From fabeisageek at googlemail.com Wed Jun 1 15:21:58 2011
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Wed, 1 Jun 2011 17:21:58 +0200
Subject: [Pki-users] mapping filter.tokenATR
Message-ID:

Hi,

Anyone have some hints on ATR mapping inside the CS.conf?

I have copy and pasted the ATR of my card from the tps-debug.log to the CS.conf, i.e.:

op.enroll.mapping.2.filter.tokenATR=3B759400006202020201

It does neither match on the format nor on the enrollment mapping; it does however work if I use the CUID.
I am quite sure I have no errors on the config file. Is there anything special on the ATR parsing?

B.r.
Fabe


From helm at fionn.es.net Fri Jun 3 03:04:45 2011
From: helm at fionn.es.net (Mike Helm)
Date: Thu, 02 Jun 2011 20:04:45 -0700
Subject: [Pki-users] keygen support in RA
Message-ID: <201106030304.p5334jno022956@fionn.es.net>

I'm trying to support keygen-provisioned browsers in the RA.
I can do almost everything needed, but I can't figure out how
to get the subject name into the certificate.

I can definitely get the CA to pick up the subject name as
a parameter, but either I am not giving it the right name in the
parameter blob, or something else is amiss. What the CA does
is issue these RA-approved requests with a subject name the
same as the CA's.

(Non-keygen requests are processed differently and the subject AVAs
should be embedded in the request. It would be nice to be able
to have RA agents edit request subject names before submission, tho.)

Help me understand what to do here.

Thanks, ==mwh
Michael Helm
ESnet/LBNL


From awnuk at redhat.com Fri Jun 3 17:50:43 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 03 Jun 2011 10:50:43 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106030304.p5334jno022956@fionn.es.net>
References: <201106030304.p5334jno022956@fionn.es.net>
Message-ID: <4DE91EF3.9020901@redhat.com>

On 06/02/2011 08:04 PM, Mike Helm wrote:
>
> I'm trying to support keygen-provisioned browsers in the RA.
> I can do almost everything needed, but I can't figure out how
> to get the subject name into the certificate.
>
> I can definitely get the CA to pick up the subject name as
> a parameter, but either I am not giving it the right name in the
> parameter blob, or something else is amiss. What the CA does
> is issue these RA-approved requests with a subject name the
> same as the CA's.

Michael,

You may try to change policy from "Subject Name Default" to "User
Supplied Subject Name Default" in the profile generating your certificate.

>
> (Non-keygen requests are processed differently and the subject AVAs
> should be embedded in the request. It would be nice to be able
> to have RA agents edit request subject names before submission, tho.)

You need to customize RA's UI to add subject name components not
provided by current UI.

Thank you,
Andrew

>
> Help me understand what to do here.
>
> Thanks, ==mwh
> Michael Helm
> ESnet/LBNL
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users


From helm at fionn.es.net Fri Jun 3 18:14:05 2011
From: helm at fionn.es.net (Mike Helm)
Date: Fri, 03 Jun 2011 11:14:05 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: Your message of "Fri, 03 Jun 2011 10:50:43 PDT." <4DE91EF3.9020901@redhat.com>
Message-ID: <201106031814.p53IE5AH002129@fionn.es.net>

Andrew Wnuk writes:
> On 06/02/2011 08:04 PM, Mike Helm wrote:
> >
> > I'm trying to support keygen-provisioned browsers in the RA.
> > I can do almost everything needed, but I can't figure out how
> > to get the subject name into the certificate.
> >
> > I can definitely get the CA to pick up the subject name as
> > a parameter, but either I am not giving it the right name in the
> > parameter blob, or something else is amiss. What the CA does
> > is issue these RA-approved requests with a subject name the
> > same as the CA's.
>
> Michael,
>
> You may try to change policy from "Subject Name Default" to "User
> Supplied Subject Name Default" in the profile generating your certificate.

Thanks, I will try this.

> >
> > (Non-keygen requests are processed differently and the subject AVAs
> > should be embedded in the request. It would be nice to be able
> > to have RA agents edit request subject names before submission, tho.)
>
> You need to customize RA's UI to add subject name components not
> provided by current UI.

That is _exactly_ what I am in the midst of doing. I can do whatever
I need to do on the client (RA javascript) side, but I don't know how
to get the subject components to the CA itself - I've sent it all
kinds of things & successfully gotten it to write the certificate
subjectaltname component, but not the subject.

Our plan is to let the profile handle all the policy attributes and
only bring over the user/ee-specific content. That's our use case.

If anyone else is working on this I'd be delighted to work with you.
There are a lot of browsers we can support if we can get keygen support
out to the RA.

Thanks, ==mwh


From awnuk at redhat.com Sat Jun 4 00:41:00 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 03 Jun 2011 17:41:00 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106031814.p53IE5AH002129@fionn.es.net>
References: <201106031814.p53IE5AH002129@fionn.es.net>
Message-ID: <4DE97F1C.1000902@redhat.com>

On 06/03/2011 11:14 AM, Mike Helm wrote:
> If anyone else is working on this I'd be delighted to work with you.
> There are a lot of browsers we can support if we can get keygen support
> out to the RA.
>
> Thanks, ==mwh

Which browser are you trying to support?


From helm at fionn.es.net Sat Jun 4 03:10:40 2011
From: helm at fionn.es.net (Mike Helm)
Date: Fri, 03 Jun 2011 20:10:40 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: Your message of "Fri, 03 Jun 2011 17:41:00 PDT." <4DE97F1C.1000902@redhat.com>
Message-ID: <201106040310.p543AeQw010208@fionn.es.net>

Andrew Wnuk writes:
> Which browser are you trying to support?

Anything that has a functioning keygen tag - currently, opera, most google chrome / webkit,
safari on mac os, & some derivatives.

firefox also has keygen but it has a Mozilla crypto. method that the RA supports.

Thanks, ==mwh


From awnuk at redhat.com Mon Jun 6 16:29:02 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 06 Jun 2011 09:29:02 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106040310.p543AeQw010208@fionn.es.net>
References: <201106040310.p543AeQw010208@fionn.es.net>
Message-ID: <4DED004E.8010508@redhat.com>

On 06/03/2011 08:10 PM, Mike Helm wrote:
> Andrew Wnuk writes:
>> Which browser are you trying to support?
> Anything that has a functioning keygen tag - currently, opera, most google chrome / webkit,
> safari on mac os, & some derivatives.
>
> firefox also has keygen but it has a Mozilla crypto. method that the RA supports.
>
> Thanks, ==mwh

There are keygen samples in current RA and CA UI but they were only
tested with IE. Each platform from your list may have different
underlying crypto modules with different methods to interact with
hardware tokens and may have different preferred scripting languages
to access their crypto modules. If you find a simple way to make keygen
work across all of the above platforms, then I'll be happy to review
your patch.

Thank you,
Andrew


From helm at fionn.es.net Mon Jun 6 17:02:47 2011
From: helm at fionn.es.net (Mike Helm)
Date: Mon, 06 Jun 2011 10:02:47 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: Your message of "Mon, 06 Jun 2011 09:29:02 PDT." <4DED004E.8010508@redhat.com>
Message-ID: <201106061702.p56H2qSu006734@fionn.es.net>

Andrew Wnuk writes:
> There are keygen samples in current RA and CA UI but they were only
> tested with IE. Each platform from your list may have different

IE doesn't use keygen, it has CAPI (or whatever it's called now in
Windows 7) and makes pkcs#10 requests. I couldn't find any trace of a
keygen tag in IE 9 and I am given to understand (from some of the W3c
mailing lists) that Microsoft is opposed to it & won't implement it in
their HTML5. In any event, they're fine as-is.

Opera and Google-style webkit browsers seem to have keygen. I don't know
whether it works on all platforms they support yet. Definitely works on
Windows. (My guess is it doesn't work on MacOS.)

Safari also has keygen, but it doesn't work on windows - the tag exists
but it won't do anything. Does work on MacOS.

The tag is a browser method (one of my more knowledgeable coworkers
calls it this) and so I can't really look inside the tag & see usable
methods - just have to try and check results.

Firefox has it but it's kind of a magic tag, perhaps it's an interface
to crypto.crmf-something. It works on most platforms (not mobile
Android - this deployment completely lacks crypto.* as far as I can
tell.)

By "work" I mean it does only what it says it will do - make a key pair,
and understand that it has a private key somewhere & how to retrieve it.
I can definitely load a successfully-signed certificate into these
browsers. It may be that some options can provide a little more
capability, but I can't tell whether they're there & I don't understand
them either. I don't see one that will link more attributes to the
generated key.

The problem now is, I need to persuade the CA to sign the certificate
with a usable subject name. This I don't know how to do, & I don't
understand the CA's internal software structure (let alone the "request
architecture" or flow) well enough yet to figure out whether it can be
fixed. I can get it the key; I can get it a subjectaltname; I can
deliver the policy attributes thru the profile, but the subject name....

My hope is that the CA is fine as-is and what I need to do is adjust the
policy or learn some more about the request API so I can feed it the
subject name in a manner it can understand - that would mean a patch to
the RA perl libraries. Otherwise, need to modify something in the CA.

Thanks, ==mwh
Michael Helm
ESnet/LBNL


From helm at fionn.es.net Wed Jun 8 16:33:09 2011
From: helm at fionn.es.net (Mike Helm)
Date: Wed, 08 Jun 2011 09:33:09 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: Your message of "Mon, 06 Jun 2011 10:02:47 PDT." <201106061702.p56H2qSu006734@fionn.es.net>
Message-ID: <201106081633.p58GX9s7022376@fionn.es.net>

Mike Helm writes:
> Andrew Wnuk writes:
> > There are keygen samples in current RA and CA UI but they were only

We're good.

My colleague, who understands the CA & the profile framework, added
a subject parameter & extended the profile we were using; I added
this parameter to the package I was posting to the CA, so the CA
now picks up the right subject name and signs good certificates.

I believe the UI on the CA will support keygen platforms, but the
RA wasn't doing this. The CA may not support them well or completely
but I think it supported the one that is the most important to us
(Safari on MacOS). The RA didn't, tho, which was not good.

I need to do some housecleaning before I provide a patch. I think the
things we did could be generalized but at the moment we are only
interested in some very basic certificate attributes & that is probably
as much as I will do. I would certainly like to have a review &
advice on the best way to do this - more in a few weeks.

Thanks, ==mwh
Michael Helm
ESnet/LBNL


From awnuk at redhat.com Wed Jun 8 21:19:48 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 08 Jun 2011 14:19:48 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106081633.p58GX9s7022376@fionn.es.net>
References: <201106081633.p58GX9s7022376@fionn.es.net>
Message-ID: <4DEFE774.4030209@redhat.com>

On 06/08/2011 09:33 AM, Mike Helm wrote:
> We're good.
>
> My colleague, who understands the CA & the profile framework, added
> a subject parameter & extended the profile we were using; I added
> this parameter to the package I was posting to the CA, so the CA
> now picks up the right subject name and signs good certificates.
>
> I believe the UI on the CA will support keygen platforms, but the
> RA wasn't doing this. The CA may not support them well or completely
> but I think it supported the one that is the most important to us
> (Safari on MacOS).

Will Safari on iPad work in a similar way?


From helm at fionn.es.net Wed Jun 8 21:46:36 2011
From: helm at fionn.es.net (Mike Helm)
Date: Wed, 08 Jun 2011 14:46:36 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: Your message of "Wed, 08 Jun 2011 14:19:48 PDT." <4DEFE774.4030209@redhat.com>
Message-ID: <201106082146.p58Lka8Y000448@fionn.es.net>

Andrew Wnuk writes:
> Will Safari on iPad work in a similar way?

ipad/iphone seems to lack crypto services - there's nothing presented
by , & no keys are generated. I don't find any UI for certificate
management either but I don't know very much about this platform.

We suspect Apple is going to (or maybe does) support certificates by
generating keys, signing, & pushing to the device. I'd like to be
wrong about all of this - if we had some certificate UI we could
start supporting this platform in some capacity, which would be very
welcome.

Thanks, ==mwh


From awnuk at redhat.com Wed Jun 8 22:33:33 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 08 Jun 2011 15:33:33 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106082146.p58Lka8Y000448@fionn.es.net>
References: <201106082146.p58Lka8Y000448@fionn.es.net>
Message-ID: <4DEFF8BD.5040903@redhat.com>

On 06/08/2011 02:46 PM, Mike Helm wrote:
> Andrew Wnuk writes:
>> Will Safari on iPad work in a similar way?
> ipad/iphone seems to lack crypto services - there's nothing presented
> by , & no keys are generated. I don't find any UI for certificate
> management either but I don't know very much about this platform.
>
> We suspect Apple is going to (or maybe does) support certificates by
> generating keys, signing, & pushing to the device. I'd like to be
> wrong about all of this - if we had some certificate UI we could
> start supporting this platform in some capacity, which would be very
> welcome.
>
> Thanks, ==mwh

I saw some references on the net saying that iPad could use SCEP
protocol to deploy certificates.
(http://images.apple.com/ipad/business/pdf/iPad_Deployment_Scenarios.pdf)
Have you tried this?

Thank you,
Andrew


From helm at fionn.es.net Wed Jun 8 23:22:09 2011
From: helm at fionn.es.net (Mike Helm)
Date: Wed, 08 Jun 2011 16:22:09 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: Your message of "Wed, 08 Jun 2011 15:33:33 PDT." <4DEFF8BD.5040903@redhat.com>
Message-ID: <201106082322.p58NM9DF004161@fionn.es.net>

Andrew Wnuk writes:
> I saw some references on the net saying that iPad could use SCEP
> protocol to deploy certificates.
> (http://images.apple.com/ipad/business/pdf/iPad_Deployment_Scenarios.pdf)
> Have you tried this?

No we haven't but thanks for that tip - will definitely look into this.

My _guess_ at this point is that the platform can't generate the keys,
it needs to get them from somewhere else. Having never used SCEP I don't
know if the ipad platform can use a bare key pair to craft a signed SCEP
request or not. Otherwise, I read the page as discussing various methods
the ipad can use to download a certificate from a smarter one - like your
Mac laptop. However, the page doesn't seem to distinguish the private key
handling from cert handling, so....

Hand-me-down certificates fit our working scenarios today but we'll soon
have customers that want to conduct these transactions directly on their
mobile platform. I think that'll mean we have to have a key pair
generator or some other trusted service.

Thanks, ==mwh


From dpal at redhat.com Wed Jun 8 23:27:52 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Jun 2011 19:27:52 -0400
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106082322.p58NM9DF004161@fionn.es.net>
References: <201106082322.p58NM9DF004161@fionn.es.net>
Message-ID: <4DF00578.5060901@redhat.com>

On 06/08/2011 07:22 PM, Mike Helm wrote:
> My _guess_ at this point is that the platform can't generate the keys,
> it needs to get them from somewhere else. Having never used SCEP I don't
> know if the ipad platform can use a bare key pair to craft a signed SCEP
> request or not. Otherwise, I read the page as discussing various methods
> the ipad can use to download a certificate from a smarter one - like your
> Mac laptop. However, the page doesn't seem to distinguish the private key
> handling from cert handling, so....
>
> Hand-me-down certificates fit our working scenarios today but we'll soon
> have customers that want to conduct these transactions directly on their
> mobile platform. I think that'll mean we have to have a key pair
> generator or some other trusted service.
>
> Thanks, ==mwh

I wonder if certmonger would be useful in this case. It can request
certificates on behalf of other constituents. It definitely works with
IPA but it might not work with raw Dogtag. Would you consider evaluating
this approach?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From awnuk at redhat.com Wed Jun 8 23:43:06 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 08 Jun 2011 16:43:06 -0700
Subject: [Pki-users] keygen support in RA
In-Reply-To: <201106082322.p58NM9DF004161@fionn.es.net>
References: <201106082322.p58NM9DF004161@fionn.es.net>
Message-ID: <4DF0090A.4030103@redhat.com>

On 06/08/2011 04:22 PM, Mike Helm wrote:
> My _guess_ at this point is that the platform can't generate the keys,
> it needs to get them from somewhere else. Having never used SCEP I don't
> know if the ipad platform can use a bare key pair to craft a signed SCEP
> request or not. Otherwise, I read the page as discussing various methods
> the ipad can use to download a certificate from a smarter one - like your
> Mac laptop. However, the page doesn't seem to distinguish the private key
> handling from cert handling, so....

Here is an interesting quote from above pdf file:

... iPad generates a certificate enrollment request using the SCEP
protocol. This SCEP enrollment request talks directly to the enterprise
certificate authority and enables iPad to receive the identity
certificate from the certificate authority in response. ...

which means that it follows SCEP (included in Dogtag) and general PKI rules.

Thank you,
Andrew


From mmercier at gmail.com Tue Jun 14 12:24:04 2011
From: mmercier at gmail.com (Mike Mercier)
Date: Tue, 14 Jun 2011 08:24:04 -0400
Subject: [Pki-users] Migration from tinyca to DogTag
Message-ID:

Hello,

I have a system setup currently running tinyca and would like to migrate
it to DogTag. Has anyone ever successfully managed to do this? Is this
even possible? I would like to keep all existing certificates (and
revoked) intact.

I did a quick search on Google and didn't seem to find any relevant results.

Thanks,
Mike


From jdemarchi at iseek.com.au Thu Jun 23 03:35:03 2011
From: jdemarchi at iseek.com.au (Julian De Marchi)
Date: Thu, 23 Jun 2011 13:35:03 +1000
Subject: [Pki-users] dogtag virtual image
Message-ID: <4E02B467.80005@iseek.com.au>

heya--

I would like to test dogtag for my company. I was wondering if there is
some sort of virtual appliance of dogtag that one can simply run to test
with.

--julian


From kchamart at redhat.com Thu Jun 23 04:58:59 2011
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Thu, 23 Jun 2011 10:28:59 +0530
Subject: [Pki-users] dogtag virtual image
In-Reply-To: <4E02B467.80005@iseek.com.au>
References: <4E02B467.80005@iseek.com.au>
Message-ID: <4E02C813.6000208@redhat.com>

On 06/23/2011 09:05 AM, Julian De Marchi wrote:
> heya--
>
> I would like to test dogtag for my company. I was wondering if there is
> some sort of virtual appliance of dogtag that one can simply run to test
> with.

Julian, not that I know of. But you can install and configure a basic
Certificate Authority in around 20 minutes.

Though not perfect, for starters you can take a look at this for
install/configuring dogtag --
https://fedoraproject.org/wiki/QA:Testcase_Dogtag_Certificate_System_Configure

--
/kashyap


From jdemarchi at iseek.com.au Thu Jun 23 05:18:44 2011
From: jdemarchi at iseek.com.au (Julian De Marchi)
Date: Thu, 23 Jun 2011 15:18:44 +1000
Subject: [Pki-users] dogtag virtual image
In-Reply-To: <4E02C813.6000208@redhat.com>
References: <4E02B467.80005@iseek.com.au> <4E02C813.6000208@redhat.com>
Message-ID: <4E02CCB4.3080004@iseek.com.au>

> Though not perfect, for starters you can take a look at this for
> install/configuring dogtag --
> https://fedoraproject.org/wiki/QA:Testcase_Dogtag_Certificate_System_Configure

This is a great guide for testing purposes. Can't believe I missed it....

Thanks, it has helped me a lot!

--
Julian De Marchi
Systems Engineer
(p) 1300 661 668
(f) 1300 661 540
(e) jdemarchi at iseek.com.au
http://www.iseek.com.au
46 Logan Road Woolloongabba QLD 4102


From jdemarchi at iseek.com.au Thu Jun 23 07:14:44 2011
From: jdemarchi at iseek.com.au (Julian De Marchi)
Date: Thu, 23 Jun 2011 17:14:44 +1000
Subject: [Pki-users] Adding new admin using certs
Message-ID: <4E02E7E4.3030107@iseek.com.au>

heya--

I am trying to add a new user to the system. I assume I need to issue a
cert for the user, but I am struggling to find info for doing this.

Can someone point me in the correct direction for reading about how to
do this?

Many thanks!

--julian


From awnuk at redhat.com Thu Jun 23 15:44:50 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 23 Jun 2011 08:44:50 -0700
Subject: [Pki-users] Adding new admin using certs
In-Reply-To: <4E02E7E4.3030107@iseek.com.au>
References: <4E02E7E4.3030107@iseek.com.au>
Message-ID: <4E035F72.5000004@redhat.com>

On 06/23/2011 12:14 AM, Julian De Marchi wrote:
> heya--
>
> I am trying to add a new user to the system. I assume I need to issue a
> cert for the user, but I am struggling to find info for doing this.
>
> Can someone point me in the correct direction for reading about how to
> do this?
>
> Many thanks!
>
> --julian
>

Start console, go to "Users and Groups" and add agent or admin.

Thank you,
Andrew


From alee at redhat.com Thu Jun 23 16:46:07 2011
From: alee at redhat.com (Ade Lee)
Date: Thu, 23 Jun 2011 12:46:07 -0400
Subject: [Pki-users] Adding new admin using certs
In-Reply-To: <4E035F72.5000004@redhat.com>
References: <4E02E7E4.3030107@iseek.com.au> <4E035F72.5000004@redhat.com>
Message-ID: <1308847568.10312.36.camel@localhost.localdomain>

The RHCS 8.1 documentation is pretty complete and mostly applicable to
dogtag.

http://docs.redhat.com/docs/en-US/index.html

Go to Red Hat Certificate System/ 8.1/ Admin Guide

Ade


From awnuk at redhat.com Thu Jun 23 17:21:21 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 23 Jun 2011 10:21:21 -0700
Subject: [Pki-users] Adding new admin using certs
In-Reply-To: <1308847568.10312.36.camel@localhost.localdomain>
References: <4E02E7E4.3030107@iseek.com.au> <4E035F72.5000004@redhat.com> <1308847568.10312.36.camel@localhost.localdomain>
Message-ID: <4E037611.2010803@redhat.com>

On 06/23/2011 09:46 AM, Ade Lee wrote:
> The RHCS 8.1 documentation is pretty complete and mostly applicable to
> dogtag.
>
> http://docs.redhat.com/docs/en-US/index.html
>
> Go to Red Hat Certificate System/ 8.1/ Admin Guide

http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/index.html


From jdemarchi at iseek.com.au Thu Jun 23 22:50:38 2011
From: jdemarchi at iseek.com.au (Julian De Marchi)
Date: Fri, 24 Jun 2011 08:50:38 +1000
Subject: [Pki-users] Adding new admin using certs
In-Reply-To: <1308847568.10312.36.camel@localhost.localdomain>
References: <4E02E7E4.3030107@iseek.com.au> <4E035F72.5000004@redhat.com> <1308847568.10312.36.camel@localhost.localdomain>
Message-ID: <4E03C33E.2010900@iseek.com.au>

On 06/24/2011 02:46 AM, Ade Lee wrote:
> The RHCS 8.1 documentation is pretty complete and mostly applicable to
> dogtag.
>
> http://docs.redhat.com/docs/en-US/index.html
>
> Go to Red Hat Certificate System/ 8.1/ Admin Guide

Thanks for all who pointed this out to me. Again, exactly what I was after. :)

--julian


From karmen.lei at gmail.com Mon Jun 27 17:54:49 2011
From: karmen.lei at gmail.com (Karmen Lei)
Date: Mon, 27 Jun 2011 12:54:49 -0500
Subject: [Pki-users] Using a different directory server
Message-ID: <70E7D4C9-BAB0-4254-A783-73AAC7780A0F@gmail.com>

Hi,

While I can get the DogTag PKI to work with 389 Directory Server, I have
trouble using a different directory server: I get missing entries in the
access log for "cn=ldbm database,cn=plugins,cn=config". Can someone tell
me what the requirements are if I want to switch to using another
directory server for DogTag PKI?

Thanks in advance...

Karmen


From dhiva at es.net Tue Jun 28 01:09:17 2011
From: dhiva at es.net (dhiva)
Date: Mon, 27 Jun 2011 18:09:17 -0700
Subject: [Pki-users] Using a different directory server
In-Reply-To: <70E7D4C9-BAB0-4254-A783-73AAC7780A0F@gmail.com>
References: <70E7D4C9-BAB0-4254-A783-73AAC7780A0F@gmail.com>
Message-ID: <4E0929BD.60308@es.net>

I believe 'VLV' details go in here. Virtual list, which represents
indexed results.
The CA configuration usually creates all the required entries here.
vlv.ldif and vlvtasks.ldif under /conf should tell you
what is required.

I always go thru the CA install and configuration, just before creating
a key pair, and stop. So I can get a usable ldap instance as a backup.

thanks
dhiva


From alee at redhat.com Wed Jun 29 14:51:15 2011
From: alee at redhat.com (Ade Lee)
Date: Wed, 29 Jun 2011 10:51:15 -0400
Subject: [Pki-users] Using a different directory server
In-Reply-To: <4E0929BD.60308@es.net>
References: <70E7D4C9-BAB0-4254-A783-73AAC7780A0F@gmail.com> <4E0929BD.60308@es.net>
Message-ID: <1309359075.7351.10.camel@localhost.localdomain>

dhiva,

That's an interesting approach to getting an ldap backup. Another option
you should consider is setting up a clone. The clone database will use
the same baseDN as the master system, and will set up replication
agreements to automatically sync up the instances. You can even turn
off the clone PKI instance to run as a cold standby if you wanted.

Karmen,

All the schema, indexes and so on used by dogtag will be in the ldif
files in $instance_path/conf/*.ldif. Some of these - like the indexes
or vlv indexes - will rely on 389-related structure. You could try
tweaking these ldif files before starting your installation to use the
relevant structures in your db.

Ade


From karmen.lei at gmail.com Wed Jun 29 15:03:00 2011
From: karmen.lei at gmail.com (Karmen Lei)
Date: Wed, 29 Jun 2011 10:03:00 -0500
Subject: [Pki-users] Using a different directory server
In-Reply-To: <1309359075.7351.10.camel@localhost.localdomain>
References: <70E7D4C9-BAB0-4254-A783-73AAC7780A0F@gmail.com> <4E0929BD.60308@es.net> <1309359075.7351.10.camel@localhost.localdomain>
Message-ID: <7AAF5B6D-B95F-4569-8484-2EA344D18220@gmail.com>

Hi Ade and Dhiva,

Thanks a lot for your input. I was able to migrate the schema files over
to my directory and DogTag seems to be working fine after pointing to my
directory. I will migrate the indexes and vlv indexes too, forgot to do
that :-p

I will not try to use the DogTag config wizard to point to the new
directory right away because there's no way for me to emulate the Redhat
DS config in my server; I was too stubborn on trying to make the DogTag
config work with my directory.

Karmen
>>> >>> Karmen >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From harshanahnd at gmail.com Thu Jun 30 11:45:23 2011 From: harshanahnd at gmail.com (Harshana Porawagama) Date: Thu, 30 Jun 2011 17:15:23 +0530 Subject: [Pki-users] Certificates renewed without the confirmation from a RA Agent Message-ID: Hi, When renewing a certificate that is issued by RA the process is, SSL End User Certificates >> User Enrollment >> Renewal - User and click on the Renewal button. What I observed is that the RA subsystem renew the certificates without a confirmation from a RA Agent. When logged in as RA agent and check the status of requests, it displays as, renewal APPROVED agents test at techcert.lk 2011-6-30 12:42:10 0 It seems like approved from an agent. Does anybody know how to fix this issue ? Regards, Harshana -------------- next part -------------- An HTML attachment was scrubbed... URL:
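For the "Using a different directory server" thread above (Ade's point that the index and VLV entries in $instance_path/conf/*.ldif depend on 389 DS structure), here is an added example, not Dogtag's own code, that parses such LDIF and reports which entries are tied to 389 DS and which are plain schema/data that should carry over to another directory. The sample LDIF, the DNs in it and the dc=example,dc=com suffix are constructed for illustration.

```python
# Added example (not Dogtag's own code) for the "Using a different directory
# server" thread above: it flags which entries in $instance_path/conf/*.ldif
# depend on 389 DS internals. The sample LDIF is constructed for illustration.
from collections import defaultdict
DS_CONFIG_SUFFIX = "cn=ldbm database,cn=plugins,cn=config"  # 389 DS config subtree
DS_ONLY_CLASSES = {"nsindex", "vlvsearch", "vlvindex"}       # 389 DS-only classes

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # RFC 2849 folded line
        else:
            lines.append(raw)
    entries, dn, cur = [], None, None
    for line in lines + [""]:           # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, cur))
            dn, cur = None, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn, cur = value, defaultdict(list)
        elif cur is not None:
            cur[attr].append(value)
    return entries

def classify(text):
    """Split DNs into 'portable' and 'ds_specific' (389 config subtree or 389-only class)."""
    report = {"portable": [], "ds_specific": []}
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        tied = dn.lower().endswith(DS_CONFIG_SUFFIX) or bool(classes & DS_ONLY_CLASSES)
        report["ds_specific" if tied else "portable"].append(dn)
    return report

SAMPLE_LDIF = """\
dn: cn=serialno,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex

dn: cn=allCerts-pki-ca,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvSearch
vlvBase: ou=certificateRepository,ou=ca,
 dc=example,dc=com

dn: ou=certificateRepository,ou=ca,dc=example,dc=com
objectClass: organizationalUnit
"""
```

Running `classify(open(path).read())` over each conf/*.ldif file lists the entries that must be re-expressed in the target directory's own index and VLV mechanism before pointing Dogtag at it.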