[Pki-users] Usage Clarification
Marc Sauton
msauton at redhat.com
Thu Jan 19 19:47:05 UTC 2012
On 01/19/2012 11:13 AM, Nathanael D. Noblet wrote:
> On 01/19/2012 11:45 AM, Mike Helm wrote:
>> What is func?
>>
>> Is it this?
>>
>> https://fedorahosted.org/func/
>
> Yes.
>
>
>>> #1 - given the above, is dog tag able to deal with these
>>> certificates (I
>>> am so far under the impression that indeed it can)
>>
>> Deal with - what do you mean? Do you mean, process requests and provide
>> a certificate that these apps can understand? (If so the answer is
>> probably
>> yes; we use certs in many services, but we don't happen to use puppet or
>> func, altho I would like to).
>
> Yeah, that's what I was asking. I'm fairly new to the intricacies of
> certificates, I've used them for https, but when looking at
> certificates for https based websites, and the certs used for/by
> puppet there were numerous differences. I presume though that most of
> the differences are in the certificate creation process, and not the
> signing.
>
>>
>>> #2 - How does one request a certificate from the installed pki-ca?
>>
>> There are a couple possibilities. You can essentially screen scrape &
>> script the posting of the requests to the request interface.
>>
>> You can use the RA and either adapt some of the existing scripts in
>> the RA or
>> just focus on the submission portion of the RA and build an appropriate
>> request. Usually, you have to adjust the profile to do the right
>> thing -
>> to expect the right variables from the PUT url.
>>
>> You can adapt the XML interface (I think - haven't explored that).
>>>
>>> requesting a certificate would submit some form of authentication.
>>
>> They could be authenticated or not. The RA would allow you to use
>> whatever authentication you wanted - eg you could accept any request
>> from designated IP addresses, or network masks, or you could probably
>> use OAuth or Kerberos, or something else entirely.
>>
>> Or you could leave the requests to queue up unauthenticated & have
>> an agent verify the requests before manually issuing them.
>>
>> Other possibilities exist probably.
>
> Great, that's some good information.
>
>
>>> don't expect any device to request a certificate without me knowing it
>>> needs one and initiating the process somehow, so the added
>>> authentication
>>> seems un-needed in my case.
>>
>>> At the moment I'm used to puppet or func you have a puppetca function
>>> that can tell me the certificate signing requests pending approval, is
>>> this workflow fundamentally different than dogtag?
>>
>> I don't know puppet or what sounds like its internal CA (puppetca) so
>> I couldn't
>> be sure how it works. You should get a response back from either the
>> dogtag
>> CA or RA that something happened to the request
>> (accepted/approved/rejected/error)
>> and you can act on that returned value. How flexible the app is would
>> determine how useful that message will be.
>>
>> Usual disclaimers - I could be wrong!
>
>
> So an additional issue, once I configured the CA, it gives me a link
> to a page that has XXXXXX Certificate System and lists "SSL End Users
> Services" as well as "Agent Services". All I did was go through the
> setup of the CA service. If I click on either of those, I get a white
> blank screen. I have no idea how to debug this, I can't seem to find
> any error messages in /var/log/pki-ca to even point me anywhere, when
> I do request those pages, *nothing* shows up in any of the many log
> files in that directory. Any pointers?
>
> The urls are:
>
> https://hostname:9445/ca/services
>
> which has links to:
>
> https://hostname:9444/ca/ee/ca
> https://hostname:9443/ca/agent/ca
>
> Pointers would be much appreciated.
>
You can get request status using HTTP or HTTPS from the "ee" / "end
entity" interface, and HTTPS with client authentication for the agent interface.
To get the forms, the paths are like:
enrolling for an SSL server cert using the profile caServerCert
from the HTTPS no-client-auth interface:
https://...:9444/ca/ee/ca/profileSelect?profileId=caServerCert
for a given request:
https://...:9444/ca/ee/ca/checkRequest.html
using client auth for an "agent":
https://...:9443/ca/agent/ca/profileReview?requestId=x
I suggest looking at the 8.1 online doc (not 7.3 as referenced earlier)
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/index.html
if e-mail notifications are needed for some enrollment and issuance
events, see:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Notifications.html#Types_of_Automated_Notifications
There is some information in the web.xml file, located for example at
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
see
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/removing-unused-web.xml.html
The XML API will likely be updated and documented later upstream or as
part of common criteria.
M.
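The two interfaces above differ in one security-relevant way: the "ee" port answers over plain HTTPS, while the "agent" port requires TLS client authentication. The following shell snippet is an added example (not part of this post or of the Dogtag/RHCS project) that builds the three URLs from the message and probes them with curl, reporting only the HTTP status code so that a blank page can be told apart from a 404/500 or a TLS handshake failure. The host name, the port numbers 9444/9443, and the certificate paths are assumptions taken from the thread or marked as placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): probing the Dogtag/RHCS 8.1
# "ee" and "agent" interfaces with curl.
# Assumptions (not in the original message): the CA host is $PKI_HOST,
# port 9444 is the ee interface (HTTPS, no client auth) and 9443 the agent
# interface (HTTPS with client auth) as in the thread, $CA_CHAIN is the CA
# certificate chain in PEM form, and $AGENT_CERT/$AGENT_KEY are the agent's
# PEM certificate and private key. All paths below are placeholders.

PKI_HOST="${PKI_HOST:-hostname}"
EE_PORT=9444
AGENT_PORT=9443
CA_CHAIN="${CA_CHAIN:-/path/to/ca-chain.pem}"     # placeholder path
AGENT_CERT="${AGENT_CERT:-/path/to/agent.crt}"    # placeholder path
AGENT_KEY="${AGENT_KEY:-/path/to/agent.key}"      # placeholder path

# pki_url INTERFACE PATH [QUERY]: print the full URL for the ee or agent interface.
pki_url() {
    iface=$1; path=$2; query=$3
    case "$iface" in
        ee)    base="https://${PKI_HOST}:${EE_PORT}/ca/ee/ca" ;;
        agent) base="https://${PKI_HOST}:${AGENT_PORT}/ca/agent/ca" ;;
        *)     echo "unknown interface: $iface" >&2; return 1 ;;
    esac
    if [ -n "$query" ]; then
        printf '%s/%s?%s\n' "$base" "$path" "$query"
    else
        printf '%s/%s\n' "$base" "$path"
    fi
}

# http_status URL [extra curl args]: print only the HTTP status code.
# A TLS failure makes curl print 000, which is a useful hint when the
# browser only shows a white page. The CA chain is verified, never skipped.
http_status() {
    url=$1; shift
    curl -s -o /dev/null -w '%{http_code}\n' --cacert "$CA_CHAIN" "$@" "$url"
}

# End-entity enrollment form for a profile (default caServerCert): no client cert.
ee_profile_form() {
    http_status "$(pki_url ee profileSelect "profileId=${1:-caServerCert}")"
}

# End-entity request status page (checkRequest.html): still no client auth.
ee_check_request() {
    http_status "$(pki_url ee checkRequest.html)"
}

# Agent review of one request: the agent port requires TLS client
# authentication, so curl must present the agent certificate and key.
agent_review_request() {
    http_status "$(pki_url agent profileReview "requestId=$1")" \
        --cert "$AGENT_CERT" --key "$AGENT_KEY"
}

# Usage (only when run directly with PKI_EXAMPLE_RUN=1, so that sourcing the
# file does not contact the CA):
if [ "${PKI_EXAMPLE_RUN:-0}" = "1" ]; then
    ee_profile_form caServerCert
    ee_check_request
    agent_review_request 7   # constructed request id
fi
```

Run it as `PKI_HOST=ca.example.org PKI_EXAMPLE_RUN=1 sh probe.sh` after setting the certificate variables. A 200 from the ee URL combined with 000 from the agent URL usually means the client certificate was not presented or not accepted, whereas 000 on both points at the server certificate chain or the listener itself.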