From cfu at redhat.com  Thu Oct  2 00:00:07 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 01 Oct 2014 17:00:07 -0700
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
Message-ID: <542C9587.6080107@redhat.com>

What's your scep config values, specifically:
ca.scep.nickname
ca.scep.tokenname

Christina

On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>
> Hello,
>
> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs 
> setup for SCEP enrollment. But, no matter whether we try the older 
> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a 
> successful SCEP request. The following exception occurs in the debug log:
>
> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>
> [29/Sep/2014:13:41:17][http-9180-1]: 
> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>
> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>
> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>
> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>
> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>
> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>
> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>
> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>
> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>
> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>
> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>
> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>
> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>
> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>
> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>
> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>
> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>
> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>
> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>
> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>
> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>
> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>
> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>
> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>
> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>
> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>
> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>
> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>
> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>
> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>
> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>
> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>
> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>
> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>
> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>
> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>
> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>
> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>         at 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
>         at 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
>         at 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
>         at 
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
>         at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
>         at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
>         at 
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
>         at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
> javax.servlet.ServletException: Failed to process message in CEP 
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> What stands out is the line with mNickname. After restarting the 
> service, with the first request, the HSM token name appears to be 
> listed twice in the *mNickname* string.  Interestingly, with each new 
> request, the number of token names increases by one in the string. 
> i.e. with the 2^nd attempt, the same exception occurs but the token 
> name appears three times:
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>         at 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
>         at 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
>         at 
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
>         at 
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
>         at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
>         at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
>         at 
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
>         at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
> javax.servlet.ServletException: Failed to process message in CEP 
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> As mentioned, the exception occurs with both versions 4 and 5 of 
> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating 
> with SCEP enrollment.) With local tokens, (no HSMs) the error does not 
> occur.
>
> Any Ideas, how we can track this down? We definitely need to get this 
> running.
>
> Best regards!
>
> William Elliott
>
> s IT Solutions
>
> Open System Services
>
> s IT Solutions AT Spardat GmbH
>
> A-1110 Wien, Geiselbergstra?e 21 - 25
>
> Phone: +43 (0)5 0100 - 39376
>
> Fax: +43 (0)5 0100 9 - 39376
>
> Mobile: +43 (0)5 0100 6 - 39376
>
> _mailto:william.elliott at s-itsolutions.at 
> <mailto:william.elliott%20at%20s-itsolutions.at>_
>
> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court 
> of Vienna
>
> This message and any attached files are confidential and intended 
> solely for the addressee(s). Any publication, transmission or other 
> use of the information by a person or entity other than the intended 
> addressee is prohibited. If you receive this in error please contact 
> the sender and delete the material. The sender does not accept 
> liability for any errors or omissions as a result of the transmission.
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141001/7776c86c/attachment.htm>

From cfu at redhat.com  Thu Oct  2 00:14:52 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 01 Oct 2014 17:14:52 -0700
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
In-Reply-To: <542C9587.6080107@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
	<542C9587.6080107@redhat.com>
Message-ID: <542C98FC.3040209@redhat.com>

btw, I'm not suggesting that you need either or both config params.

three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you 
intend to use anyway)

2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the 
ca, it will find the token for you)

3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca 
signing cert.. )

Let us know.
Christina

On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs 
>> setup for SCEP enrollment.  But, no matter whether we try the older 
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a 
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: 
>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>
>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>
>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>
>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>
>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>
>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>
>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>
>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>
>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>
>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>
>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>
>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>
>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>
>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>
>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>
>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>
>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>
>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>
>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>
>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>
>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>
>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>
>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>
>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>
>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>
>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>
>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>
>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>
>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>
>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>
>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>
>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>
>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>
>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>
>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>
>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>
>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>
>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>>         at 
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>         at 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>>         at 
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>>         at 
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>>         at 
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>>         at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
>> javax.servlet.ServletException: Failed to process message in CEP 
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the 
>> service, with the first request, the HSM token name appears to be 
>> listed twice in the *mNickname* string.  Interestingly, with each new 
>> request, the number of token names increases by one in the string. 
>> i.e. with the 2^nd attempt, the same exception occurs but the token 
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>>         at 
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>         at 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>>         at 
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>>         at 
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>>         at 
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>>         at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
>> javax.servlet.ServletException: Failed to process message in CEP 
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of 
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating 
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does 
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this 
>> running.
>>
>> Best regards!
>>
>> William Elliott
>>
>> s IT Solutions
>>
>> Open System Services
>>
>> s IT Solutions AT Spardat GmbH
>>
>> A-1110 Wien, Geiselbergstra?e 21 - 25
>>
>> Phone: +43 (0)5 0100 - 39376
>>
>> Fax: +43 (0)5 0100 9 - 39376
>>
>> Mobile: +43 (0)5 0100 6 - 39376
>>
>> _mailto:william.elliott at s-itsolutions.at 
>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>
>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court 
>> of Vienna
>>
>> This message and any attached files are confidential and intended 
>> solely for the addressee(s). Any publication, transmission or other 
>> use of the information by a person or entity other than the intended 
>> addressee is prohibited. If you receive this in error please contact 
>> the sender and delete the material. The sender does not accept 
>> liability for any errors or omissions as a result of the transmission.
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141001/4309f22e/attachment.htm>

From techpkiuser at gmail.com  Fri Oct 10 05:20:18 2014
From: techpkiuser at gmail.com (pki tech)
Date: Fri, 10 Oct 2014 10:50:18 +0530
Subject: [Pki-users] Renew expired OCSP system certificates
Message-ID: <CAA0gsCO9HCN2-cri+HUNhnrPfQ3e_xZrO0sak=1rxz4co-u21Q@mail.gmail.com>

Hi all,

Good day to you all.

What is the process to renew all the four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired. I cant access the
pkiconsole also as the system is not up and running.

I have used the certutil to generate the certificate requests and get it
signed by the CA. But it didn't work as expected. I believe the procedure
that i have followed to request generation or the signing profiles used for
the generation, may have some issues.

Cheers.

Regards,
Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141010/08d9d647/attachment.htm>

From kriteejhawar at gmail.com  Fri Oct 10 11:18:30 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 10 Oct 2014 16:48:30 +0530
Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
Message-ID: <CAGJVne3eKACPNoKDFNK7mHGNfKx9jSHHvHjQbvuLOP561N3GVQ@mail.gmail.com>

Hello,

I am an engineer from India and I have been struggling with this for the
past 2 weeks. Request you to help me out.

*USE-CASE: *

Dogtag is the private CA for multiple services in a cluster. Trust is
established by providing the root certificate of dogtag to all the
services. What happens if dogtag crashes? All the services will have to be
given the root certificate of the new dogatg.

How can we avoid this?

Can we bring up multiple instances dogtag with a static certificate every
time?

The only way I could find is by using the* external CA* option.

I am following the 2-step pkispawn process with 2 config files
(deployment-1.cfg and deployment-2.cfg)

In the first step the csr is generated. I take the csr and get a
certificate from the external CA and place it in the required location. The
root certificate of the CA has also been placed in the required location.
Step 2 of pkispawn goes through and the ca_admin cert is generated and
signed.

However, when i make a REST call to list the certificates, I get 2
different errors:

(Please note that I replicated the same steps with same files on 2 setups
and got 2 errors)

curl -k --request GET https://localhost:9443/ca/rest/certs

*ERROR 1*

<?xml version="1.0" encoding="UTF-8"
>
standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error
listing certs in
CertsResourceService.listCerts!</Message><Attributes/></PKIException>



*ERROR 2*

With the same steps i also get a NullPointerException as well (Attached
logs - null-pointer-error.txt)



 When i see the status of my pki-instance after pkispawn step-2, It says
the Instance is loaded and needs to be configured. (attched logs :
post-pkispawn-2.txt)
However it starts using systemctl without any errors



I suspect I am missing some part in the configuration.

Any help/pointers would be very helpful!

Thanks

Kritee

*Attached files : *

deployment-1.txt  - config file for pkispawn step 1

deployment-2.txt - config file for pkispawn step 2

pkispawn-1-log.txt - logs for pkisppawn step 1

pkispan-2-log.txt - logs for pkispawn step 2

dogtag-cert.txt - root certificate of dogtag generated by external CA

ca-admin-cert.txt - admin cert signed by dogtag

null-pointer-error.txt - null pointer exception while making a REST call to
list certs

post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141010/7fd789a5/attachment.htm>
-------------- next part --------------
[root at dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v
Loading deployment configuration from deployment.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : ERROR    ....... Selinux is disabled.  Not checking port contexts
pkispawn    : INFO     ... populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn    : INFO     ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn    : INFO     ....... mkdir -p /var/lib/pki
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn    : INFO     ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn    : INFO     ... populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn    : INFO     ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn    : INFO     ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn    : INFO     ... populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn    : INFO     ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties'
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template'
pkispawn    : INFO     ... generating 'pki.deployment.security_databases'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
pkispawn    : INFO     ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes
pkispawn    : INFO     ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1'
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... request: -----BEGIN CERTIFICATE REQUEST-----
MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D
aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK
tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA
fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK
wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e
fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI
hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik
mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA
+eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj
xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP
AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho=
-----END CERTIFICATE REQUEST-----
pkispawn    : INFO     ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr'
pkispawn    : INFO     ... finalizing 'pki.deployment.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'

    ==========================================================================
-----BEGIN CERTIFICATE REQUEST-----

[root at dogtag-ext1 fedora]# pkispawn -s CA -f dep.cfg -v
Loading deployment configuration from dep.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : ERROR    ....... Selinux is disabled.  Not checking port contexts
pkispawn    : INFO     ... skip populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ... skip populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ... skip populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ... skip populating 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... skip deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ... skip assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ... skip generating 'pki.deployment.security_databases'
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com Security Domain', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
loading external CA signing certificate from file: '/home/fedora/dogtag.cisco.com.cer'
loading external CA signing certificate chain from file: '/home/fedora/test-root-ca-2048.cer'
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... ['AtoB', '/root/.dogtag/pki-tomcat/ca_admin.cert', '/root/.dogtag/pki-tomcat/ca_admin.cert.der']
pkispawn    : INFO     ....... ['certutil', '-A', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-n', 'PKI Administrator', '-t', 'u,u,u', '-i', '/root/.dogtag/pki-tomcat/ca_admin.cert.der', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf']
pkispawn    : INFO     ....... ['pk12util', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-o', '/root/.dogtag/pki-tomcat/ca_admin_cert.p12', '-n', 'PKI Administrator', '-w', '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf', '-k', '/root/.dogtag/pki-tomcat/ca/password.conf']
pkispawn    : INFO     ... finalizing 'pki.deployment.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092609
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092609
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
Job for pki-tomcatd at pki-tomcat.service canceled.
pkispawn    : INFO     ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem: 
            systemctl status pki-tomcatd\@pki-tomcat.service
      To restart the subsystem: 
            systemctl restart pki-tomcatd\@pki-tomcat.service
      The URL for the subsystem is: 
            https://dogtag-ext1.novalocal:9443/ca

    ==========================================================================
-------------- next part --------------
[root at dogtag-ext1 fedora]#  systemctl status pki-tomcatd\@pki-tomcat.service
pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled)
   Active: inactive (dead) since Fri 2014-10-10 09:26:19 UTC; 41s ago
  Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 24361 (code=exited, status=143)
   CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service

Oct 10 09:21:38 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: 'pki-tomcat' must still be CONFIGURED!
Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: (see /var/log/pki-tomcat-install.log)
Oct 10 09:21:39 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
Oct 10 09:26:09 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Oct 10 09:26:19 dogtag-ext1.novalocal systemd[1]: Stopped PKI Tomcat Server pki-tomcat.

[root at dogtag-ext1 fedora]#  systemctl start pki-tomcatd\@pki-tomcat.service
[root at dogtag-ext1 fedora]#  systemctl status pki-tomcatd\@pki-tomcat.service
pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled)
   Active: active (running) since Fri 2014-10-10 09:28:18 UTC; 5s ago
  Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
  Process: 24616 ExecStart=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 24784 (java)
   CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service
           ??24784 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/...


