From mmercier at gmail.com Wed Sep 7 15:31:44 2011
From: mmercier at gmail.com (Mike Mercier)
Date: Wed, 7 Sep 2011 11:31:44 -0400
Subject: [Pki-users] Dogtag pki-ca-1.1.0-1.fc10
Message-ID:

Hello,

I am attempting to migrate a Dogtag installation to a new system. I have been looking through the RHCS documentation and was wondering what version of RHCS is closest to Dogtag 1.1.0-1.fc10?

Thanks,
Mike


From alexander.w.jung at gmail.com Thu Sep 8 15:31:01 2011
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Thu, 8 Sep 2011 17:31:01 +0200
Subject: [Pki-users] cloning a CA fails
Message-ID:

Hello,

I am trying to clone a 1.3.6 Dogtag on Fedora 13 to a 9.0.11.1 Dogtag on Fedora 15 (in order to migrate from F13 to F15).

I was stuck at the LDAP setup until I read the documentation and entered the FQDN instead of localhost.

The next step, the creation of the local SSL server certificate, fails. The debug log of the pki instance on F15 says:

[*10:26][http-9455-4]: panel name=subjectname
[*10:26][http-9455-4]: total number of panels=19
[*10:53][http-9455-4]: WizardServlet: process
[*10:53][http-9455-4]: WizardServlet:service() uri = /ca/admin/console/config/wizard
[*10:53][http-9455-4]: WizardServlet::service() param name='p' value='11'
[*10:53][http-9455-4]: WizardServlet::service() param name='op' value='next'
[*10:53][http-9455-4]: WizardServlet::service() param name='sslserver_nick' value='Server-Cert cert-ca4-test3'
[*10:53][http-9455-4]: WizardServlet::service() param name='sslserver' value='CN=ca4p-adm3.ind.allianz,o=clone'
[*10:53][http-9455-4]: WizardServlet: op=next
[*10:53][http-9455-4]: WizardServlet: size=19
[*10:53][http-9455-4]: WizardServlet: in next 11
[*10:53][http-9455-4]: NamePanel: in update()
[*10:53][http-9455-4]: NamePanel: clone configuration detected
[*10:53][http-9455-4]: NamePanel: configCertWithTag start
[*10:53][http-9455-4]: NamePanel: configCertWithTag ct=signing tag=sslserver
[*10:53][http-9455-4]: NamePanel: configCertWithTag ct=ocsp_signing tag=sslserver
[*10:53][http-9455-4]: NamePanel: configCertWithTag ct=sslserver tag=sslserver
[*10:53][http-9455-4]: configCertWithTag: Setting nickname for sslserver to Server-Cert cert-ca4-test3
[*10:53][http-9455-4]: NamePanel: configCert called
[*10:53][http-9455-4]: NamePanel: in configCert caType is local
[*10:53][http-9455-4]: NamePanel: subsystem ca
[*10:53][http-9455-4]: NamePanel: updateConfig() for certTag sslserver
[*10:53][http-9455-4]: NamePanel: updateConfig() done
[*10:53][http-9455-4]: Creating local certificate... certTag=sslserver
[*10:53][http-9455-4]: Repository: in getNextSerialNumber.
[*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
[*10:53][http-9455-4]: masterConn is connected: true
[*10:53][http-9455-4]: getConn: conn is connected true
[*10:53][http-9455-4]: getConn: mNumConns now 2
[*10:53][http-9455-4]: Repository: getSerialNumber.
[*10:53][http-9455-4]: returnConn: mNumConns now 3
[*10:53][http-9455-4]: Repository: in InitCache
[*10:53][http-9455-4]: Repository: Instance of Certificate Repository.
[*10:53][http-9455-4]: Repository: minSerial fec0001 maxSerial: fed0000
[*10:53][http-9455-4]: CertificateRepository: in getLastSerialNumberInRange: low 267124737 high 267190272
[*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
[*10:53][http-9455-4]: masterConn is connected: true
[*10:53][http-9455-4]: getConn: conn is connected true
[*10:53][http-9455-4]: getConn: mNumConns now 2
[*10:53][http-9455-4]: In findCertRecordsInList with Jumpto 267190272
[*10:53][http-9455-4]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certstatus=*) attrs: null pageSize -5 startFrom 09267190272
[*10:53][http-9455-4]: returnConn: mNumConns now 3
[*10:53][http-9455-4]: getEntries returning 6
[*10:53][http-9455-4]: mTop 886
[*10:53][http-9455-4]: Getting Virtual List size: 892
[*10:53][http-9455-4]: CertificateRepository:getLastSerialNumberInRange: recList size 892
[*10:53][http-9455-4]: CertificateRepository:getLastSerialNumberInRange: ltSize 892
[*10:53][http-9455-4]: getElementAt: 0 mTop 886
[*10:53][http-9455-4]: reverse direction getting index 5
[*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: serialno 10990
[*10:53][http-9455-4]: getElementAt: 1 mTop 886
[*10:53][http-9455-4]: reverse direction getting index 4
[*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: serialno 10989
[*10:53][http-9455-4]: getElementAt: 2 mTop 886
[*10:53][http-9455-4]: reverse direction getting index 3
[*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: serialno 10988
[*10:53][http-9455-4]: getElementAt: 3 mTop 886
[*10:53][http-9455-4]: reverse direction getting index 2
[*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: serialno 10987
[*10:53][http-9455-4]: getElementAt: 4 mTop 886
[*10:53][http-9455-4]: reverse direction getting index 1
[*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: serialno 10986
[*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: returning 267124736
[*10:53][http-9455-4]: Repository: mLastSerialNo: 267124736
[*10:53][http-9455-4]: Repository: getNextSerialNumber: returning retSerial 267124737
[*10:53][http-9455-4]: Creating local certificate... issuerdn=CN=Certificate Authority,OU=ca4-test1,O=CA4 Test fuer VI-Test
[*10:53][http-9455-4]: Creating local certificate... dn=CN=ca4p-adm3.ind.allianz,o=clone
[*10:53][http-9455-4]: Cert Template: [
  Version: V3
  Subject: CN=ca4p-adm3.ind.allianz,O=clone
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key: RSA Public Key
  Algorithm: RSA
  modulus:
  00b7c180 23fad71a ab335e29 88316908 2f9deaf3 7d3e5b0d 84872c66 10511ebd
  aa3c6053 bd2d2c19 134ab3f6 33ef8d4f a424dba0 2ae2bcc6 637274fa be0219de
  3e62b73a 490bd2b9 83fd4236 ccb50741 14308bbb 7d5566cc 80139961 b39eb23a
  9ab11c9b 08356428 665c54d0 c65c46c9 4d4a340d 1ac47688 86d425f6 fc8b5521
  1aa420be 8ac1aae4 3f870ac2 b31fa7b3 023c8cb9 10a6b60f a39282b5 49d33042
  acf1deca 6c2b2bf3 44b0484f f02b8f4c 640d8822 f762e7f4 99fed751 43d05f34
  fd54fedd 70d770f5 b4c52478 dda19027 18e94df3 3fc901e5 0182384c 8d61da0a
  35a29bc4 3bd93836 246ebfdb b65853de 07d3d0bf eb103e85 0a4e3e89 a7008207
  3b

  publicExponent:
  010001

  Validity: [From: *:10:53 CEST 2011,
             To: *:10:53 CEST 2011]
  Issuer: CN=Certificate Authority,OU=ca4-test1,O=CA4 Test fuer VI-Test
  SerialNumber: [ 0fec0001 ]

]
[*10:53][http-9455-4]: CertUtil: createLocalRequest for serial: 267124737
[*10:53][http-9455-4]: Repository: in getNextSerialNumber.
[*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
[*10:53][http-9455-4]: masterConn is connected: true
[*10:53][http-9455-4]: getConn: conn is connected true
[*10:53][http-9455-4]: getConn: mNumConns now 2
[*10:53][http-9455-4]: Repository: getSerialNumber.
[*10:53][http-9455-4]: returnConn: mNumConns now 3
[*10:53][http-9455-4]: Repository: in InitCache
[*10:53][http-9455-4]: Repository: Instance of Request Repository or CRLRepository.
[*10:53][http-9455-4]: Repository: minSerial 9800001 maxSerial: 9810000
[*10:53][http-9455-4]: RequestRepository: in getLastSerialNumberInRange: min 9800001 max 9810000
[*10:53][http-9455-4]: RequestRepository: mRequestQueue com.netscape.cmscore.request.RequestQueue at 5ee771f3
[*10:53][http-9455-4]: RequestRepository: about to call mRequestQueue.getLastRequestIdInRange
[*10:53][http-9455-4]: RequestQueue: getLastRequestId: low 9800001 high 9810000
[*10:53][http-9455-4]: RequestQueue: getLastRequestId: filter (requeststate=*) fromId 9810000
[*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
[*10:53][http-9455-4]: masterConn is connected: true
[*10:53][http-9455-4]: getConn: conn is connected true
[*10:53][http-9455-4]: getConn: mNumConns now 2
[*10:53][http-9455-4]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom 079810000
[*10:53][http-9455-4]: returnConn: mNumConns now 3
[*10:54][http-9455-4]: getEntries returning 6
[*10:54][http-9455-4]: mTop 889
[*10:54][http-9455-4]: Getting Virtual List size: 904
[*10:54][http-9455-4]: RequestQueue: getLastRequestId: size 904
[*10:54][http-9455-4]: RequestQueue: getSizeBeforeJumpTo: 895
[*10:54][http-9455-4]: getElementAt: 0 mTop 889
[*10:54][http-9455-4]: reverse direction getting index 4
[*10:54][http-9455-4]: RequestQueue: curReqId: 894
[*10:54][http-9455-4]: getElementAt: 2 mTop 889
[*10:54][http-9455-4]: reverse direction getting index 3
[*10:54][http-9455-4]: RequestQueue: curReqId: 893
[*10:54][http-9455-4]: getElementAt: 3 mTop 889
[*10:54][http-9455-4]: reverse direction getting index 2
[*10:54][http-9455-4]: RequestQueue: curReqId: 892
[*10:54][http-9455-4]: getElementAt: 4 mTop 889
[*10:54][http-9455-4]: reverse direction getting index 1
[*10:54][http-9455-4]: RequestQueue: curReqId: 891
[*10:54][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: returning 9800000
[*10:54][http-9455-4]: Repository: mLastSerialNo: 9800000
[*10:54][http-9455-4]: Repository: getNextSerialNumber: returning retSerial 9800001
[*10:54][http-9455-4]: certUtil: newRequest called
[*10:54][http-9455-4]: certUtil: calling setRequestStatus
[*10:54][http-9455-4]: CertUtil profile name= serverCert.profile
[*10:54][http-9455-4]: AuthInfoAccess: createExtension i=0
[*10:54][http-9455-4]: CertUtil::createSelfSignedCert() - CA private key is null!
java.io.IOException: CA private key is null
        at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:401)
        at com.netscape.cms.servlet.csadmin.NamePanel.configCert(NamePanel.java:560)
        at com.netscape.cms.servlet.csadmin.NamePanel.configCertWithTag(NamePanel.java:649)
        at com.netscape.cms.servlet.csadmin.NamePanel.update(NamePanel.java:747)
        at com.netscape.cms.servlet.wizard.WizardServlet.goNextApply(WizardServlet.java:315)
        at com.netscape.cms.servlet.wizard.WizardServlet.goNext(WizardServlet.java:294)
        at com.netscape.cms.servlet.wizard.WizardServlet.handleRequest(WizardServlet.java:490)
        at org.apache.velocity.servlet.VelocityServlet.doRequest(VelocityServlet.java:365)
        at org.apache.velocity.servlet.VelocityServlet.doPost(VelocityServlet.java:332)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.netscape.cms.servlet.filter.AdminRequestFilter.doFilter(AdminRequestFilter.java:105)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:679)
[*10:54][http-9455-4]: NamePanel configCert() exception caught:java.io.IOException: CA private key is null
[*10:54][http-9455-4]: NamePanel configCert: failed to add metainfo. Exception: java.lang.NullPointerException

I imported all the certs from the master CA through the master p12-export and also by single cert&key export (pk12util) and tried the setup several times from scratch.
I have no idea how to fix that. Can somebody please give me a hint?

Kind regards,

Alexander Jung


From alee at redhat.com Thu Sep 8 15:47:45 2011
From: alee at redhat.com (Ade Lee)
Date: Thu, 08 Sep 2011 11:47:45 -0400
Subject: [Pki-users] cloning a CA fails
In-Reply-To:
References:
Message-ID: <1315496865.8199.137.camel@localhost.localdomain>

The error you specify indicates that the certs and keys were in fact not imported from the master.

You can confirm this by looking at which keys and certs are in your nss db.

certutil -L -d /var/lib/clone_instance/alias

The right way to extract the keys from the master is to use PKCS12Export. Export the keys and place the resulting PK12 file in the alias directory (/var/lib/clone_instance/alias) and make sure it is readable by pkiuser. I usually just chown the file to pkiuser.
You will be prompted for the filename (just the base name - so for /var/lib/clone_instance/alias/foo.p12 -- you would enter foo.p12) and password on the Key Restore Panel.

At this point, you will likely need to restart the clone installation from scratch to make sure everything is clean.

If that does not work, zip up and attach the full master and clone debug logs.

Ade

On Thu, 2011-09-08 at 17:31 +0200, Alexander Jung wrote:
> Hello,
>
> I am trying to clone a 1.3.6 Dogtag on Fedora 13 to a 9.0.11.1 Dogtag on
> Fedora 15 (in order to migrate from F13 to F15).
>
> I was stuck at the LDAP setup until I read the documentation and entered
> the FQDN instead of localhost.
>
> The next step, the creation of the local SSL server certificate,
> fails. The debug log of the pki instance on F15 says:
> [...]


From kchamart at redhat.com Thu Sep 8 16:19:57 2011
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Thu, 08 Sep 2011 21:49:57 +0530
Subject: [Pki-users] cloning a CA fails
In-Reply-To: <1315496865.8199.137.camel@localhost.localdomain>
References: <1315496865.8199.137.camel@localhost.localdomain>
Message-ID: <4E68EB2D.7090903@redhat.com>

On 09/08/2011 09:17 PM, Ade Lee wrote:
> The error you specify indicates that the certs and keys were in fact not
> imported from the master.
>
> You can confirm this by looking at which keys and certs are in your nss
> db.
>
> certutil -L -d /var/lib/clone_instance/alias
>
> The right way to extract the keys from the master is to use
> PKCS12Export. Export the keys and place the resulting PK12 file in the
> alias directory (/var/lib/clone_instance/alias) and make sure it is
> readable by pkiuser. I usually just chown the file to pkiuser. You
> will be prompted for the filename (just the base name - so for
> /var/lib/clone_instance/alias/foo.p12 -- you would enter foo.p12) and
> password on the Key Restore Panel.
>
> At this point, you will likely need to restart the clone installation
> from scratch to make sure everything is clean.
>
> If that does not work, zip up and attach the full master and clone debug
> logs.

Yep. Just to extend what Ade said above, I posted my cloning methodology here. Let us know if that works for you.

https://www.redhat.com/archives/pki-users/2009-October/msg00006.html

--
/kashyap

>
> Ade
>
>
> On Thu, 2011-09-08 at 17:31 +0200, Alexander Jung wrote:
>> [...]
>> java.io.IOException: CA private key is null >> at >> com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:401) >> at >> com.netscape.cms.servlet.csadmin.NamePanel.configCert(NamePanel.java:560) >> at >> com.netscape.cms.servlet.csadmin.NamePanel.configCertWithTag(NamePanel.java:649) >> at >> com.netscape.cms.servlet.csadmin.NamePanel.update(NamePanel.java:747) >> at >> com.netscape.cms.servlet.wizard.WizardServlet.goNextApply(WizardServlet.java:315) >> at >> com.netscape.cms.servlet.wizard.WizardServlet.goNext(WizardServlet.java:294) >> at >> com.netscape.cms.servlet.wizard.WizardServlet.handleRequest(WizardServlet.java:490) >> at >> org.apache.velocity.servlet.VelocityServlet.doRequest(VelocityServlet.java:365) >> at >> org.apache.velocity.servlet.VelocityServlet.doPost(VelocityServlet.java:332) >> at >> javax.servlet.http.HttpServlet.service(HttpServlet.java:637) >> at >> javax.servlet.http.HttpServlet.service(HttpServlet.java:717) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> com.netscape.cms.servlet.filter.AdminRequestFilter.doFilter(AdminRequestFilter.java:105) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) >> at >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) >> at >> 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>> at java.lang.Thread.run(Thread.java:679)
>> [*10:54][http-9455-4]: NamePanel configCert() exception caught:java.io.IOException: CA private key is null
>> [*10:54][http-9455-4]: NamePanel configCert: failed to add metainfo. Exception: java.lang.NullPointerException
>>
>>
>> I imported all the certs from the master CA through the master
>> p12-export and also by single cert&key export (pk12util) and tried
>> the setup several times from scratch.
>> I have no idea how to fix that. Can somebody please give me a hint ?
>>
>> Kind regards,
>>
>> Alexander Jung

From alexander.w.jung at gmail.com Tue Sep 13 15:39:14 2011
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Tue, 13 Sep 2011 17:39:14 +0200
Subject: [Pki-users] cloning a CA fails
In-Reply-To: <4E68EB2D.7090903@redhat.com>
References: <1315496865.8199.137.camel@localhost.localdomain> <4E68EB2D.7090903@redhat.com>

Hello,

in the meantime I got it working. The problem was the master CA setup: after instantiating the CA the certs have been replaced by the certs from another instance - but the entries clone*.privkey.id had not been updated.

After recognizing this I only had to match the (unsigned) output of certutil -K with the (signed) params in CS.cfg. I did this by inserting some "System.out.println" into com.netscape.cmsutil.crypto.CryptoUtil findPrivateKeyFromID() and patching the new .class file into the .jar file. Watching catalina.out while trying to clone the CA then gave all the needed info.

Another fresh install after that completed without problems.

Yours,

Alexander Jung

From awnuk at redhat.com Tue Sep 13 16:12:43 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Tue, 13 Sep 2011 09:12:43 -0700
Subject: [Pki-users] cloning a CA fails
References: <1315496865.8199.137.camel@localhost.localdomain> <4E68EB2D.7090903@redhat.com>
Message-ID: <4E6F80FB.50206@redhat.com>

Hi Alexander,

Would you be kind enough to add your solution to Dogtag's "How Tos"?
http://pki.fedoraproject.org/wiki/PKI_How_To

Thank you,
Andrew
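Alexander's fix (and the same mismatch Patrick reports later in this archive) comes down to comparing the unsigned key IDs that certutil -K prints with the signed values kept in CS.cfg. The script below is an added example, not code from the thread or from Dogtag; it assumes CS.cfg stores each ID the way Java's BigInteger.toString(16) renders the 20-byte CKA_ID (signed, leading zeros dropped) under entry names of the form cloning.<tag>.privkey.id and cloning.<tag>.nickname, and both input samples are constructed.

```python
"""Cross-check Dogtag CS.cfg clone*.privkey.id entries against `certutil -K`.

Added example, not code from the thread or from Dogtag. Assumption: CS.cfg
stores each ID as Java's BigInteger.toString(16) of the CKA_ID bytes, i.e.
signed hex with leading zeros dropped and a '-' when the high bit is set,
while certutil -K prints the same bytes as plain unsigned hex.
"""
import re
from typing import Dict, List

# NSS softoken assigns a 20-byte CKA_ID (SHA-1 of the modulus); an HSM may
# use a different length, so pass nbytes explicitly in that case.
KEY_ID_BYTES = 20


def to_signed_hex(unsigned_hex: str) -> str:
    """certutil -K form (unsigned hex) -> CS.cfg form (signed hex, assumed)."""
    value = int.from_bytes(bytes.fromhex(unsigned_hex), "big", signed=True)
    return format(value, "x")  # a negative value renders as "-<magnitude>"


def to_unsigned_hex(signed_hex: str, nbytes: int = KEY_ID_BYTES) -> str:
    """CS.cfg form (signed hex) -> fixed-width unsigned hex as certutil prints it."""
    return int(signed_hex, 16).to_bytes(nbytes, "big", signed=True).hex()


# One key per line: "<n> rsa <hex key id> <nickname>"; the token banner is skipped.
_CERTUTIL_LINE = re.compile(r"^<\d+>\s+\S+\s+([0-9a-fA-F]+)\s+(.*\S)\s*$")
# cloning.<tag>.privkey.id=... and cloning.<tag>.nickname=... (entry names assumed).
_CFG_LINE = re.compile(r"^cloning\.([A-Za-z_]+)\.(privkey\.id|nickname)=(.*)$")


def parse_certutil_k(text: str) -> Dict[str, int]:
    """Map nickname -> key ID as a signed integer, the form both sides compare in."""
    keys: Dict[str, int] = {}
    for line in text.splitlines():
        m = _CERTUTIL_LINE.match(line.strip())
        if m:
            keys[m.group(2)] = int(to_signed_hex(m.group(1)), 16)
    return keys


def parse_cs_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Map clone tag -> {"nickname": ..., "privkey.id": ...} from CS.cfg lines."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = _CFG_LINE.match(line.strip())
        if m:
            tag, field, value = m.groups()
            entries.setdefault(tag, {})[field] = value.strip()
    return entries


def check_clone_key_ids(cfg_text: str, certutil_text: str) -> Dict[str, str]:
    """Classify each cloning.<tag> entry as ok / stale / wrong-nickname / missing.

    "stale" is the thread's failure: the nickname's key is present, but CS.cfg
    still carries the ID of a key that is gone, so findPrivateKeyFromID() finds
    nothing and the clone wizard fails with "CA private key is null".
    """
    keys = parse_certutil_k(certutil_text)
    nick_by_id = {v: k for k, v in keys.items()}
    report: Dict[str, str] = {}
    for tag, entry in parse_cs_cfg(cfg_text).items():
        nick = entry.get("nickname")
        if "privkey.id" not in entry:
            report[tag] = "missing"
            continue
        cfg_id = int(entry["privkey.id"], 16)  # int() accepts a leading '-'
        if nick in keys and keys[nick] == cfg_id:
            report[tag] = "ok"
        elif cfg_id in nick_by_id:
            report[tag] = "wrong-nickname"  # the ID belongs to some other key
        elif nick in keys:
            report[tag] = "stale"
        else:
            report[tag] = "missing"  # neither the ID nor the nickname is present
    return report


def corrected_privkey_id_lines(cfg_text: str, certutil_text: str) -> List[str]:
    """The cloning.<tag>.privkey.id lines that match the keys actually present."""
    keys = parse_certutil_k(certutil_text)
    return [
        f"cloning.{tag}.privkey.id={format(keys[entry['nickname']], 'x')}"
        for tag, entry in parse_cs_cfg(cfg_text).items()
        if entry.get("nickname") in keys
    ]


# Constructed sample (not real output) in the shape certutil -K prints.
CERTUTIL_K_OUTPUT = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
<0> rsa      ffeeddccbbaa99887766554433221100ffeeddcc   caSigningCert cert-pki-ca
<1> rsa      1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e   ocspSigningCert cert-pki-ca
<2> rsa      00ff11ee22dd33cc44bb55aa66997788aabbccdd   Server-Cert cert-pki-ca
"""

# Constructed CS.cfg fragment: the signing entry still names a key from the old
# instance (the situation in the thread); the other two entries are correct.
CS_CFG = """\
cloning.signing.nickname=caSigningCert cert-pki-ca
cloning.signing.privkey.id=-4c1d9e0a2b7f3355e8d6c4a1f0b9e7d2c3a5b6c7
cloning.ocsp_signing.nickname=ocspSigningCert cert-pki-ca
cloning.ocsp_signing.privkey.id=1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e
cloning.sslserver.nickname=Server-Cert cert-pki-ca
cloning.sslserver.privkey.id=ff11ee22dd33cc44bb55aa66997788aabbccdd
"""

if __name__ == "__main__":
    for tag, status in check_clone_key_ids(CS_CFG, CERTUTIL_K_OUTPUT).items():
        print(f"{tag:14} {status}")
    print("\n".join(corrected_privkey_id_lines(CS_CFG, CERTUTIL_K_OUTPUT)))
```

Run it against the real `certutil -K -d /var/lib/<instance>/alias` output and CS.cfg to see which clone entries are stale before starting the wizard again.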
From alexander.w.jung at gmail.com Wed Sep 14 08:19:40 2011
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Wed, 14 Sep 2011 10:19:40 +0200
Subject: [Pki-users] cloning a CA fails
In-Reply-To: <4E6F80FB.50206@redhat.com>
References: <1315496865.8199.137.camel@localhost.localdomain> <4E68EB2D.7090903@redhat.com> <4E6F80FB.50206@redhat.com>

OK,

find my howto at
http://pki.fedoraproject.org/wiki/Fix_clone*.privkey.id_entries_in_CS.cfg_to_reenable_cloning

Kind regards,

Alexander Jung

2011/9/13 Andrew Wnuk
> Hi Alexander,
>
> Would you be kind enough to add your solution to Dogtag's "How Tos"?
> http://pki.fedoraproject.org/wiki/PKI_How_To
>
> Thank you,
> Andrew

From awnuk at redhat.com Wed Sep 14 16:35:57 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 14 Sep 2011 09:35:57 -0700
Subject: [Pki-users] cloning a CA fails
References: <1315496865.8199.137.camel@localhost.localdomain> <4E68EB2D.7090903@redhat.com> <4E6F80FB.50206@redhat.com>
Message-ID: <4E70D7ED.7010509@redhat.com>

On 09/14/2011 01:19 AM, Alexander Jung wrote:
> OK,
>
> find my howto at
> http://pki.fedoraproject.org/wiki/Fix_clone*.privkey.id_entries_in_CS.cfg_to_reenable_cloning
>
> Kind regards,
>
> Alexander Jung

Thank you.
From Patrick.Raspante at gdc4s.com Sun Sep 25 14:18:52 2011
From: Patrick.Raspante at gdc4s.com (Patrick.Raspante at gdc4s.com)
Date: Sun, 25 Sep 2011 10:18:52 -0400
Subject: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM

Given a Master CA with existing keys in an nCipher netHSM:

From Guide:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/cloning-a-ca.html

Documentation says there need not be any extra intervention to export and import HSM keys if the new Clone resides on the same server as the Master:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/exporting-keys.html

Cannot get past step 10. Leaving the p12 path and p12 password fields blank (do not import p12s) results in an end-of-file SAX parse error.

Tried feeding the wizard a dummy p12. Get an error message "Clone is not ready". Debug log files reveal that not all required certificates have been imported.

Also worth noting that before running the Clone Wizard:

# cd /var/lib/CLONE-CA/alias
# modutil -dbdir . -list
--The netHSM module is listed
# certutil -L -d . -h
--Lists all of MASTER-CA's certificates/keys are available.

Has anyone identified a workaround for this?

Thanks
-pwr

From alee at redhat.com Mon Sep 26 15:51:22 2011
From: alee at redhat.com (Ade Lee)
Date: Mon, 26 Sep 2011 11:51:22 -0400
Subject: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM
Message-ID: <1317052282.28092.18.camel@localhost.localdomain>

Patrick,

This should work - given that the master's keys are visible to the clone. The only thing this suggests is that the nicknames that are sent from the master to the clone at the beginning of the install process are incorrect.

To diagnose this, I'll need to know:

1. Versions of pki-ca and pki-common (rpm -q pki-ca pki-common)
2. Copy of debug log for both master and clone.
3. Copy of CS.cfg for both master and clone.
4. Is the HSM in FIPS mode?

Thanks,
Ade

From Patrick.Raspante at gdc4s.com Mon Sep 26 15:55:14 2011
From: Patrick.Raspante at gdc4s.com (Patrick.Raspante at gdc4s.com)
Date: Mon, 26 Sep 2011 11:55:14 -0400
Subject: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM
In-Reply-To: <1317052282.28092.18.camel@localhost.localdomain>
References: <1317052282.28092.18.camel@localhost.localdomain>

One thing I forgot to mention, the system has been rekeyed. I think I've fallen into this situation:
http://pki.fedoraproject.org/wiki/Fix_clone*.privkey.id_entries_in_CS.cfg_to_reenable_cloning

The CS.cfg cloning RSA key IDs and RSA moduli were never updated in CS.cfg.

From tguthmann at iseek.com.au Wed Sep 28 22:54:41 2011
From: tguthmann at iseek.com.au (Thomas Guthmann)
Date: Thu, 29 Sep 2011 08:54:41 +1000
Subject: [Pki-users] Subject content ? Where are ST and L ?
Message-ID: <4E83A5B1.6090407@iseek.com.au>

Hi,

Before using dogtag 1.3, I used CA.pl or tinyCA and in the subject we had STate and Location, which seem to not exist anymore when I create a user certificate (profile=caUserCert). Are STate and Location deprecated by any RFCs, or have they proved useless for a user cert?

With dogtag 1.3 we can only enable/disable the following inputs in the Subject by tuning the profile:

* UID (the LDAP directory user ID)
* Email
* Common Name (the name of the user)
* Organizational Unit
* Organization (the organization name)
* Country (the country where the user is located)

Ref:

So my questions are:

1. Is it possible to enable ST and L in the subject for a user cert?
2. If not, is there an alternative?

I hope these are not too noob-ish questions :)

Cheers,
Thomas

From Patrick.Raspante at gdc4s.com Thu Sep 29 14:41:09 2011
From: Patrick.Raspante at gdc4s.com (Patrick.Raspante at gdc4s.com)
Date: Thu, 29 Sep 2011 10:41:09 -0400
Subject: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM
In-Reply-To: <1317052282.28092.18.camel@localhost.localdomain>
References: <1317052282.28092.18.camel@localhost.localdomain>

Ade,

BTW, this is on CS8 GA.

I've been able to complete the P12 import wizard page. The issue was that the Master CA's 'replicationdb' entry in the cms.passwordlist of CS.cfg was removed (unused extra prompt at startup).

The rekey wasn't an issue on the p12 import page, but may be an issue for me later in the wizard during certificate generation.

Patrick

From Patrick.Raspante at gdc4s.com Thu Sep 29 15:12:19 2011
From: Patrick.Raspante at gdc4s.com (Patrick.Raspante at gdc4s.com)
Date: Thu, 29 Sep 2011 11:12:19 -0400
Subject: [Pki-users] CA Cloning : Failed to setup the replication for cloning

I've been working through the steps in this document:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/cloning-a-ca.html

Made it through step 11. Stuck on the step where the wizard connects to my new directory server instance. CA hangs and spins forever, eventually erroring with "Failed to setup the replication for cloning".

I think I'm running into similar issues found in these bugzillas:
https://bugzilla.redhat.com/show_bug.cgi?id=487739
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=486191
http://www.redhat.com/archives/fedora-directory-users/2009-May/msg00128.html
-- (I'm not using localhost for the fqdn though)

I mentioned before that I'm using CS 8.0 GA.
pki-ca-8.0.3-1.el5pki
pki-common-8.0.3-3.el5pki

I've been told that the above issues have already been resolved in the 8.0 GA release.

Looking through my GD directory server access and debug logs, I see the new GD CA sets up the new CA backend in the directory server, and then does the indexing, but the subsequent replication agreement setup never begins.

Master = GD-CA-1
Clone = GD-CA-2

## Log snippets from the GD-CA-2 directory server:

==> errors <==
[28/Sep/2011:18:53:28 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:18:53:28 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Finished indexing.
[28/Sep/2011:19:07:54 +0000] - slapd shutting down - signaling operation threads [28/Sep/2011:19:07:54 +0000] - slapd shutting down - waiting for 22 threads to terminate [28/Sep/2011:19:07:54 +0000] - slapd shutting down - closing down internal subsystems and plugins [28/Sep/2011:19:07:54 +0000] - Waiting for 4 database threads to stop [28/Sep/2011:19:07:54 +0000] - All database threads now stopped [28/Sep/2011:19:07:54 +0000] - slapd stopped. [28/Sep/2011:19:07:59 +0000] - Red Hat-Directory/8.1.0 B2009.111.1832 starting up [28/Sep/2011:19:07:59 +0000] - slapd started. Listening on All Interfaces port 3389 for LDAP requests [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allExpiredCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allInvalidCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allInValidCertsNotBefore-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allNonRevokedCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedCaCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedCertsNotAfter-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. 
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedExpiredCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedOrRevokedExpiredCaCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedOrRevokedExpiredCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allValidCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allValidCertsNotAfter-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allValidOrRevokedCerts-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caAll-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceled-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceledEnrollment-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceledRenewal-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceledRevocation-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caComplete-GD-CA-2). [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index. [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCompleteEnrollment-GD-CA-2). 
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCompleteRenewal-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCompleteRevocation-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caEnrollment-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPending-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPendingEnrollment-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPendingRenewal-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPendingRevocation-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejected-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejectedEnrollment-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejectedRenewal-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejectedRevocation-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRenewal-GD-CA-2).
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
[28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRevocation-GD-CA-2).
[28/Sep/2011:19:11:37 +0000] - ldbm: Bringing GD-ca-1.mydomain.com-GD-CA-1 offline...
[28/Sep/2011:19:11:37 +0000] - ldbm: removing 'GD-ca-1.mydomain.com-GD-CA-1'.
[28/Sep/2011:19:11:37 +0000] - Destructor for instance GD-ca-1.mydomain.com-GD-CA-1 called
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allExpiredCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allInvalidCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allInValidCertsNotBefore-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allNonRevokedCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedCaCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedCertsNotAfter-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedExpiredCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedOrRevokedExpiredCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allValidCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allValidCertsNotAfter-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allValidOrRevokedCerts-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caAll-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceled-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceledEnrollment-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceledRenewal-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceledRevocation-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caComplete-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCompleteEnrollment-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCompleteRenewal-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCompleteRevocation-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caEnrollment-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPending-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPendingEnrollment-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPendingRenewal-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPendingRevocation-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejected-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejectedEnrollment-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejectedRenewal-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejectedRevocation-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRenewal-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRevocation-GD-CA-2Index
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
[28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Finished indexing.
...

==> access <==
.....
[28/Sep/2011:19:11:39 +0000] conn=24 op=85 ADD dn="cn=caRejected-GD-CA-2Index, cn=caRejected-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=85 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:39 +0000] conn=24 op=86 ADD dn="cn=caRejectedEnrollment-GD-CA-2Index, cn=caRejectedEnrollment-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=86 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:39 +0000] conn=24 op=87 ADD dn="cn=caRejectedRenewal-GD-CA-2Index, cn=caRejectedRenewal-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=87 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:39 +0000] conn=24 op=88 ADD dn="cn=caRejectedRevocation-GD-CA-2Index, cn=caRejectedRevocation-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=88 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:39 +0000] conn=24 op=89 ADD dn="cn=caRenewal-GD-CA-2Index, cn=caRenewal-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=89 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:39 +0000] conn=24 op=90 ADD dn="cn=caRevocation-GD-CA-2Index, cn=caRevocation-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=90 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:39 +0000] conn=24 op=91 ADD dn="cn=index1160589769, cn=index, cn=tasks, cn=config"
[28/Sep/2011:19:11:39 +0000] conn=24 op=91 RESULT err=0 tag=105 nentries=0 etime=0
[28/Sep/2011:19:11:40 +0000] conn=24 op=92 SRCH base="cn=index1160589769, cn=index, cn=tasks, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[28/Sep/2011:19:11:40 +0000] conn=24 op=92 RESULT err=0 tag=101 nentries=1 etime=0
[28/Sep/2011:19:11:40 +0000] conn=24 op=93 UNBIND
[28/Sep/2011:19:11:40 +0000] conn=24 op=93 fd=80 closed - U1

## And that's it.

## I never get to this stage (this is from making clones of brand new CA and DS instances - not an existing master CA):

[24/Sep/2011:16:46:28 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-mydomain.com-GD-CA-3" (GD-ds-1:3389): Replica has a different generation ID than the local data.
[24/Sep/2011:16:46:29 +0000] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain.com-GD-ca-2 is going offline; disabling replication
[24/Sep/2011:16:46:29 +0000] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[24/Sep/2011:16:46:33 +0000] - import mydomain.com-GD-CA-2: Workers finished; cleaning up...
[24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Workers cleaned up.
[24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Indexing complete. Post-processing...
[24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Flushing caches...
[24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Closing files...
[24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Import complete. Processed 57 entries in 4 seconds. (14.25 entries/sec)
[24/Sep/2011:16:46:34 +0000] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain.com-GD-ca-2 is coming online; enabling replication

Thanks,
Patrick

From alee at redhat.com Thu Sep 29 15:24:29 2011
From: alee at redhat.com (Ade Lee)
Date: Thu, 29 Sep 2011 11:24:29 -0400
Subject: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM
In-Reply-To:
References: <1317052282.28092.18.camel@localhost.localdomain>
Message-ID: <1317309869.28092.100.camel@localhost.localdomain>

Interesting .. This makes sense.

One of the things we do on the pk12 import panel is contact the master to get things like key ids and the replication password. I need to look at the error reporting in that panel so that the error is reported more clearly.

And yes, the rekey would likely have been an issue later on.

Glad it's all working now.

Ade

On Thu, 2011-09-29 at 10:41 -0400, Patrick.Raspante at gdc4s.com wrote:
> Ade,
>
> BTW, this is on CS8 GA.
>
> I've been able to complete the P12 import wizard page. The issue was that the Master CA's 'replicationdb' entry in the cms.passwordlist of CS.cfg was removed (unused extra prompt at startup).
>
> The rekey wasn't an issue on the p12 import page, but may be an issue for me later in the wizard during certificate generation.
>
> Patrick
>
> -----Original Message-----
> From: Ade Lee [mailto:alee at redhat.com]
> Sent: Monday, September 26, 2011 11:51 AM
> To: Raspante, Patrick
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM
>
> Patrick,
>
> This should work - given that the master's keys are visible to the clone. The only thing this suggests is that the nicknames that are sent from the master to the clone at the beginning of the install process are incorrect.
>
> To diagnose this, I'll need to know:
>
> 1. Versions of pki-ca and pki-common (rpm -q pki-ca pki-common)
> 2. Copy of debug log for both master and clone.
> 3. Copy of CS.cfg for both master and clone.
> 4. Is the HSM in FIPS mode?
>
> Thanks,
> Ade
>
> On Sun, 2011-09-25 at 10:18 -0400, Patrick.Raspante at gdc4s.com wrote:
> > Given a Master CA with existing keys in an nCipher netHSM:
> >
> > From Guide:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/cloning-a-ca.html
> >
> > Documentation says there need not be any extra intervention to export and import HSM keys if the new Clone resides on the same server as the Master:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/exporting-keys.html
> >
> > Cannot get past step 10. Leaving the p12 path and p12 password fields blank (do not import p12s) results in an end-of-file SAX parse error.
> >
> > Tried feeding the wizard a dummy p12. Get an error message "Clone is not ready". Debug log files reveal that not all required certificates have been imported.
> >
> > Also worth noting that before running the Clone Wizard:
> >
> > # cd /var/lib/CLONE-CA/alias
> > # modutil -dbdir . -list
> >
> > --The netHSM module is listed
> >
> > # certutil -L -d . -h
> >
> > --Lists all of MASTER-CA's certificates/keys as available.
> >
> > Has anyone identified a workaround for this?
> >
> > Thanks
> >
> > -pwr
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
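The root cause Patrick found above (the master's 'replicationdb' entry removed from cms.passwordlist in CS.cfg, so the clone's PKCS#12 import panel could not obtain the replication password from the master) is the kind of thing worth checking on the master before starting the clone wizard at all. The following is an added example written for this thread, not code from the pki project or from anyone on the list. It assumes, as labelled in the comments, that CS.cfg is a key=value properties file in which cms.passwordlist is a comma-separated list of password names, that password.conf holds one name=password line per entry, and that the 'internal' entry and 'hardware-' prefixed entries in password.conf are consumed by the NSS/HSM token layer rather than by cms.passwordlist. The sample CS.cfg and password.conf contents are constructed.

```python
"""Pre-clone sanity check for an RHCS / Dogtag CA master (added example).

Assumptions (not taken from the thread, stated here so they can be checked):
  * CS.cfg is a key=value properties file and ``cms.passwordlist`` is a
    comma-separated list of password names the server needs at startup.
  * password.conf holds one ``name=password`` per line.
  * ``internal`` and ``hardware-<token>`` entries in password.conf belong to
    the NSS/HSM token layer, so cms.passwordlist is not expected to list them.
"""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Values may themselves contain '=' (a DN, for instance), so split once."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def password_list(cs_cfg: Dict[str, str]) -> List[str]:
    """Names in cms.passwordlist, in order, with empty entries dropped."""
    raw = cs_cfg.get("cms.passwordlist", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def check_clone_readiness(cs_cfg_text: str, password_conf_text: str) -> List[str]:
    """Return findings for a master CA; an empty list means it looks ready.

    1. 'replicationdb' must be in cms.passwordlist, because the clone's
       PKCS#12 import panel asks the master for the replication password.
    2. Every name in cms.passwordlist needs a non-empty password.conf entry,
       otherwise the server prompts at startup (or fails when unattended).
    3. password.conf entries that nothing references are reported so that a
       password is not silently left behind after someone trims the list.
    """
    cs_cfg = parse_properties(cs_cfg_text)
    passwords = parse_properties(password_conf_text)
    names = password_list(cs_cfg)
    findings: List[str] = []

    if "replicationdb" not in names:
        findings.append("cms.passwordlist lacks 'replicationdb'; a clone cannot "
                        "fetch the replication password from this master")
    for name in names:
        if name not in passwords:
            findings.append(f"cms.passwordlist names '{name}' but password.conf "
                            f"has no entry for it")
        elif not passwords[name]:
            findings.append(f"password.conf entry '{name}' is empty")
    for name in passwords:
        # 'internal' / 'hardware-*' are token passwords (assumption, see above)
        if name == "internal" or name.startswith("hardware-"):
            continue
        if name not in names:
            findings.append(f"password.conf has '{name}' that cms.passwordlist "
                            f"does not reference")
    return findings


# Constructed samples: the first mirrors the trimmed list from the thread,
# the second is what a master that can be cloned should look like.
MASTER_CS_CFG_TRIMMED = """# constructed sample
cms.passwordlist=internaldb
internaldb.ldapconn.host=GD-ds-1
"""

MASTER_CS_CFG_OK = """# constructed sample
cms.passwordlist=internaldb,replicationdb
internaldb.ldapconn.host=GD-ds-1
"""

PASSWORD_CONF = """internal=nss-db-password
hardware-NHSM6000=hsm-operator-card-passphrase
internaldb=directory-manager-password
replicationdb=replication-bind-password
"""

PASSWORD_CONF_MISSING = """internal=nss-db-password
internaldb=directory-manager-password
"""

if __name__ == "__main__":
    for label, cfg in (("trimmed", MASTER_CS_CFG_TRIMMED), ("ok", MASTER_CS_CFG_OK)):
        print(label, check_clone_readiness(cfg, PASSWORD_CONF) or ["ready"])
```

Run it against the real /var/lib/<instance>/conf/CS.cfg and password.conf of the master before launching the clone wizard; a non-empty result is a reason to stop and fix the master first rather than to debug the clone's panel, whose error reporting Ade says above is not yet clear enough to point at this cause.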