[Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

Taggart, Michelle mdemansana at philasd.org
Mon Jul 22 22:17:14 UTC 2013 

I did see that.  I tried to submit the CSR into the Manual Certificate Manager Signing Certificate Enrollment form but it keeps on failing, with the following message in the ee:

Certificate Profile
Sorry, your request has been rejected. The reason is "Request Rejected - {0}"


And here's the message/entry within the Agent page:

Request Information
Request ID: 	35
Request Type: 	enrollment
Request Status: 	rejected
Requestor Host: 	null
Assigned To: 	
Creation Time: 	Mon Jul 22 18:12:09 EDT 2013
Modification Time: 	Mon Jul 22 18:12:09 EDT 2013

Certificate Profile Information
Certificate Profile Id: 	caCACert
Approved By: 	admin
Certificate Profile Name: 	Manual Certificate Manager Signing Certificate Enrollment
Certificate Profile Description: 	This certificate profile is for enrolling Certificate Authority certificates.

Additional Notes

Certificate Profile Inputs
Id 	Input Names 	Input Values
cert_request_type 	Certificate Request Type 	pkcs10
cert_request 	Certificate Request 	-----BEGIN CERTIFICATE REQUEST----- MIIB9DCCAV0CAQAwgYkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJQQTEOMAwGA1UE BxMFUGhpbGExDDAKBgNVBAoTA1NEUDELMAkGA1UECxMCVFMxITAfBgNVBAMTGHBy b3h5LmNhLm5vYy5waGlsYXNkLm5ldDEfMB0GCSqGSIb3DQEJARYQdGVzdEBwaGls YXNkLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3KwR0oL7P3MMG7tT e6mjSEO2FeE48zUJXtUUpyKK+5NNQUiBSpt6R4yj4oKO8vfQ6Qdt3l6YGH8Ro33x TlccgPB1nWOPcaCPE5dC+l5+bigOEFVj1CtHA9iARnMqb2f4E1kSik4ZcI5pM+Q4 mogs4jVP/IIF9Go8gUy9vSQbnS0CAwEAAaAqMBIGCSqGSIb3DQEJAjEFFgNTRFAw FAYJKoZIhvcNAQkHMQcTBTEyMzQ1MA0GCSqGSIb3DQEBBQUAA4GBAAuRGYp7izMN cG9hPXjsKONLXNez05IVcvsgQLNkUXeuID88oXXW2CPHCLoA1mEf0A7I2zgAz4t3 FE7SOCFf3o5kkSrh4ZSsC//GJjmQfKYRRp9HC2o3hUDTTLnRp3ugiN6J6XfvSIyR OXeuevCypLnrbxnYdxUMLNCHiwbTCuf+ -----END CERTIFICATE REQUEST-----
requestor_name 	Requestor Name 	test
requestor_email 	Requestor Email 	test at philasd.net
requestor_phone 	Requestor Phone 	


I can't find any other reason for the rejection, is there a log file for it?


Thanks, 

Michelle Taggart 
x5166 

----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: pki-users at redhat.com
Sent: Monday, July 22, 2013 6:03:05 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> Hi Christina,
>
> I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
>
> I'm actually trying to generate a certificate that is also an intermediary CA.  Which Certificate Profile should best fit that need?
>

The "Manual Certificate Manager Signing Certificate Enrollment" 
(caCACert profile) is for a generic CA signing cert enrollment. People 
can customize it to fit their own site requirements.
For information on how to do that, you can check the documentation 
(Admin guide specifically):
https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/

Christina

>
> Thanks,
>
> Michelle Taggart
>
>
> ----- Original Message -----
> From: "Christina Fu"<cfu at redhat.com>
> To: pki-users at redhat.com
> Sent: Monday, July 22, 2013 4:56:16 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> Dogtag only supports CSR in the following formats:
> 1. CRMF
> 2. PKCS #10
> 3. CMC with either CRMF or PKCS #10
>
> I am not aware that a CSR can be represented in PKCS #7, but I always
> keep an open mind to learn new (or old) things, so I'd appreciate it if
> you can send us a reference link to the RFC that specifies such CSR
> representation using PKCS #7.  If it gives us enough good reasons to
> support it, we will gladly consider supporting that in the future.
>
> Christina
>
> On 07/22/2013 11:47 AM, Taggart, Michelle wrote:
>> Hi,
>>
>> I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19.  The CSR is in PKCS#7 format.  I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA.  After submitting the form, I get an "Sorry, your request has been rejected. The reason is "Request Rejected - {0}" error.  Any ideas on what's causing this?
>>
>>
>>
>> Thanks,
>>
>> Michelle Taggart
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

More information about the Pki-users mailing list