[Pki-users] Can OpensSSL be used as external CA ?

Christina Fu cfu at redhat.com
Tue Nov 11 20:49:42 UTC 2014


Kritee,
I see the following error in the debug log:
[09/Nov/2014:06:03:44][http-bio-9443-exec-3]: handleCerts(): 
importCertChain: Exception: 
java.security.cert.CertificateEncodingException: Security library failed 
to decode certificate package: (-8183) security library: improperly 
formatted DER-encoded message.

It doesn't like your pkcs7 cert chain.
Personally, I always use the whole chain from root down to and including 
the CA signing cert of the leaf CA.  Actually, I wrote that part of the 
code, and that's how I remembered it too.  I just don't remember why ;-( 
because it's been a long time.

Maybe I didn't read your email closely enough and I am not sure what the 
purpose of your exercise is. The external CA feature is to support a non 
Dogtag CA as the issuer.  Since we don't know what cert-chain 
auto-retrieval mechanisms are out there for every and which CA 
manufacturer, we just resolved to having people manually put the pkcs7 
in the specified config file.

You can always manually manipulate what goes into the nss cert db by 
using certutil (run certutil -H to see all options).  You can add certs, 
delete certs, add trust, etc.

Christina

On 11/10/2014 06:55 PM, kritee jhawar wrote:
> Hi Christina
>
> PFA the logs. As for my other question, is this the only mechanism 
> with which we can control the root certificate of dogtag? Is there no 
> other way where we can bring up Dogtag with an externally provided 
> certificate?
> Because if I have to pass the root cert of OpenSSL along with the cert 
> signed for dogtag as chain, it defeats my whole purpose of the exercise.
> Thanks again for helping out so actively.
>
> Regards
> Kritee
>
> On Tue, Nov 11, 2014 at 8:14 AM, Christina Fu <cfu at redhat.com> wrote:
>
>     hi Kritee,
>     I'm sorry I can't find anything visually.  Could you send the
>     debug log?  should be somewhere in
>     /var/lib/pki/pki-tomcat/ca/logs.  While you are at it, maybe send
>     the system log and selftests.log as well.
>
>     Christina
>
>
>     On 11/07/2014 10:48 PM, Kritee Jhawar wrote:
>>     Hi Christina
>>
>>     When using Dogtag as external CA I had provided only the self
>>     signed certificate as pkcs7 (the same way I did for OpenSSL) and
>>     it had worked.
>>
>>     The idea behind this was we needed a constant trust anchor to be
>>     burnt into the devices(which will function as clients). Initially
>>     I tried to find a way to provide a static root certificate to
>>     dogtag so that even after the crash it will come up with the same
>>     certificate.
>>     Then I moved onto the  l
>>
>>     Sent from my iPhone
>>
>>     On 07-Nov-2014, at 22:38, Christina Fu <cfu at redhat.com> wrote:
>>
>>>     Hi Kritee,
>>>
>>>     I just looked closely.  Your ca cert chain contains only one
>>>     single self-signed root cert. I think what you need is a chain
>>>     down to the dogtag CA cert that links up from the root, so in
>>>     your case, you should have both the root and the dogtag CA cert
>>>     in the pkcs7.
>>>
>>>     Hope that helps.
>>>     Christina
>>>
>>>
>>>     On 11/06/2014 01:25 AM, kritee jhawar wrote:
>>>>     Hi Christina
>>>>
>>>>     Thanks for the response. PFA the typescript for pkispawn step1
>>>>     and pkispawn step2.
>>>>
>>>>     Thanks,
>>>>     Kritee
>>>>
>>>>     On Thu, Nov 6, 2014 at 8:01 AM, Christina Fu <cfu at redhat.com> wrote:
>>>>
>>>>         Hi Kritee,
>>>>         I think we could use a bit more info.
>>>>         Could you try running pkispawn with script... something
>>>>         like the following:
>>>>         script -c 'pkispawn -s CA -f config-step2.txt -vvv'
>>>>
>>>>         the resulting typescript file might give us some more clue.
>>>>         Christina
>>>>
>>>>
>>>>         On 10/31/2014 09:24 PM, kritee jhawar wrote:
>>>>>         Thanks Christina
>>>>>
>>>>>         I checked out the master branch and built it. Now I can
>>>>>         see the added extensions in the CSR generated, however I
>>>>>         am getting the same error as earlier.
>>>>>         This time again, I tried to supply the certificate chain
>>>>>         with and without the headers. The chain is in a valid
>>>>>         pkcs7 format.
>>>>>         Following is how the extensions look in the certificate
>>>>>         signed by openssl for dogtag:
>>>>>
>>>>>               X509v3 extensions:
>>>>>                     X509v3 Basic Constraints: critical
>>>>>         CA:TRUE
>>>>>                     X509v3 Key Usage: critical
>>>>>         Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>>>>>         1.3.6.1.4.1.311.20.2:
>>>>>                         .
>>>>>         .S.u.b.C.A
>>>>>
>>>>>         The error i get in step 2 of pkispawn is as follows:
>>>>>
>>>>>         pkispawn    : INFO ....... BtoA
>>>>>         /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
>>>>>         /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
>>>>>         pkispawn    : INFO ....... loading external CA signing
>>>>>         certificate from file: '/home/kjhawar/dogtag/dg_ca.cert'
>>>>>         pkispawn    : INFO ....... loading external CA signing
>>>>>         certificate chain from file:
>>>>>         '/home/kjhawar/dogtag/dg_chain.cert'
>>>>>         pkispawn    : INFO ....... configuring PKI configuration data.
>>>>>         pkispawn    : INFO ....... AtoB
>>>>>         /root/.dogtag/pki-tomcat/ca_admin.cert
>>>>>         /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>>>>         pkispawn    : INFO ....... certutil -A -d
>>>>>         /root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t
>>>>>         u,u,u -i /root/.dogtag/pki-tomcat/ca_admin.cert.der -f
>>>>>         /root/.dogtag/pki-tomcat/ca/password.conf
>>>>>         Notice: Trust flag u is set automatically if the private
>>>>>         key is present.
>>>>>         pkispawn    : INFO ....... pk12util -d
>>>>>         /root/.dogtag/pki-tomcat/ca/alias -o
>>>>>         /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI
>>>>>         Administrator -w
>>>>>         /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
>>>>>         /root/.dogtag/pki-tomcat/ca/password.conf
>>>>>         pkispawn    : INFO ... finalizing
>>>>>         'pki.server.deployment.scriptlets.finalization'
>>>>>         pkispawn    : INFO ....... cp -p
>>>>>         /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>>>>>         /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
>>>>>         pkispawn    : INFO ....... generating manifest file called
>>>>>         '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
>>>>>         pkispawn    : INFO ....... cp -p
>>>>>         /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
>>>>>         /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
>>>>>         pkispawn    : INFO ....... executing 'systemctl daemon-reload'
>>>>>         pkispawn    : INFO ....... executing 'systemctl restart
>>>>>         pki-tomcatd@pki-tomcat.service'
>>>>>         Job for pki-tomcatd@pki-tomcat.service canceled.
>>>>>         pkispawn    : ERROR ....... subprocess.CalledProcessError:
>>>>>         Command '['systemctl', 'restart',
>>>>>         'pki-tomcatd@pki-tomcat.service']' returned
>>>>>         non-zero exit status 1!
>>>>>
>>>>>         Installation failed.
>>>>>
>>>>>         Kindly let me know if any specific configuration has to be
>>>>>         done in my openssl CA. Attaching the config file I am
>>>>>         using currently.
>>>>>
>>>>>         Thanks
>>>>>         Kritee
>>>>>
>>>>>         On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu
>>>>>         <cfu at redhat.com> wrote:
>>>>>
>>>>>             Kritee,
>>>>>
>>>>>             At the minimum, you need the fixes I talked about.
>>>>>             They were checked into the master but have not been
>>>>>             built officially, so yum is not going to get you the
>>>>>             right rpm.  However, you can check it out and build it
>>>>>             yourself.
>>>>>             Here is how you check out the master:
>>>>>
>>>>>             git clone git://git.fedorahosted.org/git/pki.git
>>>>>
>>>>>             You can then use the build scripts to build.
>>>>>
>>>>>             Finally, I apologize that we are not supposed to
>>>>>             respond to private emails.  Dogtag is a community
>>>>>             where we share our knowledge.  In the future please
>>>>>             send requests to the mailing list.
>>>>>             I took the exception this time to look at your CSR and
>>>>>             certs and I could see that you need the fixes I talked
>>>>>             about.  I don't know if you have other issues though,
>>>>>             but AFAIK you need those two fixes.
>>>>>
>>>>>             Hope this helps.
>>>>>             Christina
>>>>>
>>>>>
>>>>>             On 10/29/2014 01:16 AM, kritee jhawar wrote:
>>>>>>             Hi Christina
>>>>>>
>>>>>>             I have done the default configuration for 389ds and
>>>>>>             haven't specifically turned on ssl for it.
>>>>>>
>>>>>>             Initially I tried using Microsoft and OpenSSL CA as
>>>>>>             external CAs. This was about a month back and I pulled
>>>>>>             the RPMs using yum (so I assume they are the latest
>>>>>>             ones with the fix you mentioned).
>>>>>>             With this, my pki spawn went fine. In fact the admin
>>>>>>             cert got generated using the externally provided root
>>>>>>             cert as well. But dogtag couldn't connect to the ds.
>>>>>>             As mentioned earlier it gave me a PKIException error
>>>>>>             listing the certs with error code 500.
>>>>>>             Looking at the ds logs I found that the error was
>>>>>>             'bad search filter'.
>>>>>>             However when I tried the same steps with dogtag as
>>>>>>             external CA the setup went through without a glitch.
>>>>>>             The chain I imported was directly from the GUI of
>>>>>>             dogtag. In fact I included the header and footer as
>>>>>>             well.
>>>>>>
>>>>>>             When I tried to reverse engineer the chain, I took
>>>>>>             the root cert of external dogtag ca and used OpenSSL
>>>>>>             to convert it into pkcs7. This chain was not the same
>>>>>>             as provided from the GUI. Hence I thought that there
>>>>>>             is some particular format for the chain because of
>>>>>>             which the other CAs aren't working.
>>>>>>
>>>>>>             Also, I updated the Rpms using yum and tried to
>>>>>>             generate the CSR with the extra attributes. My csr
>>>>>>             still doesn't reflect those added attributes.
>>>>>>
>>>>>>             Is yum not the correct way to get the latest code?
>>>>>>
>>>>>>             I am very new to this, really appreciate your
>>>>>>             assistance and time.
>>>>>>
>>>>>>             Regards
>>>>>>             Kritee
>>>>>>
>>>>>>             On Wednesday, 29 October 2014, Christina Fu
>>>>>>             <cfu at redhat.com> wrote:
>>>>>>
>>>>>>                 the cert chain you provide in the file specified
>>>>>>                 under
>>>>>>                 pki_external_ca_cert_chain_path
>>>>>>                 should be just pkcs7 without header/footer.
>>>>>>
>>>>>>                 I don't know why it would not talk to the DS (did
>>>>>>                 you turn on ssl for the ds?).
>>>>>>                 Not sure if you build your Dogtag from the
>>>>>>                 master, if you do, I'd suggest you get the most
>>>>>>                 updated so you get fixes from the tickets I
>>>>>>                 provided previously which would address at least
>>>>>>                 two issues relating to external CA.
>>>>>>
>>>>>>                 Christina
>>>>>>
>>>>>>                 On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>>>>>>                 Hi Christina
>>>>>>>
>>>>>>>                 I was undertaking this activity last month where
>>>>>>>                 Microsoft CA didn't work out but Dogtag as
>>>>>>>                 external CA did.
>>>>>>>
>>>>>>>                 While using Microsoft CA or OpenSSL CA, pki
>>>>>>>                 spawn goes through without any error but dogtag
>>>>>>>                 stops communications to 389ds. Upon calling the
>>>>>>>                 rest Api /ca/rest/certs I get a "PKIException
>>>>>>>                 error listing the certs".
>>>>>>>
>>>>>>>                 Is there a particular format for the ca cert
>>>>>>>                 chain that we need to provide ? I was trying to
>>>>>>>                 reverse engineer the chain provided by dogtag.
>>>>>>>
>>>>>>>                 Thanks
>>>>>>>                 Kritee
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                 On Monday, 27 October 2014, Christina Fu
>>>>>>>                 <cfu at redhat.com> wrote:
>>>>>>>
>>>>>>>                     If you meant the following two:
>>>>>>>                     https://fedorahosted.org/pki/ticket/1190 CA:
>>>>>>>                     issuer DN encoding not preserved at issuance
>>>>>>>                     with signing cert signed by an external CA
>>>>>>>                     https://fedorahosted.org/pki/ticket/1110 -
>>>>>>>                     pkispawn (configuration) does not provide CA
>>>>>>>                     extensions in subordinate certificate
>>>>>>>                     signing requests (CSR)
>>>>>>>
>>>>>>>                     They have just recently been fixed upstream
>>>>>>>                     so I imagine you could use Microsoft CA now.
>>>>>>>                     Theoretically any other CA can be used as an
>>>>>>>                     external CA, but if you run into issues,
>>>>>>>                     please feel free to report.
>>>>>>>
>>>>>>>                     Christina
>>>>>>>
>>>>>>>
>>>>>>>                     On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>>>>>>                     Hi
>>>>>>>>
>>>>>>>>                     In my recent thread I read that there is a
>>>>>>>>                     bug due to which Microsoft CA can't work as
>>>>>>>>                     external CA for dogtag.
>>>>>>>>                     Can OpenSSL be used?
>>>>>>>>
>>>>>>>>                     Thanks
>>>>>>>>                     Kritee
>>>>>>>>
>>>>>>>>
>>>>>>>>                     _______________________________________________
>>>>>>>>                     Pki-users mailing list
>>>>>>>>                     Pki-users at redhat.com
>>>>>>>>                     https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>
>
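The chain file Christina describes (the root first, then the CA signing cert, as bare DER PKCS#7 with no PEM header/footer) can be built and sanity-checked with openssl before running pkispawn step 2. This is an added example, not code from the thread or from the Dogtag project; it assumes an openssl binary on PATH and generates a throwaway root and sub-CA as constructed test data.

```shell
#!/bin/sh
# Added example: build the bare DER PKCS#7 chain that pki_external_ca_cert_chain_path
# expects (root first, then the CA signing cert) and sanity-check it before
# pkispawn step 2. Assumes openssl on PATH; the demo CAs are constructed test data.

# Constructed test data: a throwaway root and a subordinate CA it signs, both CA:TRUE.
make_demo_cas() {  # make_demo_cas DIR
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo External Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Dogtag CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/ca.ext" -out "$d/subca.pem" 2>/dev/null
}

# Root first, then the CA signing cert, written as DER with no PEM header/footer.
build_chain() {  # build_chain ROOT.pem SUBCA.pem OUT.p7b
  openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -outform DER -out "$3"
}

# Exit status: 0 chain looks right; 1 PEM header present (NSS reports -8183,
# "improperly formatted DER-encoded message"); 2 not PKCS#7 or fewer than two
# certs; 3 first cert is not a self-signed root.
check_chain() {  # check_chain CHAIN.p7b
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    echo "chain is PEM; strip the header/footer and use bare DER" >&2; return 1
  fi
  certs=$(openssl pkcs7 -inform DER -in "$1" -print_certs -noout 2>/dev/null) || return 2
  n=$(printf '%s\n' "$certs" | grep -c '^subject=' || true)
  [ "$n" -ge 2 ] || { echo "expected root + CA signing cert, found $n" >&2; return 2; }
  subj=$(printf '%s\n' "$certs" | sed -n 's/^subject=//p' | head -n 1)
  iss=$(printf '%s\n' "$certs" | sed -n 's/^issuer=//p' | head -n 1)
  [ "$subj" = "$iss" ] || { echo "first cert must be the self-signed root" >&2; return 3; }
  return 0
}

# Independently confirm the CA signing cert really chains up to that root.
verify_chain() {  # verify_chain ROOT.pem SUBCA.pem
  openssl verify -CAfile "$1" "$2" >/dev/null
}
```

Point `pki_external_ca_cert_chain_path` at the `.p7b` produced by `build_chain` only once `check_chain` and `verify_chain` both succeed.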
