From mdemansana at philasd.org  Mon Jul 22 18:47:22 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Mon, 22 Jul 2013 14:47:22 -0400 (EDT)
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <10707622.4392.1374518805075.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <4096772.4393.1374518840702.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

Hi,

I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19. The CSR is in PKCS#7 format. I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA. After submitting the form, I get a "Sorry, your request has been rejected. The reason is "Request Rejected - {0}"" error. Any ideas on what's causing this?

Thanks,

Michelle Taggart

From cfu at redhat.com  Mon Jul 22 20:56:16 2013
From: cfu at redhat.com (Christina Fu)
Date: Mon, 22 Jul 2013 13:56:16 -0700
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <4096772.4393.1374518840702.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <4096772.4393.1374518840702.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <51ED9C70.2000407@redhat.com>

Dogtag only supports CSR in the following formats:
1. CRMF
2. PKCS #10
3. CMC with either CRMF or PKCS #10

I am not aware that a CSR can be represented in PKCS #7, but I always keep an open mind to learn new (or old) things, so I'd appreciate it if you can send us a reference link to the RFC that specifies such CSR representation using PKCS #7. If it gives us enough good reasons to support it, we will gladly consider supporting that in the future.

Christina

From mdemansana at philasd.org  Mon Jul 22 21:14:29 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Mon, 22 Jul 2013 17:14:29 -0400 (EDT)
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <51ED9C70.2000407@redhat.com>
Message-ID: <26361459.4517.1374527667527.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

Hi Christina,

I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)

I'm actually trying to generate a certificate that is also an intermediary CA. Which Certificate Profile should best fit that need?

Thanks,

Michelle Taggart

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From cfu at redhat.com  Mon Jul 22 22:03:05 2013
From: cfu at redhat.com (Christina Fu)
Date: Mon, 22 Jul 2013 15:03:05 -0700
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <26361459.4517.1374527667527.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <26361459.4517.1374527667527.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <51EDAC19.5010502@redhat.com>

On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> Hi Christina,
>
> I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
>
> I'm actually trying to generate a certificate that is also an intermediary CA. Which Certificate Profile should best fit that need?
>

The "Manual Certificate Manager Signing Certificate Enrollment" (caCACert profile) is for a generic CA signing cert enrollment. People can customize it to fit their own site requirements.
For information on how to do that, you can check the documentation (Admin guide specifically):
https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/

Christina

From mdemansana at philasd.org  Mon Jul 22 22:17:14 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Mon, 22 Jul 2013 18:17:14 -0400 (EDT)
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <51EDAC19.5010502@redhat.com>
Message-ID: <22871882.4580.1374531433086.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

I did see that. I tried to submit the CSR into the Manual Certificate Manager Signing Certificate Enrollment form but it keeps on failing, with the following message in the ee:

Certificate Profile
Sorry, your request has been rejected. The reason is "Request Rejected - {0}"

And here's the message/entry within the Agent page:

Request Information
Request ID: 35
Request Type: enrollment
Request Status: rejected
Requestor Host: null
Assigned To:
Creation Time: Mon Jul 22 18:12:09 EDT 2013
Modification Time: Mon Jul 22 18:12:09 EDT 2013

Certificate Profile Information
Certificate Profile Id: caCACert
Approved By: admin
Certificate Profile Name: Manual Certificate Manager Signing Certificate Enrollment
Certificate Profile Description: This certificate profile is for enrolling Certificate Authority certificates.
Additional Notes

Certificate Profile Inputs
Id                  Input Names                Input Values
cert_request_type   Certificate Request Type   pkcs10
cert_request        Certificate Request        (PEM-encoded PKCS #10 certificate request)
requestor_name      Requestor Name             test
requestor_email     Requestor Email            test at philasd.net
requestor_phone     Requestor Phone

I can't find any other reason for the rejection, is there a log file for it?

Thanks,

Michelle Taggart
x5166

From jmagne at redhat.com  Mon Jul 22 22:27:13 2013
From: jmagne at redhat.com (John Magne)
Date: Mon, 22 Jul 2013 18:27:13 -0400 (EDT)
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <22871882.4580.1374531433086.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <22871882.4580.1374531433086.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <876643396.5099499.1374532033965.JavaMail.root@redhat.com>

Try looking at or even posting the /var/lib/pki-ca/logs/debug log file.

This is a finely grained debug log that could provide clues to the reason for the rejection.

From mdemansana at philasd.org  Mon Jul 22 22:36:22 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Mon, 22 Jul 2013 18:36:22 -0400 (EDT)
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <876643396.5099499.1374532033965.JavaMail.root@redhat.com>
Message-ID: <14317577.4585.1374532580605.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

That's quite helpful! I'll dig deep into that and see if there's any indication of the error.

What I'm actually not finding is the GUI version of the creation of the certificate profile. I don't have a desktop for my test Fedora, so I'm doing everything through SSH CLI or the GUI from the dogtag-pki-theme.

Thanks,

Michelle Taggart
x5166

From alee at redhat.com  Tue Jul 23 02:11:12 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Jul 2013 22:11:12 -0400
Subject: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
In-Reply-To: <14317577.4585.1374532580605.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <14317577.4585.1374532580605.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <1374545472.2951.60.camel@aleeredhat.laptop>

You can install and run the console (pki-console) on your client machine. It will connect to your dogtag instance using the admin port.

Ade

From mdemansana at philasd.org  Tue Jul 23 17:38:38 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Tue, 23 Jul 2013 13:38:38 -0400 (EDT)
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
In-Reply-To: <4518733.4982.1374600867105.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <4178265.4983.1374601116284.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

Hi,

I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests for a server certificate with subCA ability, for issuing certificates.
Thanks, Michelle T From jmagne at redhat.com Tue Jul 23 18:18:23 2013 From: jmagne at redhat.com (John Magne) Date: Tue, 23 Jul 2013 14:18:23 -0400 (EDT) Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute In-Reply-To: <4178265.4983.1374601116284.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net> References: <4178265.4983.1374601116284.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net> Message-ID: <743730859.5660606.1374603503125.JavaMail.root@redhat.com> You could go into the directory /var/lib/pki-ca/profiles/ca Find the profile you want to clone, which is in a file XXXX.cfg Copy that file to a new name that you want. Put an entry for that new profile in the conf/CS.cfg file under the heading: profiles.list Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it. In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface. ----- Original Message ----- From: "Michelle Taggart" To: pki-users at redhat.com Sent: Tuesday, July 23, 2013 10:38:38 AM Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute Hi, I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests for a server certificate with subCA ability, for issuing certificates. 
Thanks,

Michelle T

From mdemansana at philasd.org Tue Jul 23 19:24:12 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Tue, 23 Jul 2013 15:24:12 -0400 (EDT)
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
In-Reply-To: <743730859.5660606.1374603503125.JavaMail.root@redhat.com>
Message-ID: <17653561.5014.1374607450258.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

I do see that. What I'm confused about is what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function.

Thanks,

Michelle Taggart
x5166

----- Original Message -----
From: "John Magne"
To: "Michelle Taggart"
Cc: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 2:18:23 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

You could go into the directory /var/lib/pki-ca/profiles/ca

Find the profile you want to clone, which is in a file XXXX.cfg

Copy that file to a new name that you want.

Put an entry for that new profile in the conf/CS.cfg file under the heading:
profiles.list

Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it.

In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface.

----- Original Message -----
From: "Michelle Taggart"
To: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 10:38:38 AM
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute

Hi,

I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic.
The CSR that the proxy creates requests a server certificate with subCA ability, for issuing certificates.

Thanks,

Michelle T

From mdemansana at philasd.org Tue Jul 23 20:53:52 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Tue, 23 Jul 2013 16:53:52 -0400 (EDT)
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
In-Reply-To: <17653561.5014.1374607450258.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <17759174.5048.1374612830314.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

This might sound confusing, so let me rephrase.

Is there an existing template to create a subordinate CA certificate? If not, is there a cheatsheet on creating one? I am able to get to the pkiconsole piece to create a new profile, but I'm hoping that I don't have to create one because truthfully that piece is starting to become way over my head. ;)

Thanks,

Michelle Taggart
x5166

----- Original Message -----
From: "Michelle Taggart"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 3:24:12 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

I do see that. What I'm confused about is what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function.

Thanks,

Michelle Taggart
x5166

----- Original Message -----
From: "John Magne"
To: "Michelle Taggart"
Cc: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 2:18:23 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

You could go into the directory /var/lib/pki-ca/profiles/ca

Find the profile you want to clone, which is in a file XXXX.cfg

Copy that file to a new name that you want.
Put an entry for that new profile in the conf/CS.cfg file under the heading:
profiles.list

Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it.

In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface.

----- Original Message -----
From: "Michelle Taggart"
To: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 10:38:38 AM
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute

Hi,

I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests a server certificate with subCA ability, for issuing certificates.

Thanks,

Michelle T

From jmagne at redhat.com Tue Jul 23 22:43:56 2013
From: jmagne at redhat.com (John Magne)
Date: Tue, 23 Jul 2013 18:43:56 -0400 (EDT)
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
In-Reply-To: <17759174.5048.1374612830314.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <17759174.5048.1374612830314.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <930235141.5755106.1374619436053.JavaMail.root@redhat.com>

I believe alee and those guys in irc were steering you right.

The existing profile "caCACert" should be what you want, a CA cert signed by the current/root CA.

The cert should have the right extensions to be a CA cert for a sub CA.

If you want to add other things, you can go into the console and make minor mods to that profile.
The console allows you to add different types of extensions to the cert profile.

----- Original Message -----
From: "Michelle Taggart"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 1:53:52 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

This might sound confusing, so let me rephrase.

Is there an existing template to create a subordinate CA certificate? If not, is there a cheatsheet on creating one? I am able to get to the pkiconsole piece to create a new profile, but I'm hoping that I don't have to create one because truthfully that piece is starting to become way over my head. ;)

Thanks,

Michelle Taggart
x5166

----- Original Message -----
From: "Michelle Taggart"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 3:24:12 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

I do see that. What I'm confused about is what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function.

Thanks,

Michelle Taggart
x5166

----- Original Message -----
From: "John Magne"
To: "Michelle Taggart"
Cc: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 2:18:23 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

You could go into the directory /var/lib/pki-ca/profiles/ca

Find the profile you want to clone, which is in a file XXXX.cfg

Copy that file to a new name that you want.

Put an entry for that new profile in the conf/CS.cfg file under the heading:
profiles.list

Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it.

In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface.
----- Original Message -----
From: "Michelle Taggart"
To: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 10:38:38 AM
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute

Hi,

I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests a server certificate with subCA ability, for issuing certificates.

Thanks,

Michelle T

From cfu at redhat.com Tue Jul 23 23:43:00 2013
From: cfu at redhat.com (Christina Fu)
Date: Tue, 23 Jul 2013 16:43:00 -0700
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
In-Reply-To: <17759174.5048.1374612830314.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
References: <17759174.5048.1374612830314.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>
Message-ID: <51EF1504.6040304@redhat.com>

What defines the characteristics of a certificate is in the Extensions.

The profile caCACert.cfg defines a generic CA cert which contains the necessary Extensions such as Basic Constraints, Subject Key Identifier, key usage and extended key usage etc. for a CA.

The profile caServerCert.cfg defines a generic SSL server cert which contains the necessary key usage and extended key usage etc. for an SSL server cert.

Technically, if you take the union of the two profiles in terms of the key and extended key usage, you come up with a CA cert that can act as an SSL server cert. RFC 5280 contains more detail on which bits should or should not go with which if you are interested in learning more.
Also, intermediate CA or not, the profile should be the same, unless the Path Length Constraint in Basic Constraints matters to you, though that should be calculated for you if not unlimited.

Christina

On 07/23/2013 01:53 PM, Taggart, Michelle wrote:
> This might sound confusing, so let me rephrase.
>
> Is there an existing template to create a subordinate CA certificate? If not, is there a cheatsheet on creating one? I am able to get to the pkiconsole piece to create a new profile, but I'm hoping that I don't have to create one because truthfully that piece is starting to become way over my head. ;)
>
> Thanks,
>
> Michelle Taggart
> x5166
>
> ----- Original Message -----
> From: "Michelle Taggart"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Tuesday, July 23, 2013 3:24:12 PM
> Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute
>
> I do see that. What I'm confused about is what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function.
>
> Thanks,
>
> Michelle Taggart
> x5166
>
> ----- Original Message -----
> From: "John Magne"
> To: "Michelle Taggart"
> Cc: pki-users at redhat.com
> Sent: Tuesday, July 23, 2013 2:18:23 PM
> Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute
>
> You could go into the directory /var/lib/pki-ca/profiles/ca
>
> Find the profile you want to clone, which is in a file XXXX.cfg
>
> Copy that file to a new name that you want.
>
> Put an entry for that new profile in the conf/CS.cfg file under the heading:
> profiles.list
>
> Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it.
>
> In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface.
>
> ----- Original Message -----
> From: "Michelle Taggart"
> To: pki-users at redhat.com
> Sent: Tuesday, July 23, 2013 10:38:38 AM
> Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
>
> Hi,
>
> I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests a server certificate with subCA ability, for issuing certificates.
>
> Thanks,
>
> Michelle T

From mdemansana at philasd.org Wed Jul 24 19:20:47 2013
From: mdemansana at philasd.org (Taggart, Michelle)
Date: Wed, 24 Jul 2013 15:20:47 -0400 (EDT)
Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
In-Reply-To: <51EF1504.6040304@redhat.com>
Message-ID: <24372327.102.1374693645358.JavaMail.mdemansana@mac-w80189y1agz.admin.philasd.net>

This is extremely helpful. I was able to make the profile work, I actually had to make a custom profile, but no other specifics required. Thank you so much for the expedient help. I'm hoping that in the future I can help and contribute to this project! :)

Thanks,

Michelle Taggart
x5166

----- Original Message -----
From: "Christina Fu"
To: pki-users at redhat.com
Sent: Tuesday, July 23, 2013 7:43:00 PM
Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute

What defines the characteristics of a certificate is in the Extensions.
The profile caCACert.cfg defines a generic CA cert which contains the necessary Extensions such as Basic Constraints, Subject Key Identifier, key usage and extended key usage etc. for a CA.

The profile caServerCert.cfg defines a generic SSL server cert which contains the necessary key usage and extended key usage etc. for an SSL server cert.

Technically, if you take the union of the two profiles in terms of the key and extended key usage, you come up with a CA cert that can act as an SSL server cert. RFC 5280 contains more detail on which bits should or should not go with which if you are interested in learning more.

Also, intermediate CA or not, the profile should be the same, unless the Path Length Constraint in Basic Constraints matters to you, though that should be calculated for you if not unlimited.

Christina

On 07/23/2013 01:53 PM, Taggart, Michelle wrote:
> This might sound confusing, so let me rephrase.
>
> Is there an existing template to create a subordinate CA certificate? If not, is there a cheatsheet on creating one? I am able to get to the pkiconsole piece to create a new profile, but I'm hoping that I don't have to create one because truthfully that piece is starting to become way over my head. ;)
>
> Thanks,
>
> Michelle Taggart
> x5166
>
> ----- Original Message -----
> From: "Michelle Taggart"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Tuesday, July 23, 2013 3:24:12 PM
> Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute
>
> I do see that. What I'm confused about is what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function.
>
> Thanks,
>
> Michelle Taggart
> x5166
>
> ----- Original Message -----
> From: "John Magne"
> To: "Michelle Taggart"
> Cc: pki-users at redhat.com
> Sent: Tuesday, July 23, 2013 2:18:23 PM
> Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute
>
> You could go into the directory /var/lib/pki-ca/profiles/ca
>
> Find the profile you want to clone, which is in a file XXXX.cfg
>
> Copy that file to a new name that you want.
>
> Put an entry for that new profile in the conf/CS.cfg file under the heading:
> profiles.list
>
> Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it.
>
> In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface.
>
> ----- Original Message -----
> From: "Michelle Taggart"
> To: pki-users at redhat.com
> Sent: Tuesday, July 23, 2013 10:38:38 AM
> Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute
>
> Hi,
>
> I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests a server certificate with subCA ability, for issuing certificates.
>
> Thanks,
>
> Michelle T

From alee at redhat.com Fri Jul 26 18:12:42 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 26 Jul 2013 14:12:42 -0400
Subject: [Pki-users] Announcing the release of Dogtag 10.0.4
Message-ID: <1374862362.2341.74.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the fourth errata build for Dogtag 10.0.

Builds are available for Fedora 18 and Fedora 19 in the updates-testing repositories. Please try them out and provide karma to move them to the F18 and F19 stable repositories.

== Build Versions ==

pki-core-10.0.4-1
pki-ra-10.0.4-1
pki-tps-10.0.4-1
dogtag-pki-10.0.4-1
dogtag-pki-theme-10.0.4-1
pki-console-10.0.4-1

== Highlights since Dogtag 10.0.3 ==

* Enhanced pkispawn to provide automatic backup and restore mechanism for files modified during the upgrade process.
* Improved the summary information at the end of pkispawn to include, among other things, the location of the agent PKCS #12 file.
* Fixes to pkispawn and the installation servlets to fix cloning.
* Fix to pkispawn to correctly overwrite the pki_issuing_ca when configuring with an external CA. This resolves an issue reported by IPA in BZ #986901.
* Numerous fixes to resolve build issues on F19 and RHEL.

== Detailed Changes since Dogtag 10.0.3 ==

akoneru (1):
    #645 Display the admin p12 file location in the installation summary

alee (6):
    #680 Missing apache-commons-cli dependency
    #665 cloning is broken for second instance in shared subsystems
    BZ #973224 - resteasy-base must be split into subpackages
    -- Add build dependency on systemd to fix build failures on f19.
    -- Modify pkispawn to handle case where no subsystem certs are generated
    -- Modify java-tools startup scripts to use correct JNI path

awnuk (1):
    BZ #961522 - Allow key to be exported.

cfu (1):
    BZ #971561 - server-side key generation causes NullPointerException if a parameter is not supplied by the caller (TPS)

edewata (6):
    #582 Man page for pki-upgrade
    #583 Automatic backup and rollback on upgrade
    BZ #986901 - Fix configuration issues with external CA.
    BZ #985111 - token authentication problem on rhel
    -- Removing JNI_JAR_DIR from /etc/pki/pki.conf.
    -- Fixed library paths for RHEL.

mharmsen (2):
    BZ #986506 - exclude pki-kra, pki-ocsp and pki-tks from rhel
    BZ #975939 - RHCS 8.1: "END CERTIFICATE" tag is not on its own line
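
Christina Fu's reply earlier in this thread describes taking the union of the key usage and extended key usage of a CA profile and an SSL server profile, and points to RFC 5280 for which bits go together. The following is an added example, not Dogtag code and not written by anyone on the list: it merges two constructed usage sets, checks the result against the RFC 5280 rules named in the comments, and DER-encodes the resulting KeyUsage bit string. The two sample sets are stand-ins rather than the contents of caCACert.cfg or caServerCert.cfg, and all function and variable names are hypothetical.

```python
# KeyUsage named bits, RFC 5280 section 4.2.1.3 (bit 0 is the most significant bit).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

# Constructed stand-ins (assumptions), NOT the shipped Dogtag profile contents.
CA_LIKE = {"ca": True, "path_len": None,
           "key_usage": {"digitalSignature", "keyCertSign", "cRLSign"},
           "ext_key_usage": set()}
SERVER_LIKE = {"ca": False, "path_len": None,
               "key_usage": {"digitalSignature", "keyEncipherment"},
               "ext_key_usage": {SERVER_AUTH}}


def merge_profiles(a, b):
    """Union of key usage and EKU; the result is a CA if either input is."""
    lens = [p["path_len"] for p in (a, b) if p["ca"] and p["path_len"] is not None]
    return {"ca": a["ca"] or b["ca"],
            "path_len": min(lens) if lens else None,  # None means unlimited
            "key_usage": a["key_usage"] | b["key_usage"],
            "ext_key_usage": a["ext_key_usage"] | b["ext_key_usage"]}


def rfc5280_issues(p):
    """Return a list of RFC 5280 consistency problems (empty list means none found)."""
    issues, ku = [], p["key_usage"]
    unknown = ku - set(KEY_USAGE_BITS)
    if unknown:
        issues.append("unknown key usage bits: " + ", ".join(sorted(unknown)))
    if not ku:  # 4.2.1.3: at least one bit must be set
        issues.append("keyUsage present but no bit set")
    if "keyCertSign" in ku and not p["ca"]:  # 4.2.1.9
        issues.append("keyCertSign requires basicConstraints cA=TRUE")
    if p["path_len"] is not None and not (p["ca"] and "keyCertSign" in ku):
        issues.append("pathLenConstraint needs cA=TRUE and keyCertSign")  # 4.2.1.9
    if ku & {"encipherOnly", "decipherOnly"} and "keyAgreement" not in ku:
        issues.append("encipherOnly/decipherOnly are undefined without keyAgreement")
    if SERVER_AUTH in p["ext_key_usage"] and not ku & {
            "digitalSignature", "keyEncipherment", "keyAgreement"}:  # 4.2.1.12
        issues.append("serverAuth expects digitalSignature, keyEncipherment or keyAgreement")
    return issues


def encode_key_usage(bits):
    """DER BIT STRING for a KeyUsage value (named bits, trailing zero bits dropped)."""
    if not bits:
        raise ValueError("at least one key usage bit must be set")
    positions = sorted(KEY_USAGE_BITS[b] for b in bits)
    nbytes = positions[-1] // 8 + 1
    content = bytearray(nbytes)
    for pos in positions:
        content[pos // 8] |= 0x80 >> (pos % 8)
    unused = 7 - positions[-1] % 8  # unused bits in the last content octet
    return bytes([0x03, nbytes + 1, unused]) + bytes(content)


if __name__ == "__main__":
    merged = merge_profiles(CA_LIKE, SERVER_LIKE)
    print(sorted(merged["key_usage"]), sorted(merged["ext_key_usage"]))
    print("issues:", rfc5280_issues(merged))
    print("KeyUsage DER:", encode_key_usage(merged["key_usage"]).hex())
```

The same checks can be applied to the values read from an issued certificate to confirm that a custom profile produced the intended extensions.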