at redhat.com Fri Apr 24 00:17:32 2009
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 23 Apr 2009 17:17:32 -0700
Subject: [Pki-users] SSCEP enroll using CA
In-Reply-To: <23031247.1240530783144.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>
References: <23031247.1240530783144.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>
Message-ID: <49F1051C.9070207@redhat.com>

Fortunato wrote:
> ./sscep: sending certificate request
> ./sscep: valid response from server
> ./sscep: pkistatus: FAILURE
> ./sscep: reason: Transaction not permitted or supported
>
> Any helpful logs would be appreciated, but my guess is that I'm overlooking a web gui somewhere off port 9080. Is there something in the CA or RA that could help identify a more specific FAILURE reason?

Try to get a look at your /var/log/rhpki-ca/debug file, and check /var/lib/rhpki-ca/conf/flatfile.txt, which should be in the form of:

UID:x.x.x.x
PWD:password

See:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html

From msauton at redhat.com Fri Apr 24 00:43:33 2009
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 23 Apr 2009 17:43:33 -0700
Subject: [Pki-users] SSCEP enroll using CA
In-Reply-To: <49F1051C.9070207@redhat.com>
References: <23031247.1240530783144.JavaMail.root@elwamui-royal.atl.sa.earthlink.net> <49F1051C.9070207@redhat.com>
Message-ID: <49F10B35.3070809@redhat.com>

Marc Sauton wrote:
> Fortunato wrote:
>> Is there something in the CA or RA that could help identify a more specific FAILURE reason?
>
> Try to get a look at your /var/log/rhpki-ca/debug file, and check /var/lib/rhpki-ca/conf/flatfile.txt, which should be in the form of:
> UID:x.x.x.x
> PWD:password

In some tests, I think I used mkrequest, and then something like below, with more verbose output:

sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l /var/tmp/local.crt -t 15 -u http://:9080/ca/cgi-bin/pkiclient.exe -c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt

From fortunato.montresor at earthlink.net Fri Apr 24 01:19:45 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 23 Apr 2009 21:19:45 -0400 (EDT)
Subject: [Pki-users] SSCEP enroll using CA
Message-ID: <32421257.1240535986108.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>

Solved.

The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section of the manual makes sense now.)

And, mkrequest has to be run before the enroll request with the UID and PWD options, otherwise /var/log/rhpki-ca/debug complains about duplicate requests.

--

All this still begs the question, "How to use the RA to do this?" - but I'll leave that question alone for now.

Thanks all. And now I'm off to try this on IPv6...
-----Original Message----- >From: Marc Sauton >Sent: Apr 23, 2009 8:43 PM >To: Fortunato >Cc: pki-users at redhat.com >Subject: Re: [Pki-users] SSCEP enroll using CA > >Marc Sauton wrote: >> Fortunato wrote: >>> I'm making lots of progress, but there seems to be a lack (or at >>> least its unclear to me still) in the way to configure SCEP >>> enrollment on the CA. >>> >>> All the manual references use the RA thru: >>> >>> http://:12888/ee/scep/index.cgi >>> to configure SCEP. >>> >>> But in order to get the CA cert and do a SCEP enroll, most examples use: >>> >>> http://:9080/ca/cgi-bin/pkiclient.exe >>> >>> Is there something similar to the RA on the CA web gui to create the >>> SCEP requests? >>> >>> Lastly, I'm trying to use sscep as follows: >>> >>> # ./sscep getca -c ca.crt -u >>> http://:9080/ca/cgi-bin/pkiclient.exe >>> ... >>> ./sscep: CA certificate written as ca.crt >>> >>> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u >>> http://:9080/ca/cgi-bin/pkiclient.exe >>> >>> But all that is returned is: >>> ./sscep: sending certificate request >>> ./sscep: valid response from server >>> ./sscep: pkistatus: FAILURE >>> ./sscep: reason: Transaction not permitted or supported >>> >>> Any helpful logs would be appreciated, but my guess is that I'm >>> overlooking a web gui somewhere off port 9080. Is there something in >>> the CA or RA that could help identify a more specific FAILURE reason? 
>>>
>>>
>> Try to get a look at your /var/log/rhpki-ca/debug file, and check
>> /var/lib/rhpki-ca/conf/flatfile.txt
>> should be in the form of:
>> UID:x.x.x.x
>> PWD:password
>> See:
>> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
>>
>In some tests, I think I used mkrequest, and then something like below,
>with more verbose output:
>sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l
>/var/tmp/local.crt -t 15 -u http://:9080/ca/cgi-bin/pkiclient.exe
>-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
>

From ckannan at redhat.com Fri Apr 24 01:30:42 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Thu, 23 Apr 2009 18:30:42 -0700
Subject: [Pki-users] SSCEP enroll using CA
In-Reply-To: <32421257.1240535986108.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>
References: <32421257.1240535986108.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>
Message-ID: <1240536642.3089.6.camel@localhost.localdomain>

On Thu, 2009-04-23 at 21:19 -0400, Fortunato wrote:
> Solved.
>
> The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section of the manual makes sense now.)
>
> And, mkrequest has to be run before the enroll request with the UID and PWD options, otherwise /var/log/rhpki-ca/debug complains about duplicate requests.
>
> --
>
> All this still begs the question, "How to use the RA to do this?" - but I'll leave that question alone for now.

from the docs for RA ..
SCEP Enrollment

In a SCEP enrollment scenario, you use the EE interface to submit a request in order to retrieve a one-time PIN. The RA agent is notified of the request and, after validating the requestor, approves it. Approving the request generates a PIN. The manager gives this PIN to the router installer. On the router, the installer enters the URL to the RA and provides the one-time PIN. The enrollment can then be initiated.

http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority.html#Administration_Guide-Introduction-Enrollment_Types

> Thanks all. And now I'm off to try this on IPv6...
>
>
> -----Original Message-----
> >From: Marc Sauton
> >Sent: Apr 23, 2009 8:43 PM
> >To: Fortunato
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] SSCEP enroll using CA
> >
> >Marc Sauton wrote:
> >> Fortunato wrote:
> >>> I'm making lots of progress, but there seems to be a lack (or at
> >>> least it's unclear to me still) in the way to configure SCEP
> >>> enrollment on the CA.
> >>>
> >>> All the manual references use the RA thru:
> >>>
> >>> http://:12888/ee/scep/index.cgi
> >>> to configure SCEP.
> >>>
> >>> But in order to get the CA cert and do a SCEP enroll, most examples use:
> >>>
> >>> http://:9080/ca/cgi-bin/pkiclient.exe
> >>>
> >>> Is there something similar to the RA on the CA web gui to create the
> >>> SCEP requests?
> >>>
> >>> Lastly, I'm trying to use sscep as follows:
> >>>
> >>> # ./sscep getca -c ca.crt -u
> >>> http://:9080/ca/cgi-bin/pkiclient.exe
> >>> ...
> >>> ./sscep: CA certificate written as ca.crt > >>> > >>> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u > >>> http://:9080/ca/cgi-bin/pkiclient.exe > >>> > >>> But all that is returned is: > >>> ./sscep: sending certificate request > >>> ./sscep: valid response from server > >>> ./sscep: pkistatus: FAILURE > >>> ./sscep: reason: Transaction not permitted or supported > >>> > >>> Any helpful logs would be appreciated, but my guess is that I'm > >>> overlooking a web gui somewhere off port 9080. Is there something in > >>> the CA or RA that could help identify a more specific FAILURE reason? > >>> > >>> > >> Try to get a look at your /var/log/rhpki-ca/debug file, and check > >> /var/lib/rhpki-ca/conf/flatfile.txt > >> should be in the form of: > >> UID:x.x.x.x > >> PWD:password > >> See: > >> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html > >> > >In some tests, I think I used mkrequest, and then something like below, > >with more verbose output: > >sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l > >/var/tmp/local.crt -t 15 -u http://:9080/ca/cgi-bin/pkiclient.exe > >-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt > > > >>> > >>> _______________________________________________ > >>> Pki-users mailing list > >>> Pki-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/pki-users > >>> > >> > >> _______________________________________________ > >> Pki-users mailing list > >> Pki-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chandrasekar Kannan -- ckannan at redhat.com Quality Engineering -- http://www.redhat.com 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From fortunato.montresor at earthlink.net Fri Apr 24 03:45:31 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 23 Apr 2009 23:45:31 -0400 (EDT)
Subject: [Pki-users] SCEP - FlatFileAuth and NullPointerException
Message-ID: <27309690.1240544731836.JavaMail.root@elwamui-royal.atl.sa.earthlink.net>

Hello again...

I just tried this with an IPv6 address in:

/var/lib/rhpki-ca/conf/flatfile.txt

Explicitly:
--
UID=2001:a::1
PWD=123456
--

Here's the error trail...

---
# tail -f /var/log/pki-ca/debug

[23/Apr/2009:18:30:03][http-9180-Processor24]: operation=PKIOperation
[23/Apr/2009:18:30:03][http-9180-Processor24]: message=MIIHWQYJK ... hK1frjNF9w+FCAIahXRKFlQmGEVJ8IU5bBRiS1hfjjybPD3XDWb0B4UZjyr/JFYcE/3gwnw==
[23/Apr/2009:18:30:03][http-9180-Processor24]: Processing PKCSReq
[23/Apr/2009:18:30:03][http-9180-Processor24]: getConn: mNumConns now 2
[23/Apr/2009:18:30:03][http-9180-Processor24]: returnConn: mNumConns now 3
[23/Apr/2009:18:30:03][http-9180-Processor24]: decryptedP10bytes: 30 82 01 cf 30 82 01 38 02 01 00 30 3e 31 16 30 ... 3f ad 12 05 05 05 05 05
[23/Apr/2009:18:30:03][http-9180-Processor24]: Found profile=caRouterCert
[23/Apr/2009:18:30:03][http-9180-Processor24]: Retrieving authenticator
[23/Apr/2009:18:30:03][http-9180-Processor24]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: authenticating user: finding user from key: 2001:a:0:0:0:0:0:1
[23/Apr/2009:18:30:03][http-9180-Processor24]: handlePKIMessage exception java.lang.NullPointerException
java.lang.NullPointerException
        at com.netscape.cms.authentication.FlatFileAuth.authenticate(FlatFileAuth.java:462)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.authenticate(CRSEnrollment.java:276)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.postRequest(CRSEnrollment.java:1378)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1282)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:671)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:231)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:636)
[23/Apr/2009:18:30:03][http-9180-Processor24]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: null
---

I tried with an IPv4 address again.

---
[23/Apr/2009:19:29:40][http-9180-Processor25]: Found profile=caRouterCert
[23/Apr/2009:19:29:40][http-9180-Processor25]: Retrieving authenticator
[23/Apr/2009:19:29:40][http-9180-Processor25]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Apr/2009:19:29:40][http-9180-Processor25]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[23/Apr/2009:19:29:40][http-9180-Processor25]: FlatFileAuth: authenticating user: finding user from key: 200.1.0.1
[23/Apr/2009:19:29:40][http-9180-Processor25]: handlePKIMessage exception java.lang.NullPointerException
java.lang.NullPointerException
        at com.netscape.cms.authentication.FlatFileAuth.authenticate(FlatFileAuth.java:462)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.authenticate(CRSEnrollment.java:276)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.postRequest(CRSEnrollment.java:1378)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1282)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:671)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:231)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:636)
[23/Apr/2009:19:29:40][http-9180-Processor25]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: null
--

Same NullPointerException even after restarting pki-ca.

Any ideas?

From fortunato.montresor at earthlink.net Tue Apr 28 17:08:40 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Tue, 28 Apr 2009 10:08:40 -0700 (GMT-07:00)
Subject: [Pki-users] pkicreate and IPv6
Message-ID: <17243358.1240938520632.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net>

Hello again,

I just used pkicreate to create another CA instance and still don't see how to configure the new CA to use an IPv6 address. Is there a way to configure the new CA to use the IPv6 address?
# service pki-ca2 status
pki-ca2 (pid 7867) is running ...

    Unsecure Port       = http://fed10.tpn-af.mil:9280/ca/ee/ca
    Secure Agent Port   = https://fed10.tpn-af.mil:9544/ca/agent/ca
    Secure EE Port      = https://fed10.tpn-af.mil:9543/ca/ee/ca
    Secure Admin Port   = https://fed10.tpn-af.mil:9545/ca/services
    Secure Admin Port   = pkiconsole https://fed10.tpn-af.mil:9545/ca
    Tomcat Port         = 9801 (for shutdown)

Only the 1) Unsecure Port entry and 2) the Tomcat Port appear to be listening on IPv6.

# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      9061/java
tcp        0      0 0.0.0.0:9444                0.0.0.0:*                   LISTEN      9061/java
tcp        0      0 0.0.0.0:9445                0.0.0.0:*                   LISTEN      9061/java
tcp        0      0 0.0.0.0:9543                0.0.0.0:*                   LISTEN      7867/java
tcp        0      0 0.0.0.0:9544                0.0.0.0:*                   LISTEN      7867/java
tcp        0      0 0.0.0.0:9545                0.0.0.0:*                   LISTEN      7867/java
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2121/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2883/sshd
tcp        0      0 0.0.0.0:41495               0.0.0.0:*                   LISTEN      2134/rpc.statd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2900/sendmail: acce
tcp        0      0 :::9280                     :::*                        LISTEN      7867/java
tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      9061/java
tcp        0      0 :::389                      :::*                        LISTEN      2471/ns-slapd
tcp        0      0 :::9830                     :::*                        LISTEN      2572/httpd.worker
tcp        0      0 ::ffff:127.0.0.1:9801       :::*                        LISTEN      7867/java
tcp        0      0 :::111                      :::*                        LISTEN      2121/rpcbind
tcp        0      0 :::22                       :::*                        LISTEN      2883/sshd
tcp        0      0 :::9180                     :::*                        LISTEN      9061/java

The file /etc/pki-ca2/CS.cfg appears to have places for localhost or machinename (hostname) but the settings are sprinkled all over the file.

Any ideas?

As an observation, I so far see IPv6 support as somewhat limited and arbitrary considering the way 9180 was selected and the weird 9801 address.
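The FlatFileAuth debug trail in the "SCEP - FlatFileAuth and NullPointerException" message above shows the authenticator building its lookup key from the UID attribute (logged in expanded IPv6 form, 2001:a:0:0:0:0:0:1, while the file held 2001:a::1) and then failing with a NullPointerException when the lookup comes back empty. The model below is my own Python re-implementation of that lookup, added here and not Dogtag's FlatFileAuth code: it parses UID:/PWD: records in the form Marc quoted, canonicalises IP-address UIDs so either IPv6 spelling matches, flags lines that are not KEY:VALUE (the thread shows both ":" and "=" as separators), and returns an explicit failure instead of dereferencing a missing record. The sample file content and the PWD values are constructed for the example.

```python
"""Model of a flat-file SCEP authenticator lookup (constructed example,
not Dogtag's FlatFileAuth.java)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample flatfile.txt.  Records are KEY:VALUE lines separated by
# blank lines, in the UID:/PWD: form quoted in the thread.  The third record
# deliberately uses "=" so the parser's diagnostics can be seen.
SAMPLE_FLATFILE = """\
UID:200.1.0.1
PWD:pin-for-v4-router

UID:2001:a::1
PWD:123456

UID=2001:a::2
PWD=pin-that-never-loads
"""


@dataclass
class AuthResult:
    ok: bool
    reason: str


def normalize_uid(value: str) -> str:
    """Canonicalise IP-address UIDs; leave any other UID untouched.

    One IPv6 address has many textual spellings (2001:a::1 and
    2001:a:0:0:0:0:0:1 are the same host), so a raw string compare would
    reject a legitimate client.  ipaddress.ip_address() yields one
    canonical compressed form for both IPv4 and IPv6.
    """
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value


def parse_flatfile(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Parse UID:/PWD: records; return (records keyed by canonical UID, warnings).

    Splitting on the *first* colon only is essential: an IPv6 value such as
    2001:a::1 contains colons of its own.
    """
    records: Dict[str, Dict[str, str]] = {}
    warnings: List[str] = []
    current: Dict[str, str] = {}

    def flush() -> None:
        if not current:
            return
        uid = current.get("UID")
        if uid is None:
            warnings.append("record without UID skipped: %r" % current)
        elif "PWD" not in current:
            warnings.append("record for UID %s has no PWD; skipped" % uid)
        else:
            records[normalize_uid(uid)] = dict(current)
        current.clear()

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            flush()  # blank line ends a record
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.isalpha():
            # e.g. "UID=2001:a::2": not the KEY:VALUE shape the format expects
            warnings.append("line %d is not KEY:VALUE, ignored: %r" % (lineno, raw))
            continue
        current[key.strip()] = value.strip()
    flush()
    return records, warnings


def authenticate(records: Dict[str, Dict[str, str]], uid: str, pwd: str) -> AuthResult:
    """Look the client up by canonical UID and compare its one-time PWD.

    A missing record yields an explicit, loggable failure; the servlet in
    the thread instead fell over with a NullPointerException here.
    """
    rec = records.get(normalize_uid(uid))
    if rec is None:
        return AuthResult(False, "no flatfile record for UID %s" % uid)
    if rec["PWD"] != pwd:
        return AuthResult(False, "PWD mismatch for UID %s" % uid)
    return AuthResult(True, "authenticated UID %s" % uid)


if __name__ == "__main__":
    recs, warns = parse_flatfile(SAMPLE_FLATFILE)
    for w in warns:
        print("warning:", w)
    # The expanded key the debug log shows must still match the compressed entry.
    print(authenticate(recs, "2001:a:0:0:0:0:0:1", "123456"))
    print(authenticate(recs, "2001:a::2", "pin-that-never-loads"))
```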
From lambam80 at hotmail.com Wed Apr 29 09:06:04 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Wed, 29 Apr 2009 05:06:04 -0400
Subject: [Pki-users] Wildcard Certificates Webpage
In-Reply-To: <49AD75F1.2080005@redhat.com>
References: <49AC11BA.9090902@thalesgroup.com> <49AD75F1.2080005@redhat.com>
Message-ID:

Hello everybody.

Does someone have a copy of the wildcard certificates webpage? It used to be here:

http://wp.netscape.com/eng/security/ssl_2.0_certificate.html

or

http://home.netscape.com/eng/security/ssl_2.0_certificate.html#Site

Thanks in advance and sorry to be a bother. I should have WGETed the entire site, at the time.

From jfenal at redhat.com Wed Apr 29 09:13:21 2009
From: jfenal at redhat.com (Jerome Fenal)
Date: Wed, 29 Apr 2009 11:13:21 +0200
Subject: [Pki-users] Wildcard Certificates Webpage
In-Reply-To:
References: <49AC11BA.9090902@thalesgroup.com> <49AD75F1.2080005@redhat.com>
Message-ID: <1240996401.23463.5.camel@jfenal.f10>

On Wednesday 29 April 2009 at 05:06 -0400, lambam80 at hotmail.com wrote:
> Hello everybody.
>
> Does someone have a copy of the wildcard certificates webpage? It used
> to be here:
>
> http://wp.netscape.com/eng/security/ssl_2.0_certificate.html
>
> or
>
> http://home.netscape.com/eng/security/ssl_2.0_certificate.html#Site
>
> Thanks in advance and sorry to be a bother. I should have WGETed the
> entire site, at the time.

Hi Dave,

web.archive.org has it:

http://web.archive.org/web/20071124072414/http://wp.netscape.com/eng/security/ssl_2.0_certificate.html

Regards,

J.
--
Jérôme Fenal, RHCE                         Tel.: +33 1 41 91 23 37
Solution Architect                         Mob.: +33 6 88 06 51 15
Pre-sales Consultant                       Fax.: +33 1 41 91 23 32
http://www.redhat.fr/                      jfenal at redhat.com
Red Hat France SARL                        Siret n° 421 199 464 00064
Le Linea, 1 rue du Général Leclerc 92047 Paris La Défense Cedex
Cut your costs with Red Hat! http://www.redhat.fr/promo/carveoutcosts

From fortunato.montresor at earthlink.net Wed Apr 29 18:30:10 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Wed, 29 Apr 2009 11:30:10 -0700 (GMT-07:00)
Subject: [Pki-users] certutil: unable to generate key(s)
Message-ID: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>

Hello,

I haven't found information on the topic but it looks like there's a problem with certutil - using IPv4.

[root at localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
certutil: unable to generate key(s)
: An I/O error occurred during security authorization.

Any ideas would be welcome.

From msauton at redhat.com Wed Apr 29 18:34:32 2009
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 29 Apr 2009 11:34:32 -0700
Subject: [Pki-users] certutil: unable to generate key(s)
In-Reply-To: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
References: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Message-ID: <49F89DB8.6080002@redhat.com>

Fortunato wrote:
> Hello,
>
> I haven't found information on the topic but it looks like there's a problem with certutil - using IPv4.
>
> [root at localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
> certutil: unable to generate key(s)
> : An I/O error occurred during security authorization.
>
> Any ideas would be welcome.
>
May want to tweak the -d option to point to the alias directory, not just /var/lib/pki-sub-ca/
M.

From msauton at redhat.com Wed Apr 29 18:42:22 2009
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 29 Apr 2009 11:42:22 -0700
Subject: [Pki-users] certutil: unable to generate key(s)
In-Reply-To: <49F89DB8.6080002@redhat.com>
References: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net> <49F89DB8.6080002@redhat.com>
Message-ID: <49F89F8E.4090508@redhat.com>

Marc Sauton wrote:
> Fortunato wrote:
>> Hello,
>>
>> I haven't found information on the topic but it looks like there's a
>> problem with certutil - using IPv4.
>>
>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>> /var/lib/pki-sub-ca/ -1 -3 -6
>> certutil: unable to generate key(s)
>> : An I/O error occurred during security authorization.
>>
>> Any ideas would be welcome.
>>
> May want to tweak the -d option to point to the alias directory,
> not just /var/lib/pki-sub-ca/
> M.
>
Side note: the i/o error happens because of the missing NSS db files, either wrong alias directory with -d, or need a certutil -N -d to create them.
M.
From kchamart at redhat.com Wed Apr 29 18:43:04 2009
From: kchamart at redhat.com (kashyap chamarthy)
Date: Thu, 30 Apr 2009 00:13:04 +0530
Subject: [Pki-users] certutil: unable to generate key(s)
In-Reply-To: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
References: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Message-ID: <49F89FB8.5020507@redhat.com>

Fortunato wrote:
> Hello,
>
> I haven't found information on the topic but it looks like there's a problem with certutil - using IPv4.
>
> [root at localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
> certutil: unable to generate key(s)
> : An I/O error occurred during security authorization.
>
> Any ideas would be welcome.
>
>
Hi Fortunato,

We still have a few pending fixes to be done for JSS, which should be coming soon.

Thanks,
Kashyap

From kchamart at redhat.com Wed Apr 29 18:47:00 2009
From: kchamart at redhat.com (kashyap chamarthy)
Date: Thu, 30 Apr 2009 00:17:00 +0530
Subject: oops wrong email..[Re: [Pki-users] certutil: unable to generate key(s)]
In-Reply-To: <49F89FB8.5020507@redhat.com>
References: <17902368.1241029810296.JavaMail.root@elwamui-huard.atl.sa.earthlink.net> <49F89FB8.5020507@redhat.com>
Message-ID: <49F8A0A4.4060101@redhat.com>

>>
> Hi Fortunato,
>
> We still have a few pending fixes to be done for JSS, which should be
> coming soon.
>
> Thanks,
> Kashyap
>
sorry folks, that was not intended here...
>

From fortunato.montresor at earthlink.net Wed Apr 29 18:52:10 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Wed, 29 Apr 2009 11:52:10 -0700 (GMT-07:00)
Subject: [Pki-users] certutil: unable to generate key(s)
Message-ID: <30142772.1241031130509.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>

Thanks!

Fixed the -d option.

Now I'm getting:

Enter Password or Pin for "NSS Certificate DB":

I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:

tksTool -N -d .

I assume the tksTool is part of pki-tks.

-----Original Message-----
>From: Marc Sauton
>Sent: Apr 29, 2009 11:42 AM
>To: Fortunato
>Cc: pki-users at redhat.com
>Subject: Re: [Pki-users] certutil: unable to generate key(s)
>
>Marc Sauton wrote:
>> Fortunato wrote:
>>> Hello,
>>>
>>> I haven't found information on the topic but it looks like there's a
>>> problem with certutil - using IPv4.
>>>
>>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
>>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>>> /var/lib/pki-sub-ca/ -1 -3 -6
>>> certutil: unable to generate key(s)
>>> : An I/O error occurred during security authorization.
>>>
>>> Any ideas would be welcome.
>>>
>> May want to tweak the -d option to point to the alias directory,
>> not just /var/lib/pki-sub-ca/
>> M.
>>
>Side note: the i/o error happens because of the missing NSS db files,
>either wrong alias directory with -d, or need a certutil -N -d to
>create them.
>M.
From kchamart at redhat.com Wed Apr 29 18:49:30 2009 From: kchamart at redhat.com (kashyap chamarthy) Date: Thu, 30 Apr 2009 00:19:30 +0530 Subject: [Pki-users] pkicreate and IPv6 In-Reply-To: <17243358.1240938520632.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net> References: <17243358.1240938520632.JavaMail.root@mswamui-swiss.atl.sa.earthlink.net> Message-ID: <49F8A13A.4010906@redhat.com> Fortunato wrote: > Hello again, > > I just used pkicreate to create another CA instance and still don't see how to configure the new CA to use an IPv6 address. Is there a way to configure the new CA to use the IPv6 address? > > # service pki-ca2 status > pki-ca2 (pid 7867) is running ... > > Unsecure Port = http://fed10.tpn-af.mil:9280/ca/ee/ca > Secure Agent Port = https://fed10.tpn-af.mil:9544/ca/agent/ca > Secure EE Port = https://fed10.tpn-af.mil:9543/ca/ee/ca > Secure Admin Port = https://fed10.tpn-af.mil:9545/ca/services > Secure Admin Port = pkiconsole https://fed10.tpn-af.mil:9545/ca > Tomcat Port = 9801 (for shutdown) > > Only the 1) Unsecure Port entry and 2) the Tomcat Port appears to be listening on IPv6. 
> > # netstat -tlpn > Active Internet connections (only servers) > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name > tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 9061/java > tcp 0 0 0.0.0.0:9444 0.0.0.0:* LISTEN 9061/java > tcp 0 0 0.0.0.0:9445 0.0.0.0:* LISTEN 9061/java > tcp 0 0 0.0.0.0:9543 0.0.0.0:* LISTEN 7867/java > tcp 0 0 0.0.0.0:9544 0.0.0.0:* LISTEN 7867/java > tcp 0 0 0.0.0.0:9545 0.0.0.0:* LISTEN 7867/java > tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2121/rpcbind > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2883/sshd > tcp 0 0 0.0.0.0:41495 0.0.0.0:* LISTEN 2134/rpc.statd > tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2900/sendmail: acce > tcp 0 0 :::9280 :::* LISTEN 7867/java > tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 9061/java > tcp 0 0 :::389 :::* LISTEN 2471/ns-slapd > tcp 0 0 :::9830 :::* LISTEN 2572/httpd.worker > tcp 0 0 ::ffff:127.0.0.1:9801 :::* LISTEN 7867/java > tcp 0 0 :::111 :::* LISTEN 2121/rpcbind > tcp 0 0 :::22 :::* LISTEN 2883/sshd > tcp 0 0 :::9180 :::* LISTEN 9061/java > > The file /etc/pki-ca2/CS.cfg appears to have places for localhost or machinename (hostname) but the settings are sprinkled all over the file. > > Any ideas? > > As an observation, I so far see IPv6 support as somewhat limited and arbitrary considering the way 9180 was selected and the weird 9801 address. > > > Hi Fortuanto, We still have a few pending fixes to be done for JSS, which should be coming soon. 
Thanks,
Kashyap

ps: that was intended here :)

From ckannan at redhat.com Wed Apr 29 18:56:50 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Wed, 29 Apr 2009 11:56:50 -0700
Subject: [Pki-users] certutil: unable to generate key(s)
In-Reply-To: <30142772.1241031130509.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
References: <30142772.1241031130509.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Message-ID: <1241031410.3121.12.camel@localhost.localdomain>

On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
> Thanks!
>
> Fixed the -d option.
>
> Now I'm getting:
>
> Enter Password or Pin for "NSS Certificate DB":

cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
Look for internal token password.

>
> I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>
> tksTool -N -d .
>
> I assume the tksTool is part of pki-tks.
>
> -----Original Message-----
> >From: Marc Sauton
> >Sent: Apr 29, 2009 11:42 AM
> >To: Fortunato
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] certutil: unable to generate key(s)
> >
> >Marc Sauton wrote:
> >> Fortunato wrote:
> >>> Hello,
> >>>
> >>> I haven't found information on the topic but it looks like there's a
> >>> problem with certutil - using IPv4.
> >>>
> >>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
> >>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
> >>> /var/lib/pki-sub-ca/ -1 -3 -6
> >>> certutil: unable to generate key(s)
> >>> : An I/O error occurred during security authorization.
> >>>
> >>> Any ideas would be welcome.
> >>> > >>> _______________________________________________ > >>> Pki-users mailing list > >>> Pki-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/pki-users > >>> > >> May want to tweak the -d option to point to the alias directory > >> , not just /var/lib/pki-sub-ca/ > >> M. > >> > >> _______________________________________________ > >> Pki-users mailing list > >> Pki-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/pki-users > >Side note: the i/o error happens because of the missing NSS db files, > >either wrong alias directory with -d, or need a certutil -N -d to > >create them. > >M. > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chandrasekar Kannan -- ckannan at redhat.com Quality Engineering -- http://www.redhat.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From msauton at redhat.com Wed Apr 29 19:06:27 2009 From: msauton at redhat.com (Marc Sauton) Date: Wed, 29 Apr 2009 12:06:27 -0700 Subject: [Pki-users] certutil: unable to generate key(s) In-Reply-To: <30142772.1241031130509.JavaMail.root@elwamui-huard.atl.sa.earthlink.net> References: <30142772.1241031130509.JavaMail.root@elwamui-huard.atl.sa.earthlink.net> Message-ID: <49F8A533.7010207@redhat.com> Fortunato wrote: > Thanks! > > Fixed the -d option. > > Now I'm getting: > > Enter Password or Pin for "NSS Certificate DB": > > I did not set this Password/PIN. means you are creating new NSS db files in the directory specified > All the docs reference tksTool. 
not in:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Managing_Certificates-Requesting_and_Receiving_Certificates.html#Administration_Guide-Requesting_Certificates-Requesting_Certificates_using_certutil

may be in:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Token_Key_Service-Using_HSM_for_Generating_Keys.html
?

> I don't want to fubar more things but it looks like the following is needed:
>
> tksTool -N -d .
>
will do it too, just make sure you are doing this in the directory you want to.

> I assume the tksTool is part of pki-tks.
>
yes, you can verify with a
rpm -qf /usr/bin/tkstool
should get something with the string: pki-native-tools

not sure why you want to use tkstool instead of certutil, or what may be the bigger issue.

> -----Original Message-----
>
>> From: Marc Sauton
>> Sent: Apr 29, 2009 11:42 AM
>> To: Fortunato
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>
>> Marc Sauton wrote:
>>
>>> Fortunato wrote:
>>>
>>>> Hello,
>>>>
>>>> I haven't found information on the topic but it looks like there's a
>>>> problem with certutil - using IPv4.
>>>>
>>>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
>>>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>>>> /var/lib/pki-sub-ca/ -1 -3 -6
>>>> certutil: unable to generate key(s)
>>>> : An I/O error occurred during security authorization.
>>>>
>>>> Any ideas would be welcome.
>>>>
>>>>
>>> May want to tweak the -d option to point to the alias directory,
>>> not just /var/lib/pki-sub-ca/
>>> M.
>>>
>> Side note: the i/o error happens because of the missing NSS db files,
>> either wrong alias directory with -d, or need a certutil -N -d to
>> create them.
>> M.
>>
>

From fortunato.montresor at earthlink.net Wed Apr 29 19:35:58 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Wed, 29 Apr 2009 12:35:58 -0700 (GMT-07:00)
Subject: [Pki-users] certutil: unable to generate key(s)
Message-ID: <9304180.1241033758450.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>

SOLVED.

That did the trick, but there were other plain-text items in the file. Additionally there are additional inputs involved when using certutil:

# certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
Enter Password or Pin for "NSS Certificate DB":

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

...

--

The bigger issue is that I wanted to create a Certificate Request using certutil.

-----Original Message-----
>From: Chandrasekar Kannan
>Sent: Apr 29, 2009 11:56 AM
>To: Fortunato
>Cc: Marc Sauton , pki-users at redhat.com
>Subject: Re: [Pki-users] certutil: unable to generate key(s)
>
>On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>> Thanks!
>>
>> Fixed the -d option.
>>
>> Now I'm getting:
>>
>> Enter Password or Pin for "NSS Certificate DB":
>
> cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
> Look for internal token password.
>
>>
>> I did not set this Password/PIN.
>> All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>>
>> tksTool -N -d .
>>
>> I assume the tksTool is part of pki-tks.
>>
>> -----Original Message-----
>> >From: Marc Sauton
>> >Sent: Apr 29, 2009 11:42 AM
>> >To: Fortunato
>> >Cc: pki-users at redhat.com
>> >Subject: Re: [Pki-users] certutil: unable to generate key(s)
>> >
>> >Marc Sauton wrote:
>> >> Fortunato wrote:
>> >>> Hello,
>> >>>
>> >>> I haven't found information on the topic but it looks like there's a
>> >>> problem with certutil - using IPv4.
>> >>>
>> >>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
>> >>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>> >>> /var/lib/pki-sub-ca/ -1 -3 -6
>> >>> certutil: unable to generate key(s)
>> >>> : An I/O error occurred during security authorization.
>> >>>
>> >>> Any ideas would be welcome.
>> >>>
>> >> May want to tweak the -d option to point to the alias directory
>> >> , not just /var/lib/pki-sub-ca/
>> >> M.
>> >>
>> >Side note: the i/o error happens because of the missing NSS db files,
>> >either wrong alias directory with -d, or need a certutil -N -d to
>> >create them.
>> >M.
>>
>--
>

From msauton at redhat.com Wed Apr 29 21:14:41 2009
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 29 Apr 2009 14:14:41 -0700
Subject: [Pki-users] certutil: unable to generate key(s)
In-Reply-To: <9304180.1241033758450.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
References: <9304180.1241033758450.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Message-ID: <49F8C341.9000408@redhat.com>

Fortunato wrote:
> SOLVED.
>
> That did the trick, but there were other plain-text items in the file. Additionally there are additional inputs involved when using certutil:
>
use the option -z
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://directory.fedora.redhat.com/wiki/Howto:SSL
> # certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
> Enter Password or Pin for "NSS Certificate DB":
>
> A random seed must be generated that will be used in the
> creation of your key. One of the easiest ways to create a
> random seed is to use the timing of keystrokes on a keyboard.
>
> To begin, type keys on the keyboard until this progress meter
> is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>
>
> Continue typing until the progress meter is full:
>
> |************************************************************|
>
> ...
>
> --
>
> The bigger issue is that I wanted to create a Certificate Request using certutil.
>
>
>
> -----Original Message-----
>
>> From: Chandrasekar Kannan
>> Sent: Apr 29, 2009 11:56 AM
>> To: Fortunato
>> Cc: Marc Sauton , pki-users at redhat.com
>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>
>> On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>>
>>> Thanks!
>>>
>>> Fixed the -d option.
>>>
>>> Now I'm getting:
>>>
>>> Enter Password or Pin for "NSS Certificate DB":
>>>
>> cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
>> Look for internal token password.
>>
>>
>>> I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>>>
>>> tksTool -N -d .
>>>
>>> I assume the tksTool is part of pki-tks.
>>>
>>> -----Original Message-----
>>>
>>>> From: Marc Sauton
>>>> Sent: Apr 29, 2009 11:42 AM
>>>> To: Fortunato
>>>> Cc: pki-users at redhat.com
>>>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>>>
>>>> Marc Sauton wrote:
>>>>
>>>>> Fortunato wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I haven't found information on the topic but it looks like there's a
>>>>>> problem with certutil - using IPv4.
>>>>>>
>>>>>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
>>>>>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>>>>>> /var/lib/pki-sub-ca/ -1 -3 -6
>>>>>> certutil: unable to generate key(s)
>>>>>> : An I/O error occurred during security authorization.
>>>>>>
>>>>>> Any ideas would be welcome.
>>>>>>
>>>>> May want to tweak the -d option to point to the alias directory
>>>>> , not just /var/lib/pki-sub-ca/
>>>>> M.
>>>>>
>>>> Side note: the i/o error happens because of the missing NSS db files,
>>>> either wrong alias directory with -d, or need a certutil -N -d to
>>>> create them.
>>>> M.
>>>>
>>>
>> --
>>
>>
>

From fortunato.montresor at earthlink.net Wed Apr 29 21:27:07 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Wed, 29 Apr 2009 17:27:07 -0400 (EDT)
Subject: [Pki-users] signing a certificate request using CLI
Message-ID: <8839008.1241040427278.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>

Hello again.

In advance, I apologize for the basic questions but I'm trying to follow along with the openssl examples.

Signing a CSR is relatively easy using openssl, so I'm wondering if there's a similar CLI command (with options) in DCS.

---

# openssl ca -in /root/CA/cisco1.csr -extensions x509v3_extensions -out /root/CA/cisco1.pem -notext
Using configuration from /root/CA/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'Stargate Command Domain'
commonName :PRINTABLE:'cisco1.stargatecommand.mil'
Certificate is to be certified until Apr 24 17:15:41 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated

---

The only thing similar I can find is CMCenroll, but it looks like it can't specify the signing cert as specified in OPENSSL_CONF.

I'm doing reading on the end-entity (EE) versus agent services. Automation is great but I'd like to cover the basics using the CLI. It is Linux BTW. :)

From ckannan at redhat.com Wed Apr 29 21:37:04 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Wed, 29 Apr 2009 14:37:04 -0700
Subject: [Pki-users] signing a certificate request using CLI
In-Reply-To: <8839008.1241040427278.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
References: <8839008.1241040427278.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Message-ID: <1241041024.3121.15.camel@localhost.localdomain>

On Wed, 2009-04-29 at 17:27 -0400, Fortunato wrote:
> Hello again.
>
> In advance, I apologize for the basic questions but I'm trying to follow along with the openssl examples.
>
> Signing a CSR is relatively easy using openssl, so I'm wondering if there's a similar CLI command (with options) in DCS.

from http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Creating a Certificate

A valid certificate must be issued by a trusted CA. If a CA key pair is not available, you can create a self-signed certificate (for purposes of illustration) with the -x argument.

This example creates a new binary, self-signed CA certificate named myissuer, in the specified directory.

certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f password-file -d certdir

The following example creates a new binary certificate named mycert.crt, from a binary certificate request named mycert.req, in the specified directory. It is issued by the self-signed certificate created above, myissuer.
certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d certdir

>
> ---
>
> # openssl ca -in /root/CA/cisco1.csr -extensions x509v3_extensions -out /root/CA/cisco1.pem -notext
> Using configuration from /root/CA/openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName :PRINTABLE:'Stargate Command Domain'
> commonName :PRINTABLE:'cisco1.stargatecommand.mil'
> Certificate is to be certified until Apr 24 17:15:41 2010 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> ---
>
> The only thing similar I can find is CMCenroll, but it looks like it can't specify the signing cert as specified in OPENSSL_CONF.
>
> I'm doing reading on the end-entity (EE) versus agent services. Automation is great but I'd like to cover the basics using the CLI. It is Linux BTW. :)
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
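The whole certutil workflow this thread pieces together, written out non-interactively as an added example (it is not code from any message above): -d points at the real NSS db directory, -N creates the db files, the password comes from Dogtag's password.conf via -f instead of the prompt, -z supplies the key-generation seed instead of keystroke timing, and -S/-R/-C from the quoted manual page produce the CA, the request and the signed certificate. All paths and names are constructed, the password.conf contents are made up, and the "internal=" key name is an assumption.

```shell
#!/bin/sh
# Added example; nothing here is taken from the list messages.
# Extract the internal token password from a Dogtag-style password.conf
# ("key=value" lines; the "internal" key name is assumed).
internal_token_password() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

WORK=$(mktemp -d)
# Constructed stand-in for /var/lib/pki-sub-ca/conf/password.conf
printf 'internal=constructed-pw\ninternaldb=other-pw\n' > "$WORK/password.conf"
internal_token_password "$WORK/password.conf" > "$WORK/pwfile"     # feeds -f
dd if=/dev/urandom of="$WORK/noise" bs=64 count=1 2>/dev/null       # feeds -z

ALIAS="$WORK/alias"   # the NSS db directory: pass THIS to -d, not its parent
mkdir -p "$ALIAS"

if command -v certutil >/dev/null 2>&1; then
    # 1. create the NSS db files; without this step -R fails with the
    #    "I/O error occurred during security authorization" seen above
    certutil -N -d "$ALIAS" -f "$WORK/pwfile"

    # 2. self-signed CA (-x), marked as a trusted issuer by the -t flags
    certutil -S -x -n testca -s "CN=Constructed Test CA" -t "CT,C,C" \
        -k rsa -g 2048 -v 24 -m 1 -d "$ALIAS" -f "$WORK/pwfile" -z "$WORK/noise"

    # 3. binary CSR for a server key; the interactive -1 -3 -6 extension
    #    prompts from the original command are left out so this runs unattended
    certutil -R -s "CN=server.example.test" -k rsa -g 2048 \
        -o "$WORK/server.req" -d "$ALIAS" -f "$WORK/pwfile" -z "$WORK/noise"

    # 4. sign the CSR with the CA key, serial 2, 12 months validity
    certutil -C -c testca -i "$WORK/server.req" -o "$WORK/server.crt" \
        -m 2 -v 12 -d "$ALIAS" -f "$WORK/pwfile"

    # 5. import the issued certificate and check it chains to the CA
    certutil -A -n server -t ",," -i "$WORK/server.crt" -d "$ALIAS"
    certutil -V -n server -u V -d "$ALIAS"
fi
```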