From rperez at pgjtabasco.gob.mx Sat Aug 16 19:28:32 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Sat, 16 Aug 2014 14:28:32 -0500 (CDT)
Subject: [Pki-users] Update CA name "CA Signing Certificate" to a more meaninful name
In-Reply-To: <220741309.34520.1408216845626.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1951008896.34541.1408217312655.JavaMail.root@pgjtabasco.gob.mx>

Hi, I created a CA in interactive mode, with default values:

pkispawn uses this file: etc/pki/default.cfg

This file contains the value: pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s

Therefore, the CA is created with the default value: "CA Signing Certificate"

I would like to change this to a more meaningful name. Is it possible to update or change the name "CA Signing Certificate" to a new value?

pkispawn has the argument -u "update instance of specified subsystem". Is it possible to update the value using this option?

From msauton at redhat.com Sat Aug 16 21:22:03 2014
From: msauton at redhat.com (Marc Sauton)
Date: Sat, 16 Aug 2014 14:22:03 -0700
Subject: [Pki-users] Update CA name "CA Signing Certificate" to a more meaninful name
In-Reply-To: <1951008896.34541.1408217312655.JavaMail.root@pgjtabasco.gob.mx>
References: <1951008896.34541.1408217312655.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <53EFCB7B.1050505@redhat.com>

On 08/16/2014 12:28 PM, Ricardo Alexander Alexander Perez Ricardez wrote:
> Hi, I created a CA in interactive mode, with default values:
>
> pkispawn uses this file: etc/pki/default.cfg
>
> This file contains the value: pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
>
> Therefore, the CA is created with the default value: "CA Signing Certificate"
>
> I would like to change this to a more meaningful name. Is it possible to update or change the name "CA Signing Certificate" to a new value?
>
> pkispawn has the argument -u "update instance of specified subsystem". Is it possible to update the value using this option?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

It is in fact highly recommended to customize all the subject names, and HTML pages if used.

cp -p /usr/share/pki/ca/conf/CS.cfg /usr/share/pki/ca/conf/CS.cfg.orig
vim /usr/share/pki/ca/conf/CS.cfg
...
preop.cert.signing.userfriendlyname=testms CA Signing Certificate
preop.cert.audit_signing.userfriendlyname=testms CA Audit Signing Certificate
preop.cert.ocsp_signing.userfriendlyname=testms OCSP Signing Certificate
preop.cert.sslserver.userfriendlyname=testms SSL Server Certificate
preop.cert.subsystem.userfriendlyname=testms Subsystem Certificate
...

The u option of pkispawn was removed.
There is now a tool called pki-upgrade to update those config files or template when there is a package update or a manual change, so the existing instances can get the newer config files.
But in this case, the certificates need to be re-issued, so it is more a change before creating a CA instance.

Thanks,
M.

From alee at redhat.com Sun Aug 17 20:33:39 2014
From: alee at redhat.com (Ade Lee)
Date: Sun, 17 Aug 2014 16:33:39 -0400
Subject: [Pki-users] Update CA name "CA Signing Certificate" to a more meaninful name
In-Reply-To: <53EFCB7B.1050505@redhat.com>
References: <1951008896.34541.1408217312655.JavaMail.root@pgjtabasco.gob.mx> <53EFCB7B.1050505@redhat.com>
Message-ID: <1408307619.9161.10.camel@aleeredhat.laptop>

pkispawn takes a config file which can be used to override any parameter in default.cfg. Any parameter in this file will be used instead of the value in default.cfg. Any value not specified will take the default in default.cfg.

The option is "pkispawn -f myconfig.cfg"

See man pkispawn and man pki_default.cfg for details and examples.
An example file would look something like:

[DEFAULT]
pki_admin_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123

[CA]
pki_ca_signing_subject_dn=cn=,o=%(pki_security_domain_name)s

On Sat, 2014-08-16 at 14:22 -0700, Marc Sauton wrote:
> On 08/16/2014 12:28 PM, Ricardo Alexander Alexander Perez Ricardez wrote:
> > Hi, I created a CA in interactive mode, with default values:
> >
> > pkispawn uses this file: etc/pki/default.cfg
> >
> > This file contains the value: pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
> >
> > Therefore, the CA is created with the default value: "CA Signing Certificate"
> >
> > I would like to change this to a more meaningful name. Is it possible to update or change the name "CA Signing Certificate" to a new value?
> >
> > pkispawn has the argument -u "update instance of specified subsystem". Is it possible to update the value using this option?
> >
> It is in fact highly recommended to customize all the subject names, and
> HTML pages if used.
>
> cp -p /usr/share/pki/ca/conf/CS.cfg /usr/share/pki/ca/conf/CS.cfg.orig
> vim /usr/share/pki/ca/conf/CS.cfg
> ...
> preop.cert.signing.userfriendlyname=testms CA Signing Certificate
> preop.cert.audit_signing.userfriendlyname=testms CA Audit Signing Certificate
> preop.cert.ocsp_signing.userfriendlyname=testms OCSP Signing Certificate
> preop.cert.sslserver.userfriendlyname=testms SSL Server Certificate
> preop.cert.subsystem.userfriendlyname=testms Subsystem Certificate
> ...
>
> The u option of pkispawn was removed.
> There is now a tool called pki-upgrade to update those config files or
> template when there is a package update or a manual change, so the
> existing instances can get the newer config files.
> But in this case, the certificates need to be re-issued, so it is more a
> change before creating a CA instance.
>
> Thanks,
> M.

From rperez at pgjtabasco.gob.mx Wed Aug 27 00:57:48 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Tue, 26 Aug 2014 19:57:48 -0500
Subject: [Pki-users] (SOLVED) Error "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
Message-ID: <000c01cfc191$eed32f30$cc798d90$@pgjtabasco.gob.mx>

When I try to import a certificate, I get the following error:

VBScript "Error in InstallResponse. Error Number 800B0109 ocurred.CertEnroll::InstallResponse: Se procesó correctamente una cadena de certificados, pero termina en un certificado de raíz no compatible con el proveedor de confianza. 0x800b0109 (-2146762487)"

VBScript "Error in InstallResponse. Error Number 800B0109 ocurred.CertEnroll::InstallResponse: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)"

SOLUTION:

Make sure that the root certificate is installed in the trusted root store. You also might have to make sure any intermediate certificates are installed in the intermediate store.

Some references:

http://www.networksteve.com/forum/topic.php/A_certificate_chain_processed,_but_terminated_in_a_root_certific/?TopicId=14617&Posts=2
https://www.vandyke.com/products/vshell/docs/windows/Use_X.509_Certificates.htm
http://technet.microsoft.com/es-ES/library/bb331963(v=exchg.141).aspx
http://support.microsoft.com/kb/2078942
http://support.microsoft.com/default.aspx?scid=kb;EN-US;945121
https://ninite.com/help/errors/revocation.html
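
Added example, not part of any message in this thread and not Dogtag code: a pre-flight check, modelled with Python's configparser, that layers a "pkispawn -f" override file over default.cfg the way Ade Lee describes and rejects a CA signing subject DN whose CN is empty or still the stock name, since Marc Sauton notes that changing it later means re-issuing the certificates. The security domain name, the override CN and all function names are constructed for illustration; the script does not call pkispawn.

```python
import configparser

# Constructed stand-in for default.cfg. Only the pki_ca_signing_subject_dn
# line comes from the thread; the security domain name is made up.
DEFAULT_CFG = """\
[DEFAULT]
pki_security_domain_name=example.test Security Domain

[CA]
pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
"""

# Constructed override of the kind passed as "pkispawn -f myconfig.cfg".
MY_CFG = """\
[CA]
pki_ca_signing_subject_dn=cn=Example Org Root CA,o=%(pki_security_domain_name)s
"""

STOCK_CN = "CA Signing Certificate"


def effective_signing_dn(default_text, override_text=""):
    """Layer the override over the defaults and expand %(name)s references."""
    parser = configparser.ConfigParser()
    parser.read_string(default_text)
    if override_text:
        parser.read_string(override_text)  # later reads win, key by key
    return parser.get("CA", "pki_ca_signing_subject_dn")


def signing_cn(dn):
    """Return the cn value of a DN (naive split: no escaped commas)."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().lower() == "cn":
            return value.strip()
    return None


def preflight(default_text, override_text=""):
    """(ok, dn): ok is False if the CN is empty or still the stock name."""
    dn = effective_signing_dn(default_text, override_text)
    cn = signing_cn(dn)
    return bool(cn) and cn != STOCK_CN, dn


if __name__ == "__main__":
    for label, override in (("defaults only", ""), ("with -f file", MY_CFG)):
        ok, dn = preflight(DEFAULT_CFG, override)
        print(f"{label}: {'OK' if ok else 'REJECT'}  {dn}")
```
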