Oct 10 09:28:15 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 10 09:28:18 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
-------------- next part --------------
[root at dogtag-ext1 fedora]# openssl pkcs12 -info -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItOgp54c/WGICAggA
MBQGCCqGSIb3DQMHBAjDFi6FqfuIjASCBMgvHxHvir3peQMZX7OQsbTOCHQreAIx
aIrkNZHAzLfKBOCsDmMINysCLW7bjOL8dokYtuCYlGDNYAQLLkPBbAgrqKcVDFTF
162m8qcxfiBJrlcRbnoVpFumuexayYC/WESfM8S1YpL3oY62t/h0acKeGW5GG3a/
M8od8ddnlEa2lSR/x/eiBqLDDVgpgaUVuDZtkyvRvbZzyoh8FK7obZbwjjGYqb2q
CbDLmqLkqkXVuQ0DC+u98PF0RPmQjOQ5QyyYvIKSzdqC5SXqtHZEOAOpHwGzcWoV
+a6Bn6sVtvQSVJN6tV90LUx3OE7r/WzsUAk8Juf6kU69vIg8bUbXe7cPPiKX1sMj
aO+5a/o/T6tkXMS7D1smW65TkMDEnI2XPBPPo4tmhofnng+CRdBMbzxqabZ2PYZD
rKFs3L9eK9XaPBHpIGa2RPq0vCyR8nfHtcVtgnLeFlmoRqVi6/CQCl0Yz7SMl+7R
TdVGoBYpR/EvlmfQd6PxpublMWHmrA5vq7kgz58FTwH058U4IXCgYz1qJjEZhslf
xoNd2u8pBPlSlidCX2KuS2MqF3BmlpkydT61MW/Re+h2Dn8ShNdjuFSXSDRH1W8t
XmuzmIRl1dPZTLPt3PKos3j4vrokoBJLJaX6XLD5OZ3uj0aOual540PsCZRZjeCY
4KjVVCUzwGibjfE5Wh6GJb2rP+FbOJS7hVxM0EA+MKlEZRtnxP05bl0griuUOHvL
6GDJnUO6cSecVXdLlRa0qoD3hqPNvQ02LrhuCskEZz2Ndf+tPgNIcNNlytz1sKx2
Sk/BXVjbqL3UwY9hVqp5Z9CZ7RIQLm8/YrFTaMVs796Z9GcvwElXMhC+TsfQ8QE0
86YCw8KaZchA3mvzKYWIe2mwEBF0TX1WT0/xPLdRfT6uDhbZvcu3iFOAxMwCRdXR
rFWenhCNp9oKYQJQZ/WhNYPC9Y38MNJ4CXIuGbT8B2IUqhN/26Y//8oU09HDSFxB
DB1xHKj/vi8lUiVZgZIpUcXtRwPuzAecqHUNsfcSIA6Xx1+s2GnVbTXELNMyS7jG
8ol6IPJh9JIjJ8zT7YXlDyT9AR6vBYBcEylYZqjq2IvcjvNLm3qrxMYWJMfNoxxi
B80nfNnZQkUNqlC6bFM3R9ip+7aAYZeRchpB4LcmjmeIhaXK3EMhKXsezTjfWOKE
qrSh6pFPwcMeDQwSeEk0LdCA+rq1Aazgse5RbAB/fAMh0OctE/D5UxB/VoI/NKTJ
vNc4aZp5GwADu7ydJbP3t3OTP5YkHegGkih8BUVNumDIoLWFUw/WRvfXXRdYTuPQ
z9lzl4qWES6/J/hZCLGSgFZpYxdB2At1lG20DYcdHtxdR5o10ZGIBJ2n6Eb4ol/7
kn+OVTBUbdDIixoE2c4UV5g+WvukscJ7gIW4xTgeIw48XsznHpwyt3E6J6OY1L4c
kbrBGhsJrlXfvx/BuLJUEU8hi8Rj4x20b+y2xmULilUN7/BPT6ug+9eMB8WuAa9s
RKgKBTGtBfbPLl1URG8RGD/ZmO0xYlFg80qzOQXE9ZUDiKawR3ZEAxAEJClaYSO1
KwBUUMC9XEG49SCjrmIzgoBWZlpgQkmAvlwnr7tWuIFOdzv9wScDtoK84On0Hfno
Lzo=
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F 
subject=/O=cisco.com Security Domain/CN=PKI Administrator
issuer=/L=Kritee/OU=CIBU/O=Cisco Systems/CN=dogtag.cisco.com
-----BEGIN CERTIFICATE-----
MIIDqTCCApGgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBTMQ8wDQYDVQQHEwZLcml0
ZWUxDTALBgNVBAsTBENJQlUxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxGTAXBgNV
BAMTEGRvZ3RhZy5jaXNjby5jb20wHhcNMTQxMDEwMDkyNjE3WhcNMTYwOTI5MDky
NjE3WjBAMSIwIAYDVQQKExljaXNjby5jb20gU2VjdXJpdHkgRG9tYWluMRowGAYD
VQQDExFQS0kgQWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALk6tHHrgmQSrOzTnGIWKZ/zMbry1EnoRaALSqn7Mwb38tFN+NgOqDOk
Np8DbFBfA4B7Myw0lxkRkCCnUIf4etTQ3tnZroN6hd5hKNl+GiIdtyHOI+xQ9H5e
+U48/RyLPLtaG+hQR3bNPJVJ+zGiKynwxSjrTMHoa/mJX3YkCYhKIImbkbNiBnN8
JgW3NGX9CxxdvHfcBN9jK0O+90bQuuWudZi34FQLxMLcI33cN0GfruErvyH/YgMZ
ZitwvTMUx1kOreTNv4IG4AIIs154eIg3hdugSVITg7lNiNXk8AUu2gB0QtrISjEv
nMEkey5wWypjdDmT8nwY3V7fWP7684ECAwEAAaOBmjCBlzAfBgNVHSMEGDAWgBQL
VyuTi45bmeGZ+tYuLVIktqlw+TBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGG
KWh0dHA6Ly9kb2d0YWctZXh0MS5ub3ZhbG9jYWw6OTA4MC9jYS9vY3NwMA4GA1Ud
DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
hvcNAQELBQADggEBAGxtujrjwKvyL7w4wi26uYi5+CiJUeoYt15GoVUL9KgYiT7l
l4RAvhYweClqtVl/oh9IBkYP8CpIZdQGTOm/WBz3a5HnzOkiQ5021mp57+2q4E71
BYxP2kziJ50CMD2SD27kI183NNSPxiFKaXbsww+wecOR+9eUi9RJwSwYs5YNhQbl
8+xUAmtI8umlyVxuVMg21tib71ESJSrZ7Pj40MOZLpkLf5EW6kuuQJCMCmJVUXT8
1pELwwG0q2ttzwxaKl4mN8q1Rhs0DxZ3Je/A9HyyoGpGP4dKKUlKyomQ5/JQ7yYB
zAqSGkubASTn0IErwIRkqf31ZcP8Xe62CuJECb8=
-----END CERTIFICATE-----
-------------- next part --------------
[DEFAULT]
pki_instance_name = <name>

pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005

[CA]
pki_admin_uid = <name>
pki_admin_password = <passwd>
pki_backup_password = <passwd>
pki_client_database_password = <passwd>
pki_client_pkcs12_password = <passwd>
pki_import_admin_cert = False
pki_client_admin_cert = /<path-to-admin-cert>/ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s

pki_ds_hostname = <localhost.localdomian>
pki_ds_ldap_port = <port>
pki_ds_bind_dn = cn=<name>
pki_ds_password = <passwd>
pki_ds_base_dn = o=<name>
pki_security_domain_name = <domain name>
pki_security_domain_password = <passwd>

pki_client_pin = <passwd>
pki_clone_pkcs12_password = <passwd>
pki_one_time_pin = <passwd>
pki_pin = <passwd>
pki_token_password = <passwd>
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=<name>,o=<name>,ou=<name>,L=<name>
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_csr_path=/home/fedora/ca_signing.csr
-------------- next part --------------
[DEFAULT]
pki_instance_name = <name>

pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005

[CA]
pki_admin_uid = <name>
pki_admin_password = <passwd>
pki_backup_password = <passwd>
pki_client_database_password = <passwd>
pki_client_pkcs12_password = <passwd>
pki_import_admin_cert = False
pki_client_admin_cert = /<path-to-admin-cert>/ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s

pki_ds_hostname = <localhost.localdomian>
pki_ds_ldap_port = <port>
pki_ds_bind_dn = cn=<name>
pki_ds_password = <passwd>
pki_ds_base_dn = o=<name>
pki_security_domain_name = <domain name>
pki_security_domain_password = <passwd>

pki_client_pin = <passwd>
pki_clone_pkcs12_password = <passwd>
pki_one_time_pin = <passwd>
pki_pin = <passwd>
pki_token_password = <passwd>
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=<name>,o=<name>,ou=<name>,L=<name>
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_ca_cert_chain_path=/home/fedora/test-root-ca-2048.cer
pki_external_ca_cert_path=/home/fedora/dogtag.cisco.com.cer
pki_external_step_two=True
-------------- next part --------------
-----BEGIN CERTIFICATE-----
MIIEFDCCAvygAwIBAgIKUZIHHgADAAAOXjANBgkqhkiG9w0BAQUFADAuMRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtURVNULVNTTC1DQTAeFw0xNDEw
MTAwOTEzMDNaFw0xNjEwMTAwOTIzMDNaMFMxDzANBgNVBAcTBktyaXRlZTEWMBQG
A1UEChMNQ2lzY28gU3lzdGVtczENMAsGA1UECxMEQ0lCVTEZMBcGA1UEAxMQZG9n
dGFnLmNpc2NvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJi4
HzcInUskeO5MFQDhqK/5BzokyUuanOH7AiTOoEA57Au5V2wul3HWCrUB7PWO/x28
0A4jGTRkv4R0URoevKmXa/6QsUmzjaGzHMzO7YY1EOXK1ICQiNbRtl2jCgUUDLaj
QHyWP0gWlRAaUc6ftAyedQ/qho8iWqtj884/qQiSzED7/60PQUhS6/CbPkBK5+4+
SUMGe5OMJGQqCsHAFYMA80N8QrSnsPjOV4I/Ts5pEIGZNUlYjwS15efIMvrpLgRw
R0l1gGPm9+DfSEJ1ta6M89O93nw/GUoB0GFrI0cQnZ4jr4Hd+4L4sg5TCGjoe/h2
qWI9ZPlQs5ioplOGayUCAwEAAaOCAQ0wggEJMB0GA1UdDgQWBBQLVyuTi45bmeGZ
+tYuLVIktqlw+TAfBgNVHSMEGDAWgBSOyU4uaEbJcL9gdzJhERmzyilLEjBKBgNV
HR8EQzBBMD+gPaA7hjlodHRwOi8vdGVzdC1zc2wtY2EuY2lzY28uY29tL2NlcnRp
ZmljYXRlcy90ZXN0LXNzbC1jYS5jcmwwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQEA
MEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3Br
aS9wb2xpY2llcy9pbmRleC5odG1sMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAnaizhTLtuAWk24gQ1eCERmzdRcU4AQux
6LTUV9iSM8UYQGZohtL4YPSq2UUG70zBZrxiXNIsdDgF7HoRte3GmcjAekT4xSL6
27W9emMLIaQARwCMN80y/S81ksDdwRPYuy3t/7QOY5fUeoxJ4OtZyq8V5f+oqmxc
ngiYlnF7B6dhxDldZ7IR4ON0v2jTaXUPQmR/In7OsQiFKpiaSTfuOuEoeFvoieeh
l0H5f32ex0HJOFm66e/GSBKKqFExJaIbzLaZSgCjLojSuqJvUj0SfnqMZDiKsfUa
Wpuv0LrsD/AcOLeD+SDa2TCG7JHrbPT7frZ+Xomx8uKYd8FbK7+zHA==
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:92:07:1e:00:03:00:00:0e:5e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cisco Systems, CN=TEST-SSL-CA
        Validity
            Not Before: Oct 10 09:13:03 2014 GMT
            Not After : Oct 10 09:23:03 2016 GMT
        Subject: L=Kritee, O=Cisco Systems, OU=CIBU, CN=dogtag.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:b8:1f:37:08:9d:4b:24:78:ee:4c:15:00:e1:
                    a8:af:f9:07:3a:24:c9:4b:9a:9c:e1:fb:02:24:ce:
                    a0:40:39:ec:0b:b9:57:6c:2e:97:71:d6:0a:b5:01:
                    ec:f5:8e:ff:1d:bc:d0:0e:23:19:34:64:bf:84:74:
                    51:1a:1e:bc:a9:97:6b:fe:90:b1:49:b3:8d:a1:b3:
                    1c:cc:ce:ed:86:35:10:e5:ca:d4:80:90:88:d6:d1:
                    b6:5d:a3:0a:05:14:0c:b6:a3:40:7c:96:3f:48:16:
                    95:10:1a:51:ce:9f:b4:0c:9e:75:0f:ea:86:8f:22:
                    5a:ab:63:f3:ce:3f:a9:08:92:cc:40:fb:ff:ad:0f:
                    41:48:52:eb:f0:9b:3e:40:4a:e7:ee:3e:49:43:06:
                    7b:93:8c:24:64:2a:0a:c1:c0:15:83:00:f3:43:7c:
                    42:b4:a7:b0:f8:ce:57:82:3f:4e:ce:69:10:81:99:
                    35:49:58:8f:04:b5:e5:e7:c8:32:fa:e9:2e:04:70:
                    47:49:75:80:63:e6:f7:e0:df:48:42:75:b5:ae:8c:
                    f3:d3:bd:de:7c:3f:19:4a:01:d0:61:6b:23:47:10:
                    9d:9e:23:af:81:dd:fb:82:f8:b2:0e:53:08:68:e8:
                    7b:f8:76:a9:62:3d:64:f9:50:b3:98:a8:a6:53:86:
                    6b:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                0B:57:2B:93:8B:8E:5B:99:E1:99:FA:D6:2E:2D:52:24:B6:A9:70:F9
            X509v3 Authority Key Identifier: 
                keyid:8E:C9:4E:2E:68:46:C9:70:BF:60:77:32:61:11:19:B3:CA:29:4B:12

