[Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
Taggart, Michelle
mdemansana at philasd.org
Mon Jul 22 22:36:22 UTC 2013
That's quite helpful! I'll dig deep into that and see if there's any indication of the error.
What I'm actually not finding is the GUI version of the creation of the certificate profile. I don't have a desktop for my test Fedora, so I'm doing everything through SSH CLI or the GUI from the dogtag-pki-theme.
Thanks,
Michelle Taggart
x5166
----- Original Message -----
From: "John Magne" <jmagne at redhat.com>
To: "Michelle Taggart" <mdemansana at philasd.org>
Cc: "Christina Fu" <cfu at redhat.com>, pki-users at redhat.com
Sent: Monday, July 22, 2013 6:27:13 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
Try looking or even posting the /var/lib/pki-ca/logs/debug log file.
This is a finely grained debug log that could provide clues to the reason for the rejection.
----- Original Message -----
From: "Michelle Taggart" <mdemansana at philasd.org>
To: "Christina Fu" <cfu at redhat.com>
Cc: pki-users at redhat.com
Sent: Monday, July 22, 2013 3:17:14 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
I did see that. I tried to submit the CSR into the Manual Certificate Manager Signing Certificate Enrollment form but it keeps on failing, with the following message in the ee:
Certificate Profile
Sorry, your request has been rejected. The reason is "Request Rejected - {0}"
And here's the message/entry within the Agent page:
Request Information
Request ID: 35
Request Type: enrollment
Request Status: rejected
Requestor Host: null
Assigned To:
Creation Time: Mon Jul 22 18:12:09 EDT 2013
Modification Time: Mon Jul 22 18:12:09 EDT 2013
Certificate Profile Information
Certificate Profile Id: caCACert
Approved By: admin
Certificate Profile Name: Manual Certificate Manager Signing Certificate Enrollment
Certificate Profile Description: This certificate profile is for enrolling Certificate Authority certificates.
Additional Notes
Certificate Profile Inputs
Id Input Names Input Values
cert_request_type Certificate Request Type pkcs10
cert_request Certificate Request -----BEGIN CERTIFICATE REQUEST----- MIIB9DCCAV0CAQAwgYkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJQQTEOMAwGA1UE BxMFUGhpbGExDDAKBgNVBAoTA1NEUDELMAkGA1UECxMCVFMxITAfBgNVBAMTGHBy b3h5LmNhLm5vYy5waGlsYXNkLm5ldDEfMB0GCSqGSIb3DQEJARYQdGVzdEBwaGls YXNkLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3KwR0oL7P3MMG7tT e6mjSEO2FeE48zUJXtUUpyKK+5NNQUiBSpt6R4yj4oKO8vfQ6Qdt3l6YGH8Ro33x TlccgPB1nWOPcaCPE5dC+l5+bigOEFVj1CtHA9iARnMqb2f4E1kSik4ZcI5pM+Q4 mogs4jVP/IIF9Go8gUy9vSQbnS0CAwEAAaAqMBIGCSqGSIb3DQEJAjEFFgNTRFAw FAYJKoZIhvcNAQkHMQcTBTEyMzQ1MA0GCSqGSIb3DQEBBQUAA4GBAAuRGYp7izMN cG9hPXjsKONLXNez05IVcvsgQLNkUXeuID88oXXW2CPHCLoA1mEf0A7I2zgAz4t3 FE7SOCFf3o5kkSrh4ZSsC//GJjmQfKYRRp9HC2o3hUDTTLnRp3ugiN6J6XfvSIyR OXeuevCypLnrbxnYdxUMLNCHiwbTCuf+ -----END CERTIFICATE REQUEST-----
requestor_name Requestor Name test
requestor_email Requestor Email test at philasd.net
requestor_phone Requestor Phone
I can't find any other reason for the rejection, is there a log file for it?
Thanks,
Michelle Taggart
x5166
----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: pki-users at redhat.com
Sent: Monday, July 22, 2013 6:03:05 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> Hi Christina,
>
> I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
>
> I'm actually trying to generate a certificate that is also an intermediary CA. Which Certificate Profile should best fit that need?
>
The "Manual Certificate Manager Signing Certificate Enrollment"
(caCACert profile) is for a generic CA signing cert enrollment. People
can customize it to fit their own site requirements.
For information on how to do that, you can check the documentation
(Admin guide specifically):
https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/
Christina
>
> Thanks,
>
> Michelle Taggart
>
>
> ----- Original Message -----
> From: "Christina Fu"<cfu at redhat.com>
> To: pki-users at redhat.com
> Sent: Monday, July 22, 2013 4:56:16 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> Dogtag only supports CSR in the following formats:
> 1. CRMF
> 2. PKCS #10
> 3. CMC with either CRMF or PKCS #10
>
> I am not aware that a CSR can be represented in PKCS #7, but I always
> keep an open mind to learn new (or old) things, so I'd appreciate it if
> you can send us a reference link to the RFC that specifies such CSR
> representation using PKCS #7. If it gives us enough good reasons to
> support it, we will gladly consider supporting that in the future.
>
> Christina
>
> On 07/22/2013 11:47 AM, Taggart, Michelle wrote:
>> Hi,
>>
>> I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19. The CSR is in PKCS#7 format. I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA. After submitting the form, I get a "Sorry, your request has been rejected. The reason is "Request Rejected - {0}" error. Any ideas on what's causing this?
>>
>>
>>
>> Thanks,
>>
>> Michelle Taggart
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
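The thread turns on whether a blob is PKCS #7 or PKCS #10; as an added example (not part of the original messages and not Dogtag code), this sketch tells the two apart from the outer ASN.1 structure rather than the PEM label, so a mislabeled paste is caught before submission. It assumes PEM input, does not verify signatures or recognise CRMF, and reports a CMC request as "pkcs7" because CMC is carried in a CMS wrapper; the function names and sample inputs are constructed for illustration.

```python
import base64
import re

PKCS7_ARC = "1.2.840.113549.1.7."  # pkcs-7 content types (data, signedData, ...)

def read_tlv(buf):  # -> (tag, value_bytes) of the DER element at the start of buf
    if len(buf) < 2:
        raise ValueError("truncated DER")
    tag, length, off = buf[0], buf[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if off + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[off:off + length]

def decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_request(pem_text):
    """Return (pem_label, structure) judged from the outer ASN.1 shape only."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return None, "not-pem"
    label, kind = m.group(1), "unknown"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        tag, outer = read_tlv(der)
        tag2, first = read_tlv(outer) if tag == 0x30 else (None, b"")
        if tag2 == 0x06 and decode_oid(first).startswith(PKCS7_ARC):
            kind = "pkcs7"   # ContentInfo ::= SEQUENCE { contentType OID, ... }
        elif tag2 == 0x30 and read_tlv(first) == (0x02, b"\x00"):
            kind = "pkcs10"  # CertificationRequestInfo starts with version 0
    except (ValueError, IndexError):  # bad base64, truncated DER, empty OID
        kind = "malformed"
    return label, kind

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed skeleton inputs (outer structure only, not usable requests).
P10 = to_pem("CERTIFICATE REQUEST", bytes.fromhex("30053003020100"))
MISLABELED = to_pem("CERTIFICATE REQUEST", bytes.fromhex("300b06092a864886f70d010702"))
```

A result such as `("CERTIFICATE REQUEST", "pkcs7")` means the label and the content disagree, which is worth ruling out before reading the CA debug log.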