From anmajumd at cisco.com Mon Mar 3 21:27:08 2014
From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd))
Date: Mon, 3 Mar 2014 21:27:08 +0000
Subject: [Pki-users] Extending PKI scriptlet for pkispawan in 10.0
In-Reply-To: <53032D2E.8060603@adaptivemobile.com>
Message-ID:

We are trying to add some custom logic to pkispawn. For that we plan to write a pki scriptlet and assign the sequence number based on the order in which we want to execute it.

Is such a customization supported in 10.0? If so, are the exact steps for adding the customization documented somewhere?

Thanks,
Anamitra

From alee at redhat.com Wed Mar 5 15:26:10 2014
From: alee at redhat.com (Ade Lee)
Date: Wed, 05 Mar 2014 10:26:10 -0500
Subject: [Pki-users] Extending PKI scriptlet for pkispawan in 10.0
In-Reply-To:
References:
Message-ID: <1394033170.2689.25.camel@aleeredhat.laptop>

Anamitra,

This type of customization is exactly what the scriptlet mechanism was designed for. The steps aren't documented yet, but they are pretty straightforward.

In /etc/pki/default.cfg, there is a list of scriptlets (spawn_scriptlets) and (destroy_scriptlets) which lists the scriptlets that are invoked when pkispawn and pkidestroy are invoked. They are invoked in the order in which they are listed.

You can override the definition of these variables in the DEFAULT section of your pkispawn custom config file. That *should* work, but if it doesn't, you can customize within the default.cfg file. Keep in mind though that this list sometimes (very infrequently) changes when updates are made and you will have to make sure that updates are incorporated in your scriptlet lists.

Your scriptlet should be deployed to /usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/ and of course have a different name from any other scriptlets there. Try to make sure the name of your scriptlet is unique enough so as not to conflict with scriptlets that could be added in future updates.
They should define a PkiScriptlet class:

    # import path assumed from the deployment directory given above
    from pki.server.deployment import pkiscriptlet

    class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):

        def spawn(self, deployer):
            # custom logic run by pkispawn, in spawn_scriptlets order
            pass

        def destroy(self, deployer):
            # custom logic run by pkidestroy, in destroy_scriptlets order
            pass

You've probably already done this - but see the current scriptlets in that directory as examples.

Let us know how it goes, and if you run into any problems!

Ade

On Mon, 2014-03-03 at 21:27 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
> We are trying to add some custom logic to pkispawn. For that we plan to
> write a pki scriptlet and assign the sequence number based on the order in
> which we want to execute it.
> Is such a customization supported in 10.0? If so, are the exact steps
> for adding the customization documented somewhere?
>
> Thanks,
> Anamitra
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From bj2917 at att.com Thu Mar 13 14:52:44 2014
From: bj2917 at att.com (JACKSON, BOYD R)
Date: Thu, 13 Mar 2014 14:52:44 +0000
Subject: [Pki-users] Dogtag 10.1 User Documentation?
Message-ID: <437DF6598A45C74A9B7144CAC99165D108FDF656@mokscy3msgusr9o.itservices.sbc.com>

Greetings all,

Does anyone on this mailing list know of any resources I could use that would show me the steps required to generate certificates using Dogtag 10.1? I have all of the Dogtag 10.1 components installed but am looking for some insight on how to create, issue and manage client certificates that will be used for client authentication. The server that will be contacted has a Verisign issued certificate.

Boyd Jackson
AT&T Government Solutions
Cell- 703-314-9173
Fax- 212-202-5261

From alee at redhat.com Thu Mar 13 18:52:19 2014
From: alee at redhat.com (Ade Lee)
Date: Thu, 13 Mar 2014 14:52:19 -0400
Subject: [Pki-users] Dogtag 10.1 User Documentation?
In-Reply-To: <437DF6598A45C74A9B7144CAC99165D108FDF656@mokscy3msgusr9o.itservices.sbc.com>
References: <437DF6598A45C74A9B7144CAC99165D108FDF656@mokscy3msgusr9o.itservices.sbc.com>
Message-ID: <1394736739.4459.49.camel@localhost.localdomain>

There are several resources available.

First of all, the Red Hat Certificate System documentation (for all the old interfaces) still applies. Look at the EE and agent guides.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/

For the new REST interfaces, some documentation is provided on the wiki. We're working to improve this documentation - but what we have is here:

http://pki.fedoraproject.org/wiki/CLI
http://pki.fedoraproject.org/wiki/RESTEasy
http://pki.fedoraproject.org/wiki/REST

If you need help with REST, ask here or get onto #dogtag-pki on freenode.

Ade

On Thu, 2014-03-13 at 14:52 +0000, JACKSON, BOYD R wrote:
> Greetings all,
>
> Does anyone on this mailing list know of any resources I could use
> that would show me the steps required to generate certificates using
> Dogtag 10.1? I have all of the Dogtag 10.1 components installed but am
> looking for some insight on how to create, issue and manage client
> certificates that will be used for client authentication. The server
> that will be contacted has a Verisign issued certificate.
>
> Boyd Jackson
> AT&T Government Solutions
> Cell- 703-314-9173
> Fax- 212-202-5261

From anmajumd at cisco.com Thu Mar 20 21:27:45 2014
From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd))
Date: Thu, 20 Mar 2014 21:27:45 +0000
Subject: [Pki-users] Scalability limits for certificate enrollment enrollment
In-Reply-To: <1394033170.2689.25.camel@aleeredhat.laptop>
Message-ID:

Is there a limit on the number of simultaneous enrollment requests that the Dogtag CA can handle?
The CA certificates are 2048 bits and the CSRs are also 2048 bits.

Thanks,
Anamitra

From bj2917 at att.com Fri Mar 28 15:36:52 2014
From: bj2917 at att.com (JACKSON, BOYD R)
Date: Fri, 28 Mar 2014 15:36:52 +0000
Subject: [Pki-users] Dogtag 10.1 Question
Message-ID: <437DF6598A45C74A9B7144CAC99165D1090023F8@mokscy3msgusr9o.itservices.sbc.com>

Hello everyone, does anyone on the list know where we can get answers for the questions below?

What's the appropriate procedure(s) for generating SSL certificates on behalf of someone and/or only dogtag administrators generating the ssl certificate for users/clients?

How or can we edit the Certificate Profiles? For example, if we generate a certificate with private key archival like the Manual User Signing and Encryption Certificates Enrollment, we can do that as a caAdmin, then retrieve the private keys, and then save out a pkcs12 file that we could give to a client for importation into their browser without ever having someone other than a caAdmin use the dogtag server. Unfortunately, that profile is only generating a certificate for email. We need SSL. Then, how do we enable either a custom profile, or another profile that has the capabilities we would prefer?

Boyd Jackson
AT&T Government Solutions
Cell- 703-314-9173
Fax- 212-202-5261

From cfu at redhat.com Sun Mar 30 20:50:01 2014
From: cfu at redhat.com (Christina Fu)
Date: Sun, 30 Mar 2014 13:50:01 -0700
Subject: [Pki-users] Dogtag 10.1 Question
In-Reply-To: <437DF6598A45C74A9B7144CAC99165D1090023F8@mokscy3msgusr9o.itservices.sbc.com>
References: <437DF6598A45C74A9B7144CAC99165D1090023F8@mokscy3msgusr9o.itservices.sbc.com>
Message-ID: <53388379.2000502@redhat.com>

The most common Certificate profiles are provided by default.
The SSL server profile is one of the most common ones, which you can see under the "Certificate Profiles" tab at the ee port: https:/:/ca/ee/ca

Once you click on the "Manual Server Certificate Enrollment" profile, you will see that this profile takes a PKCS#10 request, which many server applications should have the capability to generate if you follow their installation procedure.

In general, out of security concern, most server administrators don't want the CA's administrators to have access to their server private keys, as the CA usually belongs to another organization or is under a different administration; that's why you will normally not see in practice the CA administrator acting on those servers' behalf.

In your case, if you don't have such concern, the CA administrator could use tools such as certutil to generate the CSR in PKCS#10, submit the request through the "Manual Server Certificate Enrollment" profile I mentioned above, import the cert into the db where the CSR was generated, and pkcs12 export to hand the keys/cert back to the server administrator.

You mentioned the Manual enrollment where keys are generated in the browser. Such default profiles are provided for user certs. The certificate requests are generated in CRMF rather than PKCS#10. You can craft your own certificate profile by using the right input plugins and policysets. For example, if you look in the manual one you can see that input.i1.class_id=keyGenInputImpl profiles key generation, and if you look in the ssl server one you can see the serverCertSet for the ssl server cert. Combine them and you can have key generation in the browser and a cert with ssl capability once approved.

You can learn about how to set up certificate profiles from the RHCS documentation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Certificate_Profiles

Please keep in mind that the profile editing I described above was at a very high level.
If you are going this route you need to think about taking in a different nickname for each enrollment because you are having the administrator generate the keys in his/her own browser, so all CSRs are sharing the same nss db. You can write your own plugin to handle that or follow a strict procedure to delete right after pkcs12 export. In my view, this is not something I'd offer as a standard interface.

Christina

On 03/28/2014 08:36 AM, JACKSON, BOYD R wrote:
>
> Hello everyone, does anyone on the list know where we can get answers
> for the questions below?
>
> *What's the appropriate procedure(s) for generating SSL certificates
> on behalf of someone and/or only dogtag administrators generating the
> ssl certificate for users/clients?*
>
> *How or can we edit the Certificate Profiles? For example, if we
> generate a certificate with private key archival like the Manual User
> Signing and Encryption Certificates Enrollment, we can do that as a
> caAdmin, then retrieve the private keys, and then save out a pkcs12
> file that we could give to a client for importation into their browser
> without ever having someone other than a caAdmin use the dogtag
> server. Unfortunately, that profile is only generating a certificate
> for email. We need SSL. Then, how do we enable either a custom
> profile, or another profile that has the capabilities we would prefer?*
>
> Boyd Jackson
> AT&T Government Solutions
> Cell- 703-314-9173
> Fax- 212-202-5261
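The profile combination Christina describes (take the keyGenInputImpl input from the browser key-generation profile, take the serverCertSet policyset from the SSL server profile) done mechanically, as an added example that is not code from the thread or from Dogtag. The two profile fragments, the check_profile helper and the name/visible/enable keys it emits are constructed for the demo; real profiles carry many more keys.

```python
# Added example, not code from the thread or from Dogtag. It combines the
# browser key-generation input of a user profile with the serverCertSet
# policyset of the SSL server profile. Both fragments are constructed/abridged.
USER_KEYGEN_PROFILE = """\
name=Manual User Signing and Encryption Certificates Enrollment
input.list=i1
input.i1.class_id=keyGenInputImpl
policyset.list=userCertSet
policyset.userCertSet.list=1
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
"""

SERVER_PROFILE = """\
name=Manual Server Certificate Enrollment
input.list=i1
input.i1.class_id=certReqInputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=8
policyset.serverCertSet.8.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.8.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
"""

def parse_profile(text):
    # key=value lines into a dict; blank and comment lines are skipped
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def combine_profiles(keygen_text, server_text, display_name):
    # inputs from the keygen profile (CRMF from the browser), policysets
    # from the server profile (what the issued SSL server cert contains)
    keygen, server = parse_profile(keygen_text), parse_profile(server_text)
    merged = {"name": display_name, "visible": "true", "enable": "true"}
    merged.update((k, v) for k, v in keygen.items() if k.startswith("input."))
    merged.update((k, v) for k, v in server.items() if k.startswith("policyset."))
    return merged

def check_profile(merged):
    # sanity checks before deploying the combined profile
    inputs = {merged.get("input.%s.class_id" % i) for i in merged["input.list"].split(",")}
    if "keyGenInputImpl" not in inputs:
        return "missing keyGenInputImpl input"
    if "certReqInputImpl" in inputs:
        return "certReqInputImpl (PKCS#10) conflicts with browser key generation"
    ekus = [v.split(",") for k, v in merged.items() if k.endswith("exKeyUsageOIDs")]
    if not any("1.3.6.1.5.5.7.3.1" in oids for oids in ekus):
        return "extendedKeyUsage lacks id-kp-serverAuth"
    return "ok"
```

Writing the merged dict back out as key=value lines and registering it with the CA is left to the deployer; Christina's caveat about a distinct nickname per enrollment in the shared NSS db still applies.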