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://test-ssl-ca.cisco.com/certificates/test-ssl-ca.crl

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.9.21.1.1.0
                  CPS: http://www.cisco.com/security/pki/policies/index.html

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
         9d:a8:b3:85:32:ed:b8:05:a4:db:88:10:d5:e0:84:46:6c:dd:
         45:c5:38:01:0b:b1:e8:b4:d4:57:d8:92:33:c5:18:40:66:68:
         86:d2:f8:60:f4:aa:d9:45:06:ef:4c:c1:66:bc:62:5c:d2:2c:
         74:38:05:ec:7a:11:b5:ed:c6:99:c8:c0:7a:44:f8:c5:22:fa:
         db:b5:bd:7a:63:0b:21:a4:00:47:00:8c:37:cd:32:fd:2f:35:
         92:c0:dd:c1:13:d8:bb:2d:ed:ff:b4:0e:63:97:d4:7a:8c:49:
         e0:eb:59:ca:af:15:e5:ff:a8:aa:6c:5c:9e:08:98:96:71:7b:
         07:a7:61:c4:39:5d:67:b2:11:e0:e3:74:bf:68:d3:69:75:0f:
         42:64:7f:22:7e:ce:b1:08:85:2a:98:9a:49:37:ee:3a:e1:28:
         78:5b:e8:89:e7:a1:97:41:f9:7f:7d:9e:c7:41:c9:38:59:ba:
         e9:ef:c6:48:12:8a:a8:51:31:25:a2:1b:cc:b6:99:4a:00:a3:
         2e:88:d2:ba:a2:6f:52:3d:12:7e:7a:8c:64:38:8a:b1:f5:1a:
         5a:9b:af:d0:ba:ec:0f:f0:1c:38:b7:83:f9:20:da:d9:30:86:
         ec:91:eb:6c:f4:fb:7e:b6:7e:5e:89:b1:f2:e2:98:77:c1:5b:
         2b:bf:b3:1c
-------------- next part --------------
[root at dogtag-ext1 fedora]# curl -k --request GET https://localhost:9443/ca/rest/certs
<html><head><title>Apache Tomcat/7.0.47 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
[root at dogtag-ext1 fedora]# hostname
dogtag-ext1.novalocal
[root at dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
<html><head><title>Apache Tomcat/7.0.47 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
[DEFAULT]
[root at dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
<html><head><title>Apache Tomcat/7.0.47 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
</pre></p><p><b>root cause</b> <pre>java.lang.NullPointerException
        com.netscape.cms.servlet.cert.CertService.&lt;init&gt;(CertService.java:92)
        sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:82)
        org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.createResource(POJOResourceFactory.java:43)
        org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:210)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.47 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.47</h3></body></html>
-------------- next part --------------
[root at dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v
Loading deployment configuration from deployment.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : ERROR    ....... Selinux is disabled.  Not checking port contexts
pkispawn    : INFO     ... populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn    : INFO     ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn    : INFO     ....... mkdir -p /var/lib/pki
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn    : INFO     ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn    : INFO     ... populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn    : INFO     ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn    : INFO     ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn    : INFO     ... populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn    : INFO     ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties'
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template'
pkispawn    : INFO     ... generating 'pki.deployment.security_databases'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
pkispawn    : INFO     ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes
pkispawn    : INFO     ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1'
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... request: -----BEGIN CERTIFICATE REQUEST-----
MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D
aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK
tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA
fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK
wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e
fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI
hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik
mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA
+eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj
xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP
AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho=
-----END CERTIFICATE REQUEST-----
pkispawn    : INFO     ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr'
pkispawn    : INFO     ... finalizing 'pki.deployment.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin

      To check the status of the subsystem: 
            systemctl status pki-tomcatd\@pki-tomcat.service
      To restart the subsystem: 
            systemctl restart pki-tomcatd\@pki-tomcat.service
      The URL for the subsystem is: 
            https://dogtag-ext1.novalocal:9443/ca

    ==========================================================================

From gaiseric.vandal at gmail.com  Fri Oct 10 12:43:55 2014
From: gaiseric.vandal at gmail.com (Gaiseric Vandal)
Date: Fri, 10 Oct 2014 08:43:55 -0400
Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for
 Dogtag
In-Reply-To: <CAGJVne3eKACPNoKDFNK7mHGNfKx9jSHHvHjQbvuLOP561N3GVQ@mail.gmail.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<CAGJVne3eKACPNoKDFNK7mHGNfKx9jSHHvHjQbvuLOP561N3GVQ@mail.gmail.com>
Message-ID: <5437D48B.8060907@gmail.com>

The CA needs to generate or sign certificates for other servers- e.g. a 
web server.  Clients of those servers should trust the CA's certificate 
as the CA certificate that signs the server certificates.  They don't 
need to communicate with the CA directly.      (The exception might be 
if the CA is also an online certificate revocation server -  but that is 
beyond my experience.)

You should assume that your CA will eventually crash-  or that you might 
make a configuration change or an update that you want to roll back.  As 
with any server, you should back up the critical files.  if this is a 
virtual machine, it makes backing up the entire machine much easier.


I wouldn't imagine that the entire CA configuration and database 
directories are very big.






On 10/10/14 07:18, kritee jhawar wrote:
>
> Hello,
>
> I am an engineer from India and I have been struggling with this for 
> the past 2 weeks. Request you to help me out.
>
> *USE-CASE: *
>
> Dogtag is the private CA for multiple services in a cluster. Trust is 
> established by providing the root certificate of dogtag to all the 
> services. What happens if dogtag crashes? All the services will have 
> to be given the root certificate of the new dogatg.
>
> How can we avoid this?
>
> Can we bring up multiple instances dogtag with a static certificate 
> every time?
>
> The only way I could find is by using the*external CA* option.
>
> I am following the 2-step pkispawn process with 2 config files 
> (deployment-1.cfg and deployment-2.cfg)
>
> In the first step the csr is generated. I take the csr and get a 
> certificate from the external CA and place it in the required 
> location. The root certificate of the CA has also been placed in the 
> required location. Step 2 of pkispawn goes through and the ca_admin 
> cert is generated and signed.
>
> However, when i make a REST call to list the certificates, I get 2 
> different errors:
>
> (Please note that I replicated the same steps with same files on 2 
> setups and got 2 errors)
>
> curl -k --request GET https://localhost:9443/ca/rest/certs
>
> *_ERROR 1_*
>
> <?xml version="1.0" encoding="UTF-8"
> > standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error listing certs in CertsResourceService.listCerts!</Message><Attributes/></PKIException>
>
> *_ERROR 2_*
>
> With the same steps i also get a NullPointerException as well 
> (Attached logs - null-pointer-error.txt)
>
>
>
> When i see the status of my pki-instance after pkispawn step-2, It 
> says the Instance is loaded and needs to be configured. (attched logs 
> : post-pkispawn-2.txt)
> However it starts using systemctl without any errors
>
> I suspect I am missing some part in the configuration.
>
> Any help/pointers would be very helpful!
>
> Thanks
>
> Kritee
>
> *Attached files : *
>
> deployment-1.txt - config file for pkispawn step 1
>
> deployment-2.txt - config file for pkispawn step 2
>
> pkispawn-1-log.txt - logs for pkisppawn step 1
>
> pkispan-2-log.txt - logs for pkispawn step 2
>
> dogtag-cert.txt - root certificate of dogtag generated by external CA
>
> ca-admin-cert.txt - admin cert signed by dogtag
>
> null-pointer-error.txt- null pointer exception while making a REST 
> call to list certs
>
> post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141010/0be9df01/attachment.htm>

From kriteejhawar at gmail.com  Sat Oct 11 04:45:34 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Sat, 11 Oct 2014 10:15:34 +0530
Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for
	Dogtag
In-Reply-To: <5437D48B.8060907@gmail.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<CAGJVne3eKACPNoKDFNK7mHGNfKx9jSHHvHjQbvuLOP561N3GVQ@mail.gmail.com>
	<5437D48B.8060907@gmail.com>
Message-ID: <CAGJVne3wgSfimkD4YG+FvXeapzPDgdFFL4=aWHfsU0M6Qky4eg@mail.gmail.com>

Hi

Thanks for the response.I am inline with what you said, that the clients
just need to trust the CA and need not communicate with it. However my
clients are physical devices which will need the trust store burnt into
them which is why i need to have a constant trust chain.
External CA seems like the best way to go. Please let me know if you could
figure out why my configuartion won't go through with the data I have
provided.

Regards
Kritee

On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com>
wrote:

>  The CA needs to generate or sign  certificates for other servers- e.g. a
> web server.  Clients of those servers should trust the CA's certificate as
> the CA certificate that signs the server certificates.  They don't need to
> communicate with the CA directly.      (The exception might be if the CA is
> also an online certificate revocation server -  but that is beyond my
> experience.)
>
> You should assume that your CA will eventually crash-  or that you might
> make a configuration change or an update that you want to roll back.  As
> with any server, you should back up the critical files.  if this is a
> virtual machine, it makes backing up the entire machine much easier.
>
>
> I wouldn't imagine that the entire CA configuration and database
> directories are very big.
>
>
>
>
>
>
> On 10/10/14 07:18, kritee jhawar wrote:
>
>
>  Hello,
>
> I am an engineer from India and I have been struggling with this for the
> past 2 weeks. Request you to help me out.
>
> *USE-CASE: *
>
> Dogtag is the private CA for multiple services in a cluster. Trust is
> established by providing the root certificate of dogtag to all the
> services. What happens if dogtag crashes? All the services will have to be
> given the root certificate of the new dogatg.
>
> How can we avoid this?
>
> Can we bring up multiple instances dogtag with a static certificate every
> time?
>
> The only way I could find is by using the* external CA* option.
>
> I am following the 2-step pkispawn process with 2 config files
> (deployment-1.cfg and deployment-2.cfg)
>
> In the first step the csr is generated. I take the csr and get a
> certificate from the external CA and place it in the required location. The
> root certificate of the CA has also been placed in the required location.
> Step 2 of pkispawn goes through and the ca_admin cert is generated and
> signed.
>
> However, when i make a REST call to list the certificates, I get 2
> different errors:
>
> (Please note that I replicated the same steps with same files on 2 setups
> and got 2 errors)
>
> curl -k --request GET https://localhost:9443/ca/rest/certs
>
> *ERROR 1*
>
> <?xml version="1.0" encoding="UTF-8"
> >
> standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error
> listing certs in
> CertsResourceService.listCerts!</Message><Attributes/></PKIException>
>
>
>
> *ERROR 2*
>
> With the same steps i also get a NullPointerException as well (Attached
> logs - null-pointer-error.txt)
>
>
>
>  When i see the status of my pki-instance after pkispawn step-2, It says
> the Instance is loaded and needs to be configured. (attched logs :
> post-pkispawn-2.txt)
> However it starts using systemctl without any errors
>
>
>
> I suspect I am missing some part in the configuration.
>
> Any help/pointers would be very helpful!
>
> Thanks
>
> Kritee
>
> *Attached files : *
>
> deployment-1.txt  - config file for pkispawn step 1
>
> deployment-2.txt - config file for pkispawn step 2
>
> pkispawn-1-log.txt - logs for pkisppawn step 1
>
> pkispan-2-log.txt - logs for pkispawn step 2
>
> dogtag-cert.txt - root certificate of dogtag generated by external CA
>
> ca-admin-cert.txt - admin cert signed by dogtag
>
> null-pointer-error.txt - null pointer exception while making a REST call
> to list certs
>
> post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
>
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141011/66168407/attachment.htm>

From kriteejhawar at gmail.com  Mon Oct 13 17:38:27 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Mon, 13 Oct 2014 23:08:27 +0530
Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for
	Dogtag
In-Reply-To: <CAGJVne3wgSfimkD4YG+FvXeapzPDgdFFL4=aWHfsU0M6Qky4eg@mail.gmail.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<CAGJVne3eKACPNoKDFNK7mHGNfKx9jSHHvHjQbvuLOP561N3GVQ@mail.gmail.com>
	<5437D48B.8060907@gmail.com>
	<CAGJVne3wgSfimkD4YG+FvXeapzPDgdFFL4=aWHfsU0M6Qky4eg@mail.gmail.com>
Message-ID: <CAGJVne1EWhrfHXyjeg27FtCoBBDi3hqLcMieKXsM1eXm8rQ6xg@mail.gmail.com>

Hi

After a little more debugging came to the conclusion that post external CA
configuration there seems to be some issue with the directory service

Upon making a rest call to list the certs, I get an LDAP exception with
 'Bad Search Filter' message.

