[Pki-users] Usage Clarification

Nathanael D. Noblet nathanael at gnat.ca
Thu Jan 19 19:13:53 UTC 2012


On 01/19/2012 11:45 AM, Mike Helm wrote:
> What is func?
>
> Is it this?
>
> https://fedorahosted.org/func/

Yes.


>> #1 - given the above, is dog tag able to deal with these certificates (I
>> am so far under the impression that indeed it can)
>
> Deal with - what do you mean?  Do you mean, process requests and provide
> a certificate that these apps can understand?  (If so the answer is probably
> yes; we use certs in many services, but we don't happen to use puppet or
> func, although I would like to).

Yeah, that's what I was asking. I'm fairly new to the intricacies of 
certificates; I've used them for HTTPS, but when looking at certificates 
for HTTPS-based websites and the certs used for/by puppet, there were 
numerous differences. I presume though that most of the differences are 
in the certificate creation process, and not the signing.

>
>> #2 - How does one request a certificate from the installed pki-ca?
>
> There are a couple of possibilities.  You can essentially screen scrape &
> script the posting of the requests to the request interface.
>
> You can use the RA and either adapt some of the existing scripts in the RA or
> just focus on the submission portion of the RA and build an appropriate
> request.  Usually, you have to adjust the profile to do the right thing -
> to expect the right variables from the PUT URL.
>
> You can adapt the XML interface (I think - haven't explored that).
>>
>> requesting a certificate would submit some form of authentication.
>
> They could be authenticated or not.  The RA would allow you to use
> whatever authentication you wanted - eg you could accept any request
> from designated IP addresses, or network masks, or you could probably
> use OAuth or Kerberos, or something else entirely.
>
> Or you could leave the requests to queue up unauthenticated & have
> an agent verify the requests before manually issuing them.
>
> Other possibilities exist probably.

Great, that's some good information.


>> don't expect any device to request a certificate without me knowing it
>> needs one and initiating the process somehow, so the added authentication
>> seems unneeded in my case.
>
>> At the moment I'm used to puppet or func, where you have a puppetca function
>> that can tell me the certificate signing requests pending approval; is
>> this workflow fundamentally different from dogtag?
>
> I don't know puppet or what sounds like its internal CA (puppetca), so I couldn't
> be sure how it works.  You should get a response back from either the dogtag
> CA or RA that something happened to the request (accepted/approved/rejected/error)
> and you can act on that returned value.  How flexible the app is would
> determine how useful that message will be.
>
> Usual disclaimers - I could be wrong!


So, an additional issue: once I configured the CA, it gives me a link to 
a page that has XXXXXX Certificate System and lists "SSL End Users 
Services" as well as "Agent Services". All I did was go through the 
setup of the CA service. If I click on either of those, I get a white 
blank screen. I have no idea how to debug this; I can't seem to find any 
error messages in /var/log/pki-ca to even point me anywhere. When I do 
request those pages, *nothing* shows up in any of the many log files in 
that directory. Any pointers?

The URLs are:

https://hostname:9445/ca/services

which has links to:

https://hostname:9444/ca/ee/ca
https://hostname:9443/ca/agent/ca

Pointers would be much appreciated.

-- 
Nathanael d. Noblet
t 403.875.4613