From WilliamC.Elliott at s-itsolutions.at Mon Mar 4 08:56:37 2013
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Mon, 4 Mar 2013 08:56:37 +0000
Subject: [Pki-users] SCEP Support
In-Reply-To: <512F81A4.6040401@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B3DBC0F@M0182.s-mxs.net> <512F81A4.6040401@redhat.com>
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B3E10B1@M0182.s-mxs.net>

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Nathan Kinder
Sent: Thursday, 28 February 2013 17:11
To: pki-users at redhat.com
Subject: Re: [Pki-users] SCEP Support [bayes][heur]

On 02/27/2013 10:56 PM, Elliott William C OSS sIT wrote:
> Hello,
>
> We currently use SCEP for Cisco Routers with a RedHat CS.
> However, as far as we can tell, "CA Key Rollover" is not implemented. Furthermore, we can't find any indication that it's implemented in Dogtag 9 or 10.
>
> Could anyone confirm this?
> Does anyone work around this problem?
>
> As far as we can see, few or no CA SW supports this, aside from the IOS CA from Cisco. The SCEP RFC says that the other two PKIX standards for certificate management are superior to SCEP, which has deficiencies, and is quasi-deprecated. Therefore my assumption is that no one (other than Cisco) plans to invest any effort in expanding SCEP support in Dogtag or any other open source CA software.

We are actually planning on going through our existing SCEP functionality to see what else from the Internet Draft should be implemented in Dogtag 10.1. In addition, we have a few smaller tickets related to SCEP in our Trac instance that we plan to look at (details at https://fedorahosted.org/pki/). We are not sure that we will be targeting "CA Key Rollover" specifically any time soon, as we want to see if there are more common SCEP use cases that should be targeted first.
Is it specifically "CA Key Rollover" you are interested in using, or is there anything else from the SCEP Internet Draft that you have a use case for as well?

[Elliott William OSS sIT] We use a relatively short-lived CA (because of the depth of our PKI hierarchy) which requires CA certificate renewal after about 2-3 years. Furthermore, there are over a thousand clients. Therefore the automatic renewal of the CA certificate on the clients is practically a must-have for us (network managers want to ditch Dogtag for IOS CA if they have to manually update all clients). As far as I can see, GetCACaps and GetNextCACert are the minimum that are needed for CA rollover - maybe more.

Btw, the REST features look cool with v10.0.

Best regards,
Bill Elliott

Thanks,
-NGK

>
> Best regards,
> William Elliott
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From Chris.Grijalva at soteradefense.com Wed Mar 27 22:39:03 2013
From: Chris.Grijalva at soteradefense.com (Chris Grijalva)
Date: Wed, 27 Mar 2013 17:39:03 -0500
Subject: [Pki-users] pki=kra configuration hangs on Administration
Message-ID: <688D8B269DCBDE44A466DC43D403624C07666AEBA8@pfi-mail>

Hi all, new to the list.
Installed the following packages on CentOS 6.4

[root at devops-cert tmp]# yum list | grep pki
dogtag-pki-ca-theme.noarch       9.0.6-1.fc15        @/dogtag-pki-ca-theme-9.0.6-1.fc15.noarch
dogtag-pki-common-theme.noarch   9.0.6-1.fc15        @/dogtag-pki-common-theme-9.0.6-1.fc15.noarch
dogtag-pki-console-theme.noarch  9.0.6-1.fc15        @/dogtag-pki-console-theme-9.0.6-1.fc15.noarch
dogtag-pki-kra-theme.noarch      9.0.6-1.fc15        @/dogtag-pki-kra-theme-9.0.6-1.fc15.noarch
dogtag-pki-ocsp-theme.noarch     9.0.6-1.fc15        @/dogtag-pki-ocsp-theme-9.0.6-1.fc15.noarch
pki-ca.noarch                    9.0.3-30.el6        @base
pki-common.noarch                9.0.3-30.el6        @base
pki-common-javadoc.noarch        9.0.3-30.el6        @base
pki-console.noarch               9.0.3-1.fc15        @/pki-console-9.0.3-1.fc15.noarch
pki-java-tools.noarch            9.0.3-30.el6        @base
pki-java-tools-javadoc.noarch    9.0.3-30.el6        @base
pki-kra.noarch                   9.0.4-1.fc15        @/pki-kra-9.0.4-1.fc15.noarch
pki-native-tools.x86_64          9.0.3-30.el6        @base
pki-ocsp.noarch                  9.0.3-1.fc15        @/pki-ocsp-9.0.3-1.fc15.noarch
pki-selinux.noarch               9.0.3-30.el6        @base
pki-setup.noarch                 9.0.3-30.el6        @base
pki-silent.noarch                9.0.3-30.el6        @base
pki-symkey.x86_64                9.0.3-30.el6        @base
pki-util.noarch                  9.0.3-30.el6        @base
pki-util-javadoc.noarch          9.0.3-30.el6        @base
ipa-pki-ca-theme.noarch          9.0.3-7.el6         base
ipa-pki-common-theme.noarch      9.0.3-7.el6         base
krb5-pkinit-openssl.x86_64       1.10.3-10.el6_4.1   updates
jss.x86_64                       4.2.6-24.el6        @base
tomcatjss.noarch                 2.1.0-2.el6         @base
osutil.x86_64                    2.0.1-1.el6         @base

Configured pki-ca cleanly and then proceeded to configure pki-kra, which hangs on the Administrator panel.
Debug doesn't show errors, only logging status.

[27/Mar/2013:12:59:49][http-10445-3]: AdminPanel: display
[27/Mar/2013:12:59:49][http-10445-3]: panel no=13
[27/Mar/2013:12:59:49][http-10445-3]: panel name=adminpanel
[27/Mar/2013:12:59:49][http-10445-3]: total number of panels=16

I've bounced pki-krad, used a new instance of Chrome as admin when running the pki-kra admin console config.
Used the pki-ca Administrator cert listed below as a template for pki-kra and still no joy.

The Dogtag Certificate Manager shows 5 pki-kra DRM certificates, but no admin cert. pki-krad status shows it's running, but must still be CONFIGURED!

JXplorer shows,
2;4;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=Pfi Domain
2;10;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=DRM Subsystem Certificate,OU=pki-kra,O=Pfi Domain
2;14;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=OCSP Subsystem Certificate,OU=pki-ocsp,O=Pfi Domain
2;6;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Administrator of Instance pki-ca,UID=admin,E=Chris.Grijalva at soteradefense.com,O=Pfi Domain

Any idea what I'm doing wrong and why this configuration doesn't generate a pki-kra or pki-ocspd CA Administrator cert to complete the configuration?

Cheers,
Chris Grijalva

From alee at redhat.com Thu Mar 28 14:59:17 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 28 Mar 2013 10:59:17 -0400
Subject: [Pki-users] pki=kra configuration hangs on Administration
In-Reply-To: <688D8B269DCBDE44A466DC43D403624C07666AEBA8@pfi-mail>
References: <688D8B269DCBDE44A466DC43D403624C07666AEBA8@pfi-mail>
Message-ID: <1364482757.2427.7.camel@localhost.localdomain>

Can you try using Firefox to do the configuration of the KRA? Up to now, we have supported only Firefox for the installation servlets.

If that still does not work, we'd need to see some server logs - say everything under /var/log/pki-kra, as well as logs for the CA.

The status says that it still needs to be configured because the configuration did not complete. As you say, it looks like it's failing to generate an administrator cert. That may be a problem in the client (Chrome), in the KRA/OCSP, or on the CA (which would be receiving the cert request and issuing the cert). We'd need to look at logs to see where it's failing.
Ade
From Chris.Grijalva at soteradefense.com Thu Mar 28 20:16:48 2013
From: Chris.Grijalva at soteradefense.com (Chris Grijalva)
Date: Thu, 28 Mar 2013 15:16:48 -0500
Subject: [Pki-users] FW: pki=kra configuration hangs on Administration
Message-ID: <688D8B269DCBDE44A466DC43D403624C07666AF260@pfi-mail>

Ade,

Thanks for the help. It turned out to be a cert issue. Resolution was to remove all PKI certs in Firefox and then remove and reinstall pki-ocsp, pki-kra and pki-ca.
All 3 modules configured cleanly.
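As an added example (not code from the thread or from the Dogtag project), the script below parses the four values Chris copied out of JXplorer and reports which subsystem instances have a subsystem certificate but no administrator certificate, which is the symptom he describes. It assumes the values are Dogtag user-entry description attributes laid out as version;serial;issuerDN;subjectDN, and that admin certs name their instance in the CN while subsystem certs name it in the OU.

```python
import re
from collections import defaultdict

# Constructed input: the four values quoted from JXplorer in the thread above.
# Assumed layout (Dogtag user-entry description attribute): version;serial;issuerDN;subjectDN
JXPLORER_VALUES = [
    "2;4;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=Pfi Domain",
    "2;10;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=DRM Subsystem Certificate,OU=pki-kra,O=Pfi Domain",
    "2;14;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=OCSP Subsystem Certificate,OU=pki-ocsp,O=Pfi Domain",
    "2;6;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Administrator of Instance pki-ca,UID=admin,E=Chris.Grijalva at soteradefense.com,O=Pfi Domain",
]

def parse_dn(dn):
    """Split a string DN into (TYPE, value) pairs, ignoring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs

def parse_description(value):
    """Split 'version;serial;issuerDN;subjectDN' (the DNs shown contain no ';')."""
    version, serial, issuer, subject = value.split(";", 3)
    return {"version": int(version), "serial": int(serial), "issuer": issuer, "subject": subject}

def classify(subject_dn):
    """Map a subject DN to (instance, role): admin certs carry the instance in the CN, subsystem certs in the OU."""
    attrs = dict(parse_dn(subject_dn))
    cn = attrs.get("CN", "")
    match = re.search(r"Administrator of Instance (\S+)", cn)
    if match:
        return match.group(1), "admin"
    if cn.endswith("Subsystem Certificate"):
        return attrs.get("OU", "unknown"), "subsystem"
    return attrs.get("OU", "unknown"), "other"

def admin_cert_inventory(values):
    """Return ({instance: {'subsystem': bool, 'admin': bool}}, sorted instances lacking an admin cert)."""
    inventory = defaultdict(lambda: {"subsystem": False, "admin": False})
    for value in values:
        instance, role = classify(parse_description(value)["subject"])
        if role in inventory[instance]:          # roles other than admin/subsystem are ignored
            inventory[instance][role] = True
    missing = sorted(i for i, r in inventory.items() if r["subsystem"] and not r["admin"])
    return dict(inventory), missing

if __name__ == "__main__":
    _, missing = admin_cert_inventory(JXPLORER_VALUES)
    print("instances with a subsystem cert but no administrator cert:", missing or "none")
```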