Has anyone faced this?

Regards
Kritee

On Sat, Oct 11, 2014 at 10:15 AM, kritee jhawar <kriteejhawar at gmail.com>
wrote:

> Hi
>
> Thanks for the response.I am inline with what you said, that the clients
> just need to trust the CA and need not communicate with it. However my
> clients are physical devices which will need the trust store burnt into
> them which is why i need to have a constant trust chain.
> External CA seems like the best way to go. Please let me know if you could
> figure out why my configuartion won't go through with the data I have
> provided.
>
> Regards
> Kritee
>
> On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal <
> gaiseric.vandal at gmail.com> wrote:
>
>>  The CA needs to generate or sign  certificates for other servers- e.g.
>> a web server.  Clients of those servers should trust the CA's certificate
>> as the CA certificate that signs the server certificates.  They don't need
>> to communicate with the CA directly.      (The exception might be if the CA
>> is also an online certificate revocation server -  but that is beyond my
>> experience.)
>>
>> You should assume that your CA will eventually crash-  or that you might
>> make a configuration change or an update that you want to roll back.  As
>> with any server, you should back up the critical files.  if this is a
>> virtual machine, it makes backing up the entire machine much easier.
>>
>>
>> I wouldn't imagine that the entire CA configuration and database
>> directories are very big.
>>
>>
>>
>>
>>
>>
>> On 10/10/14 07:18, kritee jhawar wrote:
>>
>>
>>  Hello,
>>
>> I am an engineer from India and I have been struggling with this for the
>> past 2 weeks. Request you to help me out.
>>
>> *USE-CASE: *
>>
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to be
>> given the root certificate of the new dogatg.
>>
>> How can we avoid this?
>>
>> Can we bring up multiple instances dogtag with a static certificate every
>> time?
>>
>> The only way I could find is by using the* external CA* option.
>>
>> I am following the 2-step pkispawn process with 2 config files
>> (deployment-1.cfg and deployment-2.cfg)
>>
>> In the first step the csr is generated. I take the csr and get a
>> certificate from the external CA and place it in the required location. The
>> root certificate of the CA has also been placed in the required location.
>> Step 2 of pkispawn goes through and the ca_admin cert is generated and
>> signed.
>>
>> However, when i make a REST call to list the certificates, I get 2
>> different errors:
>>
>> (Please note that I replicated the same steps with same files on 2 setups
>> and got 2 errors)
>>
>> curl -k --request GET https://localhost:9443/ca/rest/certs
>>
>> *ERROR 1*
>>
>> <?xml version="1.0" encoding="UTF-8"
>> >
>> standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error
>> listing certs in
>> CertsResourceService.listCerts!</Message><Attributes/></PKIException>
>>
>>
>>
>> *ERROR 2*
>>
>> With the same steps i also get a NullPointerException as well (Attached
>> logs - null-pointer-error.txt)
>>
>>
>>
>>  When i see the status of my pki-instance after pkispawn step-2, It says
>> the Instance is loaded and needs to be configured. (attched logs :
>> post-pkispawn-2.txt)
>> However it starts using systemctl without any errors
>>
>>
>>
>> I suspect I am missing some part in the configuration.
>>
>> Any help/pointers would be very helpful!
>>
>> Thanks
>>
>> Kritee
>>
>> *Attached files : *
>>
>> deployment-1.txt  - config file for pkispawn step 1
>>
>> deployment-2.txt - config file for pkispawn step 2
>>
>> pkispawn-1-log.txt - logs for pkisppawn step 1
>>
>> pkispan-2-log.txt - logs for pkispawn step 2
>>
>> dogtag-cert.txt - root certificate of dogtag generated by external CA
>>
>> ca-admin-cert.txt - admin cert signed by dogtag
>>
>> null-pointer-error.txt - null pointer exception while making a REST call
>> to list certs
>>
>> post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141013/2523c89a/attachment.htm>

From tjaalton at ubuntu.com  Tue Oct 14 08:17:06 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Tue, 14 Oct 2014 11:17:06 +0300
Subject: [Pki-users] failure trying to install instances other than CA
Message-ID: <543CDC02.1010801@ubuntu.com>


	Hi

  While porting to Debian/Ubuntu I noticed this when installing a new
instance (KRA/TPS..):

<snip>
Security Domain:
  Hostname [sid.tyrell]:
  Secure HTTP port [8443]:
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html (This warning
will only appear once by default.)
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 586, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 268, in main
    info = parser.sd_get_info()
  File
"/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py",
line 465, in sd_get_info
    config.pki_log.info(
AttributeError: 'NoneType' object has no attribute 'info'
</snip>

I'm no python expert, but looks like config.pki_log is still
uninitialized (pki_log = None in pkiconfig.py)? What am I missing?


-- 
t



From alee at redhat.com  Tue Oct 14 20:53:35 2014
From: alee at redhat.com (Ade Lee)
Date: Tue, 14 Oct 2014 16:53:35 -0400
Subject: [Pki-users] failure trying to install instances other than CA
In-Reply-To: <543CDC02.1010801@ubuntu.com>
References: <543CDC02.1010801@ubuntu.com>
Message-ID: <1413320015.11430.11.camel@aleeredhat.laptop>

On Tue, 2014-10-14 at 11:17 +0300, Timo Aaltonen wrote:
> 	Hi
> 
>   While porting to Debian/Ubuntu I noticed this when installing a new
> instance (KRA/TPS..):
> 
> <snip>
> Security Domain:
>   Hostname [sid.tyrell]:
>   Secure HTTP port [8443]:
> /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html (This warning
> will only appear once by default.)
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 586, in <module>
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 268, in main
>     info = parser.sd_get_info()
>   File
> "/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py",
> line 465, in sd_get_info
>     config.pki_log.info(
> AttributeError: 'NoneType' object has no attribute 'info'
> </snip>
> 
> I'm no python expert, but looks like config.pki_log is still
> uninitialized (pki_log = None in pkiconfig.py)? What am I missing?
> 

What this means is that the KRA attempted to contact the security domain
CA at sid.tyrell port 8443, and received an error about an unverified
HTTPS request.  Is this where your security domain (CA) resides?

Are you installing the KRA in a separate instance from the CA?
Which version of dogtag are you using?

Ade
> 




From tjaalton at ubuntu.com  Wed Oct 15 10:55:57 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Wed, 15 Oct 2014 13:55:57 +0300
Subject: [Pki-users] failure trying to install instances other than CA
In-Reply-To: <1413320015.11430.11.camel@aleeredhat.laptop>
References: <543CDC02.1010801@ubuntu.com>
	<1413320015.11430.11.camel@aleeredhat.laptop>
Message-ID: <543E52BD.1060509@ubuntu.com>

On 14.10.2014 23:53, Ade Lee wrote:
> On Tue, 2014-10-14 at 11:17 +0300, Timo Aaltonen wrote:
>> 	Hi
>>
>>   While porting to Debian/Ubuntu I noticed this when installing a new
>> instance (KRA/TPS..):
>>
>> <snip>
>> Security Domain:
>>   Hostname [sid.tyrell]:
>>   Secure HTTP port [8443]:
>> /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>> certificate verification is strongly advised. See:
>> https://urllib3.readthedocs.org/en/latest/security.html (This warning
>> will only appear once by default.)
>>   InsecureRequestWarning)
>> Traceback (most recent call last):
>>   File "/usr/sbin/pkispawn", line 586, in <module>
>>     main(sys.argv)
>>   File "/usr/sbin/pkispawn", line 268, in main
>>     info = parser.sd_get_info()
>>   File
>> "/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py",
>> line 465, in sd_get_info
>>     config.pki_log.info(
>> AttributeError: 'NoneType' object has no attribute 'info'
>> </snip>
>>
>> I'm no python expert, but looks like config.pki_log is still
>> uninitialized (pki_log = None in pkiconfig.py)? What am I missing?
>>
> 
> What this means is that the KRA attempted to contact the security domain
> CA at sid.tyrell port 8443, and received an error about an unverified
> HTTPS request.  Is this where your security domain (CA) resides?

Yep. I can access the CA ui just fine with a browser though, so it
should be up and running..

> Are you installing the KRA in a separate instance from the CA?
> Which version of dogtag are you using?

10.2.


-- 
t



From kriteejhawar at gmail.com  Fri Oct 10 11:14:10 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 10 Oct 2014 16:44:10 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
Message-ID: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>

Hello,

I am an engineer from India and I have been struggling with this for the
past 2 weeks. Request you to help me out.

*USE-CASE: *

Dogtag is the private CA for multiple services in a cluster. Trust is
established by providing the root certificate of dogtag to all the
services. What happens if dogtag crashes? All the services will have to be
given the root certificate of the new dogatg.

How can we avoid this?

Can we bring up multiple instances dogtag with a static certificate every
time?

The only way I could find is by using the* external CA* option.

I am following the 2-step pkispawn process with 2 config files
(deployment-1.cfg and deployment-2.cfg)

In the first step the csr is generated. I take the csr and get a
certificate from the external CA and place it in the required location. The
root certificate of the CA has also been placed in the required location.
Step 2 of pkispawn goes through and the ca_admin cert is generated and
signed.

However, when i make a REST call to list the certificates, I get 2
different errors:

(Please note that I replicated the same steps with same files on 2 setups
and got 2 errors)

curl -k --request GET https://localhost:9443/ca/rest/certs

*ERROR 1*

<?xml version="1.0" encoding="UTF-8"
>
standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error
listing certs in
CertsResourceService.listCerts!</Message><Attributes/></PKIException>



*ERROR 2*

With the same steps i also get a NullPointerException as well (Attached
logs - null-pointer-error.txt)



 When i see the status of my pki-instance after pkispawn step-2, It says
the Instance is loaded and needs to be configured. (attched logs :
post-pkispawn-2.txt)
However it starts using systemctl without any errors



I suspect I am missing some part in the configuration.

Any help/pointers would be very helpful!

Thanks

Kritee

*Attached files : *

deployment-1.txt  - config file for pkispawn step 1

deployment-2.txt - config file for pkispawn step 2

pkispawn-1-log.txt - logs for pkisppawn step 1

pkispan-2-log.txt - logs for pkispawn step 2

dogtag-cert.txt - root certificate of dogtag generated by external CA

ca-admin-cert.txt - admin cert signed by dogtag

null-pointer-error.txt - null pointer exception while making a REST call to
list certs

post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141010/1ad3862b/attachment.htm>
-------------- next part --------------
[root at dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v
Loading deployment configuration from deployment.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : ERROR    ....... Selinux is disabled.  Not checking port contexts
pkispawn    : INFO     ... populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn    : INFO     ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn    : INFO     ....... mkdir -p /var/lib/pki
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn    : INFO     ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn    : INFO     ... populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn    : INFO     ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn    : INFO     ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn    : INFO     ... populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn    : INFO     ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties'
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template'
pkispawn    : INFO     ... generating 'pki.deployment.security_databases'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
pkispawn    : INFO     ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes
pkispawn    : INFO     ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1'
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... request: -----BEGIN CERTIFICATE REQUEST-----
MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D
aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK
tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA
fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK
wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e
fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI
hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik
mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA
+eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj
xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP
AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho=
-----END CERTIFICATE REQUEST-----
pkispawn    : INFO     ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr'
pkispawn    : INFO     ... finalizing 'pki.deployment.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'

    ==========================================================================
-----BEGIN CERTIFICATE REQUEST-----

[root at dogtag-ext1 fedora]# pkispawn -s CA -f dep.cfg -v
Loading deployment configuration from dep.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : ERROR    ....... Selinux is disabled.  Not checking port contexts
pkispawn    : INFO     ... skip populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ... skip populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ... skip populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ... skip populating 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... skip deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ... skip assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ... skip generating 'pki.deployment.security_databases'
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com Security Domain', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
loading external CA signing certificate from file: '/home/fedora/dogtag.cisco.com.cer'
loading external CA signing certificate chain from file: '/home/fedora/test-root-ca-2048.cer'
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... ['AtoB', '/root/.dogtag/pki-tomcat/ca_admin.cert', '/root/.dogtag/pki-tomcat/ca_admin.cert.der']
pkispawn    : INFO     ....... ['certutil', '-A', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-n', 'PKI Administrator', '-t', 'u,u,u', '-i', '/root/.dogtag/pki-tomcat/ca_admin.cert.der', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf']
pkispawn    : INFO     ....... ['pk12util', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-o', '/root/.dogtag/pki-tomcat/ca_admin_cert.p12', '-n', 'PKI Administrator', '-w', '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf', '-k', '/root/.dogtag/pki-tomcat/ca/password.conf']
pkispawn    : INFO     ... finalizing 'pki.deployment.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092609
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092609
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
Job for pki-tomcatd at pki-tomcat.service canceled.
pkispawn    : INFO     ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem: 
            systemctl status pki-tomcatd\@pki-tomcat.service
      To restart the subsystem: 
            systemctl restart pki-tomcatd\@pki-tomcat.service
      The URL for the subsystem is: 
            https://dogtag-ext1.novalocal:9443/ca

    ==========================================================================
-------------- next part --------------
[root at dogtag-ext1 fedora]#  systemctl status pki-tomcatd\@pki-tomcat.service
pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled)
   Active: inactive (dead) since Fri 2014-10-10 09:26:19 UTC; 41s ago
  Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 24361 (code=exited, status=143)
   CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service

Oct 10 09:21:38 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: 'pki-tomcat' must still be CONFIGURED!
Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: (see /var/log/pki-tomcat-install.log)
Oct 10 09:21:39 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
Oct 10 09:26:09 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Oct 10 09:26:19 dogtag-ext1.novalocal systemd[1]: Stopped PKI Tomcat Server pki-tomcat.

