From rperez at pgjtabasco.gob.mx Sat May 3 01:11:02 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Fri, 2 May 2014 20:11:02 -0500 (CDT)
Subject: [Pki-users] Translate DogTag Certificate System to Spanish
In-Reply-To: <1615889221.83931.1399079289055.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1623373408.83936.1399079462585.JavaMail.root@pgjtabasco.gob.mx>

How to translate the web interface DogTag Certificate System? Or how I can contribute to the translations?

DogTag Certificate System 1.3

From rperez at pgjtabasco.gob.mx Sat May 3 06:31:06 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Sat, 3 May 2014 01:31:06 -0500 (CDT)
Subject: [Pki-users] Error signing documents
In-Reply-To: <330541066.84066.1399098652771.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1861243096.84067.1399098666702.JavaMail.root@pgjtabasco.gob.mx>

When I try to sign a microsoft word document I get the message:

"Certificate not reliable: can not check status of certificate revocation Check the connection to the network.."

From ayoung at redhat.com Mon May 5 15:48:52 2014
From: ayoung at redhat.com (Adam Young)
Date: Mon, 05 May 2014 11:48:52 -0400
Subject: [Pki-users] Error signing documents
In-Reply-To: <1861243096.84067.1399098666702.JavaMail.root@pgjtabasco.gob.mx>
References: <1861243096.84067.1399098666702.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <5367B2E4.6010207@redhat.com>

On 05/03/2014 02:31 AM, Ricardo Alexander Alexander Perez Ricardez wrote:
> When I try to sign a microsoft word document I get the message:
>
> "Certificate not reliable: can not check status of certificate revocation Check the connection to the network.."
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

Please include some more info:

What tool you are using to sign the document (cmsutil or openssl cms?)
The text version of the certificate you are using.

I doubt it is the fact that it is an MS word document that is causing trouble. It sounds like the tool you are using is trying to check revocation status, and either can't find it in the cert or can't talk to the remote URL to fetch the revocation list.

From rperez at pgjtabasco.gob.mx Tue May 6 04:04:03 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Mon, 5 May 2014 23:04:03 -0500 (CDT)
Subject: [Pki-users] Cannot import a certificate
In-Reply-To: <1402827949.84824.1399347392457.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <221627996.84922.1399349043107.JavaMail.root@pgjtabasco.gob.mx>

Hello,

I'm trying to import a certificate with mozilla firefox, I want to use this certificate to sign documents in PDF and Microsoft Word, but I get the following error:

This certificate can not be verified and will not be imported. Maybe the issuer certificate is unknown or unreliable, perhaps the certificate expired or been revoked, or has not been approved.
Here are the steps I perform to reproduce the error:

On the client side:

1.- Enter the url "https://pki.mydomain.mx:9444/ca/ee/ca/" in the browser Mozilla Firefox
2.- Select Certificate Profile Name "Manual User Dual-Use Certificate Enrollment"
3.- Change Key Generation Request from 512 to 2048 RSA (Encryption and Signing)
4.- Enter the UID and the Common name and click submit

On the server side:

5.- Enter the url "https://pki.pgjtabasco.gob.mx:9445/ca/services" and select Agent services
6.- Find new certificate request and click the new certificate request
7.- Review the details of the certificate request
8.- Choose approve request and click on submit

Again On the client side:

9.- Check request status
10.- Choose Issued certificate
11.- Review Certificate contents

Certificate:
    Data:
        Version: v3
        Serial Number: 0x15
        Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Issuer: CN=Certificate Authority,OU=pki-ca,O=mydomain Domain
        Validity:
            Not Before: lunes 5 de mayo de 2014 22H49' CDT Mexico/General
            Not After: sábado 1 de noviembre de 2014 21H49' CST Mexico/General
        Subject: UID=Alex prueba,CN=Alexander prueba
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                Exponent: 65537
                Public Key Modulus: (2048 bits)
        Extensions:
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    DC:B3:54:E7:39:AD:59:DF:3D:F4:DB:C6:6F:9C:86:CE:
                    91:83:EB:4A
            Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                Critical: no
                Access Description:
                    Method #0: ocsp
                    Location #0: URIName: http://pki.mydomain.mx:9180/ca/ocsp
            Identifier: Key Usage: - 2.5.29.15
                Critical: yes
                Key Usage:
                    Digital Signature
                    Non Repudiation
                    Key Encipherment
            Identifier: Extended Key Usage: - 2.5.29.37
                Critical: no
                Extended Key Usage:
                    1.3.6.1.5.5.7.3.2
                    1.3.6.1.5.5.7.3.4
    Signature:
        Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11

Installing this certificate in a server

The following format can be used to install this certificate into a server.
Base 64 encoded certificate

Base 64 encoded certificate with CA certificate chain in pkcs7 format

12.- Click import your certificate
13.- I get message: "This certificate can not be verified and will not be imported. Maybe the issuer certificate is unknown or unreliable, perhaps the certificate expired or been revoked, or has not been approved."

Note: I added numbered images for more detail as well as the details of the certificate.

From alee at redhat.com Tue May 6 15:19:19 2014
From: alee at redhat.com (Ade Lee)
Date: Tue, 06 May 2014 11:19:19 -0400
Subject: [Pki-users] Translate DogTag Certificate System to Spanish
In-Reply-To: <1623373408.83936.1399079462585.JavaMail.root@pgjtabasco.gob.mx>
References: <1623373408.83936.1399079462585.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1399389559.9622.18.camel@aleeredhat.laptop>

Ricardo,

Thanks for the offer to help translate Dogtag!

You mention Dogtag 1.3 -- that's a very old version! We are working on version 10.2.

Unfortunately, Dogtag is not well set up right now for internationalization.
There are plans to improve this, but they will likely fall in the 10.3 time frame.

Still, there is a lot that can be done.

1. Server code: some attempt has been made to internationalize some of the server code. As a result, there are some properties files with string definitions:

   base/server/cmsbundle/src/UserMessages.properties
   base/server/cmsbundle/src/LogMessages.properties
   dogtag/console-ui/src/CMSAdminRS.properties

   There are probably other properties files in the console source code. Translated versions of those files would have extension .es_ES.

2. Dogtag 10 has many man pages that can be translated, especially for pkispawn, pkidestroy etc.

3. The Javascript in the UI is for the most part, not set up for translation. Externalizing the strings is what is planned for 10.3. If you want to get a jump on that though, the way to do it is pretty straightforward.

   See: ./base/ca/shared/webapps/ca/ee/ca/ProfileList.template

   You will notice that the strings have been externalized to a properties file:
   dogtag/common-ui/shared/ca/ee/ProfileList.properties

   Translating that UI page would simply be a matter of creating a translated properties file:
   dogtag/common-ui/shared/ca/ee/ProfileList.properties_es_ES

   Unfortunately, this is the only UI page for which this has been done so far. We need to do a similar string externalization (and adding the jquery bit on top) for all the template files.

We've started a wiki page http://pki.fedoraproject.org/wiki/Internationalization to start tracking this effort.

Let us know what you are interested in working on!

Thanks!
Ade

On Fri, 2014-05-02 at 20:11 -0500, Ricardo Alexander Alexander Perez Ricardez wrote:
> How to translate the web interface DogTag Certificate System? Or how I can contribute to the translations?
>
> DogTag Certificate System 1.3

From ryan.millay at gdc4s.com Tue May 6 18:28:41 2014
From: ryan.millay at gdc4s.com (Millay, Ryan)
Date: Tue, 6 May 2014 18:28:41 +0000
Subject: [Pki-users] Applet Memory Size
Message-ID:

Hello,

We're working with the External Registration update for the Red Hat Certificate System and we're testing the max capacity of our tokens. I'm looking for a little clarification regarding the "channel.appletMemorySize" parameter on the TPS. How much of the memory specified by this parameter is actually available for certificate storage? Is there an upper limit that the applet can handle?

Thanks!

Ryan Millay
Software Engineer
General Dynamics C4 Systems
Work: 781-455-3299

This message and/or attachments may include information subject to GDC4S S.P. 1.8.6 and GD Corporate Policy 07-105 and are intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message.

From rperez at pgjtabasco.gob.mx Wed May 7 16:04:01 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Wed, 7 May 2014 11:04:01 -0500
Subject: [Pki-users] Unable to check the revocation status of the certificate
Message-ID: <000301cf6a0d$f897f0e0$e9c7d2a0$@pgjtabasco.gob.mx>

Hi,

I'm trying to sign a document in Microsoft Word 2010, by signing me send the message:

"Untrusted certificate. Could not check the revocation status of the certificate, check the connection to the network"

Deputy images with details

From rperez at pgjtabasco.gob.mx Fri May 9 23:05:18 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Fri, 9 May 2014 18:05:18 -0500 (CDT)
Subject: [Pki-users] Can´t create CSP List Object!
In-Reply-To: <99370264.89263.1399676626197.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <252318119.89280.1399676718017.JavaMail.root@pgjtabasco.gob.mx>

Hello,

When trying to send a certificate request "Certificate Profile - Manual User Dual-Use Certificate Enrollment" I get the following message:

Can not create Object List CSP! Error -2147467259:
CertEnroll :: CX509EnrollmentWebClassFactory :: CreateObject: Unspecified error 0x80004005 (-2147467259)

I use:
DogTag Certificate System 10
Internet explorer 9 (On Client side)

Attached picture with details

From rperez at pgjtabasco.gob.mx Sat May 10 01:14:52 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Fri, 9 May 2014 20:14:52 -0500
Subject: [Pki-users] Can´t create CSP List Object! (SOLVED)
Message-ID: <000b01cf6bed$3f1dea20$bd59be60$@pgjtabasco.gob.mx>

Solve this problem by installing this revision:

http://support.microsoft.com/kb/2078942

The CertEnroll Control does not work in Internet Explorer on a computer running Windows That is 7 or Windows Server 2008 R2

?This is not a problem DogTag Certificate System?

From rperez at pgjtabasco.gob.mx Sat May 10 01:22:34 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Fri, 9 May 2014 20:22:34 -0500
Subject: [Pki-users] Unable to check the revocation status of the certificate (SOLVED)
Message-ID: <001001cf6bee$523d47d0$f6b7d770$@pgjtabasco.gob.mx>

Solve this problem

On the client side:
1 - Using Internet explorer 8, 9
2 - Import and install, CA Certificate Chain
3 - Import and install, Certificate Revocation List

On the server side:
After approve an application for registration certificate
Update Certificate Revocation List (CRL)

From rperez at pgjtabasco.gob.mx Sat May 10 01:24:22 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Fri, 9 May 2014 20:24:22 -0500
Subject: [Pki-users] Cannot import a certificate (SOLVED)
Message-ID: <001501cf6bee$92b3f750$b81be5f0$@pgjtabasco.gob.mx>

Solve this problem

On the client side:
1 - Using Internet explorer 8
2 - Import and install, CA Certificate Chain
3 - Import and install, Certificate Revocation List

On the server side:
After approve an application for registration certificate
Update Certificate Revocation List (CRL)
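
The fix reported in the (SOLVED) messages above (CA chain and a current CRL on the client, CRL refreshed on the server) can be reproduced offline with OpenSSL. This is an added example, not part of the original posts and not Dogtag code; the throwaway CA, the subject names and the pki.example.test OCSP URL are constructed placeholders, and the user certificate only mirrors the key usage, extended key usage and OCSP Authority Info Access of the posted certificate.

```shell
#!/bin/sh
# Added example: constructed throwaway CA. Every name, path and URL is a placeholder.
set -eu

make_demo_pki() {   # $1 = empty working directory
    d=$1
    mkdir -p "$d/newcerts"; : > "$d/index.txt"
    echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_user ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
authorityInfoAccess = OCSP;URI:http://pki.example.test:9180/ca/ocsp
EOF
    # Self-signed CA, then a user certificate issued through the CA database.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -config "$d/ca.cnf" -extensions v3_ca \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -config "$d/ca.cnf" -keyout "$d/user.key" -out "$d/user.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$d/ca.cnf" -extensions v3_user \
        -in "$d/user.csr" -out "$d/user.pem" >/dev/null 2>&1
}

publish_crl() {     # $1 = PKI directory, $2 = CRL file to write (server side)
    openssl ca -config "$1/ca.cnf" -gencrl -out "$2" >/dev/null 2>&1
}

revoke_user() {     # $1 = PKI directory
    openssl ca -config "$1/ca.cnf" -revoke "$1/user.pem" >/dev/null 2>&1
}

check_revocation() {    # $1 = certificate, $2 = CA chain, $3 = CRL (optional)
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$2" -crl_check -CRLfile "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$2" -crl_check "$1" 2>&1) || true
    fi
    case $out in
        *"unable to get certificate CRL"*) echo no-crl ;;   # what the client reported
        *"certificate revoked"*)           echo revoked ;;
        *": OK"*)                          echo good ;;
        *)                                 echo other ;;
    esac
}

revocation_demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    # Where the client would ask for status: the OCSP URL from Authority Info Access.
    uri=$(openssl x509 -in "$d/user.pem" -noout -ocsp_uri)
    # 1. Client has the CA chain but no revocation data: status cannot be checked.
    s1=$(check_revocation "$d/user.pem" "$d/ca.pem")
    # 2. Server publishes a CRL and the client installs it: the check succeeds.
    publish_crl "$d" "$d/crl1.pem"
    s2=$(check_revocation "$d/user.pem" "$d/ca.pem" "$d/crl1.pem")
    # 3. Certificate revoked, but the client still holds the old CRL: stale answer.
    revoke_user "$d"
    s3=$(check_revocation "$d/user.pem" "$d/ca.pem" "$d/crl1.pem")
    # 4. Server updates the CRL and the client installs the new one.
    publish_crl "$d" "$d/crl2.pem"
    s4=$(check_revocation "$d/user.pem" "$d/ca.pem" "$d/crl2.pem")
    rm -rf "$d"
    echo "$uri $s1 $s2 $s3 $s4"
}

revocation_demo
```

The third result is the reason the server-side "Update Certificate Revocation List (CRL)" step matters: a client that validates against an installed CRL only sees revocations published after its copy was issued once it receives the refreshed list.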

From rperez at pgjtabasco.gob.mx Sat May 10 01:33:32 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Fri, 9 May 2014 20:33:32 -0500
Subject: [Pki-users] Error signing documents (SOLVED)
Message-ID: <001f01cf6bef$da7ffb50$8f7ff1f0$@pgjtabasco.gob.mx>

Solve this problem

On the client side:
1 - Using Internet explorer 8
2 - Import and install, CA Certificate Chain
3 - Import and install, Certificate Revocation List

On the server side:
After approve an application for registration certificate
Update Certificate Revocation List (CRL)

After doing this, I could import my certificates and sign word documents and pdf without problems.

He was using DogTag Certificate System 1.3, I have now installed the version 10.

From rperez at pgjtabasco.gob.mx Sun May 11 04:45:03 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Sat, 10 May 2014 23:45:03 -0500 (CDT)
Subject: [Pki-users] HTTP 500 - CS server is not ready to serve (SOLVED)
In-Reply-To: <949153305.89714.1399783184811.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1967092128.89716.1399783503644.JavaMail.root@pgjtabasco.gob.mx>

I receive this error:

Estado HTTP 500 - CS server is not ready to serve.
--------------------------------------------------------------------------------
type Informe de Excepción
mensaje CS server is not ready to serve.
descripción El servidor encontró un error interno que hizo que no pudiera rellenar este requerimiento.
excepción
java.io.IOException: CS server is not ready to serve.
    com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:606)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
nota La traza completa de la causa de este error se encuentra en los archivos de diario de Apache Tomcat/7.0.47.
--------------------------------------------------------------------------------

Solution:

Start LDAP 389 Directory Server

systemctl start dirsrv.target

From ftweedal at redhat.com Mon May 12 06:49:38 2014
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 May 2014 16:49:38 +1000
Subject: [Pki-users] blog post: certificate profiles (part 1)
Message-ID: <20140512064938.GJ13285@dhcp-40-8.bne.redhat.com>

Hi all,

I've been encouraged to blog my learnings/development of FreeIPA/Dogtag. Without further ado, I present my first post, which is on the topic of certificate profiles and the certificate request process. In particular I examine the relationship between the PKCS #10 CSR format and the Dogtag Enrolment Request process, including what can cause summary rejection, and information in a CSR that are ignored by Dogtag.

I'd appreciate a quick skim by those familiar with the profile system (to make sure I'm on the right track / not telling gigantic lies) as well as any general feedback.
Link: http://blog-ftweedal.rhcloud.com/2014/05/dogtag-certificate-profiles-certificate-requests/

Cheers,
Fraser

P.S. Better CSS coming soon ^_^

From rperez at pgjtabasco.gob.mx Mon May 12 15:49:05 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Mon, 12 May 2014 10:49:05 -0500
Subject: [Pki-users] pkispawn Change default CA Name
Message-ID: <002901cf6df9$b4a39f20$1deadd60$@pgjtabasco.gob.mx>

Hi,

pkispawn use this file: etc/pki/default.cfg

This file contains the value:

pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s

It's possible change the name "CA Signing Certificate" for other?

From mniranja at redhat.com Mon May 12 17:34:11 2014
From: mniranja at redhat.com (Niranjan M.R)
Date: Mon, 12 May 2014 23:04:11 +0530
Subject: [Pki-users] pkispawn Change default CA Name
In-Reply-To: <002901cf6df9$b4a39f20$1deadd60$@pgjtabasco.gob.mx>
References: <002901cf6df9$b4a39f20$1deadd60$@pgjtabasco.gob.mx>
Message-ID: <53710613.8090409@redhat.com>

On 05/12/2014 09:19 PM, Ricardo Alexander Perez Ricardez wrote:
> Hi,
>
> pkispawn use this file: *etc/pki/default.cfg*
>
> This file contains the value:
>
> pki_ca_signing_subject_dn=cn=CA Signing
> Certificate,o=%(pki_security_domain_name)s
>
> It's possible change the name "CA Signing Certificate" for other?

It should be possible, though I don't have a working setup but I did try with below parameter in my inf file.

pki_ca_signing_subject_dn = cn=SubCA-pki-example-2323,o=%(pki_security_domain_name)s

--
Regards
Niranjan

From WilliamC.Elliott at s-itsolutions.at Wed May 14 06:45:10 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Wed, 14 May 2014 06:45:10 +0000
Subject: [Pki-users] Java Crypto Libraries and CMC
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net>

Hello,

Could someone recommend Java libraries for creating CMC Requests? I'm not a programmer, but it doesn't look as if JCE provides the necessary tools. The only one I found that might is Bouncy Castle - it does CMS, but I'm not sure if it's enough to form CMC requests.

Can agent authenticated CMC enrollment in Dogtag support more than one certificate profile? Could the CMC servlet be "duplicated" and renamed in the web.xml and connected to a second certificate profile?

Thanks in advance for any tips!

best regards,

William Elliott
s IT Solutions
Open System Services

s IT Solutions AT Spardat GmbH
mailto:william.elliott at s-itsolutions.at
www.s-itsolutions.com

Head Office: Vienna Commercial Register No.: 152289f Commercial Court of Vienna

This message and any attached files are confidential and intended solely for the addressee(s). Any publication, transmission or other use of the information by a person or entity other than the intended addressee is prohibited.
If you receive this in error please contact the sender and delete the material. The sender does not accept liability for any errors or omissions as a result of the transmission.

From mniranja at redhat.com Wed May 14 07:17:17 2014
From: mniranja at redhat.com (Niranjan M.R)
Date: Wed, 14 May 2014 12:47:17 +0530
Subject: [Pki-users] Java Crypto Libraries and CMC
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net>
Message-ID: <5373187D.2080504@redhat.com>

On 05/14/2014 12:15 PM, Elliott William C OSS sIT wrote:
> Hello,
>
> Could someone recommend Java libraries for creating CMC Requests? I'm
> not a programmer, but it doesn't look as if JCE provides the necessary
> tools. The only one I found that might is Bouncy Castle - it does CMS,
> but I'm not sure if it's enough to form CMC requests.

I am not aware of libraries, but have you tried CMCRequest which is part of pki-tools package.

Documentation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CMC_Request.html

I have not tried this on Dogtag 10 yet, but last I tried for CS 8.1 it worked as below

A. Create CRMF Request (using CRMFPopClient)
B. Create a configuration file with parameters as mentioned in the above link.
C. Run CMCRequest

   $ CMCRequest

The CMCRequest will be saved in the output file mentioned in cfg file.

> Can agent authenticated CMC enrollment in Dogtag support more than one
> certificate profile? Could the CMC servlet be "duplicated" and renamed
> in the web.xml and connected to a second certificate profile?
>
> Thanks in advance for any tips!

--
Regards
Niranjan

From WilliamC.Elliott at s-itsolutions.at Wed May 14 08:42:38 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Wed, 14 May 2014 08:42:38 +0000
Subject: [Pki-users] Java Crypto Libraries and CMC
In-Reply-To: <5373187D.2080504@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net> <5373187D.2080504@redhat.com>
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B7CA348@M0182.s-mxs.net>

Hi,

We use the Redhat tools already for batch processing (CMCEnroll,AtoB, etc.). That's fine on RHEL, but we to create requests from applications running on other operating systems (and not MS) and have these processed synchronously.
The developers need to use Java. CMC has been around awhile, but support for it doesn't seem to be so widespread. (MS apparently can also) We also use SCEP, but that protocol seems to be a dead-end - even the rfc states that CMC is to be preferred.

thanks,
William Elliott

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Niranjan M.R
Sent: Wednesday, 14 May 2014 09:17
To: pki-users at redhat.com
Subject: Re: [Pki-users] Java Crypto Libraries and CMC [heur]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/14/2014 12:15 PM, Elliott William C OSS sIT wrote:
> Hello,
>
> Could someone recommend Java libraries for creating CMC Requests? I'm
> not a programmer, but it doesn't look as if JCE provides the necessary
> tools. The only one I found that might is Bouncy Castle - it does CMS,
> but I'm not sure if it's enough to form CMC requests.

I am not aware of libraries, but have you tried CMCRequest which is part of pki-tools package.

Documentation:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CMC_Request.html

I have not tried this on Dogtag 10 yet, but last I tried for CS 8.1 it worked as below

A. Create CRMF Request (using CRMFPopClient)

B. Create a configuration file with parameters as mentioned in the above link.

C. Run CMCRequest
$ CMCRequest

The CMCRequest will be saved in the output file mentioned in cfg file.

> Can agent authenticated CMC enrollment in Dogtag support more than one
> certificate profile? Could the CMC servlet be "duplicated" and renamed
> in the web.xml and connected to a second certificate profile?
>
> Thanks in advance for any tips!
>
> best regards,
>
> William Elliott
> s IT Solutions
> Open System Services
>
> s IT Solutions AT Spardat GmbH
>
> mailto:william.elliott at s-itsolutions.at
> www.s-itsolutions.com
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court of
> Vienna

- --
Regards
Niranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNzGH0ACgkQLu3FX2BHx8fgyACfUS117eKiDRtzLfbXo1LM2RbJ
1M4AnRBlIJvEouI2uVDpEM9kBtvyQDaI
=HLMY
-----END PGP SIGNATURE-----

From alee at redhat.com Wed May 14 13:52:45 2014
From: alee at redhat.com (Ade Lee)
Date: Wed, 14 May 2014 09:52:45 -0400
Subject: [Pki-users] Java Crypto Libraries and CMC
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B7CA348@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net> <5373187D.2080504@redhat.com> <85C87A9995875247B2DD471950E0AE4D1B7CA348@M0182.s-mxs.net>
Message-ID: <1400075565.20827.1.camel@localhost.localdomain>

Which operating systems are you considering? The Red Hat tools are all written in Java - so potentially they might be usable on those other OS.
Ade

On Wed, 2014-05-14 at 08:42 +0000, Elliott William C OSS sIT wrote:
> Hi,
>
> We use the Redhat tools already for batch processing (CMCEnroll,AtoB, etc.). That's fine on RHEL, but we to create requests from applications running on other operating systems (and not MS) and have these processed synchronously. The developers need to use Java. CMC has been around awhile, but support for it doesn't seem to be so widespread. (MS apparently can also) We also use SCEP, but that protocol seems to be a dead-end - even the rfc states that CMC is to be preferred.
>
> thanks,
> William Elliott
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Niranjan M.R
> Sent: Wednesday, 14 May 2014 09:17
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] Java Crypto Libraries and CMC [heur]
>
> On 05/14/2014 12:15 PM, Elliott William C OSS sIT wrote:
> > Hello,
> >
> > Could someone recommend Java libraries for creating CMC Requests? I'm
> > not a programmer, but it doesn't look as if JCE provides the necessary
> > tools. The only one I found that might is Bouncy Castle - it does CMS,
> > but I'm not sure if it's enough to form CMC requests.
>
> I am not aware of libraries, but have you tried CMCRequest which is part
> of pki-tools package.
>
> Documentation:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CMC_Request.html
>
> I have not tried this on Dogtag 10 yet, but last I tried for CS 8.1
> it worked as below
>
> A. Create CRMF Request (using CRMFPopClient)
>
> B. Create a configuration file with parameters as mentioned in the above
> link.
>
> C. Run CMCRequest
> $ CMCRequest
>
> The CMCRequest will be saved in the output file mentioned in cfg file.
>
> > Can agent authenticated CMC enrollment in Dogtag support more than one
> > certificate profile?
> > Could the CMC servlet be "duplicated" and renamed
> > in the web.xml and connected to a second certificate profile?
> >
> > Thanks in advance for any tips!
> >
> > best regards,
> >
> > William Elliott
> > s IT Solutions
> > Open System Services
> >
> > s IT Solutions AT Spardat GmbH
> >
> > mailto:william.elliott at s-itsolutions.at
> > www.s-itsolutions.com
> >
> > Head Office: Vienna Commercial Register No.: 152289f Commercial Court of
> > Vienna

From WilliamC.Elliott at s-itsolutions.at Wed May 14 16:48:27 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Wed, 14 May 2014 16:48:27 +0000
Subject: [Pki-users] Java Crypto Libraries and CMC
In-Reply-To: <1400075565.20827.1.camel@localhost.localdomain>
References: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net> <5373187D.2080504@redhat.com> <85C87A9995875247B2DD471950E0AE4D1B7CA348@M0182.s-mxs.net> <1400075565.20827.1.camel@localhost.localdomain>
Message-ID:
<85C87A9995875247B2DD471950E0AE4D1B7CE604@M0182.s-mxs.net>

Solaris. I had assumed, since CMC was a standard, there would be some support for it on several platforms - and especially java.

Bill

-----Original Message-----
From: Ade Lee [mailto:alee at redhat.com]
Sent: Wednesday, 14 May 2014 15:53
To: Elliott William C OSS sIT
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Java Crypto Libraries and CMC [bayes]

Which operating systems are you considering? The Red Hat tools are all written in Java - so potentially they might be usable on those other OS.

Ade
On Wed, 2014-05-14 at 08:42 +0000, Elliott William C OSS sIT wrote:
> Hi,
>
> We use the Redhat tools already for batch processing (CMCEnroll,AtoB, etc.). That's fine on RHEL, but we to create requests from applications running on other operating systems (and not MS) and have these processed synchronously. The developers need to use Java. CMC has been around awhile, but support for it doesn't seem to be so widespread. (MS apparently can also) We also use SCEP, but that protocol seems to be a dead-end - even the rfc states that CMC is to be preferred.
>
> thanks,
> William Elliott
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Niranjan M.R
> Sent: Wednesday, 14 May 2014 09:17
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] Java Crypto Libraries and CMC [heur]
>
> On 05/14/2014 12:15 PM, Elliott William C OSS sIT wrote:
> > Hello,
> >
> > Could someone recommend Java libraries for creating CMC Requests? I'm
> > not a programmer, but it doesn't look as if JCE provides the necessary
> > tools. The only one I found that might is Bouncy Castle - it does CMS,
> > but I'm not sure if it's enough to form CMC requests.
>
> I am not aware of libraries, but have you tried CMCRequest which is part
> of pki-tools package.
>
> Documentation:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CMC_Request.html
>
> I have not tried this on Dogtag 10 yet, but last I tried for CS 8.1
> it worked as below
>
> A. Create CRMF Request (using CRMFPopClient)
>
> B. Create a configuration file with parameters as mentioned in the above
> link.
>
> C. Run CMCRequest
> $ CMCRequest
>
> The CMCRequest will be saved in the output file mentioned in cfg file.
>
> > Can agent authenticated CMC enrollment in Dogtag support more than one
> > certificate profile? Could the CMC servlet be "duplicated" and renamed
> > in the web.xml and connected to a second certificate profile?
> >
> > Thanks in advance for any tips!
> >
> > best regards,
> >
> > William Elliott
> > s IT Solutions
> > Open System Services
> >
> > s IT Solutions AT Spardat GmbH
> >
> > mailto:william.elliott at s-itsolutions.at
> > www.s-itsolutions.com
> >
> > Head Office: Vienna Commercial Register No.: 152289f Commercial Court of
> > Vienna
From alee at redhat.com Mon May 19 13:51:51 2014
From: alee at redhat.com (Ade Lee)
Date: Mon, 19 May 2014 09:51:51 -0400
Subject: [Pki-users] pkispawn Change default CA Name
In-Reply-To: <53710613.8090409@redhat.com>
References: <002901cf6df9$b4a39f20$1deadd60$@pgjtabasco.gob.mx> <53710613.8090409@redhat.com>
Message-ID: <1400507511.7077.3.camel@aleeredhat.laptop>

Yes, it is fully expected that that parameter would be customized in your config file.

Remember, of course, that you should specify the new value in your own config file, rather than changing it in /etc/pki/default.cfg. Values in your own config file override any values defined in /etc/pki/default.cfg.

Ade

On Mon, 2014-05-12 at 23:04 +0530, Niranjan M.R wrote:
> On 05/12/2014 09:19 PM, Ricardo Alexander Perez Ricardez wrote:
> > Hi,
> >
> > pkispawn use this file: *etc/pki/default.cfg*
> >
> > This file contains the value:
> >
> > pki_ca_signing_subject_dn=cn=CA Signing
> > Certificate,o=%(pki_security_domain_name)s
> >
> > It's possible change the name "CA Signing Certificate" for other?
>
> It should be possible, Though I don't have a working setup but I did try
> with below parameter in my inf file.
>
> pki_ca_signing_subject_dn =
> cn=SubCA-pki-example-2323,o=%(pki_security_domain_name)s"

From rperez at pgjtabasco.gob.mx Wed May 21 01:42:31 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Tue, 20 May 2014 20:42:31 -0500
Subject: [Pki-users] Sorry, your request is not submitted. The reason is "invalid request".
Message-ID: <003701cf7495$ee7492c0$cb5db840$@pgjtabasco.gob.mx>

Hi,

I try to create a certificate by following these steps:

Some simple steps are listed here on how to proceed to enroll a server certificate for an apache webserver with Dogtag.

* Generate a Key/CSR:
  o openssl genrsa -des3 -out www.mydomain.com.key 1024
  o openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
    - Fill out all the prompts here including CountryName,State,Locality,Organization Name, Organizational Unit Name, Common Name.
* Sample CSR from the above commands:

-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
FTATBgNVBAcTDE1vdW50YWluVmlldzEPMA0GA1UEChMGUmVkSGF0MQwwCgYDVQQL
EwNJRE0xDjAMBgNVBAMTBWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDMbwtFUZNzlfWRI19nuxKsbhJ1/5A/rrXQkH7+K1uqxmzytm6b57lkGK9YUC7B
qSKpJ4zzOnVqwRZsE9oJ5CSv+eQUie1NTz4KEL9ZOsN4p2zn0JFaKqze/vxZ3Rux
BKnAz34KxOKZxGTiychOTytWS6V4lDzKBvgTgf0EZfOcfwIDAQABoAAwDQYJKoZI
hvcNAQEEBQADgYEAxRGViyX5MxedhfSOja3XmvCcTOZL+btT7u4zztGBz71qSGhz
yLcFCHCOMngsfiHxySBUIjZdGAOjrwcwT04ig/C2TE8mTamDp7d8/zQ6k9De/9Dp
Q+C7PZuTYQkDf417IxbalEWhhNQ2AE6pMxfWwWAhjP1jAFLdKQZtEVNG9AQ=
-----END CERTIFICATE REQUEST-----

* Submit this CSR to the "Server Certificate Enrollment" profile of the Dogtag CA and get it approved.
* Download the Cert and the CA and get them installed in apache.

From this URL: http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment

The .key and .csr files correctly generated, when I get to this step:

Submit this CSR to the "Server Certificate Enrollment" profile of the Dogtag CA and get it approved.

I get the following error in the web administration console DogTag:

Sorry, your request is not submitted. The reason is "invalid request".

From rperez at pgjtabasco.gob.mx Wed May 21 14:57:24 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Wed, 21 May 2014 09:57:24 -0500
Subject: [Pki-users] Sorry, your request is not submitted. The reason is "invalid request" (SOLVED)
Message-ID: <003c01cf7504$f972e810$ec58b830$@pgjtabasco.gob.mx>

Solve this problem as follows:

When generating the CSR, please do not enter an email address, challenge password, or an optional company name. For some reason when some of these data is entered, the server indicates that the CSR is invalid.
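The (SOLVED) message above names three optional `openssl req` prompts (email address, challenge password, optional company name) as the cause of the rejection. The Python below is an added example, not code from the thread or from Dogtag: it reads a PKCS#10 request with a minimal DER parser and reports whether any of those three fields is present, so a CSR can be checked before it is submitted. The function names, the `example.test` values and the second, constructed request (dummy key and signature) are assumptions made for the illustration.

```python
import base64
import re

# OIDs written by the three optional `openssl req` prompts named in the message.
OPTIONAL_FIELDS = {
    "1.2.840.113549.1.9.1": "emailAddress in the subject DN",
    "1.2.840.113549.1.9.7": "challengePassword attribute",
    "1.2.840.113549.1.9.2": "unstructuredName attribute (optional company name)",
}

THREAD_SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
FTATBgNVBAcTDE1vdW50YWluVmlldzEPMA0GA1UEChMGUmVkSGF0MQwwCgYDVQQL
EwNJRE0xDjAMBgNVBAMTBWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDMbwtFUZNzlfWRI19nuxKsbhJ1/5A/rrXQkH7+K1uqxmzytm6b57lkGK9YUC7B
qSKpJ4zzOnVqwRZsE9oJ5CSv+eQUie1NTz4KEL9ZOsN4p2zn0JFaKqze/vxZ3Rux
BKnAz34KxOKZxGTiychOTytWS6V4lDzKBvgTgf0EZfOcfwIDAQABoAAwDQYJKoZI
hvcNAQEEBQADgYEAxRGViyX5MxedhfSOja3XmvCcTOZL+btT7u4zztGBz71qSGhz
yLcFCHCOMngsfiHxySBUIjZdGAOjrwcwT04ig/C2TE8mTamDp7d8/zQ6k9De/9Dp
Q+C7PZuTYQkDf417IxbalEWhhNQ2AE6pMxfWwWAhjP1jAFLdKQZtEVNG9AQ=
-----END CERTIFICATE REQUEST-----"""  # the sample CSR posted in the thread

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # yields (tag, value_start, value_end) per element
    while start < end:
        tag, vstart, vend = read_tlv(buf, start)
        yield tag, vstart, vend
        start = vend

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    values, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            values, value = values + [value], 0
    first = min(values[0] // 40, 2)
    return ".".join(map(str, [first, values[0] - 40 * first] + values[1:]))

def pem_to_der(pem):  # drop the PEM armor and whitespace, then base64-decode
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s+", "", pem))

def audit_csr(der):
    """Parse a PKCS#10 request and flag the optional fields it carries."""
    tag, start, _ = read_tlv(der, 0)             # CertificationRequest
    _, start, end = read_tlv(der, start)         # CertificationRequestInfo
    parts = list(children(der, start, end))      # version, subject, SPKI, [0] attributes
    if tag != 0x30 or len(parts) != 4 or parts[3][0] != 0xA0:
        raise ValueError("not a PKCS#10 certification request")
    subject = []
    for _, rdn_s, rdn_e in children(der, parts[1][1], parts[1][2]):   # each RDN (SET)
        for _, atv_s, atv_e in children(der, rdn_s, rdn_e):           # type and value
            oid, val = list(children(der, atv_s, atv_e))[:2]
            text = der[val[1]:val[2]].decode("utf-8", "replace")
            subject.append((decode_oid(der[oid[1]:oid[2]]), text))
    attributes = []
    for _, attr_s, attr_e in children(der, parts[3][1], parts[3][2]):
        _, oid_s, oid_e = next(children(der, attr_s, attr_e))
        attributes.append(decode_oid(der[oid_s:oid_e]))
    seen = [oid for oid, _ in subject] + attributes
    flagged = [OPTIONAL_FIELDS[o] for o in seen if o in OPTIONAL_FIELDS]
    return {"subject": subject, "attributes": attributes, "flagged": flagged}

def tlv(tag, *parts):
    """DER-encode one element; used only to build the constructed sample."""
    body = b"".join(parts)
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def constructed_csr():
    """CONSTRUCTED request (dummy key and signature) with all three fields set."""
    pkcs9 = bytes.fromhex("2a864886f70d0109")    # OID prefix 1.2.840.113549.1.9
    pair = lambda oid, value: tlv(0x30, tlv(0x06, oid), value)
    subject = tlv(0x30, tlv(0x31, pair(bytes.fromhex("550403"), tlv(0x13, b"www.example.test"))),
                  tlv(0x31, pair(pkcs9 + b"\x01", tlv(0x16, b"admin@example.test"))))
    attrs = tlv(0xA0, pair(pkcs9 + b"\x07", tlv(0x31, tlv(0x13, b"secret"))),
                pair(pkcs9 + b"\x02", tlv(0x31, tlv(0x13, b"Example Corp"))))
    alg = pair(bytes.fromhex("2a864886f70d010101"), tlv(0x05))    # rsaEncryption, NULL
    info = tlv(0x30, tlv(0x02, b"\x00"), subject, tlv(0x30, alg, tlv(0x03, b"\x00")), attrs)
    return tlv(0x30, info, alg, tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for name, der in (("thread sample", pem_to_der(THREAD_SAMPLE_CSR)), ("constructed", constructed_csr())):
        print(name, "->", audit_csr(der)["flagged"] or "none of the three optional fields")
```

The thread's sample CSR carries an empty attribute set and no email address in its subject, while the constructed request is flagged for all three fields.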
From msauton at redhat.com Wed May 21 19:21:42 2014
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 21 May 2014 12:21:42 -0700
Subject: [Pki-users] Sorry, your request is not submitted. The reason is "invalid request".
In-Reply-To: <003701cf7495$ee7492c0$cb5db840$@pgjtabasco.gob.mx>
References: <003701cf7495$ee7492c0$cb5db840$@pgjtabasco.gob.mx>
Message-ID: <537CFCC6.90905@redhat.com>

On 05/20/2014 06:42 PM, Ricardo Alexander Perez Ricardez wrote:
> Hi,
>
> I try to create a certificate by following these steps:
>
> Some simple steps are listed here on how to proceed to enroll a server
> certificate for an apache webserver with Dogtag.
>
> * Generate a Key/CSR:
>
>   o openssl genrsa -des3 -out www.mydomain.com.key 1024
>
>   o openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>
>     - Fill out all the prompts here including
>       CountryName,State,Locality,Organization Name, Organizational Unit
>       Name, Common Name.
>
> * Sample CSR from the above commands:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBqDCCARECAQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
> FTATBgNVBAcTDE1vdW50YWluVmlldzEPMA0GA1UEChMGUmVkSGF0MQwwCgYDVQQL
> EwNJRE0xDjAMBgNVBAMTBWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
> gQDMbwtFUZNzlfWRI19nuxKsbhJ1/5A/rrXQkH7+K1uqxmzytm6b57lkGK9YUC7B
> qSKpJ4zzOnVqwRZsE9oJ5CSv+eQUie1NTz4KEL9ZOsN4p2zn0JFaKqze/vxZ3Rux
> BKnAz34KxOKZxGTiychOTytWS6V4lDzKBvgTgf0EZfOcfwIDAQABoAAwDQYJKoZI
> hvcNAQEEBQADgYEAxRGViyX5MxedhfSOja3XmvCcTOZL+btT7u4zztGBz71qSGhz
> yLcFCHCOMngsfiHxySBUIjZdGAOjrwcwT04ig/C2TE8mTamDp7d8/zQ6k9De/9Dp
> Q+C7PZuTYQkDf417IxbalEWhhNQ2AE6pMxfWwWAhjP1jAFLdKQZtEVNG9AQ=
> -----END CERTIFICATE REQUEST-----
>
> * Submit this CSR to the "Server Certificate Enrollment" profile of the
>   Dogtag CA and get it approved.
>
> * Download the Cert and the CA and get them installed in apache.
>
> From this URL: http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment
>
> The .key and .csr files correctly generated, when I get to this step:
>
> Submit this CSR to the "Server Certificate Enrollment" profile of the
> Dogtag CA and get it approved.
>
> I get the following error in the web administration console DogTag:
>
> Sorry, your request is not submitted. The reason is "invalid request".

The posted CSR seems to work ok for me, can read it from openssl, request and issue a certificate using RHCS 8.1.
You may want to review the /var/log/pki-ca/debug file for any extra hint.
Thanks,
M.

From alee at redhat.com Thu May 22 14:45:53 2014
From: alee at redhat.com (Ade Lee)
Date: Thu, 22 May 2014 10:45:53 -0400
Subject: [Pki-users] Java Crypto Libraries and CMC
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B7CE604@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B7CA150@M0182.s-mxs.net> <5373187D.2080504@redhat.com> <85C87A9995875247B2DD471950E0AE4D1B7CA348@M0182.s-mxs.net> <1400075565.20827.1.camel@localhost.localdomain> <85C87A9995875247B2DD471950E0AE4D1B7CE604@M0182.s-mxs.net>
Message-ID: <1400769953.3631.6.camel@localhost.localdomain>

I'm not sure what other tools are available on Solaris, but it should be possible to use the Red Hat tools on Solaris. Here is how I would do it:

1) Look at the contents of pki-tools, and copy those files over to your solaris machine. If I recall correctly, there are packages that allow you to install a rpm on solaris. You basically need the jars and scripts.

2) Each of the tools is started by a script. This script basically sets up a command line that invokes java with the right arguments and environment variables.
You will likely need to modify the script to set the right paths for the jar files and java runtime.

Ade

On Wed, 2014-05-14 at 16:48 +0000, Elliott William C OSS sIT wrote:
> Solaris. I had assumed, since CMC was a standard, there would be some support for it on several platforms - and especially java.
>
> Bill
>
> -----Original Message-----
> From: Ade Lee [mailto:alee at redhat.com]
> Sent: Wednesday, 14 May 2014 15:53
> To: Elliott William C OSS sIT
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Java Crypto Libraries and CMC [bayes]
>
> Which operating systems are you considering? The Red Hat tools are all
> written in Java - so potentially they might be usable on those other OS.
>
> Ade
> On Wed, 2014-05-14 at 08:42 +0000, Elliott William C OSS sIT wrote:
> > Hi,
> >
> > We use the Redhat tools already for batch processing (CMCEnroll,AtoB, etc.). That's fine on RHEL, but we to create requests from applications running on other operating systems (and not MS) and have these processed synchronously. The developers need to use Java. CMC has been around awhile, but support for it doesn't seem to be so widespread. (MS apparently can also) We also use SCEP, but that protocol seems to be a dead-end - even the rfc states that CMC is to be preferred.
> >
> > thanks,
> > William Elliott
> >
> > -----Original Message-----
> > From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Niranjan M.R
> > Sent: Wednesday, 14 May 2014 09:17
> > To: pki-users at redhat.com
> > Subject: Re: [Pki-users] Java Crypto Libraries and CMC [heur]
> >
> > On 05/14/2014 12:15 PM, Elliott William C OSS sIT wrote:
> > > Hello,
> > >
> > > Could someone recommend Java libraries for creating CMC Requests? I'm
> > > not a programmer, but it doesn't look as if JCE provides the necessary
> > > tools. The only one I found that might is Bouncy Castle - it does CMS,
> > > but I'm not sure if it's enough to form CMC requests.
> >
> > I am not aware of libraries, but have you tried CMCRequest which is part
> > of pki-tools package.
> >
> > Documentation:
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CMC_Request.html
> >
> > I have not tried this on Dogtag 10 yet, but last I tried for CS 8.1
> > it worked as below
> >
> > A. Create CRMF Request (using CRMFPopClient)
> >
> > B. Create a configuration file with parameters as mentioned in the above
> > link.
> >
> > C. Run CMCRequest
> > $ CMCRequest
> >
> > The CMCRequest will be saved in the output file mentioned in cfg file.
> >
> > > Can agent authenticated CMC enrollment in Dogtag support more than one
> > > certificate profile? Could the CMC servlet be "duplicated" and renamed
> > > in the web.xml and connected to a second certificate profile?
> > >
> > > Thanks in advance for any tips!
> > >
> > > best regards,
> > >
> > > William Elliott
> > > s IT Solutions
> > > Open System Services
> > >
> > > s IT Solutions AT Spardat GmbH
> > >
> > > mailto:william.elliott at s-itsolutions.at
> > > www.s-itsolutions.com
> > >
> > > Head Office: Vienna Commercial Register No.: 152289f Commercial Court of
> > > Vienna
From rperez at pgjtabasco.gob.mx Fri May 23 02:12:34 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Perez Ricardez)
Date: Thu, 22 May 2014 21:12:34 -0500
Subject: [Pki-users] How to generate cert from command line...
Message-ID: <004d01cf762c$75dd26e0$619774a0$@pgjtabasco.gob.mx>

Hi,

I'm trying to create a certificate to install in my apache server or Internet Information Service, I follow the steps in this direction URL: http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment

Some simple steps are listed here on how to proceed to enroll a server certificate for an apache webserver with Dogtag.

STEP ONE: Generate a Key/CSR:

openssl genrsa -des3 -out www.mydomain.com.key 1024
openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

Fill out all the prompts here including CountryName,State,Locality,Organization Name, Organizational Unit Name, Common Name.
Sample CSR from the above commands:

-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
FTATBgNVBAcTDE1vdW50YWluVmlldzEPMA0GA1UEChMGUmVkSGF0MQwwCgYDVQQL
EwNJRE0xDjAMBgNVBAMTBWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDMbwtFUZNzlfWRI19nuxKsbhJ1/5A/rrXQkH7+K1uqxmzytm6b57lkGK9YUC7B
qSKpJ4zzOnVqwRZsE9oJ5CSv+eQUie1NTz4KEL9ZOsN4p2zn0JFaKqze/vxZ3Rux
BKnAz34KxOKZxGTiychOTytWS6V4lDzKBvgTgf0EZfOcfwIDAQABoAAwDQYJKoZI
hvcNAQEEBQADgYEAxRGViyX5MxedhfSOja3XmvCcTOZL+btT7u4zztGBz71qSGhz
yLcFCHCOMngsfiHxySBUIjZdGAOjrwcwT04ig/C2TE8mTamDp7d8/zQ6k9De/9Dp
Q+C7PZuTYQkDf417IxbalEWhhNQ2AE6pMxfWwWAhjP1jAFLdKQZtEVNG9AQ=
-----END CERTIFICATE REQUEST-----

STEP TWO: Submit this CSR to the "Server Certificate Enrollment" profile of the Dogtag CA and get it approved.

STEP THREE: Download the Cert and the CA and get them installed in apache.

I have problems in step three, when I click on the option "Import Your Certificate" from the web console Dogtag Certificate Manager, I receive the following message:

"This certificate cannot staff be installed Because you do not own the Corresponding private key"

Searching in google I found this:

When I try to download my issued certificate, I get an "Accept in PKCS7" error message.

If you are getting the "Error in accept PKCS7" message that means that the Microsoft OS/Internet Explorer cannot find the private key(s) for those certificates. (Please note that this does not necessarily mean that the private key(s) are not there, just that the MS system cannot find them.)
This happens because:

- the request was done under a different log-in profile (you are logged on under a different username/password) than when the request was made
- or the request was made with a different browser (for example, Firefox)
- or the request was made on a different computer than the one you are trying to import it on
- or something was done to the machine (like an update to the operating system - a Windows update, profile change, computer re-imaged, etc.)

You will only be able to import the issued certificate onto the same computer, same log-in profile, and using the same web browser as when you made the on-line request. (i.e. as when you got the "Print this form" web page).

Well now!, I have the certificate in Base 64 format, Dogtag console shows me the following information:

Installing this certificate in a server

The Following format can be used to install this certificate into a server.

Base 64 encoded certificate

In this picture I deleted some lines deliberately, but my certificate is complete.

Base 64 encoded certificate with CA certificate chain in pkcs7 format

In this picture I deleted some lines deliberately, but my certificate is complete.

Well now!, what I do with this information?, How I generated my certificate with this plane format? Since in my web browser from the console does not allow me to import the certificate.

How I can generate my certificate from the command line?

How I can generate my certificates in .cer, .crt, .pfx, .p12?

What format should I use?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 78638 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 53357 bytes
Desc: not available

From ayoung at redhat.com Fri May 23 02:23:54 2014
From: ayoung at redhat.com (Adam Young)
Date: Thu, 22 May 2014 22:23:54 -0400
Subject: [Pki-users] How to generate cert from command line...
In-Reply-To: <004d01cf762c$75dd26e0$619774a0$@pgjtabasco.gob.mx>
References: <004d01cf762c$75dd26e0$619774a0$@pgjtabasco.gob.mx>
Message-ID: <537EB13A.3090709@redhat.com>

On 05/22/2014 10:12 PM, Ricardo Alexander Perez Ricardez wrote:
> Hi,
>
> I'm trying to create a certificate to install in my apache server or
> Internet Information Service, I follow the steps in this direction
> URL: http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment
>
> Some simple steps are listed here on how to proceed to enroll a server
> certificate for an apache webserver with Dogtag.
>
> STEP ONE: Generate a Key/CSR:
>
> openssl genrsa -des3 -out www.mydomain.com.key 1024
>
> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>
> Fill out all the prompts here including
> CountryName,State,Locality,Organization Name, Organizational Unit
> Name, Common Name.
>
> Sample CSR from the above commands:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBqDCCARECAQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
> FTATBgNVBAcTDE1vdW50YWluVmlldzEPMA0GA1UEChMGUmVkSGF0MQwwCgYDVQQL
> EwNJRE0xDjAMBgNVBAMTBWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
> gQDMbwtFUZNzlfWRI19nuxKsbhJ1/5A/rrXQkH7+K1uqxmzytm6b57lkGK9YUC7B
> qSKpJ4zzOnVqwRZsE9oJ5CSv+eQUie1NTz4KEL9ZOsN4p2zn0JFaKqze/vxZ3Rux
> BKnAz34KxOKZxGTiychOTytWS6V4lDzKBvgTgf0EZfOcfwIDAQABoAAwDQYJKoZI
> hvcNAQEEBQADgYEAxRGViyX5MxedhfSOja3XmvCcTOZL+btT7u4zztGBz71qSGhz
> yLcFCHCOMngsfiHxySBUIjZdGAOjrwcwT04ig/C2TE8mTamDp7d8/zQ6k9De/9Dp
> Q+C7PZuTYQkDf417IxbalEWhhNQ2AE6pMxfWwWAhjP1jAFLdKQZtEVNG9AQ=
> -----END CERTIFICATE REQUEST-----
>
> STEP TWO: Submit this CSR to the "Server Certificate Enrollment"
> profile of the Dogtag CA and get it approved.
>
> STEP THREE: Download the Cert and the CA and get them installed in
> apache.
>
> I have problems in step three, when I click on the option "Import
> Your Certificate" from the web console Dogtag Certificate Manager, I
> receive the following message:
>
> "This certificate cannot staff be installed Because you do not own the
> Corresponding private key"
>
> Searching in google I found this:
>
> When I try to download my issued certificate, I get an "Accept in
> PKCS7" error message.
>
> If you are getting the "Error in accept PKCS7" message that means that
> the Microsoft OS/Internet Explorer cannot find the private key(s) for
> those certificates. (Please note that this does not necessarily mean
> that the private key(s) are not there, just that the MS system cannot
> find them.)
>
> This happens because:
>
> - the request was done under a different log-in profile (you are logged
> on under a different username/password) than when the request was made
>
> - or the request was made with a different browser (for example, Firefox)
>
> - or the request was made on a different computer than the one you are
> trying to import it on
>
> - or something was done to the machine (like an update to the operating
> system -- a Windows update, profile change, computer re-imaged, etc.)
>
> You will only be able to import the issued certificate onto the same
> computer, same log-in profile, and using the same web browser as when
> you made the on-line request. (i.e. as when you got the "Print this
> form" web page).
>
> Well now!, I have the certificate in Base 64 format, Dogtag console
> shows me the following information:
>
> Installing this certificate in a server
>
> The Following format can be used to install this certificate into a
> server.
>
> Base 64 encoded certificate
>
> In this picture I deleted some lines deliberately, but my certificate
> is complete.
>
> Base 64 encoded certificate with CA certificate chain in pkcs7 format
>
> In this picture I deleted some lines deliberately, but my certificate
> is complete.
>
> Well now!, what I do with this information?, How I generated my
> certificate with this plane format? Since in my web browser from the
> console does not allow me to import the certificate.
>
> How I can generate my certificate from the command line?
>
> How I can generate my certificates in .cer, .crt, .pfx, .p12?
>
> What format should I use?

Use Certmonger and make things easy on yourself:

https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt

http://rpm.pbone.net/index.php3/stat/45/idpl/25503325/numer/8/nazwa/certmonger-dogtag-ipa-renew-agent-submit

From jnimeh at gmail.com Thu May 29 00:57:16 2014
From: jnimeh at gmail.com (Jamil Nimeh)
Date: Wed, 28 May 2014 17:57:16 -0700
Subject: [Pki-users] Enable next update with CA built-in responder?
Message-ID: <538685EC.9090606@gmail.com>

Hello all,

I have a Dogtag 9.0.20 system where I've been playing around with the built-in OCSP responder and have been unable to find the right setting in CS.cfg to enable the nextUpdate field in OCSP responses. I see docs that cover how to do it via console and CS.cfg for the stand-alone OCSP responder, but similar settings (or variants on it) in the CA's CS.cfg don't seem to have any effect.

Does the CA's built-in responder have tunables similar to the stand-alone responder - in particular something like the ocsp.store.defStore.inclueNextUpdate parameter?

Thank you,
Jamil Nimeh