[Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
Ade Lee
alee at redhat.com
Tue Jul 23 02:11:12 UTC 2013
You can install and run the console (pki-console) on your client
machine. It will connect to your dogtag instance using the admin port.
Ade
On Mon, 2013-07-22 at 18:36 -0400, Taggart, Michelle wrote:
> That's quite helpful! I'll dig deep into that and see if there's any indication of the error.
>
> What I'm actually not finding is the GUI version of the creation of the certificate profile. I don't have a desktop for my test Fedora, so I'm doing everything through SSH CLI or the GUI from the dogtag-pki-theme.
>
> Thanks,
>
> Michelle Taggart
> x5166
>
> ----- Original Message -----
> From: "John Magne" <jmagne at redhat.com>
> To: "Michelle Taggart" <mdemansana at philasd.org>
> Cc: "Christina Fu" <cfu at redhat.com>, pki-users at redhat.com
> Sent: Monday, July 22, 2013 6:27:13 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> Try looking or even posting the /var/lib/pki-ca/logs/debug log file.
>
> This is a finely grained debug log that could provide clues to the reason for the rejection.
>
> ----- Original Message -----
> From: "Michelle Taggart" <mdemansana at philasd.org>
> To: "Christina Fu" <cfu at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Monday, July 22, 2013 3:17:14 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> I did see that. I tried to submit the CSR into the Manual Certificate Manager Signing Certificate Enrollment form but it keeps on failing, with the following message in the ee:
>
> Certificate Profile
> Sorry, your request has been rejected. The reason is "Request Rejected - {0}"
>
>
> And here's the message/entry within the Agent page:
>
> Request Information
> Request ID: 35
> Request Type: enrollment
> Request Status: rejected
> Requestor Host: null
> Assigned To:
> Creation Time: Mon Jul 22 18:12:09 EDT 2013
> Modification Time: Mon Jul 22 18:12:09 EDT 2013
>
> Certificate Profile Information
> Certificate Profile Id: caCACert
> Approved By: admin
> Certificate Profile Name: Manual Certificate Manager Signing Certificate Enrollment
> Certificate Profile Description: This certificate profile is for enrolling Certificate Authority certificates.
>
> Additional Notes
>
> Certificate Profile Inputs
> Id Input Names Input Values
> cert_request_type Certificate Request Type pkcs10
> cert_request Certificate Request
> requestor_name Requestor Name test
> requestor_email Requestor Email test at philasd.net
> requestor_phone Requestor Phone
>
>
> I can't find any other reason for the rejection, is there a log file for it?
>
>
> Thanks,
>
> Michelle Taggart
> x5166
>
> ----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-users at redhat.com
> Sent: Monday, July 22, 2013 6:03:05 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> > Hi Christina,
> >
> > I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
> >
> > I'm actually trying to generate a certificate that is also an intermediary CA. Which Certificate Profile should best fit that need?
> >
>
> The "Manual Certificate Manager Signing Certificate Enrollment"
> (caCACert profile) is for a generic CA signing cert enrollment. People
> can customize it to fit their own site requirements.
> For information on how to do that, you can check the documentation
> (Admin guide specifically):
> https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/
>
> Christina
>
> >
> > Thanks,
> >
> > Michelle Taggart
> >
> >
> > ----- Original Message -----
> > From: "Christina Fu"<cfu at redhat.com>
> > To: pki-users at redhat.com
> > Sent: Monday, July 22, 2013 4:56:16 PM
> > Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
> >
> > Dogtag only supports CSR in the following formats:
> > 1. CRMF
> > 2. PKCS #10
> > 3. CMC with either CRMF or PKCS #10
> >
> > I am not aware that a CSR can be represented in PKCS #7, but I always
> > keep an open mind to learn new (or old) things, so I'd appreciate it if
> > you can send us a reference link to the RFC that specifies such CSR
> > representation using PKCS #7. If it gives us enough good reasons to
> > support it, we will gladly consider supporting that in the future.
> >
> > Christina
> >
> > On 07/22/2013 11:47 AM, Taggart, Michelle wrote:
> >> Hi,
> >>
> >> I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19. The CSR is in PKCS#7 format. I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA. After submitting the form, I get a "Sorry, your request has been rejected. The reason is "Request Rejected - {0}" error. Any ideas on what's causing this?
> >>
> >>
> >>
> >> Thanks,
> >>
> >> Michelle Taggart
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
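
An added example (not from the thread or from Dogtag) for the format question above: a stdlib-only Python check that tells a PKCS #10 request from a PKCS #7 ContentInfo by its outer ASN.1 structure, given PEM text or raw DER. The function names and the two short sample byte strings are constructed for illustration; CRMF is reported as unknown, and a CMC full request, which is itself carried in a ContentInfo, is reported as pkcs7.

```python
import base64
import re

# DER bytes of OID arcs 1.2.840.113549.1.7 (the PKCS #7 content-type prefix)
PKCS7_OID_PREFIX = bytes.fromhex("2a864886f70d0107")
SAMPLE_PKCS10 = bytes.fromhex("30053003020100")  # constructed header-only sample
SAMPLE_PKCS7 = bytes.fromhex("300b06092a864886f70d010702")  # constructed sample

def to_der(data):  # raw DER bytes pass through; PEM text is base64-decoded
    if isinstance(data, bytes):
        return data
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def classify_request(data):
    """Return 'pkcs10', 'pkcs7' or 'unknown' from the outer ASN.1 shape."""
    der = to_der(data)
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    inner, istart, iend = read_tlv(der[:end], start)
    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] ... }
    if inner == 0x06 and der[istart:iend].startswith(PKCS7_OID_PREFIX):
        return "pkcs7"
    # CertificationRequest ::= SEQUENCE { SEQUENCE { version INTEGER (0), ... } ... }
    if inner == 0x30 and iend > istart:
        vtag, vstart, vend = read_tlv(der[:iend], istart)
        if vtag == 0x02 and der[vstart:vend] == b"\x00":
            return "pkcs10"
    return "unknown"
```
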