[root at dogtag-ext1 fedora]#  systemctl start pki-tomcatd\@pki-tomcat.service
[root at dogtag-ext1 fedora]#  systemctl status pki-tomcatd\@pki-tomcat.service
pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled)
   Active: active (running) since Fri 2014-10-10 09:28:18 UTC; 5s ago
  Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
  Process: 24616 ExecStart=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 24784 (java)
   CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service
           ??24784 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/...


Oct 10 09:28:15 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 10 09:28:18 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
-------------- next part --------------
[root at dogtag-ext1 fedora]# openssl pkcs12 -info -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItOgp54c/WGICAggA
MBQGCCqGSIb3DQMHBAjDFi6FqfuIjASCBMgvHxHvir3peQMZX7OQsbTOCHQreAIx
aIrkNZHAzLfKBOCsDmMINysCLW7bjOL8dokYtuCYlGDNYAQLLkPBbAgrqKcVDFTF
162m8qcxfiBJrlcRbnoVpFumuexayYC/WESfM8S1YpL3oY62t/h0acKeGW5GG3a/
M8od8ddnlEa2lSR/x/eiBqLDDVgpgaUVuDZtkyvRvbZzyoh8FK7obZbwjjGYqb2q
CbDLmqLkqkXVuQ0DC+u98PF0RPmQjOQ5QyyYvIKSzdqC5SXqtHZEOAOpHwGzcWoV
+a6Bn6sVtvQSVJN6tV90LUx3OE7r/WzsUAk8Juf6kU69vIg8bUbXe7cPPiKX1sMj
aO+5a/o/T6tkXMS7D1smW65TkMDEnI2XPBPPo4tmhofnng+CRdBMbzxqabZ2PYZD
rKFs3L9eK9XaPBHpIGa2RPq0vCyR8nfHtcVtgnLeFlmoRqVi6/CQCl0Yz7SMl+7R
TdVGoBYpR/EvlmfQd6PxpublMWHmrA5vq7kgz58FTwH058U4IXCgYz1qJjEZhslf
xoNd2u8pBPlSlidCX2KuS2MqF3BmlpkydT61MW/Re+h2Dn8ShNdjuFSXSDRH1W8t
XmuzmIRl1dPZTLPt3PKos3j4vrokoBJLJaX6XLD5OZ3uj0aOual540PsCZRZjeCY
4KjVVCUzwGibjfE5Wh6GJb2rP+FbOJS7hVxM0EA+MKlEZRtnxP05bl0griuUOHvL
6GDJnUO6cSecVXdLlRa0qoD3hqPNvQ02LrhuCskEZz2Ndf+tPgNIcNNlytz1sKx2
Sk/BXVjbqL3UwY9hVqp5Z9CZ7RIQLm8/YrFTaMVs796Z9GcvwElXMhC+TsfQ8QE0
86YCw8KaZchA3mvzKYWIe2mwEBF0TX1WT0/xPLdRfT6uDhbZvcu3iFOAxMwCRdXR
rFWenhCNp9oKYQJQZ/WhNYPC9Y38MNJ4CXIuGbT8B2IUqhN/26Y//8oU09HDSFxB
DB1xHKj/vi8lUiVZgZIpUcXtRwPuzAecqHUNsfcSIA6Xx1+s2GnVbTXELNMyS7jG
8ol6IPJh9JIjJ8zT7YXlDyT9AR6vBYBcEylYZqjq2IvcjvNLm3qrxMYWJMfNoxxi
B80nfNnZQkUNqlC6bFM3R9ip+7aAYZeRchpB4LcmjmeIhaXK3EMhKXsezTjfWOKE
qrSh6pFPwcMeDQwSeEk0LdCA+rq1Aazgse5RbAB/fAMh0OctE/D5UxB/VoI/NKTJ
vNc4aZp5GwADu7ydJbP3t3OTP5YkHegGkih8BUVNumDIoLWFUw/WRvfXXRdYTuPQ
z9lzl4qWES6/J/hZCLGSgFZpYxdB2At1lG20DYcdHtxdR5o10ZGIBJ2n6Eb4ol/7
kn+OVTBUbdDIixoE2c4UV5g+WvukscJ7gIW4xTgeIw48XsznHpwyt3E6J6OY1L4c
kbrBGhsJrlXfvx/BuLJUEU8hi8Rj4x20b+y2xmULilUN7/BPT6ug+9eMB8WuAa9s
RKgKBTGtBfbPLl1URG8RGD/ZmO0xYlFg80qzOQXE9ZUDiKawR3ZEAxAEJClaYSO1
KwBUUMC9XEG49SCjrmIzgoBWZlpgQkmAvlwnr7tWuIFOdzv9wScDtoK84On0Hfno
Lzo=
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F 
subject=/O=cisco.com Security Domain/CN=PKI Administrator
issuer=/L=Kritee/OU=CIBU/O=Cisco Systems/CN=dogtag.cisco.com
-----BEGIN CERTIFICATE-----
MIIDqTCCApGgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBTMQ8wDQYDVQQHEwZLcml0
ZWUxDTALBgNVBAsTBENJQlUxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxGTAXBgNV
BAMTEGRvZ3RhZy5jaXNjby5jb20wHhcNMTQxMDEwMDkyNjE3WhcNMTYwOTI5MDky
NjE3WjBAMSIwIAYDVQQKExljaXNjby5jb20gU2VjdXJpdHkgRG9tYWluMRowGAYD
VQQDExFQS0kgQWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALk6tHHrgmQSrOzTnGIWKZ/zMbry1EnoRaALSqn7Mwb38tFN+NgOqDOk
Np8DbFBfA4B7Myw0lxkRkCCnUIf4etTQ3tnZroN6hd5hKNl+GiIdtyHOI+xQ9H5e
+U48/RyLPLtaG+hQR3bNPJVJ+zGiKynwxSjrTMHoa/mJX3YkCYhKIImbkbNiBnN8
JgW3NGX9CxxdvHfcBN9jK0O+90bQuuWudZi34FQLxMLcI33cN0GfruErvyH/YgMZ
ZitwvTMUx1kOreTNv4IG4AIIs154eIg3hdugSVITg7lNiNXk8AUu2gB0QtrISjEv
nMEkey5wWypjdDmT8nwY3V7fWP7684ECAwEAAaOBmjCBlzAfBgNVHSMEGDAWgBQL
VyuTi45bmeGZ+tYuLVIktqlw+TBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGG
KWh0dHA6Ly9kb2d0YWctZXh0MS5ub3ZhbG9jYWw6OTA4MC9jYS9vY3NwMA4GA1Ud
DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
hvcNAQELBQADggEBAGxtujrjwKvyL7w4wi26uYi5+CiJUeoYt15GoVUL9KgYiT7l
l4RAvhYweClqtVl/oh9IBkYP8CpIZdQGTOm/WBz3a5HnzOkiQ5021mp57+2q4E71
BYxP2kziJ50CMD2SD27kI183NNSPxiFKaXbsww+wecOR+9eUi9RJwSwYs5YNhQbl
8+xUAmtI8umlyVxuVMg21tib71ESJSrZ7Pj40MOZLpkLf5EW6kuuQJCMCmJVUXT8
1pELwwG0q2ttzwxaKl4mN8q1Rhs0DxZ3Je/A9HyyoGpGP4dKKUlKyomQ5/JQ7yYB
zAqSGkubASTn0IErwIRkqf31ZcP8Xe62CuJECb8=
-----END CERTIFICATE-----
-------------- next part --------------
[DEFAULT]
pki_instance_name = <name>

pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005

[CA]
pki_admin_uid = <name>
pki_admin_password = <passwd>
pki_backup_password = <passwd>
pki_client_database_password = <passwd>
pki_client_pkcs12_password = <passwd>
pki_import_admin_cert = False
pki_client_admin_cert = /<path-to-admin-cert>/ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s

pki_ds_hostname = <localhost.localdomian>
pki_ds_ldap_port = <port>
pki_ds_bind_dn = cn=<name>
pki_ds_password = <passwd>
pki_ds_base_dn = o=<name>
pki_security_domain_name = <domain name>
pki_security_domain_password = <passwd>

pki_client_pin = <passwd>
pki_clone_pkcs12_password = <passwd>
pki_one_time_pin = <passwd>
pki_pin = <passwd>
pki_token_password = <passwd>
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=<name>,o=<name>,ou=<name>,L=<name>
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_csr_path=/home/fedora/ca_signing.csr
-------------- next part --------------
[DEFAULT]
pki_instance_name = <name>

pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005

[CA]
pki_admin_uid = <name>
pki_admin_password = <passwd>
pki_backup_password = <passwd>
pki_client_database_password = <passwd>
pki_client_pkcs12_password = <passwd>
pki_import_admin_cert = False
pki_client_admin_cert = /<path-to-admin-cert>/ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s

pki_ds_hostname = <localhost.localdomian>
pki_ds_ldap_port = <port>
pki_ds_bind_dn = cn=<name>
pki_ds_password = <passwd>
pki_ds_base_dn = o=<name>
pki_security_domain_name = <domain name>
pki_security_domain_password = <passwd>

