From rtracy at opencloudconsultants.com Wed Apr 13 21:03:17 2011
From: rtracy at opencloudconsultants.com (Rick Tracy)
Date: Wed, 13 Apr 2011 16:03:17 -0500
Subject: [Pki-users] Copying subjectAltName from request to certificate
Message-ID:

New to DogTag here. We are currently evaluating the use of DogTag in a new
project. One need that we have is to take two subjectAltName fields from the
CSR and include them in the certificate. These are both currently otherName
UTF8String types with private OIDs. We have tried customizing the profiles in
.../profiles/ca/*.cfg and have been able to get default subjectAltName fields
included in the certificate, but we have been unsuccessful in copying them
from the certificate request.

Ideally, the value of these fields would be displayed to the agent before
approving the certificate, if there is a way to do that too.

Is this possible with DogTag? If so, can anyone point me to information on
how to do this?

Thanks
Rick

From Charles.Jennings at corp.earthlink.com Thu Apr 21 13:00:27 2011
From: Charles.Jennings at corp.earthlink.com (Jennings, Charles)
Date: Thu, 21 Apr 2011 08:00:27 -0500
Subject: [Pki-users] Cisco Router and RA SCEP & PIN
References: <7D3F0A517BC6854985181FBF9D376008019DD6302E@EXCHANGEPOST01.its.local>
Message-ID:

Looking for some help: I've been beating my head over this for a few days
with no resolution:

1. Using DCS version 1.3

2. In RA SSL End User Services, perform a SCEP enrollment using the following
   information:

   a. Client IP: a user id
   b. Site ID: The IP address of the router
   c. Email: My email address

3. In RA Agent Services, approve the request and note the PIN that is
   assigned.

4. In router, generate RSA key:

   crypto key gen rsa
   Set to 1024 modulus

5. In router, create the crypto ca trustpoint as follows:

   crypto ca trustpoint CA
    enrollment mode ra
    enrollment url http://ra.test.com:12888/ee/scep/pkiclient.cgi
    crl optional

6. In router, obtain CA certificate (with no problem):

   crypto ca authenticate CA

   Certificate has the following attributes:
   Fingerprint MD5: blah blah
   Fingerprint SHA1: blah blah
   %Do you accept this certificate? [yes/no]: yes
   Trustpoint CA certificate accepted.

Here's where it all blows up:

7. Try to obtain certificate:

   crypto ca enroll CA
   %
   % Start certificate enrollment .
   % Create a challenge password. You will need to verbally provide this
     Password to the CA Administrator in order to revoke your certificate.
     For security reasons your password will not be saved in the configuration.
     Please make a note of it.

   Password: {I've tried the PIN and just any ol' password}
   Re-enter password:

   % The subject name in the certificate will include: TEST_HOST.cert-test.net
   % Include the router serial number in the subject name? [yes/no]: no {tried both}
   % Include the IP address in the subject name? [no]: no {tried both}
   Request certificate from CA? [yes/no] yes
   % Certificate request sent to Certificate Authority
   % The 'show crypto ca certificate CA verbose' command will show the fingerprint

   CRYPTO_PKI: Certificate Request Fingerprint MD5: blah blah
   CRYPTO_PKI: Certificate Request Fingerprint SHA1: blah blah

   %PKI-6-CERTFAIL: Certificate enrollment failed.

8. I have turned on debugging and found that every time it failed, I was
   being told at the end of the debugging that I was being redirected with a
   '302 Moved' to /ee/scep/installer.cgi

9. So I went in and edited the following file:

   vi ./var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi

   and commented out the following 4 lines in the file:

   # check PIN
   if (1) {
     my $pin_store = PKI::Base::PinStore->new();
     $pin_store->open($cfg);
     my $pinref = $pin_store->read_pin($key);
     if (defined($pinref) && $pinref->{'pin'} eq $pin) {
       $pin_store->delete($key);
     } else {
   #   $pin_store->close();
   #   # XXX - return SCEP error
   #   print $q->redirect("/ee/scep/installer.cgi");
   #   return;
     }
     $pin_store->close();
   }

10. I ran through the whole enrollment process again - and bang: it works.

So I know that the issue is that it can't determine the PIN that was assigned
during the RA enrollment process.

Does anyone know how I can resolve this so that PIN authentication works?

Thanks,

Charles Jennings
Network Security Engineer | Network Engineering
EarthLink Business
E: charles.jennings at corp.earthlink.com
O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294
1801 Hillyer Robinson Parkway | Anniston, AL | 36207
Deltacom is now EarthLink Business

"There is one safeguard known generally to the wise, which is an advantage
and security to all, but especially to democracies as against despots. What
is it? Distrust."
Demosthenes (c. 384-322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)

From awnuk at redhat.com Mon Apr 25 23:02:26 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 25 Apr 2011 16:02:26 -0700
Subject: [Pki-users] Cisco Router and RA SCEP & PIN
In-Reply-To:
References: <7D3F0A517BC6854985181FBF9D376008019DD6302E@EXCHANGEPOST01.its.local>
Message-ID: <4DB5FD82.4080002@redhat.com>

Is there anything interesting in your CA debug log file?
Did you verify if your request includes challenge password attribute?

Thank you,
Andrew

On 04/21/2011 06:00 AM, Jennings, Charles wrote:
> Looking for some help:
> [...]

From msauton at redhat.com Thu Apr 28 19:47:29 2011
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 28 Apr 2011 12:47:29 -0700
Subject: [Pki-users] Copying subjectAltName from request to certificate
In-Reply-To:
References:
Message-ID: <4DB9C451.7050404@redhat.com>

On 04/13/2011 02:03 PM, Rick Tracy wrote:
> New to DogTag here.
> [...]

Yes:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html

Can you share the part in your profile with the
policyset.encryptionCertSet.*.default.params.subjAlt* ?

From Charles.Jennings at corp.earthlink.com Thu Apr 28 19:48:51 2011
From: Charles.Jennings at corp.earthlink.com (Jennings, Charles)
Date: Thu, 28 Apr 2011 14:48:51 -0500
Subject: [Pki-users] Cisco Router and RA SCEP & PIN
In-Reply-To: <4DB5FD82.4080002@redhat.com>
References: <7D3F0A517BC6854985181FBF9D376008019DD6302E@EXCHANGEPOST01.its.local>
 <4DB5FD82.4080002@redhat.com>
Message-ID:

I found my issue. The IP address that was sourcing the request was not the
IP address used in requesting the SCEP.

Charles Jennings
Network Security Engineer | Network Engineering
EarthLink Business
E: charles.jennings at corp.earthlink.com
O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294
1801 Hillyer Robinson Parkway | Anniston, AL | 36207
Deltacom is now EarthLink Business

"There is one safeguard known generally to the wise, which is an advantage
and security to all, but especially to democracies as against despots. What
is it? Distrust."
Demosthenes (c. 384-322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk
Sent: Monday, April 25, 2011 6:02 PM
To: pki-users at redhat.com
Subject: Re: [Pki-users] Cisco Router and RA SCEP & PIN

Is there anything interesting in your CA debug log file?
Did you verify if your request includes challenge password attribute?

Thank you,
Andrew

On 04/21/2011 06:00 AM, Jennings, Charles wrote:
[...]

From msauton at redhat.com Thu Apr 28 19:57:14 2011
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 28 Apr 2011 12:57:14 -0700
Subject: [Pki-users] Cisco Router and RA SCEP & PIN
In-Reply-To:
References: <7D3F0A517BC6854985181FBF9D376008019DD6302E@EXCHANGEPOST01.its.local>
 <4DB5FD82.4080002@redhat.com>
Message-ID: <4DB9C69A.3070103@redhat.com>

Thanks for the update about the resolution.
M.

On 04/28/2011 12:48 PM, Jennings, Charles wrote:
> I found my issue. The IP address that was sourcing the request was not the
> IP address used in requesting the SCEP.
> [...]

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
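For Rick's question (carrying otherName SAN entries with private OIDs from the CSR into the certificate, and the subjAlt* parameters Marc asks about), here is a profile fragment added as an illustration for this page; it is not from the thread, from the linked guide, or from the DogTag source tree. It assumes the policy set is named encryptionCertSet as in Marc's reply, that policy numbers 9 and 10 are unused in that set and have been appended to the set's `.list` key, and that the User Supplied Extension Default (`userExtensionDefaultImpl`) is available in the release in use. The two parts are alternatives for the same profile, not a pair to enable together: (a) the CA builds the SAN itself from request fields, which is what the subjAlt* parameters do and is why a static value is easy but a CSR-supplied otherName is not; (b) the CA copies the requester's own SAN extension (OID 2.5.29.17) out of the CSR's extensionRequest attribute, otherName entries and private OIDs included, which is the behaviour asked for.

```ini
# Added example, not from the thread or the DogTag sources.
# Policy set name taken from Marc's reply; policy numbers 9 and 10 and the
# e-mail pattern are placeholders. Remember to add the chosen number to
# policyset.encryptionCertSet.list=... or the policy is never evaluated.

# (a) CA-built SAN: one general name whose value is substituted from the
#     request at issuance time. Only what the pattern names ends up in the
#     certificate; the CSR's own SAN extension is ignored.
policyset.encryptionCertSet.9.constraint.class_id=noConstraintImpl
policyset.encryptionCertSet.9.constraint.name=No Constraint
policyset.encryptionCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.encryptionCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.encryptionCertSet.9.default.params.subjAltNameExtCritical=false
policyset.encryptionCertSet.9.default.params.subjAltNameNumGNs=1
policyset.encryptionCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.encryptionCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.encryptionCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$

# (b) Requester-supplied SAN: copy extension 2.5.29.17 verbatim from the
#     CSR's extensionRequest attribute. Whatever general names the CSR
#     carries (including otherName with private OIDs) are signed as-is.
policyset.encryptionCertSet.10.constraint.class_id=noConstraintImpl
policyset.encryptionCertSet.10.constraint.name=No Constraint
policyset.encryptionCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.encryptionCertSet.10.default.name=User Supplied Extension Default
policyset.encryptionCertSet.10.default.params.userExtOID=2.5.29.17
```

The caveat with (b) is the one that matters to a CA operator: the CA signs whatever SAN the requester put in the CSR, and with `noConstraintImpl` nothing in the profile validates it. The agent's review of the request before approval is then the only control over those names, so the agent needs to actually look at the request's extensions (which is also what Rick asked for) rather than approve on the subject DN alone. If only specific private OIDs should ever be accepted, keep (b) off that profile and restrict it to a profile used by the clients that are entitled to those names.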
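Charles's resolution (the request arrived from a different source address than the one registered with the RA) and Andrew's two questions point at the two distinct ways the RA's PIN check can fail, which the quoted pkiclient.cgi logic folds into one bare redirect to installer.cgi. The Python below is an added illustration written for this page, not DogTag or pki-ra code: it models the quoted check (look the PIN up under a key, compare, delete on success) and separates "no PIN registered under this key" from "PIN wrong". It assumes, as the resolution suggests, that the store key is the client address the RA recorded when the agent approved the enrollment and that the RA compares it with the HTTP peer address it actually sees, after any NAT between router and RA. All addresses and PINs are constructed. It also shows what commenting out the redirect does: the check becomes advisory and any peer with any challenge password gets a certificate.

```python
"""Model of the RA-side SCEP challenge-PIN check quoted in the thread.

Added illustration, not DogTag/pki-ra code. Assumptions: the PIN store key is
the client address the RA recorded when the agent approved the request, the
PIN is single-use (deleted on a successful match, as in the quoted Perl), and
the address the RA compares against is the HTTP peer address it sees, i.e.
after any NAT between router and RA.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from enum import Enum


class PinResult(Enum):
    ACCEPTED = "accepted"          # PIN matched under this key and was consumed
    NO_PIN_FOR_KEY = "no_pin"      # nothing registered under this key (wrong source, or already used)
    PIN_MISMATCH = "pin_mismatch"  # key is known but the challenge password differs


@dataclass
class PinStore:
    """One-time PINs keyed by the address registered at RA enrollment."""
    pins: dict[str, str] = field(default_factory=dict)

    def issue(self, key: str, pin: str) -> None:
        self.pins[key] = pin

    def check_and_consume(self, key: str, pin: str) -> PinResult:
        stored = self.pins.get(key)
        if stored is None:
            return PinResult.NO_PIN_FOR_KEY
        # Constant-time comparison; the quoted Perl uses a plain `eq`.
        if not hmac.compare_digest(stored.encode(), pin.encode()):
            return PinResult.PIN_MISMATCH
        del self.pins[key]  # single use: a replay with the same PIN must fail
        return PinResult.ACCEPTED


def handle_scep_request(store: PinStore, peer_addr: str, challenge: str,
                        pin_check_enabled: bool = True) -> PinResult:
    """Outcome of one SCEP PKCSReq carrying `challenge` from `peer_addr`.

    With pin_check_enabled=False the lookup still runs (a matching PIN is
    still consumed) but its result no longer blocks issuance, which is what
    commenting out the redirect in pkiclient.cgi does.
    """
    result = store.check_and_consume(peer_addr, challenge)
    if not pin_check_enabled:
        return PinResult.ACCEPTED
    return result


def run_scenarios() -> dict[str, PinResult]:
    """Constructed scenarios mirroring the thread; returns the outcome per case."""
    store = PinStore()
    # Router address given at RA enrollment, PIN shown at agent approval (constructed).
    store.issue("10.1.1.5", "482913")
    out: dict[str, PinResult] = {}
    # Router egresses through NAT, so the RA sees 192.0.2.7: the thread's actual problem.
    out["source_mismatch"] = handle_scep_request(store, "192.0.2.7", "482913")
    # Right address, wrong challenge password.
    out["wrong_pin"] = handle_scep_request(store, "10.1.1.5", "000000")
    # Right address and PIN: issued, PIN consumed.
    out["correct"] = handle_scep_request(store, "10.1.1.5", "482913")
    # Same request again: the PIN is gone, so it now looks like an unknown key.
    out["replay"] = handle_scep_request(store, "10.1.1.5", "482913")
    # With the redirect commented out, any peer with any challenge gets through.
    store.issue("10.1.1.5", "777777")
    out["check_disabled"] = handle_scep_request(store, "198.51.100.9", "junk",
                                                pin_check_enabled=False)
    return out


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case:16s} -> {result.value}")
```

The point of separating the two outcomes is diagnostic: a `NO_PIN_FOR_KEY` on the first attempt means the RA never saw a PIN under the address it observed (source-address or NAT problem, or an approval that was never completed), while `PIN_MISMATCH` means the address is fine and the challenge password in the PKCSReq is wrong or absent, which is what Andrew's second question checks. The RA itself only emits the 302, so the distinction has to be recovered from the RA and CA debug logs. Disabling the redirect, as in step 9, is equivalent to the `check_disabled` case: the RA becomes an open enrollment endpoint for anyone who can reach port 12888.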