[Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

Taggart, Michelle mdemansana at philasd.org
Mon Jul 22 22:36:22 UTC 2013


That's quite helpful!  I'll dig deep into that and see if there's any indication of the error.

What I'm actually not finding is the GUI version of the creation of the certificate profile.  I don't have a desktop for my test Fedora, so I'm doing everything through SSH CLI or the GUI from the dogtag-pki-theme.

Thanks, 

Michelle Taggart 
x5166 

----- Original Message -----
From: "John Magne" <jmagne at redhat.com>
To: "Michelle Taggart" <mdemansana at philasd.org>
Cc: "Christina Fu" <cfu at redhat.com>, pki-users at redhat.com
Sent: Monday, July 22, 2013 6:27:13 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

Try looking at or even posting the /var/lib/pki-ca/logs/debug log file.

This is a finely grained debug log that could provide clues to the reason for the rejection.

----- Original Message -----
From: "Michelle Taggart" <mdemansana at philasd.org>
To: "Christina Fu" <cfu at redhat.com>
Cc: pki-users at redhat.com
Sent: Monday, July 22, 2013 3:17:14 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

I did see that.  I tried to submit the CSR into the Manual Certificate Manager Signing Certificate Enrollment form but it keeps on failing, with the following message in the ee:

Certificate Profile
Sorry, your request has been rejected. The reason is "Request Rejected - {0}"


And here's the message/entry within the Agent page:

Request Information
Request ID: 	35
Request Type: 	enrollment
Request Status: 	rejected
Requestor Host: 	null
Assigned To: 	
Creation Time: 	Mon Jul 22 18:12:09 EDT 2013
Modification Time: 	Mon Jul 22 18:12:09 EDT 2013

Certificate Profile Information
Certificate Profile Id: 	caCACert
Approved By: 	admin
Certificate Profile Name: 	Manual Certificate Manager Signing Certificate Enrollment
Certificate Profile Description: 	This certificate profile is for enrolling Certificate Authority certificates.

Additional Notes

Certificate Profile Inputs
Id 	Input Names 	Input Values
cert_request_type 	Certificate Request Type 	pkcs10
cert_request 	Certificate Request 	-----BEGIN CERTIFICATE REQUEST----- MIIB9DCCAV0CAQAwgYkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJQQTEOMAwGA1UE BxMFUGhpbGExDDAKBgNVBAoTA1NEUDELMAkGA1UECxMCVFMxITAfBgNVBAMTGHBy b3h5LmNhLm5vYy5waGlsYXNkLm5ldDEfMB0GCSqGSIb3DQEJARYQdGVzdEBwaGls YXNkLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3KwR0oL7P3MMG7tT e6mjSEO2FeE48zUJXtUUpyKK+5NNQUiBSpt6R4yj4oKO8vfQ6Qdt3l6YGH8Ro33x TlccgPB1nWOPcaCPE5dC+l5+bigOEFVj1CtHA9iARnMqb2f4E1kSik4ZcI5pM+Q4 mogs4jVP/IIF9Go8gUy9vSQbnS0CAwEAAaAqMBIGCSqGSIb3DQEJAjEFFgNTRFAw FAYJKoZIhvcNAQkHMQcTBTEyMzQ1MA0GCSqGSIb3DQEBBQUAA4GBAAuRGYp7izMN cG9hPXjsKONLXNez05IVcvsgQLNkUXeuID88oXXW2CPHCLoA1mEf0A7I2zgAz4t3 FE7SOCFf3o5kkSrh4ZSsC//GJjmQfKYRRp9HC2o3hUDTTLnRp3ugiN6J6XfvSIyR OXeuevCypLnrbxnYdxUMLNCHiwbTCuf+ -----END CERTIFICATE REQUEST-----
requestor_name 	Requestor Name 	test
requestor_email 	Requestor Email 	test at philasd.net
requestor_phone 	Requestor Phone 	


I can't find any other reason for the rejection, is there a log file for it?


Thanks, 

Michelle Taggart 
x5166 

----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: pki-users at redhat.com
Sent: Monday, July 22, 2013 6:03:05 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> Hi Christina,
>
> I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
>
> I'm actually trying to generate a certificate that is also an intermediary CA.  Which Certificate Profile should best fit that need?
>

The "Manual Certificate Manager Signing Certificate Enrollment" 
(caCACert profile) is for a generic CA signing cert enrollment. People 
can customize it to fit their own site requirements.
For information on how to do that, you can check the documentation 
(Admin guide specifically):
https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/

Christina

>
> Thanks,
>
> Michelle Taggart
>
>
> ----- Original Message -----
> From: "Christina Fu"<cfu at redhat.com>
> To: pki-users at redhat.com
> Sent: Monday, July 22, 2013 4:56:16 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> Dogtag only supports CSR in the following formats:
> 1. CRMF
> 2. PKCS #10
> 3. CMC with either CRMF or PKCS #10
>
> I am not aware that a CSR can be represented in PKCS #7, but I always
> keep an open mind to learn new (or old) things, so I'd appreciate it if
> you can send us a reference link to the RFC that specifies such CSR
> representation using PKCS #7.  If it gives us enough good reasons to
> support it, we will gladly consider supporting that in the future.
>
> Christina
>
> On 07/22/2013 11:47 AM, Taggart, Michelle wrote:
>> Hi,
>>
>> I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19.  The CSR is in PKCS#7 format.  I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA.  After submitting the form, I get a 'Sorry, your request has been rejected. The reason is "Request Rejected - {0}"' error.  Any ideas on what's causing this?
>>
>>
>>
>> Thanks,
>>
>> Michelle Taggart
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
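
Added example, not part of the original thread or of Dogtag's code: a structural check, run before pasting a request into the enrollment form, of whether it is PKCS #10 (one of the formats listed in the thread as supported) or a PKCS #7 ContentInfo. The function names and the two sample byte strings are constructed for illustration, and the check inspects only the first DER elements rather than validating the request.

```python
import base64
import re

# DER encoding of the OID arc 1.2.840.113549.1.7 (PKCS #7 content types).
PKCS7_OID_PREFIX = bytes.fromhex("2a864886f70d0107")

# Constructed skeletons (not real requests): just enough DER to show each shape.
SAMPLE_PKCS10_DER = bytes.fromhex("30053003020100")
SAMPLE_PKCS7_DER = bytes.fromhex("300d06092a864886f70d010702a000")

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_to_der(text):
    """Decode the first PEM block; tolerates line breaks flattened to spaces."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def to_pem(label, der):
    """Wrap DER bytes in a single-line PEM block (helper for the samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}----- {body} -----END {label}-----"

def classify_request(der):
    """Heuristic on the first DER elements: 'pkcs10', 'pkcs7' or 'unknown'."""
    tag, start, _ = read_tlv(der)
    if tag != 0x30:
        return "unknown"
    inner, istart, iend = read_tlv(der, start)
    if inner == 0x06:  # ContentInfo: SEQUENCE { contentType OID, ... }
        return "pkcs7" if der[istart:iend].startswith(PKCS7_OID_PREFIX) else "unknown"
    if inner == 0x30:  # CertificationRequest: SEQUENCE { SEQUENCE { version 0, ...
        vtag, vstart, vend = read_tlv(der, istart)
        if vtag == 0x02 and der[vstart:vend] == b"\x00":
            return "pkcs10"
    return "unknown"
```

A result of "pkcs10" corresponds to the cert_request_type value shown in the agent page above; "pkcs7" means the blob is a ContentInfo wrapper and not a bare request.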