pki_client_pin = <passwd>
pki_clone_pkcs12_password = <passwd>
pki_one_time_pin = <passwd>
pki_pin = <passwd>
pki_token_password = <passwd>
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=<name>,o=<name>,ou=<name>,L=<name>
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_ca_cert_chain_path=/home/fedora/test-root-ca-2048.cer
pki_external_ca_cert_path=/home/fedora/dogtag.cisco.com.cer
pki_external_step_two=True
-------------- next part --------------
-----BEGIN CERTIFICATE-----
MIIEFDCCAvygAwIBAgIKUZIHHgADAAAOXjANBgkqhkiG9w0BAQUFADAuMRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtURVNULVNTTC1DQTAeFw0xNDEw
MTAwOTEzMDNaFw0xNjEwMTAwOTIzMDNaMFMxDzANBgNVBAcTBktyaXRlZTEWMBQG
A1UEChMNQ2lzY28gU3lzdGVtczENMAsGA1UECxMEQ0lCVTEZMBcGA1UEAxMQZG9n
dGFnLmNpc2NvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJi4
HzcInUskeO5MFQDhqK/5BzokyUuanOH7AiTOoEA57Au5V2wul3HWCrUB7PWO/x28
0A4jGTRkv4R0URoevKmXa/6QsUmzjaGzHMzO7YY1EOXK1ICQiNbRtl2jCgUUDLaj
QHyWP0gWlRAaUc6ftAyedQ/qho8iWqtj884/qQiSzED7/60PQUhS6/CbPkBK5+4+
SUMGe5OMJGQqCsHAFYMA80N8QrSnsPjOV4I/Ts5pEIGZNUlYjwS15efIMvrpLgRw
R0l1gGPm9+DfSEJ1ta6M89O93nw/GUoB0GFrI0cQnZ4jr4Hd+4L4sg5TCGjoe/h2
qWI9ZPlQs5ioplOGayUCAwEAAaOCAQ0wggEJMB0GA1UdDgQWBBQLVyuTi45bmeGZ
+tYuLVIktqlw+TAfBgNVHSMEGDAWgBSOyU4uaEbJcL9gdzJhERmzyilLEjBKBgNV
HR8EQzBBMD+gPaA7hjlodHRwOi8vdGVzdC1zc2wtY2EuY2lzY28uY29tL2NlcnRp
ZmljYXRlcy90ZXN0LXNzbC1jYS5jcmwwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQEA
MEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3Br
aS9wb2xpY2llcy9pbmRleC5odG1sMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAnaizhTLtuAWk24gQ1eCERmzdRcU4AQux
6LTUV9iSM8UYQGZohtL4YPSq2UUG70zBZrxiXNIsdDgF7HoRte3GmcjAekT4xSL6
27W9emMLIaQARwCMN80y/S81ksDdwRPYuy3t/7QOY5fUeoxJ4OtZyq8V5f+oqmxc
ngiYlnF7B6dhxDldZ7IR4ON0v2jTaXUPQmR/In7OsQiFKpiaSTfuOuEoeFvoieeh
l0H5f32ex0HJOFm66e/GSBKKqFExJaIbzLaZSgCjLojSuqJvUj0SfnqMZDiKsfUa
Wpuv0LrsD/AcOLeD+SDa2TCG7JHrbPT7frZ+Xomx8uKYd8FbK7+zHA==
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:92:07:1e:00:03:00:00:0e:5e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cisco Systems, CN=TEST-SSL-CA
        Validity
            Not Before: Oct 10 09:13:03 2014 GMT
            Not After : Oct 10 09:23:03 2016 GMT
        Subject: L=Kritee, O=Cisco Systems, OU=CIBU, CN=dogtag.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:b8:1f:37:08:9d:4b:24:78:ee:4c:15:00:e1:
                    a8:af:f9:07:3a:24:c9:4b:9a:9c:e1:fb:02:24:ce:
                    a0:40:39:ec:0b:b9:57:6c:2e:97:71:d6:0a:b5:01:
                    ec:f5:8e:ff:1d:bc:d0:0e:23:19:34:64:bf:84:74:
                    51:1a:1e:bc:a9:97:6b:fe:90:b1:49:b3:8d:a1:b3:
                    1c:cc:ce:ed:86:35:10:e5:ca:d4:80:90:88:d6:d1:
                    b6:5d:a3:0a:05:14:0c:b6:a3:40:7c:96:3f:48:16:
                    95:10:1a:51:ce:9f:b4:0c:9e:75:0f:ea:86:8f:22:
                    5a:ab:63:f3:ce:3f:a9:08:92:cc:40:fb:ff:ad:0f:
                    41:48:52:eb:f0:9b:3e:40:4a:e7:ee:3e:49:43:06:
                    7b:93:8c:24:64:2a:0a:c1:c0:15:83:00:f3:43:7c:
                    42:b4:a7:b0:f8:ce:57:82:3f:4e:ce:69:10:81:99:
                    35:49:58:8f:04:b5:e5:e7:c8:32:fa:e9:2e:04:70:
                    47:49:75:80:63:e6:f7:e0:df:48:42:75:b5:ae:8c:
                    f3:d3:bd:de:7c:3f:19:4a:01:d0:61:6b:23:47:10:
                    9d:9e:23:af:81:dd:fb:82:f8:b2:0e:53:08:68:e8:
                    7b:f8:76:a9:62:3d:64:f9:50:b3:98:a8:a6:53:86:
                    6b:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                0B:57:2B:93:8B:8E:5B:99:E1:99:FA:D6:2E:2D:52:24:B6:A9:70:F9
            X509v3 Authority Key Identifier: 
                keyid:8E:C9:4E:2E:68:46:C9:70:BF:60:77:32:61:11:19:B3:CA:29:4B:12

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://test-ssl-ca.cisco.com/certificates/test-ssl-ca.crl

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.9.21.1.1.0
                  CPS: http://www.cisco.com/security/pki/policies/index.html

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
         9d:a8:b3:85:32:ed:b8:05:a4:db:88:10:d5:e0:84:46:6c:dd:
         45:c5:38:01:0b:b1:e8:b4:d4:57:d8:92:33:c5:18:40:66:68:
         86:d2:f8:60:f4:aa:d9:45:06:ef:4c:c1:66:bc:62:5c:d2:2c:
         74:38:05:ec:7a:11:b5:ed:c6:99:c8:c0:7a:44:f8:c5:22:fa:
         db:b5:bd:7a:63:0b:21:a4:00:47:00:8c:37:cd:32:fd:2f:35:
         92:c0:dd:c1:13:d8:bb:2d:ed:ff:b4:0e:63:97:d4:7a:8c:49:
         e0:eb:59:ca:af:15:e5:ff:a8:aa:6c:5c:9e:08:98:96:71:7b:
         07:a7:61:c4:39:5d:67:b2:11:e0:e3:74:bf:68:d3:69:75:0f:
         42:64:7f:22:7e:ce:b1:08:85:2a:98:9a:49:37:ee:3a:e1:28:
         78:5b:e8:89:e7:a1:97:41:f9:7f:7d:9e:c7:41:c9:38:59:ba:
         e9:ef:c6:48:12:8a:a8:51:31:25:a2:1b:cc:b6:99:4a:00:a3:
         2e:88:d2:ba:a2:6f:52:3d:12:7e:7a:8c:64:38:8a:b1:f5:1a:
         5a:9b:af:d0:ba:ec:0f:f0:1c:38:b7:83:f9:20:da:d9:30:86:
         ec:91:eb:6c:f4:fb:7e:b6:7e:5e:89:b1:f2:e2:98:77:c1:5b:
         2b:bf:b3:1c
-------------- next part --------------
[root at dogtag-ext1 fedora]# curl -k --request GET https://localhost:9443/ca/rest/certs
<html><head><title>Apache Tomcat/7.0.47 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
[root at dogtag-ext1 fedora]# hostname
dogtag-ext1.novalocal
[root at dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
<html><head><title>Apache Tomcat/7.0.47 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
[DEFAULT]
[root at dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
<html><head><title>Apache Tomcat/7.0.47 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
</pre></p><p><b>root cause</b> <pre>java.lang.NullPointerException
        com.netscape.cms.servlet.cert.CertService.&lt;init&gt;(CertService.java:92)
        sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:82)
        org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.createResource(POJOResourceFactory.java:43)
        org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:210)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.47 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.47</h3></body></html>
-------------- next part --------------
[root at dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v
Loading deployment configuration from deployment.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : ERROR    ....... Selinux is disabled.  Not checking port contexts
pkispawn    : INFO     ... populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn    : INFO     ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn    : INFO     ....... mkdir -p /var/lib/pki
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn    : INFO     ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn    : INFO     ... populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn    : INFO     ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn    : INFO     ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn    : INFO     ... populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn    : INFO     ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties'
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template'
pkispawn    : INFO     ... generating 'pki.deployment.security_databases'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
pkispawn    : INFO     ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes
pkispawn    : INFO     ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1'
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... request: -----BEGIN CERTIFICATE REQUEST-----
MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D
aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK
tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA
fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK
wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e
fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI
hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik
mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA
+eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj
xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP
AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho=
-----END CERTIFICATE REQUEST-----
pkispawn    : INFO     ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr'
pkispawn    : INFO     ... finalizing 'pki.deployment.finalization'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058
pkispawn    : INFO     ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
pkispawn    : INFO     ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin

      To check the status of the subsystem: 
            systemctl status pki-tomcatd\@pki-tomcat.service
      To restart the subsystem: 
            systemctl restart pki-tomcatd\@pki-tomcat.service
      The URL for the subsystem is: 
            https://dogtag-ext1.novalocal:9443/ca

    ==========================================================================

From jdennis at redhat.com  Wed Oct 15 19:14:56 2014
From: jdennis at redhat.com (John Dennis)
Date: Wed, 15 Oct 2014 15:14:56 -0400
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
Message-ID: <543EC7B0.40806@redhat.com>

On 10/10/2014 07:14 AM, kritee jhawar wrote:
> Dogtag is the private CA for multiple services in a cluster. Trust is
> established by providing the root certificate of dogtag to all the
> services. What happens if dogtag crashes? All the services will have to
> be given the root certificate of the new dogatg.
> 
> How can we avoid this?

Why do you need to re-provision the services with a new root certificate
if Dogtag crashes? Why not just restart the Dogtag instance with the
existing certs? It sounds like you're throwing away the old instance and
creating a new Dogtag instance needlessly.

Also, I don't understand why your services won't run if Dogtag isn't
currently running (unless you're using OCSP). Dogtag provisions certs, a
service using a cert issued by Dogtag doesn't need to communicate with
Dogtag unless you're using OCSP). As long as your services have been
provisioned with the certs issued by Dogtag they should run fine (or are
you issuing very short duration certs that need constant refreshing?)

FWIW, what you describe, re-provisioning of a new CA cert is exactly
identical to handling an expired CA cert. There was documentation
written up recently on how to handle expiring CA certs but I don't have
a pointer to it, sorry. But as I mentioned above I don't you need to
replace the certs, you just need to restart the service.

If the instance is crashing then that's a bug that needs fixing. Please
file a bug report so the problem can get fixed.

Ade can comment on the specific errors you reported.

-- 
John



From kriteejhawar at gmail.com  Thu Oct 16 01:51:37 2014
From: kriteejhawar at gmail.com (Kritee Jhawar)
Date: Thu, 16 Oct 2014 07:21:37 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <543EC7B0.40806@redhat.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<543EC7B0.40806@redhat.com>
Message-ID: <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>

Thanks for the response 

I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft. 

I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with these root certificate. Is there some location I can place a public private key pair wich dogtag uses to come up ? 

Also what I meant by services not coming up was not other components like KRA and DRM. 
I just have the CA subsystem and even though it was getting spawned wo were unable to use it.

Thanks 
Kritee

Sent from my iPhone

> On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
> 
>> On 10/10/2014 07:14 AM, kritee jhawar wrote:
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to
>> be given the root certificate of the new dogatg.
>> 
>> How can we avoid this?
> 
> Why do you need to re-provision the services with a new root certificate
> if Dogtag crashes? Why not just restart the Dogtag instance with the
> existing certs? It sounds like you're throwing away the old instance and
> creating a new Dogtag instance needlessly.
> 
> Also, I don't understand why your services won't run if Dogtag isn't
> currently running (unless you're using OCSP). Dogtag provisions certs, a
> service using a cert issued by Dogtag doesn't need to communicate with
> Dogtag unless you're using OCSP). As long as your services have been
> provisioned with the certs issued by Dogtag they should run fine (or are
> you issuing very short duration certs that need constant refreshing?)
> 
> FWIW, what you describe, re-provisioning of a new CA cert is exactly
> identical to handling an expired CA cert. There was documentation
> written up recently on how to handle expiring CA certs but I don't have
> a pointer to it, sorry. But as I mentioned above I don't you need to
> replace the certs, you just need to restart the service.
> 
> If the instance is crashing then that's a bug that needs fixing. Please
> file a bug report so the problem can get fixed.
> 
> Ade can comment on the specific errors you reported.
> 
> -- 
> John



From alee at redhat.com  Thu Oct 16 14:05:02 2014
From: alee at redhat.com (Ade Lee)
Date: Thu, 16 Oct 2014 10:05:02 -0400
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<543EC7B0.40806@redhat.com>
	<4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>
Message-ID: <1413468302.9052.6.camel@aleeredhat.laptop>

On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> Thanks for the response 
> 
> I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft. 
> 
OK, I suspected that the cert being used as the external CA cert was the
problem.  As I recall, there is a current bug being fixed to address
issues with Microsoft issued CA certs.  If you can use a dogtag cert as
your external CA, then you'll avoid any issues.

> I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with these root certificate. Is there some location I can place a public private key pair wich dogtag uses to come up ? 
> 
I don't understand what you are trying to do here.  You have created
several dogtag CA's that are subordinate to the external CA.  They are
CA's in their own right, with their own signing certificates.  Why do
they need access to the root CA?

If you want several CA's with exactly the same signing cert, then you
want clones.
 
