[Pki-users] Can OpenSSL be used as external CA?
kritee jhawar
kriteejhawar at gmail.com
Sun Nov 9 10:23:00 UTC 2014
Sorry for the incomplete reply, the mail got sent by mistake.
Hi Christina
When using Dogtag as external CA I had provided only the self-signed
certificate as pkcs7 (the same way I did for OpenSSL) and it had worked.
The idea behind this was we needed a constant trust anchor to be burnt into
the devices (which will function as clients). Initially I tried to find a
way to provide a static root certificate to dogtag so that even after the
crash it will come up with the same certificate. However I didn't find
anything.
Then I moved on to the external CA option.
Now when I tried with a chain of 2 certificates (self-signed cert for
OpenSSL + cert signed by OpenSSL for dogtag) I get the same error as
before.
Thanks
Kritee
On Sat, Nov 8, 2014 at 12:18 PM, Kritee Jhawar <kriteejhawar at gmail.com>
wrote:
> Hi Christina
>
> When using Dogtag as external CA I had provided only the self signed
> certificate as pkcs7 (the same way I did for OpenSSL) and it had worked.
>
> The idea behind this was we needed a constant trust anchor to be burnt
> into the devices (which will function as clients). Initially I tried to find
> a way to provide a static root certificate to dogtag so that even after the
> crash it will come up with the same certificate.
> Then I moved onto the l
>
> Sent from my iPhone
>
> On 07-Nov-2014, at 22:38, Christina Fu <cfu at redhat.com> wrote:
>
> Hi Kritee,
>
> I just looked closely. Your ca cert chain contains only one single
> self-signed root cert. I think what you need is a chain down to the dogtag
> CA cert that links up from the root, so in your case, you should have both
> the root and the dogtag CA cert in the pkcs7.
>
> Hope that helps.
> Christina
>
>
> On 11/06/2014 01:25 AM, kritee jhawar wrote:
>
> Hi Christina
>
> Thanks for the response. PFA the typescript for pkispawn step1 and
> pkispawn step2.
>
> Thanks,
> Kritee
>
> On Thu, Nov 6, 2014 at 8:01 AM, Christina Fu <cfu at redhat.com> wrote:
>
>> Hi Kritee,
>> I think we could use a bit more info.
>> Could you try running pkispawn with script... something like the
>> following:
>> script -c 'pkispawn -s CA -f config-step2.txt -vvv'
>>
>> the resulting typescript file might give us some more clues.
>> Christina
>>
>>
>> On 10/31/2014 09:24 PM, kritee jhawar wrote:
>>
>> Thanks Christina
>>
>> I checked out the master branch and built it. Now I can see the added
>> extensions in the CSR generated, however I am getting the same error as
>> earlier.
>> This time again, I tried to supply the certificate chain with and
>> without the headers. The chain is in a valid pkcs7 format.
>> Following is how the extensions look in the certificate signed by
>> openssl for dogtag:
>>
>> X509v3 extensions:
>> X509v3 Basic Constraints: critical
>> CA:TRUE
>> X509v3 Key Usage: critical
>> Digital Signature, Non Repudiation, Certificate Sign, CRL
>> Sign
>> 1.3.6.1.4.1.311.20.2:
>> .
>> .S.u.b.C.A
>>
>> The error I get in step 2 of pkispawn is as follows:
>>
>> pkispawn : INFO ....... BtoA
>> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
>> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
>> pkispawn : INFO ....... loading external CA signing certificate
>> from file: '/home/kjhawar/dogtag/dg_ca.cert'
>> pkispawn : INFO ....... loading external CA signing certificate
>> chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
>> pkispawn : INFO ....... configuring PKI configuration data.
>> pkispawn : INFO ....... AtoB
>> /root/.dogtag/pki-tomcat/ca_admin.cert
>> /root/.dogtag/pki-tomcat/ca_admin.cert.der
>> pkispawn : INFO ....... certutil -A -d
>> /root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u -i
>> /root/.dogtag/pki-tomcat/ca_admin.cert.der -f
>> /root/.dogtag/pki-tomcat/ca/password.conf
>> Notice: Trust flag u is set automatically if the private key is present.
>> pkispawn : INFO ....... pk12util -d
>> /root/.dogtag/pki-tomcat/ca/alias -o
>> /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator -w
>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
>> /root/.dogtag/pki-tomcat/ca/password.conf
>> pkispawn : INFO ... finalizing
>> 'pki.server.deployment.scriptlets.finalization'
>> pkispawn : INFO ....... cp -p
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>> /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
>> pkispawn : INFO ....... generating manifest file called
>> '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
>> pkispawn : INFO ....... cp -p
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
>> /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
>> pkispawn : INFO ....... executing 'systemctl daemon-reload'
>> pkispawn : INFO ....... executing 'systemctl restart
>> pki-tomcatd@pki-tomcat.service'
>> Job for pki-tomcatd@pki-tomcat.service canceled.
>> pkispawn : ERROR ....... subprocess.CalledProcessError: Command
>> '['systemctl', 'restart', 'pki-tomcatd@pki-tomcat.service']' returned
>> non-zero exit status 1!
>>
>> Installation failed.
>>
>> Kindly let me know if any specific configuration has to be done in my
>> openssl CA. Attaching the config file I am using currently.
>>
>> Thanks
>> Kritee
>>
>> On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu at redhat.com> wrote:
>>
>>> Kritee,
>>>
>>> At the minimum, you need the fixes I talked about. They were checked
>>> into the master but have not been built officially, so yum is not going to
>>> get you the right RPM. However, you can check it out and build it yourself.
>>> Here is how you check out the master:
>>>
>>> git clone git://git.fedorahosted.org/git/pki.git
>>>
>>> You can then use the build scripts to build.
>>>
>>> Finally, I apologize that we are not supposed to respond to private
>>> emails. Dogtag is a community where we share our knowledge. In the future
>>> please send requests to the mailing list.
>>> I took the exception this time to look at your CSR and certs and I could
>>> see that you need the fixes I talked about. I don't know if you have other
>>> issues though, but AFAIK you need those two fixes.
>>>
>>> Hope this helps.
>>> Christina
>>>
>>>
>>> On 10/29/2014 01:16 AM, kritee jhawar wrote:
>>>
>>> Hi Christina
>>>
>>> I have done the default configuration for 389ds and haven't
>>> specifically turned on ssl for it.
>>>
>>> Initially I tried using Microsoft and OpenSSL CA as external CAs. This
>>> was about a month back and I pulled the RPMs using yum (so I assume they are
>>> the latest ones with the fix you mentioned).
>>> With this, my pkispawn went fine. In fact the admin cert got generated
>>> using the externally provided root cert as well. But dogtag couldn't
>>> connect to the DS. As mentioned earlier it gave me a PKIException error
>>> listing the certs with error code 500.
>>> Looking at the DS logs I found that the error was 'bad search filter'.
>>> However when I tried the same steps with dogtag as external CA the setup
>>> went through without a glitch. The chain I imported was directly from the
>>> GUI of dogtag. In fact I included the header and footer as well.
>>>
>>> When I tried to reverse engineer the chain, I took the root cert of
>>> external dogtag ca and used OpenSSL to convert it into pkcs7. This chain
>>> was not the same as provided from the GUI. Hence I thought that there is
>>> some particular format for the chain because of which the other CAs aren't
>>> working.
>>>
>>> Also, I updated the RPMs using yum and tried to generate the CSR with
>>> the extra attributes. My CSR still doesn't reflect those added attributes.
>>>
>>> Is yum not the correct way to get the latest code?
>>>
>>> I am very new to this, really appreciate your assistance and time.
>>>
>>> Regards
>>> Kritee
>>>
>>> On Wednesday, 29 October 2014, Christina Fu <cfu at redhat.com> wrote:
>>>
>>>> the cert chain you provide in the file specified under
>>>> pki_external_ca_cert_chain_path
>>>> should be just pkcs7 without header/footer.
>>>>
>>>> I don't know why it would not talk to the DS (did you turn on SSL for
>>>> the DS?).
>>>> Not sure if you built your Dogtag from the master; if you do, I'd
>>>> suggest you get the most updated so you get the fixes from the tickets I
>>>> provided previously, which would address at least two issues relating to
>>>> external CA.
>>>>
>>>> Christina
>>>>
>>>> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>>>
>>>> Hi Christina
>>>>
>>>> I was undertaking this activity last month where Microsoft CA didn't
>>>> work out but Dogtag as external CA did.
>>>>
>>>> While using Microsoft CA or OpenSSL CA, pkispawn goes through
>>>> without any error but dogtag stops communications to 389ds. Upon calling
>>>> the REST API /ca/rest/certs I get a "PKIException error listing the certs".
>>>>
>>>> Is there a particular format for the ca cert chain that we need to
>>>> provide? I was trying to reverse engineer the chain provided by dogtag.
>>>>
>>>> Thanks
>>>> Kritee
>>>>
>>>>
>>>>
>>>> On Monday, 27 October 2014, Christina Fu <cfu at redhat.com> wrote:
>>>>
>>>>> If you meant the following two:
>>>>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>>>>> preserved at issuance with signing cert signed by an external CA
>>>>> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration)
>>>>> does not provide CA extensions in subordinate certificate signing requests
>>>>> (CSR)
>>>>>
>>>>> They have just recently been fixed upstream so I imagine you could use
>>>>> Microsoft CA now. Theoretically any other CA can be used as an external
>>>>> CA, but if you run into issues, please feel free to report.
>>>>>
>>>>> Christina
>>>>>
>>>>>
>>>>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> In my recent thread I read that there is a bug due to which
>>>>> Microsoft CA can't work as external CA for dogtag.
>>>>> Can OpenSSL be used?
>>>>>
>>>>> Thanks
>>>>> Kritee
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
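Christina's diagnosis above comes down to two checkable properties of the file named by pki_external_ca_cert_chain_path: it must be a bare PKCS#7 body (no PEM header/footer) and it must carry both the external root and the Dogtag CA cert, not the root alone. The script below is an added example, not code from this thread or from Dogtag: a stdlib-only Python tool that builds a certs-only PKCS#7 from DER certificates, strips or accepts PEM armour, and lists the certificates a bundle actually contains. The helper names (der_tlv, der_read, certs_in_pkcs7, to_pem, strip_pem_armor) are my own, and the placeholder "certificates" used when testing it are constructed stand-ins for real DER certs read from files.

```python
import base64
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(tag, body):  # DER tag-length-value; long-form length from 128 bytes up
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body


def build_certs_only_pkcs7(certs_der):
    # Degenerate SignedData (no signers) carrying the whole chain, the same shape
    # 'openssl crl2pkcs7 -nocrl -certfile root.pem -certfile sub.pem' produces.
    signed = (der_tlv(0x02, b"\x01") + der_tlv(0x31, b"")       # version 1, no digestAlgorithms
              + der_tlv(0x30, der_tlv(0x06, OID_DATA))           # encapContentInfo: id-data
              + der_tlv(0xA0, b"".join(certs_der)) + der_tlv(0x31, b""))  # [0] certs, no signerInfos
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, der_tlv(0x30, signed)))


def to_pem(der):  # PEM form with header/footer, i.e. the chain "with the headers"
    return "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % base64.b64encode(der).decode()


def strip_pem_armor(text):  # bare base64 body, which is what pki_external_ca_cert_chain_path expects
    return "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))


def der_read(buf, pos):  # one DER element -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def certs_in_pkcs7(data):  # DER bytes, PEM text or bare base64 -> list of DER certs inside
    if isinstance(data, str):
        data = base64.b64decode(strip_pem_armor(data))
    _, content_info, _ = der_read(data, 0)
    tag, oid, pos = der_read(content_info, 0)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData bundle")
    _, signed, _ = der_read(der_read(content_info, pos)[1], 0)  # [0] EXPLICIT -> SignedData
    pos = 0
    for _ in range(3):  # skip version, digestAlgorithms, encapContentInfo
        pos = der_read(signed, pos)[2]
    tag, certs, _ = der_read(signed, pos)
    if tag != 0xA0:  # certificates element absent: the chain file carries nothing
        return []
    out, pos = [], 0
    while pos < len(certs):
        end = der_read(certs, pos)[2]
        out.append(certs[pos:end])
        pos = end
    return out
```

Running certs_in_pkcs7 over the chain file before pkispawn step 2 makes the failure mode in this thread visible up front: a result of length 1 is exactly the single self-signed root that Christina found in the submitted chain, where two entries (root plus the Dogtag CA cert) were needed.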