[Pki-users] Problems with Dogtag and CA cert signed by External CA

[David Partridge]

If using graphical interface and you exceed timelimit on the form for
importing certificates signed by external CA, close browser and make sure as
you navigate back to screen to associate CSR's with certificates that the
little boxes that "remove existing database" or to that effect are NOT
checked.  You are destroying your initial CA database that has the CSR in
the request branch when you try to associate the CSR's aka requests with the
certificates.

David M. Partridge
Senior Identity Management and Security Engineer 
Tangible Software | 2010 Corporate Ridge, #620
McLean, Virginia 22102 | dpartridge at tangible.net
Direct: 800-913-9901 x3001 | Cell: 571-286-9628
Fax: 703-288-1226 | DCO Jabber: david.partridge2 at chat.dco.dod.mil

CONFIDENTIALITY NOTICE:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message.



> -----Original Message-----
> From: Dwayne MacKinnon [mailto:dmk at ncf.ca]
> Sent: Thursday, October 18, 2012 11:50 AM
> To: John Dennis
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Problems with Dogtag and CA cert signed by
> External CA
> 
> On October 17, 2012 04:52:52 PM John Dennis wrote:
> > On 10/17/2012 03:52 PM, Dwayne MacKinnon wrote:
> > > Hi all,
> > >
> > > A helpful fellow called alee on #dogtag-pki suggested I write the
> list.
> > > I've been playing with dogtag-pki-9.0.0-10 on 64-bit Fedora 17.
> > >
> > > I'm looking to use dogtag to run a subordinate CA that does all our
> > > everyday PKI stuff. So when I used pki-create and went into the
> > > webform, I went the "create a csr" route and signed it using a root
> > > CA I'd set up using openssl.
> > >
> > > Everything seemed to work out fine, until I got to the point where
> I
> > > was restarting pki-cad (using systemctl restart
> > > pki-cad at pki-ca.service). It wouldn't start.
> > >
> > > With alee's help I tracked it down to a failure of
> > > SystemCertsVerification during the selftests.
> > >
> > > He asked me to submit my debug log to the list, so here it is.
> >
> > Interestingly enough I'm in the middle of tracking down why NSS will
> > not validate a self signed cert as a CA. I suspect dogtag is calling
> > NSS's CERT_VerifyCertificateNow (or it's equivalent) and passing it a
> > specific usage parameter.
> >
> > There are very specific requirements to accept a CA cert as valid.
> > More valuable than the log would be show us what the cert looks like.
> > I would ordinarily tell you to dump the cert in text form using
> > openssl x509 -text but openssl often omits detailed information on
> the
> > cert extensions which are critical (no pun intended) here. How about
> > if you also provide us with a PEM formatted version of the cert and
> > we'll use our tools to examine it's contents.
> 
> Sure. I've generated a clone cert with phony credentials. It's attached.
> Thanks for the assistance.
> 
> Cheers,
> DMK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5739 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20130109/34cdcef7/attachment.bin>