[Pki-users] Problems with Dogtag and CA cert signed by External CA
John Dennis
jdennis at redhat.com
Wed Oct 17 20:52:52 UTC 2012
On 10/17/2012 03:52 PM, Dwayne MacKinnon wrote:
> Hi all,
>
> A helpful fellow called alee on #dogtag-pki suggested I write the list. I've
> been playing with dogtag-pki-9.0.0-10 on 64-bit Fedora 17.
>
> I'm looking to use dogtag to run a subordinate CA that does all our everyday
> PKI stuff. So when I used pki-create and went into the webform, I went the
> "create a csr" route and signed it using a root CA I'd set up using openssl.
>
> Everything seemed to work out fine, until I got to the point where I was
> restarting pki-cad (using systemctl restart pki-cad at pki-ca.service). It
> wouldn't start.
>
> With alee's help I tracked it down to a failure of SystemCertsVerification
> during the selftests.
>
> He asked me to submit my debug log to the list, so here it is.
Interestingly enough I'm in the middle of tracking down why NSS will not
validate a self signed cert as a CA. I suspect dogtag is calling NSS's
CERT_VerifyCertificateNow (or its equivalent) and passing it a specific
usage parameter.
There are very specific requirements to accept a CA cert as valid. More
valuable than the log would be show us what the cert looks like. I would
ordinarily tell you to dump the cert in text form using openssl x509
-text but openssl often omits detailed information on the cert
extensions which are critical (no pun intended) here. How about if you
also provide us with a PEM formatted version of the cert and we'll use
our tools to examine its contents.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
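An added example, not part of this thread and not Dogtag's or NSS's own code: a small Python check (assuming the `cryptography` package) that builds a self-signed cert with and without the extensions a CA certificate is expected to carry, then reports what would keep a verifier from accepting it as a CA. The checks encode the general X.509 rules (basicConstraints CA:TRUE, keyUsage with keyCertSign), not NSS's exact verification logic.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_self_signed(cn, ca):
    """Constructed fixture: a self-signed cert, with or without CA extensions."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365)))
    if ca:
        # What a CA cert is expected to carry: basicConstraints CA:TRUE (critical)
        # and a keyUsage that permits signing certificates and CRLs.
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        b = b.add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def ca_cert_problems(pem):
    """List the reasons a verifier would refuse to treat this PEM cert as a CA."""
    cert = x509.load_pem_x509_certificate(pem)
    problems = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
        if not bc.value.ca:
            problems.append("basicConstraints present but CA:FALSE")
        elif not bc.critical:
            problems.append("basicConstraints CA:TRUE but not marked critical")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage)
        if not ku.value.key_cert_sign:
            problems.append("keyUsage present but keyCertSign not set")
    except x509.ExtensionNotFound:
        problems.append("keyUsage extension missing")
    return problems

if __name__ == "__main__":
    for cn, ca in (("Test Root CA", True), ("Not A CA", False)):
        print(cn, ca_cert_problems(make_self_signed(cn, ca)) or ["ok"])
```

To check a real root produced by openssl, read its PEM file into bytes and pass it to `ca_cert_problems`; an empty list means the basic CA extensions are in place.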