[Pki-users] Can OpenSSL be used as external CA ?
Christina Fu
cfu at redhat.com
Tue Nov 11 02:44:18 UTC 2014
hi Kritee,
I'm sorry I can't find anything visually. Could you send the debug
log? should be somewhere in /var/lib/pki/pki-tomcat/ca/logs. While you
are at it, maybe send the system log and selftests.log as well.
Christina
On 11/07/2014 10:48 PM, Kritee Jhawar wrote:
> Hi Christina
>
> When using Dogtag as external CA I had provided only the self signed
> certificate as pkcs7 (the same way I did for OpenSSL) and it had worked.
>
> The idea behind this was we needed a constant trust anchor to be burnt
> into the devices(which will function as clients). Initially I tried to
> find a way to provide a static root certificate to dogtag so that even
> after the crash it will come up with the same certificate.
> Then I moved onto the l
>
> Sent from my iPhone
>
> On 07-Nov-2014, at 22:38, Christina Fu <cfu at redhat.com> wrote:
>
>> Hi Kritee,
>>
>> I just looked closely. Your ca cert chain contains only one single
>> self-signed root cert. I think what you need is a chain down to the
>> dogtag CA cert that links up from the root, so in your case, you
>> should have both the root and the dogtag CA cert in the pkcs7.
>>
>> Hope that helps.
>> Christina
>>
>>
>> On 11/06/2014 01:25 AM, kritee jhawar wrote:
>>> Hi Christina
>>>
>>> Thanks for the response. PFA the typescript for pkispawn step1 and
>>> pkispawn step2.
>>>
>>> Thanks,
>>> Kritee
>>>
>>> On Thu, Nov 6, 2014 at 8:01 AM, Christina Fu <cfu at redhat.com> wrote:
>>>
>>> Hi Kritee,
>>> I think we could use a bit more info.
>>> Could you try running pkispawn with script... something like the
>>> following:
>>> script -c 'pkispawn -s CA -f config-step2.txt -vvv'
>>>
>>> the resulting typescript file might give us some more clue.
>>> Christina
>>>
>>>
>>> On 10/31/2014 09:24 PM, kritee jhawar wrote:
>>>> Thanks Christina
>>>>
>>>> I checked out the master branch and built it. Now I can see the
>>>> added extensions in the CSR generated, however I am getting the
>>>> same error as earlier.
>>>> This time again, I tried to supply the certificate chain with
>>>> and without the headers. The chain is in a valid pkcs7 format.
>>>> Following is how the extensions look in the certificate signed
>>>> by openssl for dogtag:
>>>>
>>>> X509v3 extensions:
>>>> X509v3 Basic Constraints: critical
>>>> CA:TRUE
>>>> X509v3 Key Usage: critical
>>>> Digital Signature, Non Repudiation, Certificate
>>>> Sign, CRL Sign
>>>> 1.3.6.1.4.1.311.20.2:
>>>> .
>>>> .S.u.b.C.A
>>>>
>>>> The error I get in step 2 of pkispawn is as follows:
>>>>
>>>> pkispawn : INFO ....... BtoA
>>>> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
>>>> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
>>>> pkispawn : INFO ....... loading external CA signing
>>>> certificate from file: '/home/kjhawar/dogtag/dg_ca.cert'
>>>> pkispawn : INFO ....... loading external CA signing
>>>> certificate chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
>>>> pkispawn : INFO ....... configuring PKI configuration data.
>>>> pkispawn : INFO ....... AtoB
>>>> /root/.dogtag/pki-tomcat/ca_admin.cert
>>>> /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>>> pkispawn : INFO ....... certutil -A -d
>>>> /root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u
>>>> -i /root/.dogtag/pki-tomcat/ca_admin.cert.der -f
>>>> /root/.dogtag/pki-tomcat/ca/password.conf
>>>> Notice: Trust flag u is set automatically if the private key is
>>>> present.
>>>> pkispawn : INFO ....... pk12util -d
>>>> /root/.dogtag/pki-tomcat/ca/alias -o
>>>> /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator
>>>> -w /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
>>>> /root/.dogtag/pki-tomcat/ca/password.conf
>>>> pkispawn : INFO ... finalizing
>>>> 'pki.server.deployment.scriptlets.finalization'
>>>> pkispawn : INFO ....... cp -p
>>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>>>> /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
>>>> pkispawn : INFO ....... generating manifest file called
>>>> '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
>>>> pkispawn : INFO ....... cp -p
>>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
>>>> /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
>>>> pkispawn : INFO ....... executing 'systemctl daemon-reload'
>>>> pkispawn : INFO ....... executing 'systemctl restart
>>>> pki-tomcatd@pki-tomcat.service'
>>>> Job for pki-tomcatd@pki-tomcat.service canceled.
>>>> pkispawn : ERROR ....... subprocess.CalledProcessError:
>>>> Command '['systemctl', 'restart',
>>>> 'pki-tomcatd@pki-tomcat.service']' returned non-zero
>>>> exit status 1!
>>>>
>>>> Installation failed.
>>>>
>>>> Kindly let me know if any specific configuration has to be done
>>>> in my openssl CA. Attaching the config file I am using currently.
>>>>
>>>> Thanks
>>>> Kritee
>>>>
>>>> On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu at redhat.com> wrote:
>>>>
>>>> Kritee,
>>>>
>>>> At the minimum, you need the fixes I talked about. They
>>>> were checked into the master but have not been built
>>>> officially, so yum is not going to get you the right rpm.
>>>> However, you can check it out and build it yourself.
>>>> Here is how you check out the master:
>>>>
>>>> git clone git://git.fedorahosted.org/git/pki.git
>>>>
>>>> You can then use the build scripts to build.
>>>>
>>>> Finally, I apologize that we are not supposed to respond to
>>>> private emails. Dogtag is a community where we share our
>>>> knowledge. In the future please send requests to the
>>>> mailing list.
>>>> I took the exception this time to look at your CSR and
>>>> certs and I could see that you need the fixes I talked
>>>> about. I don't know if you have other issues though, but
>>>> AFAIK you need those two fixes.
>>>>
>>>> Hope this helps.
>>>> Christina
>>>>
>>>>
>>>> On 10/29/2014 01:16 AM, kritee jhawar wrote:
>>>>> Hi Christina
>>>>>
>>>>> I have done the default configuration for 389ds and
>>>>> haven't specifically turned on ssl for it.
>>>>>
>>>>> Initially I tried using Microsoft and OpenSSL CA as
>>>>> external CAs. This was about a month back and I pulled the
>>>>> RPMs using yum (so I assume they are the latest ones with
>>>>> the fix you mentioned).
>>>>> With this, my pki spawn went fine. In fact the admin cert
>>>>> got generated using the externally provided root cert as
>>>>> well. But dogtag couldn't connect to the ds. As mentioned
>>>>> earlier it gave me a PKIException error listing the certs
>>>>> with error code 500.
>>>>> Looking at the ds logs I found that the error was 'bad
>>>>> search filter'.
>>>>> However when I tried the same steps with dogtag as
>>>>> external CA the setup went through without a glitch. The
>>>>> chain I imported was directly from the GUI of dogtag. In
>>>>> fact I included the header and footer as well.
>>>>>
>>>>> When I tried to reverse engineer the chain, I took the
>>>>> root cert of external dogtag ca and used OpenSSL to
>>>>> convert it into pkcs7. This chain was not the same as
>>>>> provided from the GUI. Hence I thought that there is some
>>>>> particular format for the chain because of which the other
>>>>> CAs aren't working.
>>>>>
>>>>> Also, I updated the RPMs using yum and tried to generate
>>>>> the CSR with the extra attributes. My CSR still doesn't
>>>>> reflect those added attributes.
>>>>>
>>>>> Is yum not the correct way to get the latest code ?
>>>>>
>>>>> I am very new to this, really appreciate your assistance
>>>>> and time.
>>>>>
>>>>> Regards
>>>>> Kritee
>>>>>
>>>>> On Wednesday, 29 October 2014, Christina Fu <cfu at redhat.com> wrote:
>>>>>
>>>>> the cert chain you provide in the file specified under
>>>>> pki_external_ca_cert_chain_path
>>>>> should be just pkcs7 without header/footer.
>>>>>
>>>>> I don't know why it would not talk to the DS (did you
>>>>> turn on ssl for the ds?).
>>>>> Not sure if you built your Dogtag from the master; if
>>>>> you do, I'd suggest you get the most updated so you
>>>>> get fixes from the tickets I provided previously, which
>>>>> would address at least two issues relating to external CA.
>>>>>
>>>>> Christina
>>>>>
>>>>> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>>>>> Hi Christina
>>>>>>
>>>>>> I was undertaking this activity last month where
>>>>>> Microsoft CA didn't work out but Dogtag as external
>>>>>> CA did.
>>>>>>
>>>>>> While using Microsoft CA or OpenSSL CA, pki spawn
>>>>>> goes through without any error but dogtag stops
>>>>>> communications to 389ds. Upon calling the rest Api
>>>>>> /ca/rest/certs I get a "PKIException error listing
>>>>>> the certs".
>>>>>>
>>>>>> Is there a particular format for the ca cert chain
>>>>>> that we need to provide ? I was trying to reverse
>>>>>> engineer the chain provided by dogtag.
>>>>>>
>>>>>> Thanks
>>>>>> Kritee
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday, 27 October 2014, Christina Fu
>>>>>> <cfu at redhat.com> wrote:
>>>>>>
>>>>>> If you meant the following two:
>>>>>> https://fedorahosted.org/pki/ticket/1190 CA:
>>>>>> issuer DN encoding not preserved at issuance with
>>>>>> signing cert signed by an external CA
>>>>>> https://fedorahosted.org/pki/ticket/1110 -
>>>>>> pkispawn (configuration) does not provide CA
>>>>>> extensions in subordinate certificate signing
>>>>>> requests (CSR)
>>>>>>
>>>>>> They have just recently been fixed upstream so I
>>>>>> imagine you could use Microsoft CA now.
>>>>>> Theoretically any other CA can be used as an
>>>>>> external CA, but if you run into issues, please
>>>>>> feel free to report.
>>>>>>
>>>>>> Christina
>>>>>>
>>>>>>
>>>>>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> In my recent thread i read that there is a bug
>>>>>>> due to which Microsoft CA can't work as external
>>>>>>> CA for dogtag.
>>>>>>> Can OpenSSL be used ?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Kritee
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Pki-users mailing list
>>>>>>> Pki-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
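To make the two points from the thread concrete (the PKCS#7 given to pki_external_ca_cert_chain_path must contain both the root and the Dogtag sub CA cert, with no PEM header/footer, and the sub CA cert signed by OpenSSL must carry the CA extensions), here is an added example that is not code from the thread or from Dogtag. It builds a throwaway root and subordinate CA with OpenSSL, bundles both into one headerless PKCS#7, and checks that the bundle really holds two certificates and that the sub CA cert has CA:TRUE and Certificate Sign. All names and paths are placeholders; it assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed throwaway CAs with
# placeholder names; $WORK is a scratch directory. Assumes the openssl CLI.
set -e
WORK=$(mktemp -d)

# Self-signed root, plus a sub CA whose cert carries the extensions the
# thread shows (CA:TRUE, Digital Signature, Non Repudiation, Cert Sign, CRL Sign).
make_test_cas() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Dogtag Sub CA" -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,digitalSignature,nonRepudiation,keyCertSign,cRLSign' > "$WORK/sub.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/sub.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
}

# Bundle root and sub CA into one PKCS#7 and keep only the base64 body
# (no -----BEGIN/END PKCS7----- lines), which is what the chain file needs.
build_chain() {   # $1 root cert PEM, $2 sub CA cert PEM, $3 output path
  openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -out "$3.pem"
  grep -v -- '-----' "$3.pem" > "$3"
}

# How many certificates a headerless PKCS#7 body actually contains.
chain_cert_count() {   # $1 headerless base64 PKCS#7
  { echo '-----BEGIN PKCS7-----'; cat "$1"; echo '-----END PKCS7-----'; } |
    openssl pkcs7 -print_certs -noout | grep -c '^subject='
}

# Succeeds only if the cert declares CA:TRUE and the Certificate Sign usage.
has_ca_extensions() {   # $1 cert PEM
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}

make_test_cas
build_chain "$WORK/root.pem" "$WORK/sub.pem" "$WORK/chain.b64"
echo "certs in chain: $(chain_cert_count "$WORK/chain.b64")"   # expect 2
has_ca_extensions "$WORK/sub.pem" && echo "sub CA cert has CA extensions"
```

A chain that passes these checks still has to be produced by the CA that actually signed the Dogtag CA cert; the script only verifies structure, not that the right root was used.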