[Pki-users] Can OpensSSL be used as external CA ?
Christina Fu
cfu at redhat.com
Thu Nov 6 02:31:17 UTC 2014
Hi Kritee,
I think we could use a bit more info.
Could you try running pkispawn with script... something like the following:
script -c 'pkispawn -s CA -f config-step2.txt -vvv'
the resulting typescript file might give us some more clues.
Christina
On 10/31/2014 09:24 PM, kritee jhawar wrote:
> Thanks Christina
>
> I checked out the master branch and built it. Now I can see the added
> extensions in the CSR generated, however I am getting the same error
> as earlier.
> This time again, I tried to supply the certificate chain with and
> without the headers. The chain is in a valid pkcs7 format.
> Following is how the extensions look in the certificate signed by
> openssl for dogtag:
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Certificate Sign,
> CRL Sign
> 1.3.6.1.4.1.311.20.2:
> .
> .S.u.b.C.A
>
> The error I get in step 2 of pkispawn is as follows:
>
> pkispawn : INFO ....... BtoA
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
> pkispawn : INFO ....... loading external CA signing certificate
> from file: '/home/kjhawar/dogtag/dg_ca.cert'
> pkispawn : INFO ....... loading external CA signing certificate
> chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
> pkispawn : INFO ....... configuring PKI configuration data.
> pkispawn : INFO ....... AtoB
> /root/.dogtag/pki-tomcat/ca_admin.cert
> /root/.dogtag/pki-tomcat/ca_admin.cert.der
> pkispawn : INFO ....... certutil -A -d
> /root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u -i
> /root/.dogtag/pki-tomcat/ca_admin.cert.der -f
> /root/.dogtag/pki-tomcat/ca/password.conf
> Notice: Trust flag u is set automatically if the private key is present.
> pkispawn : INFO ....... pk12util -d
> /root/.dogtag/pki-tomcat/ca/alias -o
> /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator -w
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
> /root/.dogtag/pki-tomcat/ca/password.conf
> pkispawn : INFO ... finalizing
> 'pki.server.deployment.scriptlets.finalization'
> pkispawn : INFO ....... cp -p
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
> /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
> pkispawn : INFO ....... generating manifest file called
> '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
> pkispawn : INFO ....... cp -p
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
> /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
> pkispawn : INFO ....... executing 'systemctl daemon-reload'
> pkispawn : INFO ....... executing 'systemctl restart
> pki-tomcatd at pki-tomcat.service'
> Job for pki-tomcatd at pki-tomcat.service canceled.
> pkispawn : ERROR ....... subprocess.CalledProcessError: Command
> '['systemctl', 'restart', 'pki-tomcatd at pki-tomcat.service']' returned
> non-zero exit status 1!
>
> Installation failed.
>
> Kindly let me know if any specific configuration has to be done in my
> openssl CA. Attaching the config file I am using currently.
>
> Thanks
> Kritee
>
> On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu at redhat.com
> <mailto:cfu at redhat.com>> wrote:
>
> Kritee,
>
> At the minimum, you need the fixes I talked about. They were
> checked into the master but have not been built officially, so yum
> is not going to get you the right rpm. However, you can check it
> out and build it yourself.
> Here is how you check out the master:
>
> git clone git://git.fedorahosted.org/git/pki.git <http://git.fedorahosted.org/git/pki.git>
>
> You can then use the build scripts to build.
>
> Finally, I apologize that we are not supposed to respond to
> private emails. Dogtag is a community where we share our
> knowledge. In the future please send requests to the mailing list.
> I took the exception this time to look at your CSR and certs and I
> could see that you need the fixes I talked about. I don't know if
> you have other issues though, but AFAIK you need those two fixes.
>
> Hope this helps.
> Christina
>
>
> On 10/29/2014 01:16 AM, kritee jhawar wrote:
>> Hi Christina
>>
>> I have done the default configuration for 389ds and haven't
>> specifically turned on ssl for it.
>>
>> Initially I tried using Microsoft and OpenSSL CA as external CAs.
>> This was about a month back and I pulled the RPMs using yum (so I
>> assume they are the latest ones with the fix you mentioned).
>> With this, my pki spawn went fine. In fact the admin cert got
>> generated using the externally provided root cert as well. But
>> dogtag couldn't connect to the ds. As mentioned earlier it gave
>> me a PKIException error listing the certs with error code 500.
>> Looking at the ds logs I found that the error was 'bad search
>> filter'.
>> However when I tried the same steps with dogtag as external CA
>> the setup went through without a glitch. The chain I imported was
>> directly from the GUI of dogtag. In fact I included the header
>> and footer as well.
>>
>> When I tried to reverse engineer the chain, I took the root cert
>> of external dogtag ca and used OpenSSL to convert it into pkcs7.
>> This chain was not the same as provided from the GUI. Hence I
>> thought that there is some particular format for the chain
>> because of which the other CAs aren't working.
>>
>> Also, I updated the Rpms using yum and tried to generate the CSR
>> with the extra attributes. My csr still doesn't reflect those
>> added attributes.
>>
>> Is yum not the correct way to get the latest code ?
>>
>> I am very new to this, really appreciate your assistance and time.
>>
>> Regards
>> Kritee
>>
>> On Wednesday, 29 October 2014, Christina Fu <cfu at redhat.com
>> <mailto:cfu at redhat.com>> wrote:
>>
>> the cert chain you provide in the file specified under
>> pki_external_ca_cert_chain_path
>> should be just pkcs7 without header/footer.
>>
>> I don't know why it would not talk to the DS (did you turn on
>> ssl for the ds?).
>> Not sure if you built your Dogtag from the master; if you do,
>> I'd suggest you get the most updated so you get fixes from
>> the tickets I provided previously which would address at
>> least two issues relating to external CA.
>>
>> Christina
>>
>> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>> Hi Christina
>>>
>>> I was undertaking this activity last month where Microsoft
>>> CA didn't work out but Dogtag as external CA did.
>>>
>>> While using Microsoft CA or OpenSSL CA, pki spawn goes
>>> through without any error but dogtag stops communications to
>>> 389ds. Upon calling the rest Api /ca/rest/certs I get a
>>> "PKIException error listing the certs".
>>>
>>> Is there a particular format for the ca cert chain that we
>>> need to provide ? I was trying to reverse engineer the chain
>>> provided by dogtag.
>>>
>>> Thanks
>>> Kritee
>>>
>>>
>>>
>>> On Monday, 27 October 2014, Christina Fu <cfu at redhat.com> wrote:
>>>
>>> If you meant the following two:
>>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN
>>> encoding not preserved at issuance with signing cert
>>> signed by an external CA
>>> https://fedorahosted.org/pki/ticket/1110 - pkispawn
>>> (configuration) does not provide CA extensions in
>>> subordinate certificate signing requests (CSR)
>>>
>>> They have just recently been fixed upstream so I imagine
>>> you could use Microsoft CA now. Theoretically any other
>>> CA can be used as an external CA, but if you run into
>>> issues, please feel free to report.
>>>
>>> Christina
>>>
>>>
>>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>> Hi
>>>>
>>>> In my recent thread I read that there is a bug due to
>>>> which Microsoft CA can't work as external CA for dogtag.
>>>> Can OpenSSL be used ?
>>>>
>>>> Thanks
>>>> Kritee
>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>
>
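The thread turns on the format of the file given as pki_external_ca_cert_chain_path: Christina says it should be a bare PKCS#7 body with no PEM header/footer, and Kritee tried it both ways. The following is an added example (not code from the thread or from the Dogtag project) that checks a candidate file against exactly that description using only the Python standard library: it rejects PEM headers, confirms the base64 decodes to a single DER SEQUENCE, and confirms the ContentInfo OID is id-signedData. The sample data is constructed; the [0] content is an empty placeholder rather than a real SignedData.

```python
# Added example, not from the thread or the Dogtag project: checks whether a
# file meant for pki_external_ca_cert_chain_path is a bare base64 PKCS#7
# signedData body with no PEM header/footer, as the reply above asks for.
import base64

SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # id-signedData (PKCS#7 / CMS)

def decode_oid(body):
    """Decode the DER value bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(der, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def strip_pem(text):
    """Drop -----BEGIN/END----- lines so only the base64 body remains."""
    return "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))

def classify_chain_file(text):
    """Return 'ok' or a short reason why the file is not a bare PKCS#7 body."""
    if "-----BEGIN" in text:
        return "pem-headers"                # header/footer present: strip them
    try:
        der = base64.b64decode("".join(text.split()), validate=True)
        tag, body, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "not-der-sequence"       # ContentInfo must be one SEQUENCE
        itag, oid, _ = read_tlv(body, 0)
        if itag != 0x06 or decode_oid(oid) != SIGNED_DATA_OID:
            return "not-pkcs7-signeddata"   # e.g. a bare X.509 cert instead
    except (ValueError, IndexError):        # bad base64 or truncated DER
        return "not-base64-or-truncated"
    return "ok"

# Constructed samples: ContentInfo { signedData OID, [0] empty placeholder },
# the same body wrapped in PEM, and a SEQUENCE that is not PKCS#7 at all.
SAMPLE_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_BARE = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN PKCS7-----\n" + SAMPLE_BARE + "\n-----END PKCS7-----\n"
SAMPLE_NOT_P7 = base64.b64encode(bytes.fromhex("3003020105")).decode()
```

On a real file, `classify_chain_file(open(path).read())` returning "pem-headers" means `strip_pem` output should be written back before rerunning pkispawn.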