[Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR

Ade Lee alee at redhat.com
Tue Jul 23 02:11:12 UTC 2013


You can install and run the console (pki-console) on your client
machine.  It will connect to your dogtag instance using the admin port.

Ade

On Mon, 2013-07-22 at 18:36 -0400, Taggart, Michelle wrote:
> That's quite helpful!  I'll dig deep into that and see if there's any indication of the error.
> 
> What I'm actually not finding is the GUI version of the creation of the certificate profile.  I don't have a desktop for my test Fedora, so I'm doing everything through SSH CLI or the GUI from the dogtag-pki-theme.
> 
> Thanks, 
> 
> Michelle Taggart 
> x5166 
> 
> ----- Original Message -----
> From: "John Magne" <jmagne at redhat.com>
> To: "Michelle Taggart" <mdemansana at philasd.org>
> Cc: "Christina Fu" <cfu at redhat.com>, pki-users at redhat.com
> Sent: Monday, July 22, 2013 6:27:13 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
> 
> Try looking or even posting the /var/lib/pki-ca/logs/debug  log file.
> 
> This is a finely grained debug log that could provide clues to the reason for the rejection.
> 
> ----- Original Message -----
> From: "Michelle Taggart" <mdemansana at philasd.org>
> To: "Christina Fu" <cfu at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Monday, July 22, 2013 3:17:14 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
> 
> I did see that.  I tried to submit the CSR into the Manual Certificate Manager Signing Certificate Enrollment form but it keeps on failing, with the following message in the ee:
> 
> Certificate Profile
> Sorry, your request has been rejected. The reason is "Request Rejected - {0}"
> 
> 
> And here's the message/entry within the Agent page:
> 
> Request Information
> Request ID: 	35
> Request Type: 	enrollment
> Request Status: 	rejected
> Requestor Host: 	null
> Assigned To: 	
> Creation Time: 	Mon Jul 22 18:12:09 EDT 2013
> Modification Time: 	Mon Jul 22 18:12:09 EDT 2013
> 
> Certificate Profile Information
> Certificate Profile Id: 	caCACert
> Approved By: 	admin
> Certificate Profile Name: 	Manual Certificate Manager Signing Certificate Enrollment
> Certificate Profile Description: 	This certificate profile is for enrolling Certificate Authority certificates.
> 
> Additional Notes
> 
> Certificate Profile Inputs
> Id 	Input Names 	Input Values
> cert_request_type 	Certificate Request Type 	pkcs10
> cert_request 	Certificate Request 	-----BEGIN CERTIFICATE REQUEST----- MIIB9DCCAV0CAQAwgYkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJQQTEOMAwGA1UE BxMFUGhpbGExDDAKBgNVBAoTA1NEUDELMAkGA1UECxMCVFMxITAfBgNVBAMTGHBy b3h5LmNhLm5vYy5waGlsYXNkLm5ldDEfMB0GCSqGSIb3DQEJARYQdGVzdEBwaGls YXNkLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3KwR0oL7P3MMG7tT e6mjSEO2FeE48zUJXtUUpyKK+5NNQUiBSpt6R4yj4oKO8vfQ6Qdt3l6YGH8Ro33x TlccgPB1nWOPcaCPE5dC+l5+bigOEFVj1CtHA9iARnMqb2f4E1kSik4ZcI5pM+Q4 mogs4jVP/IIF9Go8gUy9vSQbnS0CAwEAAaAqMBIGCSqGSIb3DQEJAjEFFgNTRFAw FAYJKoZIhvcNAQkHMQcTBTEyMzQ1MA0GCSqGSIb3DQEBBQUAA4GBAAuRGYp7izMN cG9hPXjsKONLXNez05IVcvsgQLNkUXeuID88oXXW2CPHCLoA1mEf0A7I2zgAz4t3 FE7SOCFf3o5kkSrh4ZSsC//GJjmQfKYRRp9HC2o3hUDTTLnRp3ugiN6J6XfvSIyR OXeuevCypLnrbxnYdxUMLNCHiwbTCuf+ -----END CERTIFICATE REQUEST-----
> requestor_name 	Requestor Name 	test
> requestor_email 	Requestor Email 	test at philasd.net
> requestor_phone 	Requestor Phone 	
> 
> 
> I can't find any other reason for the rejection, is there a log file for it?
> 
> 
> Thanks, 
> 
> Michelle Taggart 
> x5166 
> 
> ----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-users at redhat.com
> Sent: Monday, July 22, 2013 6:03:05 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
> 
> On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> > Hi Christina,
> >
> > I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
> >
> > I'm actually trying to generate a certificate that is also an intermediary CA.  Which Certificate Profile should best fit that need?
> >
> 
> The "Manual Certificate Manager Signing Certificate Enrollment" 
> (caCACert profile) is for a generic CA signing cert enrollment. People 
> can customize it to fit their own site requirements.
> For information on how to do that, you can check the documentation 
> (Admin guide specifically):
> https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/
> 
> Christina
> 
> >
> > Thanks,
> >
> > Michelle Taggart
> >
> >
> > ----- Original Message -----
> > From: "Christina Fu"<cfu at redhat.com>
> > To: pki-users at redhat.com
> > Sent: Monday, July 22, 2013 4:56:16 PM
> > Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
> >
> > Dogtag only supports CSR in the following formats:
> > 1. CRMF
> > 2. PKCS #10
> > 3. CMC with either CRMF or PKCS #10
> >
> > I am not aware that a CSR can be represented in PKCS #7, but I always
> > keep an open mind to learn new (or old) things, so I'd appreciate it if
> > you can send us a reference link to the RFC that specifies such CSR
> > representation using PKCS #7.  If it gives us enough good reasons to
> > support it, we will gladly consider supporting that in the future.
> >
> > Christina
> >
> > On 07/22/2013 11:47 AM, Taggart, Michelle wrote:
> >> Hi,
> >>
> >> I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19.  The CSR is in PKCS#7 format.  I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA.  After submitting the form, I get a "Sorry, your request has been rejected. The reason is "Request Rejected - {0}" error.  Any ideas on what's causing this?
> >>
> >>
> >>
> >> Thanks,
> >>
> >> Michelle Taggart
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
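
The thread lists CRMF, PKCS #10 and CMC as the request formats Dogtag accepts, and the request discussed here was first described as PKCS#7 but submitted as pkcs10. As an added example (not part of the thread or of Dogtag), this Python check labels a pasted PEM blob by its leading DER structure before it goes into an enrollment form; `classify_request` and the sample constants are names made up here, and a match on shape does not validate the request.

```python
import base64
import re

P7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2 (signedData)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]  # IndexError here means truncated input
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify_request(pem_text):
    """Label a pasted PEM blob 'pkcs10', 'pkcs7' or 'unknown' by DER shape."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return "unknown"
    try:
        # Whitespace is dropped, so a blob flattened onto one line still decodes.
        blob = base64.b64decode("".join(m.group(2).split()), validate=True)
        tag, body, _ = read_tlv(blob)
        first_tag, first, _ = read_tlv(body)
        # PKCS #7 ContentInfo starts with the contentType OID.
        if tag == 0x30 and first_tag == 0x06 and first == P7_SIGNED_DATA:
            return "pkcs7"
        # PKCS #10 starts with CertificationRequestInfo, whose first field is INTEGER version.
        if tag == 0x30 and first_tag == 0x30 and read_tlv(first)[0] == 0x02:
            return "pkcs10"
    except (ValueError, IndexError):
        pass
    return "unknown"

def der(tag, content=b""):  # sample data only: content must be under 128 bytes
    return bytes([tag, len(content)]) + content

def pem(label, data):
    return f"-----BEGIN {label}-----\n{base64.b64encode(data).decode()}\n-----END {label}-----"

# Constructed, structurally minimal samples; they are not valid signed objects.
SAMPLE_P10 = pem("CERTIFICATE REQUEST", der(0x30, der(0x30, der(0x02, b"\x00")) + der(0x30) + der(0x03, b"\x00")))
SAMPLE_P7 = pem("PKCS7", der(0x30, der(0x06, P7_SIGNED_DATA) + der(0xA0, der(0x30))))
```

The PEM label is ignored on purpose, since a mislabeled blob is exactly the case worth catching; CRMF and CMC requests come back as `unknown` here.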




