From techpkiuser at gmail.com Fri Aug 2 04:19:41 2013
From: techpkiuser at gmail.com (pki tech)
Date: Fri, 2 Aug 2013 09:49:41 +0530
Subject: [Pki-users] Implications of Root Certificate reissue with a new key pair
Message-ID:

Dear all,

I have been trying to regain my PKI system after a root certificate renewal with a NEW ROOT KEY PAIR, but I am still failing to start the CA instance.

I'm using DogTag 9.0 over Fedora 15 with a two-tier local PKI hierarchy: a root CA and one subordinate CA.

Steps followed:

1. Renew the caSigningCert via the pkiconsole with a new key pair and the same DN as earlier.
2. Restart the CA instance.

Then the CA instance does not start and returns the following:

[root at root admin]# /sbin/service pki-cad restart pki-ca
Stopping pki-ca:                                           [FAILED]
Starting pki-ca:                                           [  OK  ]
[root at root admin]# /sbin/service pki-cad status
pki-ca dead but subsys locked                              [WARNING]

I do understand that the subsystem certs and the other system certificates need to be renewed after the root key renewal. I did try that out by renewing all the system certs via pkiconsole after the root key renewal without restarting the CA instance, but it was a blind guess and I got the following hits in the debug log.
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=sslserver
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=subsystem
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=audit_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:auditSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

It would be great if someone could help me out to update the rest of the system certificates after the root key renewal and restore the CA functionality.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jayakishore.thunga at hotmail.com Mon Aug 5 09:01:06 2013
From: jayakishore.thunga at hotmail.com (Jayakishore Thunga)
Date: Mon, 5 Aug 2013 14:31:06 +0530
Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag
Message-ID:

Hi,

I am configuring an external HSM, SoftHSM, with the certificate system. Here is my configuration:
DogTag 9.0
Fedora 15

After pkicreate, I created the softhsm entry in the db. Here are the details:

[root at fed15vmnew alias]# modutil -dbdir . -nocertdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SOFTHSM PKCS #11 Module
        library name: /usr/lib/softhsm/libsofthsm.so
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM
        token: softhsm
-----------------------------------------------------------

[root at fed15vmnew alias]# modutil -dbdir . -nocertdb -list "SOFTHSM PKCS #11 Module"
-----------------------------------------------------------
Name: SOFTHSM PKCS #11 Module
Library file: /usr/lib/softhsm/libsofthsm.so
Manufacturer: SoftHSM
Description: Implementation of PKCS11
PKCS #11 Version 2.20
Library Version: 1.3
Cipher Enable Flags: None
Default Mechanism Flags: RSA

Slot: SoftHSM
Slot Mechanism Flags: RSA
Manufacturer: SoftHSM
Type: Software
Version Number: 1.3
Firmware Version: 1.3
Status: Enabled
Token Name: softhsm
Token Manufacturer: SoftHSM
Token Model: SoftHSM
Token Serial Number: 1
Token Version: 1.3
Token Firmware Version: 1.3
Access: NOT Write Protected
Login Type: Login required
User Pin: Initialized

In /var/lib/pki-ca/conf/password.conf I added this line:
hardware-softhsm=12345
and modified /var/lib/pki-ca/conf/serverCertNick.conf to:
softhsm:Server-Cert cert-pki-ca

After this, the configuration link doesn't open: https://fed15vmnew.newnet.local:9445/ca/admin/console/config/login?pin=mgjpN14xJzgNR97RW7dt

If password.conf and serverCertNick.conf are unmodified, then the configuration link opens and the SoftHSM module is listed as Found, but it doesn't allow me to set it as the default for the CA system.

Please help in setting up an external HSM with the certificate system.

Thanks,

Br,
Kishore
8105176926
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jmagne at redhat.com Mon Aug 5 17:18:43 2013
From: jmagne at redhat.com (John Magne)
Date: Mon, 5 Aug 2013 13:18:43 -0400 (EDT)
Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag
In-Reply-To:
References:
Message-ID: <1852051453.11666982.1375723123492.JavaMail.root@redhat.com>

You should get to a screen on the wizard that asks you to choose a module? You are not seeing this?

Take a look at the end of the log file /var/lib/pki-ca/logs/debug and see if anything sticks out with respect to your token.
Also, you might want to run through a test installation with the internal module just to see if you can get a regular CA running ok.

thanks,
jack

----- Original Message -----
From: "Jayakishore Thunga"
To: pki-users at redhat.com
Sent: Monday, August 5, 2013 2:01:06 AM
Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag

[...]

From jayakishore.thunga at hotmail.com Tue Aug 6 09:29:15 2013
From: jayakishore.thunga at hotmail.com (Jayakishore Thunga)
Date: Tue, 6 Aug 2013 14:59:15 +0530
Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag
In-Reply-To: <1852051453.11666982.1375723123492.JavaMail.root@redhat.com>
References: , <1852051453.11666982.1375723123492.JavaMail.root@redhat.com>
Message-ID:

Hi Jack,

The test installation with the internal module is fine. Please find the wizard image attached; it doesn't give an option to select a token under "SOFTHSM PKCS#11 MODULE".
Here is the debug log:
--------------------------------------
[06/Aug/2013:14:33:54][http-9445-1]: BaseServlet:service() uri = /ca/admin/console/config/login
[06/Aug/2013:14:33:54][http-9445-1]: BaseServlet::service() param name='pin' value='(sensitive)'
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Welcome
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Key Store
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=ConfigHSMLogin
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Security Domain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Display Certificate Chain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Subsystem Type
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Display Certificate Chain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Import Keys and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=PKI Hierarchy
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Internal Database
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Key Pairs
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Subject Names
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Requests and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Export Keys and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Save Keys and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Import CA's Certificate Chain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Administrator
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Import Administrator's Certificate
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Done
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: done
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: process
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet:service() uri = /ca/admin/console/config/wizard
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: op=display
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: size=19
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: in display
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: firstpanel
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel=com.netscape.cms.servlet.csadmin.WelcomePanel@1f2af1c
[06/Aug/2013:14:33:54][http-9445-1]: WelcomePanel: display()
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: process
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet:service() uri = /ca/admin/console/config/wizard
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet::service() param name='p' value='0'
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet::service() param name='op' value='next'
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: op=next
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: size=19
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: in next 0
[06/Aug/2013:14:33:56][http-9445-1]: getNextPanel input p=0
[06/Aug/2013:14:33:56][http-9445-1]: getNextPanel output p=1
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: display()
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got module NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got module SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: supported modules count= 2
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got from config module: NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: module found: NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token nick name=NSS Generic Crypto Services
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token logged in?false
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token is present?true
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token NSS Generic Crypto Services not to be added
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token nick name=Internal Key Storage Token
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token logged in?true
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token is present?true
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: adding module NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got from config module: SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: module found: SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: adding module SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel subpanelno =2
[06/Aug/2013:14:33:56][http-9445-1]: panel no=1
[06/Aug/2013:14:33:56][http-9445-1]: panel name=module
[06/Aug/2013:14:33:56][http-9445-1]: total number of panels=19

CS.cfg changes:
--------------------------
preop.configModules.count=2
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=SOFTHSM PKCS#11 MODULE
preop.configModules.module1.imagePath=../img/clearpixel.gif
preop.configModules.module1.userFriendlyName=SOFTHSM PKCS#11 MODULE
preop.module.token=softhsm

modutil -dbdir . -list (in /var/lib/pki-ca/alias):
--------------------------
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SOFTHSM PKCS#11 MODULE
        library name: /usr/lib/softhsm/libsofthsm.so
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM
        token: softhsm

Br,
Kishore
8105176926

> Date: Mon, 5 Aug 2013 13:18:43 -0400
> From: jmagne at redhat.com
> To: jayakishore.thunga at hotmail.com
> CC: pki-users at redhat.com
> Subject: Re: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag
>
> You should get to a screen on the wizard that asks you to choose a module?
>
> You are not seeing this?
>
> Take a look at the end of the log file /var/lib/pki-ca/logs/debug and see if anything sticks out with respect to your token.
>
> Also, you might want to run through a test installation with the internal module just to see if you can get a regular CA running ok.
>
> thanks,
> jack
>
> ----- Original Message -----
> From: "Jayakishore Thunga"
> To: pki-users at redhat.com
> Sent: Monday, August 5, 2013 2:01:06 AM
> Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag
>
> [...]
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wizard.png
Type: image/png
Size: 113851 bytes
Desc: not available
URL:

From jmagne at redhat.com Tue Aug 6 16:53:34 2013
From: jmagne at redhat.com (John Magne)
Date: Tue, 6 Aug 2013 12:53:34 -0400 (EDT)
Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag
In-Reply-To:
References: <1852051453.11666982.1375723123492.JavaMail.root@redhat.com>
Message-ID: <1458121076.12251838.1375808014861.JavaMail.root@redhat.com>

Jayak:

Thanks for the info. Will have to take a closer look at this when I can have a moment. Will try to as soon as possible; lots of stuff going on right this second.

----- Original Message -----
From: "Jayakishore Thunga"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Tuesday, August 6, 2013 2:29:15 AM
Subject: RE: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag

Hi Jack,

The test installation with the internal module is fine. Please find the wizard image attached; it doesn't give an option to select a token under "SOFTHSM PKCS#11 MODULE".

[...]

From relst at relst.nl Thu Aug 8 03:41:45 2013
From: relst at relst.nl (Remy van Elst)
Date: Thu, 8 Aug 2013 05:41:45 +0200
Subject: [Pki-users] OCSP reply logging
Message-ID:

Hello,

Is it possible to have the OCSP subsystem log the status part (good, unknown etc.) of the replies it sends out? I've got it configured correctly and the responses it gives are as expected.
However, in transaction.log I can see that it replies, but not the status of the reply (or the certificate it replies to), and with debug logging turned on I have a multi-line OCSP response in a log file, and I don't feel like parsing that.

Is there a (preferably simple) way to let the OCSP responder log the certificate, the status of that certificate and the requesting entity (for example by IP) in a plain-text format?

--
Remy van Elst
https://raymii.org - https://sparklingnetwork.nl
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From cfu at redhat.com Tue Aug 13 18:13:51 2013
From: cfu at redhat.com (Christina Fu)
Date: Tue, 13 Aug 2013 11:13:51 -0700
Subject: [Pki-users] OCSP reply logging
In-Reply-To:
References:
Message-ID: <520A775F.2040208@redhat.com>

On 08/07/2013 08:41 PM, Remy van Elst wrote:
> Hello,
>
> Is it possible to have the OCSP subsystem log the status part (good,
> unknown etc.) of the replies it sends out? I've got it configured
> correctly and the responses it gives are as expected. However, in
> transaction.log I can see that it replies, but not the status of the
> reply (or the certificate it replies to), and with debug logging
> turned on I have a multi-line OCSP response in a log file, and I don't
> feel like parsing that.
>
> Is there a (preferably simple) way to let the OCSP responder log the
> certificate, the status of that certificate and the requesting entity
> (for example by IP) in a plain-text format?

If you are processing logs, the best log to process would have been the logs under /logs/signedAudit, where each log message is formulated systematically. However, since there is no requirement in Common Criteria to log the result of the OCSP responses, no such log messages exist. They could potentially be added in the code, however, so that they can be added by the administrator in the configuration.
If this is something that you are very interested in, I encourage you to file a feature request with some plausible reason on Dogtag so that it can be reviewed and considered for a future release.

Christina

>
> --
> Remy van Elst
> https://raymii.org - https://sparklingnetwork.nl
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mdemansana at philasd.org Mon Aug 19 20:57:06 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Mon, 19 Aug 2013 16:57:06 -0400 (EDT)
Subject: [Pki-users] Finding CRL Issuing Point
Message-ID: <24743955.886.1376945824382.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

Hi,

Here's another noob question for you.

Where can I find the configuration/pointer to the CRL Issuing Point? My understanding is that this extension needs to be specified on the certificate in order to have the certificate status checked when the server is accessed.

Thanks,

Michelle Taggart

From awnuk at redhat.com Mon Aug 19 22:03:00 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 19 Aug 2013 15:03:00 -0700
Subject: [Pki-users] Finding CRL Issuing Point
In-Reply-To: <24743955.886.1376945824382.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <24743955.886.1376945824382.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <52129614.5060402@redhat.com>

You could try to follow
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Issuing_CRLs.html#Configuring_CRLs_for_Each_Issuing_Point
and
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#CRL_Distribution_Points_Extension_Default

Thanks,
Andrew

On 08/19/2013 01:57 PM, Taggart, Michelle wrote:
> Hi,
>
> Here's another noob question for you.
> > Where can I find the configuration/pointer to the CRL Issuing Point? I have an understanding that this extension needs to be specified on the certificate in order to have the certificate status checked when the server is accessed. > > Thanks, > > Michelle Taggart > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From Oleg.Antonenko at adaptivemobile.com Tue Aug 20 14:10:16 2013 From: Oleg.Antonenko at adaptivemobile.com (Oleg Antonenko) Date: Tue, 20 Aug 2013 14:10:16 +0000 Subject: [Pki-users] Using SCEP Message-ID: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> Hi! I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP. But before plunging into full blown installation and tests I'd like to understand overall SCEP cert enrolment workflow supported by Dogtag. >From the documentation on the web site I've figured out that it is possible to send SCEP requests either to RA or directly to CA. As I understood in RA mode a user record with one-time PIN/Challenge has to be created in the 389 Directory first, and then a cert can be requested via SCEP. Is that correct? I did not get an impression that I have to do same when sending SCEP requests directly to CA. Does anyone know if I have to create a user record in the 389 DS before sending a SCEP request to CA directly? 
Thanks in advance,
Oleg

From awnuk at redhat.com Tue Aug 20 17:14:40 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Tue, 20 Aug 2013 10:14:40 -0700
Subject: [Pki-users] Using SCEP
In-Reply-To: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com>
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com>
Message-ID: <5213A400.1040507@redhat.com>

SCEP is disabled by default in the CA, so you need to enable SCEP first:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Enrolling_a_Certificate_in_a_Cisco_Router.html#enabling-scep

If you want to use SCEP with CA authentication, you need to enable the FlatFileAuthentication plug-in:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Flat_file_Authentication

If you want to use SCEP with RA authentication, you need to follow the RA's UI to create one-time PINs for SCEP requests. The RA is using SQLite as its repository, so there is no need to create directory entries.

I would advise you to use SCEP with the CA only, as more improvements were provided in this area.

Thanks,
Andrew

From Oleg.Antonenko at adaptivemobile.com Tue Aug 20 18:00:25 2013
From: Oleg.Antonenko at adaptivemobile.com (Oleg Antonenko)
Date: Tue, 20 Aug 2013 18:00:25 +0000
Subject: [Pki-users] Using SCEP
In-Reply-To: <5213A400.1040507@redhat.com>
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com>
Message-ID: <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com>

Hi Andrew,

Thanks a mil for such a speedy response and references.

Reading the Automated Enrolment guide I had a thought that Cert Based Auth might work for us.

Here is a line from the guide -

"There are other circumstances when it may be useful to use certificate-based authentication for initially requesting a certificate. For example, tokens may be bulk-loaded with generic certificates which are then used to authenticate the users when they enroll for their user certificates..."

Do you know if a single generic (or transport) cert could be used for signing SCEP requests for multiple users? If so, I presume we will need both - a transport private key and transport cert for signing requests?

Thanks,
Oleg

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk
Sent: 20 August 2013 18:15
To: pki-users at redhat.com
Subject: Re: [Pki-users] Using SCEP
From awnuk at redhat.com Tue Aug 20 22:37:39 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Tue, 20 Aug 2013 15:37:39 -0700
Subject: [Pki-users] Using SCEP
In-Reply-To: <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com>
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com> <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com>
Message-ID: <5213EFB3.30806@redhat.com>

On 08/20/2013 11:00 AM, Oleg Antonenko wrote:
> Hi Andrew,
> Thanks a mil for such a speedy response and references.
>
> Reading the Automated Enrolment guide I had a thought that Cert Based Auth might work for us.

Good choice.

> Here is a line from the guide -
>
> "There are other circumstances when it may be useful to use certificate-based authentication for initially requesting a certificate. For example, tokens may be bulk-loaded with generic certificates which are then used to authenticate the users when they enroll for their user certificates..."
>
> Do you know if a single generic (or transport) cert could be used for signing SCEP requests for multiple users?

Transport certificates are used by the CA to protect escrowed encryption keys transported to the KRA/DRM. I see no relation between transport keys and SCEP. Could you provide more details?

> If so, I presume we will need both - a transport private key and transport cert for signing requests?
>
> Thanks,
> Oleg

From Oleg.Antonenko at adaptivemobile.com Wed Aug 21 08:41:44 2013
From: Oleg.Antonenko at adaptivemobile.com (Oleg Antonenko)
Date: Wed, 21 Aug 2013 08:41:44 +0000
Subject: [Pki-users] Using SCEP
In-Reply-To: <5213EFB3.30806@redhat.com>
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com> <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com> <5213EFB3.30806@redhat.com>
Message-ID: <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>

Hi Andrew,

Yes, the story is quite simple. We have to issue certificates to Apple iOS and Android devices via SCEP.

For iOS this process - in theory - should be natively supported by iOS, so that would be our first evaluation test. For Android we will have to develop a client application which can talk SCEP. So once we succeed with iOS devices we'd start developing for Android.

My confusion is probably coming from not fully understanding the CA workflow for issuing certs via SCEP requests.

In the SCEP specification they say that a PKCS#10 request shall be signed by either -
- a self-signed cert generated by the requestor itself, or
- a cert originally issued by the CA for the requestor - e.g. for reissuance

Then the PKCS#10 is wrapped in a PKCS#7 envelope signed by the CA public key.

So I need to understand how the CA would process SCEP requests -
- Does it support a PKCS#10 req signed by a self-signed cert generated by the requestor?
- Does it support a PKCS#10 req signed by a cert issued by the CA but not for the requestor exclusively - e.g. a single generic cert issued to e.g.
"CN=Device Enrolment, O=Company X" ?
- Any alternatives?

Thanks a mil,
Oleg

-----Original Message-----
From: Andrew Wnuk [mailto:awnuk at redhat.com]
Sent: 20 August 2013 23:38
To: Oleg Antonenko
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Using SCEP

From alexander.w.jung at gmail.com Wed Aug 21 19:32:11 2013
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Wed, 21 Aug 2013 21:32:11 +0200
Subject: [Pki-users] Using SCEP
In-Reply-To: <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com> <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com> <5213EFB3.30806@redhat.com> <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>

Hi,

we gathered some experience using SCEP and Dogtag. To be a little more precise, we are issuing certs to Cisco routers by the thousands (the whole sales force needs these...)

The current implementation works, but still leaves some space for improvement :-)

Your client initially needs a password that must be known to the CA in the flatfileauth file used for your SCEP profile. The CA has a simple (more of an example) application to request such a password; we tied it to our order system to further authenticate those requests.

When your CA certificate (or the certificate you are using for SCEP) sits in an HSM, you'll need quite an extension for the existing code, as the current code will not be able to decrypt the requests (in this case due to Cisco's error - but we have to serve our clients...)

The flatfileauth module still has a longstanding bug (from the iPlanet days of the Dogtag code) that prevents it from working with other tag names than the default ones; easy to fix, but hair tearing when you debug it.
(See https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html for details)

The Cisco client still complains about some operations not being implemented, but works after those modifications.

Yours,

Alexander

From mdemansana at philasd.org Wed Aug 21 19:36:17 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Wed, 21 Aug 2013 15:36:17 -0400 (EDT)
Subject: [Pki-users] User Authentication on the CA End-Entity portal
Message-ID: <22346505.802.1377113776386.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

Hi,

On Dogtag 10, is there a way to restrict the EE page to authenticate (either by certificate or credentials, credentials more preferred) before accessing the page?

Thanks,
Michelle (pbbunny)

From Oleg.Antonenko at adaptivemobile.com Thu Aug 22 09:55:13 2013
From: Oleg.Antonenko at adaptivemobile.com (Oleg Antonenko)
Date: Thu, 22 Aug 2013 09:55:13 +0000
Subject: [Pki-users] Using SCEP
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com> <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com> <5213EFB3.30806@redhat.com> <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>
Message-ID: <34A5A0661B86944184C25952A4F169908691ABB3@Exchange-AMS.adaptivemobile.com>

Hi Alexander,

Thanks a lot for the info and confirmation, that sounds reassuring :)

We're thinking of keeping FlatfileAuth as a Plan B option. But at the moment I think the best would be the "Cert Based Auth"... So I'd like to narrow down my questions raised earlier, and would really appreciate your input.

This is an extract from the SCEP specification -

2.1.1.3. Requester Uses Existing CA-Issued or Self-Signed Certificates

In this protocol, the communication between the requester and the certificate authority is secured by using PKCS#7 [RFC2315] as the messaging protocol (see Section 4). PKCS#7 [RFC2315], however, is a data format which assumes the communicating entities already possess the peer's certificates and requires both parties use the issuer names and issuer assigned certificate serial numbers to identify the certificate in order to verify the signature and decrypt the message.

* If the requesting system already has a certificate issued by the CA, that certificate SHOULD be presented as credentials for the renewal of that certificate if the CA supports the "Renewal" capability and the CA policy permits the certificate to be renewed.

* If the requesting system has no certificate issued by the CA, but has credentials from a different CA, that certificate MAY be presented as credentials instead of a self-signed certificate. Policy settings on the SCEP server will determine if the request can be accepted or not.

* If the requester does not have an appropriate existing certificate, then a self signed certificate must be used instead. The self signed certificate MUST use the same subjectName as in the pkcs10 Request.

One of those certificates should be used to sign the overall PKCS#7 envelope sent by clients in the "PKCSReq" message to the CA.

My hunch is that iOS devices use identity certificates issued by Apple for signing SCEP messages (i.e. PKCS#7).

Could anyone confirm that the second and third bullet points (i.e. credentials from a different CA & self signed certificate) are supported in Dogtag?

If yes, could you also clarify one more thing please?
* Does the CA compare the CN in the signing cert with the CN in the PKCS#10 ?

With thanks,
Oleg

From: Alexander Jung [mailto:alexander.w.jung at gmail.com]
Sent: 21 August 2013 20:32
To: Oleg Antonenko
Cc: Andrew Wnuk; pki-users at redhat.com
Subject: Re: [Pki-users] Using SCEP

From awnuk at redhat.com Mon Aug 26 20:04:47 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 26 Aug 2013 13:04:47 -0700
Subject: [Pki-users] Using SCEP
In-Reply-To: <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com> <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com> <5213EFB3.30806@redhat.com> <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>
Message-ID: <521BB4DF.6010503@redhat.com>

On 08/21/2013 01:41 AM, Oleg Antonenko wrote:
> Hi Andrew,
> Yes, the story is quite simple.
> We have to issue certificates to Apple iOS and Android devices via SCEP.
>
> For iOS this process - in theory - should be natively supported by iOS, so that would be our first evaluation test.
> For Android we will have to develop a client application which can talk SCEP.
> So once we succeed with iOS devices we'd start developing for Android.
>
> My confusion is probably coming from not fully understanding the CA workflow for issuing certs via SCEP requests.
>
> In the SCEP specification they say that a PKCS#10 request shall be signed by either -
> - a self-signed cert generated by the requestor itself, or
> - a cert originally issued by the CA for the requestor - e.g. for reissuance
> Then the PKCS#10 is wrapped in a PKCS#7 envelope signed by the CA public key.
>
> So I need to understand how the CA would process SCEP requests -
> - Does it support a PKCS#10 req signed by a self-signed cert generated by the requestor?
> - Does it support a PKCS#10 req signed by a cert issued by the CA but not for the requestor exclusively - e.g. a single generic cert issued to e.g. "CN=Device Enrolment, O=Company X" ?
> - Any alternatives?

I hope that any of the above options would work as long as the request signature can be validated.

> Thanks a mil,
> Oleg

From awnuk at redhat.com Mon Aug 26 20:24:14 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 26 Aug 2013 13:24:14 -0700
Subject: [Pki-users] Using SCEP
References: <34A5A0661B86944184C25952A4F169908691A840@Exchange-AMS.adaptivemobile.com> <5213A400.1040507@redhat.com> <34A5A0661B86944184C25952A4F169908691A990@Exchange-AMS.adaptivemobile.com> <5213EFB3.30806@redhat.com> <34A5A0661B86944184C25952A4F169908691AA09@Exchange-AMS.adaptivemobile.com>
Message-ID: <521BB96E.3030902@redhat.com>

On 08/21/2013 12:32 PM, Alexander Jung wrote:
> Hi,
>
> we gathered some experience using SCEP and Dogtag. To be a little more
> precise, we are issuing certs to Cisco routers by the thousands (the
> whole sales force needs these...)
>
> The current implementation works, but still leaves some space for
> improvement :-)
>
> Your client initially needs a password that must be known to the CA in
> the flatfileauth file used for your SCEP profile. The CA has a simple
> (more of an example) application to request such a password; we tied it to
> our order system to further authenticate those requests.
> > When your CA certificate (or the certificate you are using for scep) > sits in a HSM, you'll need quite an extension for the existing code, > as the current code will not be able to decrypt the requests (in this > case due to ciscoserror - but we have to serve our clients...) > > The flatfileauthmodule still has a longstanding bug (from the > iplanetdays of the dogtagcode), that prevents it to work with other > tag-names than the default ones, easy to fix, but hair tearing when > you debug it. (See > https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html > for > details) > > The ciscoclient still complains on some operations not being > implemented, but works after those modifications > > Yours, > > Alexander Hi Alexander, Thank you for detailed description. Could you open tickets or bugs describing above issues? This would really help us to clean them. Thanks, Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdemansana at philasd.org Tue Aug 27 21:18:57 2013 From: mdemansana at philasd.org (Taggart, Michelle) Date: Tue, 27 Aug 2013 17:18:57 -0400 (EDT) Subject: [Pki-users] Bulk Revocation not working In-Reply-To: <32350207.238.1377638008671.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net> Message-ID: <23512282.242.1377638336854.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net> Hi, I'm trying to perform bulk revocation through the web portal of my CA instance. I'm able to successfully perform my search string using the "Issuing Information: Revoke certificates issued during the period: Start date same as end date" criteria, and brought all the proper search result, but when I click on "Revoke all # Certificates, it gives me the following error message: Certificate Details The details of the certificate being revoked are below: No Matching Certificates Found This works if I make the end date a day after the start date. I believe the issue is isolated to this scenario. 
Thanks, Michelle From awnuk at redhat.com Tue Aug 27 22:13:58 2013 From: awnuk at redhat.com (Andrew Wnuk) Date: Tue, 27 Aug 2013 15:13:58 -0700 Subject: [Pki-users] Bulk Revocation not working In-Reply-To: <23512282.242.1377638336854.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net> References: <23512282.242.1377638336854.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net> Message-ID: <521D24A6.1030103@redhat.com> Hi Michelle, Could you provide more details about your revocation steps? Thank you, Andrew On 08/27/2013 02:18 PM, Taggart, Michelle wrote: > Hi, > > I'm trying to perform bulk revocation through the web portal of my CA instance. I'm able to successfully perform my search string using the "Issuing Information: Revoke certificates issued during the period: Start date same as end date" criteria, and brought all the proper search result, but when I click on "Revoke all # Certificates, it gives me the following error message: > > > Certificate Details > The details of the certificate being revoked are below: > No Matching Certificates Found > > This works if I make the end date a day after the start date. I believe the issue is isolated to this scenario. 
>
> Thanks,
>
> Michelle
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From mdemansana at philasd.org Wed Aug 28 13:32:16 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Wed, 28 Aug 2013 09:32:16 -0400 (EDT)
Subject: [Pki-users] Bulk Revocation not working
In-Reply-To: <521D24A6.1030103@redhat.com>
Message-ID: <7918362.462.1377696735131.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

Hi Andrew,

Here are the steps:

1) Go to https://servername:8443/ca/agent/ca
2) Select "Revoke Certificates"
3) Checkmark "Issuing Information - Revoke certificates expire during the period:"
4) Start date: 20 August 2013
   End date: 20 August 2013
5) Select "Find"
6) If more than one certificate is listed in the search results, at the bottom select "Revoke All # Certificates"
7) In the Certificate Revocation Confirmation page, the Certificate Details shows the following: "The details of the certificate being revoked are below: No Matching Certificates Found"

The key to this error is that the start and the end date of the certificates being searched for are the same.

Thanks,
Michelle

----- Original Message -----
From: "Andrew Wnuk"
To: pki-users at redhat.com
Sent: Tuesday, August 27, 2013 6:13:58 PM
Subject: Re: [Pki-users] Bulk Revocation not working

Hi Michelle,

Could you provide more details about your revocation steps?

Thank you,
Andrew

On 08/27/2013 02:18 PM, Taggart, Michelle wrote:
> Hi,
>
> I'm trying to perform bulk revocation through the web portal of my CA instance.
> I'm able to successfully perform my search using the "Issuing Information: Revoke certificates issued during the period: Start date same as end date" criteria, and it brought up all the proper search results, but when I click on "Revoke all # Certificates", it gives me the following error message:
>
>
> Certificate Details
> The details of the certificate being revoked are below:
> No Matching Certificates Found
>
> This works if I make the end date a day after the start date. I believe the issue is isolated to this scenario.
>
> Thanks,
>
> Michelle
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From orrious at yahoo.com Tue Aug 27 22:31:59 2013
From: orrious at yahoo.com (orrious at yahoo.com)
Date: Tue, 27 Aug 2013 15:31:59 -0700 (PDT)
Subject: [Pki-users] Enterprise CA Architecture
Message-ID: <1377642719.19932.YahooMailNeo@web162703.mail.bf1.yahoo.com>

Hi Everyone,

I am setting up a Dogtag 9.0.3 CA PoC and have a couple of deployment questions. My goal is to have a secure and redundant CA and subsystems. The RA is external, redundant, and outside the scope of the discussion (for now). OCSP services will more than likely be distributed in multiple Server/LB pairs behind a single GTM VIP.

I am documenting each step of the install and will happily provide it so others don't have to ask the same questions.

Thank you for taking the time to read and provide feedback.

Scenario:

I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab load balances all incoming ports to both servers, during testing.

Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP: CA.lab. Instead I must select either CA1.lab or CA2.lab.
Is there a way to configure the OCSP to connect to the VIP rather than a specific CA server?

Q2.) If I am unable to configure OCSP against a VIP, should I configure OCSP1->CA1 and OCSP2->CA2?

Q3.) If Q2 is true and one of the CAs is down, will OCSP fail over to the other CA or will it just not answer a request?

Q4.) For the Dogtag web pages, how do I change the server name in the URI to the VIP, rather than the actual host name of the server? I.e., I go to https://ca.lab:9445/ca/services. Depending on the server I am load balanced to, the URLs for "Dogtag Certificate System", "SSL End Users Services", and "Agent Services" all go to CA1.lab:944x/ca.. rather than https://ca.lab:944x/ca. This also pertains to OCSP pages.

Q5.) Certificates issued by default contain the OCSP service of the CA server that issued the certificate, i.e. http://ca1.lab:9180/ca/ocsp. Can this URI be changed to the LB VIP http://ca.lab:9180/ca/ocsp, or can the VIP only be added to the certificate? If it can only be added, can the priority be changed so the VIP is queried first, as the CA would be firewalled in production and inaccessible?

Q6.) Should the OCSP services become unavailable, I would also like to publish the CRL in the certificates. What is the best performance for large CRLs, say 100K entries: a web page or LDAP?

Kind Regards,
Paul

From awnuk at redhat.com Wed Aug 28 15:35:21 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 28 Aug 2013 08:35:21 -0700
Subject: [Pki-users] Bulk Revocation not working
In-Reply-To: <7918362.462.1377696735131.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <7918362.462.1377696735131.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <521E18B9.3070608@redhat.com>

Hi Michelle,

I followed your scenario on CA v9 and I see no problems. You may need to check the CA's debug log and the access log of the CA's internal DS.
Thank you,
Andrew

On 08/28/2013 06:32 AM, Taggart, Michelle wrote:
> Hi Andrew,
>
> Here are the steps:
>
> 1) Go to https://servername:8443/ca/agent/ca
> 2) Select "Revoke Certificates"
> 3) Checkmark "Issuing Information - Revoke certificates expire during the period:"
> 4) Start date: 20 August 2013
>    End date: 20 August 2013
> 5) Select "Find"
> 6) If more than one certificate is listed in the search results, at the bottom select "Revoke All # Certificates"
> 7) In the Certificate Revocation Confirmation page, the Certificate Details shows the following: "The details of the certificate being revoked are below: No Matching Certificates Found"
>
> The key to this error is that the start and the end date of the certificates being searched for are the same.
>
> Thanks,
>
> Michelle
>
> ----- Original Message -----
> From: "Andrew Wnuk"
> To: pki-users at redhat.com
> Sent: Tuesday, August 27, 2013 6:13:58 PM
> Subject: Re: [Pki-users] Bulk Revocation not working
>
> Hi Michelle,
>
> Could you provide more details about your revocation steps?
>
> Thank you,
> Andrew
>
> On 08/27/2013 02:18 PM, Taggart, Michelle wrote:
>> Hi,
>>
>> I'm trying to perform bulk revocation through the web portal of my CA instance. I'm able to successfully perform my search using the "Issuing Information: Revoke certificates issued during the period: Start date same as end date" criteria, and it brought up all the proper search results, but when I click on "Revoke all # Certificates", it gives me the following error message:
>>
>>
>> Certificate Details
>> The details of the certificate being revoked are below:
>> No Matching Certificates Found
>>
>> This works if I make the end date a day after the start date. I believe the issue is isolated to this scenario.
>>
>> Thanks,
>>
>> Michelle
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From jmagne at redhat.com Wed Aug 28 17:37:25 2013
From: jmagne at redhat.com (John Magne)
Date: Wed, 28 Aug 2013 13:37:25 -0400 (EDT)
Subject: [Pki-users] [Pki-devel] Enterprise CA Architecture
In-Reply-To: <1377642719.19932.YahooMailNeo@web162703.mail.bf1.yahoo.com>
References: <1377642719.19932.YahooMailNeo@web162703.mail.bf1.yahoo.com>
Message-ID: <131548497.5301789.1377711445922.JavaMail.root@redhat.com>

As for your OCSP query, try this:

Use the console to edit the certificate profile you are using. I'm assuming it is caUserCert.

You can also do this with config files if you want. Look in /var/lib/pki-ca/profiles/ca/caUserCert.cfg

Anyway, there is an entry for the AIA extension that looks like this in the file:

policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1

Either using an editor or the console, put something in there for this setting:

policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=blah-url

Restart the server and try to issue a cert with this profile.

Also, when the agent approves the cert request, it has the chance to change this setting on that page as well.

For your load balancer issue.
Just as a quick test you might venture into your OCSP's conf/CS.cfg file and observe the entries that are pointing you to the CA. I haven't tried this, but it might be possible to change one of those settings to your LB and see what happens.

If there is a more elegant way to do this, others can chime in.

thanks,
jack

----- Original Message -----
> From: orrious at yahoo.com
> To: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Tuesday, August 27, 2013 3:31:59 PM
> Subject: [Pki-devel] Enterprise CA Architecture
>
> Hi Everyone,
>
>
> I am setting up a Dogtag 9.0.3 CA PoC and have a couple of deployment questions.
> My goal is to have a secure and redundant CA and subsystems. The RA is
> external, redundant, and outside the scope of the discussion (for now).
> OCSP services will more than likely be distributed in multiple Server/LB
> pairs behind a single GTM VIP.
>
>
> I am documenting each step of the install and will happily provide it so
> others don't have to ask the same questions.
>
>
> Thank you for taking the time to read and provide feedback.
>
>
>
> Scenario:
>
> I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab
> load balances all incoming ports to both servers, during testing.
>
>
> Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP:
> CA.lab. Instead I must select either CA1.lab or CA2.lab. Is there a way to
> configure the OCSP to connect to the VIP rather than a specific CA server?
>
>
> Q2.) If I am unable to configure OCSP against a VIP, should I configure
> OCSP1->CA1 and OCSP2->CA2?
>
> Q3.) If Q2 is true and one of the CAs is down, will OCSP fail over to the
> other CA or will it just not answer a request?
>
> Q4.) For the Dogtag web pages, how do I change the server name in the URI to
> the VIP, rather than the actual host name of the server? I.e., I go to
> https://ca.lab:9445/ca/services.
> Depending on the server I am load balanced
> to, the URLs for "Dogtag Certificate System", "SSL End Users Services", and
> "Agent Services" all go to CA1.lab:944x/ca.. rather than
> https://ca.lab:944x/ca. This also pertains to OCSP pages.
>
> Q5.) Certificates issued by default contain the OCSP service of the CA server
> that issued the certificate, i.e. http://ca1.lab:9180/ca/ocsp. Can this
> URI be changed to the LB VIP http://ca.lab:9180/ca/ocsp, or can the VIP only
> be added to the certificate? If it can only be added, can the priority be
> changed so the VIP is queried first, as the CA would be firewalled in
> production and inaccessible?
>
>
> Q6.) Should the OCSP services become unavailable, I would also like to
> publish the CRL in the certificates. What is the best performance for large
> CRLs, say 100K entries: a web page or LDAP?
>
>
>
>
>
> Kind Regards,
> Paul
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>

From orrious at yahoo.com Fri Aug 30 00:26:39 2013
From: orrious at yahoo.com (orrious at yahoo.com)
Date: Thu, 29 Aug 2013 17:26:39 -0700 (PDT)
Subject: [Pki-users] [Pki-devel] Enterprise CA Architecture
In-Reply-To: <131548497.5301789.1377711445922.JavaMail.root@redhat.com>
References: <1377642719.19932.YahooMailNeo@web162703.mail.bf1.yahoo.com> <131548497.5301789.1377711445922.JavaMail.root@redhat.com>
Message-ID: <1377822399.9478.YahooMailNeo@web162705.mail.bf1.yahoo.com>

Thanks Jack,

That did it. I'll add some "Lessons Learned" as well.

1.) You must first disable the profile you want to edit in CA Agent. Then open pkiconsole to edit the actual Certificate Profile.
    - This step is easily missed!

2.) If you don't know what profile you're trying to edit, from CA Agent -> List Requests -> Show all requests.
    - Since I'm working with SCEP, I needed to find out what profile was being used, so I could modify it with the correct OCSP URI.

For the remaining questions:

Q1, Q2, Q3, and Q6 are not valid. I had incorrectly assumed that the OCSP relayed requests or pulled the CRL, thus being the initiator. This is not the case. When the OCSP registers with the CA, the CA creates an OCSPPublisher that is set up to publish the CRL to the OCSP.

***Note: Each OCSP you register overwrites the prior. If all of your OCSPs are cloned from a single instance, this does not cause an issue. If they are clones of a single OCSP instance, LDAP handles the replication for the group. If you have multiple OCSP clusters, this causes an issue though. You will need to manually go into pkiconsole and create a new OCSPPublisher and Publishing Rule for the previous OCSP.

Example:

OCSP1 registers Master with CA1 -> OCSPPublisher=OCSP1
OCSP2 Clone of OCSP1 registers with CA1 -> OCSPPublisher=OCSP2 (Still works because OCSP1 and OCSP2 have LDAP replication.)
OCSP3 registers Master with CA1 -> OCSPPublisher=OCSP3 (OCSP1 and 2 no longer get the CRL. OCSP3 gets it.)
OCSP4 Clone of OCSP3 registers with CA1 -> OCSPPublisher=OCSP4 (OCSP1 and 2 no longer get the CRL. OCSP4 gets it and LDAP replicates it to OCSP3.)

Solution:
Register OCSPPublisher1 as a new Publisher and create a Publishing Rule for it. Ensure you have 1 OCSPPublisher for each cluster of OCSPs.

Solution Enhancement: Automatically name the OCSPPublisher the name of the OCSP Server, if it's not a Clone of an existing OCSP instance, and create the appropriate Publishing Rule.

Thank you
Paul

----- Original Message -----
From: John Magne
To: orrious at yahoo.com
Cc: pki-users at redhat.com; pki-devel at redhat.com
Sent: Wednesday, August 28, 2013 1:37 PM
Subject: Re: [Pki-devel] Enterprise CA Architecture

As for your OCSP query, try this:

Use the console to edit the certificate profile you are using.
I'm assuming it is caUserCert.

You can also do this with config files if you want. Look in /var/lib/pki-ca/profiles/ca/caUserCert.cfg

Anyway, there is an entry for the AIA extension that looks like this in the file:

policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1

Either using an editor or the console, put something in there for this setting:

policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=blah-url

Restart the server and try to issue a cert with this profile.

Also, when the agent approves the cert request, it has the chance to change this setting on that page as well.

For your load balancer issue. Just as a quick test you might venture into your OCSP's conf/CS.cfg file and observe the entries that are pointing you to the CA. I haven't tried this, but it might be possible to change one of those settings to your LB and see what happens.

If there is a more elegant way to do this, others can chime in.

thanks,
jack

----- Original Message -----
> From: orrious at yahoo.com
> To: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Tuesday, August 27, 2013 3:31:59 PM
> Subject: [Pki-devel] Enterprise CA Architecture
>
> Hi Everyone,
>
>
> I am setting up a Dogtag 9.0.3 CA PoC and have a couple of deployment questions.
> My goal is to have a secure and redundant CA and subsystems. The RA is
> external, redundant, and outside the scope of the discussion (for now).
> OCSP services will more than likely be distributed in multiple Server/LB
> pairs behind a single GTM VIP.
>
>
> I am documenting each step of the install and will happily provide it so
> others don't have to ask the same questions.
>
>
> Thank you for taking the time to read and provide feedback.
>
>
>
> Scenario:
>
> I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab
> load balances all incoming ports to both servers, during testing.
>
>
> Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP:
> CA.lab. Instead I must select either CA1.lab or CA2.lab. Is there a way to
> configure the OCSP to connect to the VIP rather than a specific CA server?
>
>
> Q2.) If I am unable to configure OCSP against a VIP, should I configure
> OCSP1->CA1 and OCSP2->CA2?
>
> Q3.) If Q2 is true and one of the CAs is down, will OCSP fail over to the
> other CA or will it just not answer a request?
>
> Q4.) For the Dogtag web pages, how do I change the server name in the URI to
> the VIP, rather than the actual host name of the server? I.e., I go to
> https://ca.lab:9445/ca/services. Depending on the server I am load balanced
> to, the URLs for "Dogtag Certificate System", "SSL End Users Services", and
> "Agent Services" all go to CA1.lab:944x/ca.. rather than
> https://ca.lab:944x/ca. This also pertains to OCSP pages.
>
> Q5.) Certificates issued by default contain the OCSP service of the CA server
> that issued the certificate, i.e. http://ca1.lab:9180/ca/ocsp. Can this
> URI be changed to the LB VIP http://ca.lab:9180/ca/ocsp, or can the VIP only
> be added to the certificate? If it can only be added, can the priority be
> changed so the VIP is queried first, as the CA would be firewalled in
> production and inaccessible?
>
>
> Q6.) Should the OCSP services become unavailable, I would also like to
> publish the CRL in the certificates. What is the best performance for large
> CRLs, say 100K entries: a web page or LDAP?
>
>
>
>
>
> Kind Regards,
> Paul
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>
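The profile edit Jack describes (set authInfoAccessADLocation_0 so issued certificates carry the OCSP URL of the load-balancer VIP rather than the issuing CA's own host, which is what Paul saw in Q5) is easy to get wrong by hand across several profiles. The script below is an added example, not code from this thread or from the Dogtag project: it parses the key=value layout Jack quoted from /var/lib/pki-ca/profiles/ca/caUserCert.cfg, audits every AIA default for an empty or non-http(s) OCSP location, and rewrites the location to the VIP. It assumes only the key names shown in Jack's snippet, runs on a constructed copy of that snippet, and uses the VIP URL from Paul's Q5.

```python
"""Audit and fix the AIA (OCSP responder) default of a Dogtag profile .cfg.

Added example, not from the thread or the Dogtag project. It assumes only the
policyset.<set>.<n>.default.* key layout Jack quoted; the sample text below
is a constructed copy of his snippet, not a file read from a live CA.
"""
from urllib.parse import urlsplit

AIA_CLASS_ID = "authInfoAccessExtDefaultImpl"
OCSP_ACCESS_METHOD_OID = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp, as in Jack's snippet
VIP_OCSP_URL = "http://ca.lab:9180/ca/ocsp"    # the LB VIP from Paul's Q5

# Constructed sample mirroring the AIA block quoted in the thread. The empty
# authInfoAccessADLocation_0 is the starting point Paul was asking about.
SAMPLE_PROFILE = """\
policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
"""


def parse_profile(text):
    """Parse key=value lines into an ordered list; other lines keep key None."""
    pairs = []
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
        else:
            pairs.append((None, line))
    return pairs


def render_profile(pairs):
    """Serialise pairs back to profile text, preserving order and comments."""
    return "".join((v if k is None else f"{k}={v}") + "\n" for k, v in pairs)


def aia_default_prefixes(pairs):
    """'policyset.<set>.<n>.default' prefixes of every AIA default in the profile."""
    return [k[: -len(".class_id")] for k, v in pairs
            if k and k.endswith(".default.class_id") and v == AIA_CLASS_ID]


def _is_http_url(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def _ocsp_location_keys(pairs):
    """(prefix, index, location key) of every enabled OCSP access description."""
    settings = {k: v for k, v in pairs if k}
    found = []
    for prefix in aia_default_prefixes(pairs):
        p = prefix + ".params."
        try:
            num_ads = int(settings.get(p + "authInfoAccessNumADs", "0"))
        except ValueError:
            num_ads = 0  # malformed count: treat as no access descriptions
        for i in range(num_ads):
            if (settings.get(f"{p}authInfoAccessADEnable_{i}") == "true"
                    and settings.get(f"{p}authInfoAccessADMethod_{i}") == OCSP_ACCESS_METHOD_OID):
                found.append((prefix, i, f"{p}authInfoAccessADLocation_{i}"))
    return found


def audit_aia(text):
    """Findings as (prefix, ad_index, problem); an empty list means the OCSP AIA is usable."""
    pairs = parse_profile(text)
    settings = {k: v for k, v in pairs if k}
    findings = []
    for prefix, i, loc_key in _ocsp_location_keys(pairs):
        if settings.get(f"{prefix}.params.authInfoAccessADLocationType_{i}") != "URIName":
            findings.append((prefix, i, "OCSP location is not a URIName"))
        loc = settings.get(loc_key, "")
        if not loc:
            findings.append((prefix, i, "OCSP location is empty"))
        elif not _is_http_url(loc):
            findings.append((prefix, i, f"OCSP location is not an http(s) URL: {loc}"))
    return findings


def set_ocsp_location(text, url):
    """Point every enabled OCSP access description at `url`; returns (new_text, n_updated)."""
    if not _is_http_url(url):
        raise ValueError(f"refusing to write a non-http(s) OCSP location: {url!r}")
    pairs = parse_profile(text)
    targets = {loc_key for _, _, loc_key in _ocsp_location_keys(pairs)}
    updated = [(k, url if k in targets else v) for k, v in pairs]
    return render_profile(updated), len(targets)


if __name__ == "__main__":
    print("before:", audit_aia(SAMPLE_PROFILE))
    fixed, n = set_ocsp_location(SAMPLE_PROFILE, VIP_OCSP_URL)
    print(f"updated {n} OCSP location(s); after:", audit_aia(fixed))
    print(fixed, end="")
```

To use it on a real instance, read the profile file into `text`, write the result of `set_ocsp_location` back, and follow the two steps the thread gives: disable the profile in the CA agent interface first (Paul's lesson 1) and restart the server afterwards (Jack's note). Running `audit_aia` over every profile in the directory is a cheap way to find the ones still pointing clients at a CA host that will be firewalled in production.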