> Also what I meant by services not coming up was not other components like KRA and DRM. 
> I just have the CA subsystem and even though it was getting spawned wo were unable to use it.
> 
> Thanks 
> Kritee
> 
> Sent from my iPhone
> 
> > On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
> > 
> >> On 10/10/2014 07:14 AM, kritee jhawar wrote:
> >> Dogtag is the private CA for multiple services in a cluster. Trust is
> >> established by providing the root certificate of dogtag to all the
> >> services. What happens if dogtag crashes? All the services will have to
> >> be given the root certificate of the new dogatg.
> >> 
> >> How can we avoid this?
> > 
> > Why do you need to re-provision the services with a new root certificate
> > if Dogtag crashes? Why not just restart the Dogtag instance with the
> > existing certs? It sounds like you're throwing away the old instance and
> > creating a new Dogtag instance needlessly.
> > 
> > Also, I don't understand why your services won't run if Dogtag isn't
> > currently running (unless you're using OCSP). Dogtag provisions certs, a
> > service using a cert issued by Dogtag doesn't need to communicate with
> > Dogtag unless you're using OCSP). As long as your services have been
> > provisioned with the certs issued by Dogtag they should run fine (or are
> > you issuing very short duration certs that need constant refreshing?)
> > 
> > FWIW, what you describe, re-provisioning of a new CA cert is exactly
> > identical to handling an expired CA cert. There was documentation
> > written up recently on how to handle expiring CA certs but I don't have
> > a pointer to it, sorry. But as I mentioned above I don't you need to
> > replace the certs, you just need to restart the service.
> > 
> > If the instance is crashing then that's a bug that needs fixing. Please
> > file a bug report so the problem can get fixed.
> > 
> > Ade can comment on the specific errors you reported.
> > 
> > -- 
> > John




From kriteejhawar at gmail.com  Fri Oct 17 08:28:44 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 17 Oct 2014 13:58:44 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <1413468302.9052.6.camel@aleeredhat.laptop>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<543EC7B0.40806@redhat.com>
	<4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>
	<1413468302.9052.6.camel@aleeredhat.laptop>
Message-ID: <8F790279-AC31-4434-B12A-2A11D26B836F@gmail.com>

Thanks a lot 

All this while I was using a Microsoft external CA. 

One more doubt I had: 
Do we have a way we're we can just provide a public private keypaor in a particular location and dogtag will always use that as root cert? 
Something like providing a static root certificate ?

Regards 
Kritee

> On Thursday, 16 October 2014, Ade Lee <alee at redhat.com> wrote:
> On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> > Thanks for the response
> >
> > I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft.
> >
> OK, I suspected that the cert being used as the external CA cert was the
> problem.  As I recall, there is a current bug being fixed to address
> issues with Microsoft issued CA certs.  If you can use a dogtag cert as
> your external CA, then you'll avoid any issues.
> 
> > I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with these root certificate. Is there some location I can place a public private key pair wich dogtag uses to come up ?
> >
> I don't understand what you are trying to do here.  You have created
> several dogtag CA's that are subordinate to the external CA.  They are
> CA's in their own right, with their own signing certificates.  Why do
> they need access to the root CA?
> 
> If you want several CA's with exactly the same signing cert, then you
> want clones.
> 
> > Also what I meant by services not coming up was not other components like KRA and DRM.
> > I just have the CA subsystem and even though it was getting spawned wo were unable to use it.
> >
> > Thanks
> > Kritee
> >
> > Sent from my iPhone
> >
> > > On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
> > >
> > >> On 10/10/2014 07:14 AM, kritee jhawar wrote:
> > >> Dogtag is the private CA for multiple services in a cluster. Trust is
> > >> established by providing the root certificate of dogtag to all the
> > >> services. What happens if dogtag crashes? All the services will have to
> > >> be given the root certificate of the new dogatg.
> > >>
> > >> How can we avoid this?
> > >
> > > Why do you need to re-provision the services with a new root certificate
> > > if Dogtag crashes? Why not just restart the Dogtag instance with the
> > > existing certs? It sounds like you're throwing away the old instance and
> > > creating a new Dogtag instance needlessly.
> > >
> > > Also, I don't understand why your services won't run if Dogtag isn't
> > > currently running (unless you're using OCSP). Dogtag provisions certs, a
> > > service using a cert issued by Dogtag doesn't need to communicate with
> > > Dogtag unless you're using OCSP). As long as your services have been
> > > provisioned with the certs issued by Dogtag they should run fine (or are
> > > you issuing very short duration certs that need constant refreshing?)
> > >
> > > FWIW, what you describe, re-provisioning of a new CA cert is exactly
> > > identical to handling an expired CA cert. There was documentation
> > > written up recently on how to handle expiring CA certs but I don't have
> > > a pointer to it, sorry. But as I mentioned above I don't you need to
> > > replace the certs, you just need to restart the service.
> > >
> > > If the instance is crashing then that's a bug that needs fixing. Please
> > > file a bug report so the problem can get fixed.
> > >
> > > Ade can comment on the specific errors you reported.
> > >
> > > --
> > > John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141017/b4553b8f/attachment.htm>

From kriteejhawar at gmail.com  Fri Oct 17 17:12:27 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 17 Oct 2014 22:42:27 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <1413468302.9052.6.camel@aleeredhat.laptop>
References: <CAGJVne0qT9ig=hUFN_ZRbYKVJEJO8fGF8q5ApDmhQnqyaoqWUw@mail.gmail.com>
	<543EC7B0.40806@redhat.com>
	<4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>
	<1413468302.9052.6.camel@aleeredhat.laptop>
Message-ID: <CAGJVne38wSdPO6=95yR3m1-yqPKsYyx8jeTm6-4h=QG7Z9gnoQ@mail.gmail.com>

Thanks a lot

All this while I was using a Microsoft external CA.

Another doubt I had:
Do we have a way we're we can just provide a public private key pair in a
particular location and dogtag will always use that as root cert?
Something like providing a static root certificate ?

Regards
Kritee

On Thursday, 16 October 2014, Ade Lee <alee at redhat.com> wrote:

> On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> > Thanks for the response
> >
> > I got the setup to work with external CA just yesterday. This time I
> used a dogtag as the external CA rather than OpenSSL and Microsoft.
> >
> OK, I suspected that the cert being used as the external CA cert was the
> problem.  As I recall, there is a current bug being fixed to address
> issues with Microsoft issued CA certs.  If you can use a dogtag cert as
> your external CA, then you'll avoid any issues.
>
> > I'll have multiple instances of dogtag in my deployment. Ideally I want
> all of them to come up with these root certificate. Is there some location
> I can place a public private key pair wich dogtag uses to come up ?
> >
> I don't understand what you are trying to do here.  You have created
> several dogtag CA's that are subordinate to the external CA.  They are
> CA's in their own right, with their own signing certificates.  Why do
> they need access to the root CA?
>
> If you want several CA's with exactly the same signing cert, then you
> want clones.
>
> > Also what I meant by services not coming up was not other components
> like KRA and DRM.
> > I just have the CA subsystem and even though it was getting spawned wo
> were unable to use it.
> >
> > Thanks
> > Kritee
> >
> > Sent from my iPhone
> >
> > > On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com
> <javascript:;>> wrote:
> > >
> > >> On 10/10/2014 07:14 AM, kritee jhawar wrote:
> > >> Dogtag is the private CA for multiple services in a cluster. Trust is
> > >> established by providing the root certificate of dogtag to all the
> > >> services. What happens if dogtag crashes? All the services will have
> to
> > >> be given the root certificate of the new dogatg.
> > >>
> > >> How can we avoid this?
> > >
> > > Why do you need to re-provision the services with a new root
> certificate
> > > if Dogtag crashes? Why not just restart the Dogtag instance with the
> > > existing certs? It sounds like you're throwing away the old instance
> and
> > > creating a new Dogtag instance needlessly.
> > >
> > > Also, I don't understand why your services won't run if Dogtag isn't
> > > currently running (unless you're using OCSP). Dogtag provisions certs,
> a
> > > service using a cert issued by Dogtag doesn't need to communicate with
> > > Dogtag unless you're using OCSP). As long as your services have been
> > > provisioned with the certs issued by Dogtag they should run fine (or
> are
> > > you issuing very short duration certs that need constant refreshing?)
> > >
> > > FWIW, what you describe, re-provisioning of a new CA cert is exactly
> > > identical to handling an expired CA cert. There was documentation
> > > written up recently on how to handle expiring CA certs but I don't have
> > > a pointer to it, sorry. But as I mentioned above I don't you need to
> > > replace the certs, you just need to restart the service.
> > >
> > > If the instance is crashing then that's a bug that needs fixing. Please
> > > file a bug report so the problem can get fixed.
> > >
> > > Ade can comment on the specific errors you reported.
> > >
> > > --
> > > John
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141017/0e1f3dc3/attachment.htm>

From rperez at pgjtabasco.gob.mx  Fri Oct 17 17:44:49 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Fri, 17 Oct 2014 12:44:49 -0500 (CDT)
Subject: [Pki-users] Dogtag and Internet Explorer 11 Compatible?
In-Reply-To: <378744945.99850.1413563656861.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <281960883.100099.1413567889607.JavaMail.root@pgjtabasco.gob.mx>

Hi... I'm trying generate certificate request from an computer with Windows 7 64 bits and Internet Explorer 11 . 

In the Certificate Profile page " Certificate Profile - Manual User Dual-Use Certificate Enrollment" 

Internet Explorer 11 does not display the values of Key Generation. 

And finally when I send the certificate request, I get the error: 


Sorry, your request is not submitted. The reason is "Certificate Request Not Found". 




On the server side... The request appears as "REJECTED" 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141017/746c312e/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagie11.png
Type: image/png
Size: 36088 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141017/746c312e/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagie11_2.png
Type: image/png
Size: 44581 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141017/746c312e/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagie11_3.png
Type: image/png
Size: 20149 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141017/746c312e/attachment-0002.png>

From tjaalton at ubuntu.com  Sat Oct 18 15:39:03 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 18 Oct 2014 18:39:03 +0300
Subject: [Pki-users] Dogtag 10.2.0 is now in Debian
Message-ID: <54428997.8060306@ubuntu.com>


	Hi!

  I'm happy to announce that Dogtag (version 10.2.0) has finally entered
Debian unstable repository this week. Assuming there won't be any nasty
surprises, the next stable release ("Jessie") will include it. Many
thanks to Ade Lee who did the first pass of packaging the long chain of
dependencies, up to and including RESTEasy.



and next week there should be another announcement..


-- 
t



From tjaalton at ubuntu.com  Sat Oct 18 15:42:38 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 18 Oct 2014 18:42:38 +0300
Subject: [Pki-users] Dogtag 10.2.0 is now in Debian
In-Reply-To: <54428997.8060306@ubuntu.com>
References: <54428997.8060306@ubuntu.com>
Message-ID: <54428A6E.8010406@ubuntu.com>

On 18.10.2014 18:39, Timo Aaltonen wrote:
> 
> 	Hi!
> 
>   I'm happy to announce that Dogtag (version 10.2.0) has finally entered
> Debian unstable repository this week. Assuming there won't be any nasty
> surprises, the next stable release ("Jessie") will include it. Many
> thanks to Ade Lee who did the first pass of packaging the long chain of
> dependencies, up to and including RESTEasy.

forgot the link
https://packages.qa.debian.org/d/dogtag-pki.html

there's a small update coming early next week

-- 
t



From ftweedal at redhat.com  Sun Oct 19 02:10:08 2014
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sun, 19 Oct 2014 12:10:08 +1000
Subject: [Pki-users] [Pki-devel] Dogtag 10.2.0 is now in Debian
In-Reply-To: <54428A6E.8010406@ubuntu.com>
References: <54428997.8060306@ubuntu.com>
 <54428A6E.8010406@ubuntu.com>
Message-ID: <20141019021008.GV5346@dhcp-40-8.bne.redhat.com>

On Sat, Oct 18, 2014 at 06:42:38PM +0300, Timo Aaltonen wrote:
> On 18.10.2014 18:39, Timo Aaltonen wrote:
> > 
> > 	Hi!
> > 
> >   I'm happy to announce that Dogtag (version 10.2.0) has finally entered
> > Debian unstable repository this week. Assuming there won't be any nasty
> > surprises, the next stable release ("Jessie") will include it. Many
> > thanks to Ade Lee who did the first pass of packaging the long chain of
> > dependencies, up to and including RESTEasy.
> 
> forgot the link
> https://packages.qa.debian.org/d/dogtag-pki.html
> 
> there's a small update coming early next week
> 
Great!  Thanks for all your work, Timo.

Fraser

> -- 
> t
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel



From WilliamC.Elliott at s-itsolutions.at  Tue Oct 21 12:54:57 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Tue, 21 Oct 2014 12:54:57 +0000
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
In-Reply-To: <542C98FC.3040209@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
	<542C9587.6080107@redhat.com> <542C98FC.3040209@redhat.com>
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B84E511@M0182.s-mxs.net>

(sorry for the delay - I was out of the office for some time)

The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said. But since the last email we've also tried 9.0.3-38, with the same result.
We always ran through the wizard panels using all default values, changing nothing, but now we configure the ca with pkisilent with the same default values to make sure the configuration doesn't change from one test to the next.

The only change we make is afterwords to enable scep in the config:

ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16

The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag 1.3 on the hsm), but throws the exception when the hsm is used as token.
We use sscep to submit requests to the ca.

We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying. 
Here are the results of your suggestions below :

** 1. This is our current configuration which always produces the exception. 
       From debug log:
CRSEnrollment: init: SCEP support is enabled. 
CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init:   CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init:    Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: true
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...

** 2. Setting ca.scep.nickname at first produced no discernable change,
    other than, requests for the ca cert. with "sscep getca"  then fail reliably. 
    Due to token name not being set: 
       From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init:   CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init:    Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3 
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...

** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the problem.

       From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init:   CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init:    Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3 
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'                               			<-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'	<-- from sscep enroll request
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)


best regards,
William

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
Sent: Donnerstag, 02. Oktober 2014 02:15
To: pki-users at redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found . [heur][html-removed]

btw, I'm not suggesting that you need either or both config params.

three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you 
intend to use anyway)

2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the 
ca, it will find the token for you)

3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca 
signing cert.. )

Let us know.
Christina

On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs 
>> setup for SCEP enrollment.  But, no matter whether we try the older 
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a 
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: 
>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>
>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>
>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>
>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>
>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>
>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>
>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>
>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>
>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>
>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>
>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>
>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>
>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>
>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>
>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>
>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>
>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>
>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>
>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>
>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>
>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>
>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>
>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>
>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>
>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>
>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>
>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>
>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>
>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>
>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>
>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>
>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>
>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>
>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>
>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>
>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>
>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>
>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>>         at 
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>         at 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>>         at 
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>>         at 
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>>         at 
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>>         at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
>> javax.servlet.ServletException: Failed to process message in CEP 
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the 
>> service, with the first request, the HSM token name appears to be 
>> listed twice in the *mNickname* string.  Interestingly, with each new 
>> request, the number of token names increases by one in the string. 
>> i.e. with the 2^nd attempt, the same exception occurs but the token 
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>>         at 
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>         at 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>>         at 
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>>         at 
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>>         at 
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>>         at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
>> javax.servlet.ServletException: Failed to process message in CEP 
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of 
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating 
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does 
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this 
>> running.
>>
>> Best regards!
>>
>> William Elliott
>>
>> s IT Solutions
>>
>> Open System Services
>>
>> s IT Solutions AT Spardat GmbH
>>
>> A-1110 Wien, Geiselbergstra?e 21 - 25
>>
>> Phone: +43 (0)5 0100 - 39376
>>
>> Fax: +43 (0)5 0100 9 - 39376
>>
>> Mobile: +43 (0)5 0100 6 - 39376
>>
>> _mailto:william.elliott at s-itsolutions.at 
>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>
>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court 
>> of Vienna
>>
>> This message and any attached files are confidential and intended 
>> solely for the addressee(s). Any publication, transmission or other 
>> use of the information by a person or entity other than the intended 
>> addressee is prohibited. If you receive this in error please contact 
>> the sender and delete the material. The sender does not accept 
>> liability for any errors or omissions as a result of the transmission.
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users



From kriteejhawar at gmail.com  Mon Oct 27 07:15:53 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Mon, 27 Oct 2014 12:45:53 +0530
Subject: [Pki-users] Can OpensSSL be used as external CA ?
Message-ID: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>

Hi

In my recent thread i read that there is a bug due to which Microsoft CA
can't work as external CA for dogtag.
Can OpenSSL be used ?

Thanks
Kritee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141027/c96322e8/attachment.htm>

From cfu at redhat.com  Mon Oct 27 16:15:39 2014
From: cfu at redhat.com (Christina Fu)
Date: Mon, 27 Oct 2014 09:15:39 -0700
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>
References: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>
Message-ID: <544E6FAB.1020003@redhat.com>

If you meant the following two:
https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not 
preserved at issuance with signing cert signed by an external CA
https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration) does 
not provide CA extensions in subordinate certificate signing requests (CSR)

They have just recently been fixed upstream so I imagine you could use 
Microsoft CA now.  Theoretically any other CA can be used as an external 
CA, but if you run into issues, please feel free to report.

Christina


On 10/27/2014 12:15 AM, kritee jhawar wrote:
> Hi
>
> In my recent thread i read that there is a bug due to which Microsoft 
> CA can't work as external CA for dogtag.
> Can OpenSSL be used ?
>
> Thanks
> Kritee
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141027/f71406d9/attachment.htm>

From kriteejhawar at gmail.com  Tue Oct 28 02:55:14 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Tue, 28 Oct 2014 08:25:14 +0530
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <544E6FAB.1020003@redhat.com>
References: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>
	<544E6FAB.1020003@redhat.com>
Message-ID: <CAGJVne28=CdqLz0vDu72POWYZszJgNDT0Y3jyP13t3jeiKgQcg@mail.gmail.com>

Hi Christina

I was undertaking this activity last month where Microsoft CA didn't work
out but Dogtag as external CA did.

While using Microsoft CA or OpenSSL CA, pki spawn goes through without any
error but dogtag stops communications to 389ds. Upon calling the rest Api
/ca/rest/certs I get a "PKIException error listing the certs".

Is there a particular format for the ca cert chain that we need to provide
? I was trying to reverse engineer the chain provided by dogtag.

Thanks
Kritee



On Monday, 27 October 2014, Christina Fu <cfu at redhat.com> wrote:

>  If you meant the following two:
> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
> preserved at issuance with signing cert signed by an external CA
> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration) does
> not provide CA extensions in subordinate certificate signing requests (CSR)
>
> They have just recently been fixed upstream so I imagine you could use
> Microsoft CA now.  Theoretically any other CA can be used as an external
> CA, but if you run into issues, please feel free to report.
>
> Christina
>
>
> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>
> Hi
>
>  In my recent thread i read that there is a bug due to which Microsoft CA
> can't work as external CA for dogtag.
> Can OpenSSL be used ?
>
>  Thanks
> Kritee
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.com <javascript:_e(%7B%7D,'cvml','Pki-users at redhat.com');>https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141028/b6b760bb/attachment.htm>

From cfu at redhat.com  Tue Oct 28 19:52:59 2014
From: cfu at redhat.com (Christina Fu)
Date: Tue, 28 Oct 2014 12:52:59 -0700
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <CAGJVne28=CdqLz0vDu72POWYZszJgNDT0Y3jyP13t3jeiKgQcg@mail.gmail.com>
References: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>	<544E6FAB.1020003@redhat.com>
	<CAGJVne28=CdqLz0vDu72POWYZszJgNDT0Y3jyP13t3jeiKgQcg@mail.gmail.com>
Message-ID: <544FF41B.3010705@redhat.com>

the cert chain you provide in the file specified under
pki_external_ca_cert_chain_path
should be just pkcs7 without header/footer.

I don't know why it would not talk to the DS (did you turn on ssl for 
the ds?).
Not sure if you build your Dogtag from the master, if you do, I'd 
suggest you get the most updated so you get fixes from the tickets I 
provided previously which would address at least two issues relating to 
external CA.

Christina

On 10/27/2014 07:55 PM, kritee jhawar wrote:
> Hi Christina
>
> I was undertaking this activity last month where Microsoft CA didn't 
> work out but Dogtag as external CA did.
>
> While using Microsoft CA or OpenSSL CA, pki spawn goes through 
> without any error but dogtag stops communications to 389ds. Upon 
> calling the rest Api /ca/rest/certs I get a "PKIException error 
> listing the certs".
>
> Is there a particular format for the ca cert chain that we need to 
> provide ? I was trying to reverse engineer the chain provided by dogtag.
>
> Thanks
> Kritee
>
>
>
> On Monday, 27 October 2014, Christina Fu <cfu at redhat.com 
> <mailto:cfu at redhat.com>> wrote:
>
>     If you meant the following two:
>     https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding
>     not preserved at issuance with signing cert signed by an external CA
>     https://fedorahosted.org/pki/ticket/1110 - pkispawn
>     (configuration) does not provide CA extensions in subordinate
>     certificate signing requests (CSR)
>
>     They have just recently been fixed upstream so I imagine you could
>     use Microsoft CA now.  Theoretically any other CA can be used as
>     an external CA, but if you run into issues, please feel free to
>     report.
>
>     Christina
>
>
>     On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>     Hi
>>
>>     In my recent thread i read that there is a bug due to which
>>     Microsoft CA can't work as external CA for dogtag.
>>     Can OpenSSL be used ?
>>
>>     Thanks
>>     Kritee
>>
>>
>>     _______________________________________________
>>     Pki-users mailing list
>>     Pki-users at redhat.com  <javascript:_e(%7B%7D,'cvml','Pki-users at redhat.com');>
>>     https://www.redhat.com/mailman/listinfo/pki-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141028/a967f843/attachment.htm>

From kriteejhawar at gmail.com  Wed Oct 29 08:16:46 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Wed, 29 Oct 2014 13:46:46 +0530
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <544FF41B.3010705@redhat.com>
References: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>
	<544E6FAB.1020003@redhat.com>
	<CAGJVne28=CdqLz0vDu72POWYZszJgNDT0Y3jyP13t3jeiKgQcg@mail.gmail.com>
	<544FF41B.3010705@redhat.com>
Message-ID: <CAGJVne16Mj--mUQcn4HZDvh3nne4MgTj8tpA8sy8gJ121-675g@mail.gmail.com>

Hi Christina

I have done the default configuration for 389ds and haven't specifically
turned on ssl for it.

Initially I tried using Microsoft and OpenSSL CA as external CAs. This is
about a month back and I pull the Rpms using yum (so I assume they are the
latest ones with the fix you mentioned).
With this, my pki spawn went fine. Infect the admin cert got generated
using the externally provided root cert as well. But dogtag couldn't
connect to the ds. As mentioned earlier it gave me a PKIException error
listing the certs with error code 500.
Looking at the ds logs I found that the error was 'bad search filter'.
However when I tried the same steps with dogtag as external CA the setup
went through without a glitch. The chain I imported was directly from the
GUI of dogtag. In fact I included the header and footer as well.

When I tried to reverse engineer the chain, I took the root cert of
external dogtag ca and used OpenSSL to convert it into pkcs7. This chain
was not the same as provided from the GUI. Hence I thought that there is
some particular format for the chain because of which the other CAs aren't
working.

Also, I updated the Rpms using yum and tried to generate the CSR with the
extra attributes. My csr still doesn't reflect those added attributes.

Is yum not the correct way to get the latest code ?

I am very new to this, really appreciate your assistance and time.

Regards
Kritee

On Wednesday, 29 October 2014, Christina Fu <cfu at redhat.com> wrote:

>  the cert chain you provide in the file specified under
> pki_external_ca_cert_chain_path
> should be just pkcs7 without header/footer.
>
> I don't know why it would not talk to the DS (did you turn on ssl for the
> ds?).
> Not sure if you build your Dogtag from the master, if you do, I'd suggest
> you get the most updated so you get fixes from the tickets I provided
> previously which would address at least two issues relating to external CA.
>
> Christina
>
> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>
> Hi Christina
>
>  I was undertaking this activity last month where Microsoft CA didn't
> work out but Dogtag as external CA did.
>
>  While using Microsoft CA or OpenSSL CA, pki spawn goes through
> without any error but dogtag stops communications to 389ds. Upon calling
> the rest Api /ca/rest/certs I get a "PKIException error listing the certs".
>
>  Is there a particular format for the ca cert chain that we need to
> provide ? I was trying to reverse engineer the chain provided by dogtag.
>
>  Thanks
> Kritee
>
>
>
> On Monday, 27 October 2014, Christina Fu <cfu at redhat.com
> <javascript:_e(%7B%7D,'cvml','cfu at redhat.com');>> wrote:
>
>>  If you meant the following two:
>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>> preserved at issuance with signing cert signed by an external CA
>> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration) does
>> not provide CA extensions in subordinate certificate signing requests (CSR)
>>
>> They have just recently been fixed upstream so I imagine you could use
>> Microsoft CA now.  Theoretically any other CA can be used as an external
>> CA, but if you run into issues, please feel free to report.
>>
>> Christina
>>
>>
>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>
>> Hi
>>
>>  In my recent thread i read that there is a bug due to which Microsoft
>> CA can't work as external CA for dogtag.
>> Can OpenSSL be used ?
>>
>>  Thanks
>> Kritee
>>
>>
>> _______________________________________________
>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141029/e6ede03a/attachment.htm>

From cfu at redhat.com  Fri Oct 31 17:06:45 2014
From: cfu at redhat.com (Christina Fu)
Date: Fri, 31 Oct 2014 10:06:45 -0700
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <CAGJVne16Mj--mUQcn4HZDvh3nne4MgTj8tpA8sy8gJ121-675g@mail.gmail.com>
References: <CAGJVne1nUqkSEyZHpYEDpo-4em9yZY699gEgHQxRuhTKxa9iLQ@mail.gmail.com>	<544E6FAB.1020003@redhat.com>	<CAGJVne28=CdqLz0vDu72POWYZszJgNDT0Y3jyP13t3jeiKgQcg@mail.gmail.com>	<544FF41B.3010705@redhat.com>
	<CAGJVne16Mj--mUQcn4HZDvh3nne4MgTj8tpA8sy8gJ121-675g@mail.gmail.com>
Message-ID: <5453C1A5.5090206@redhat.com>

Kritee,

At the minimum, you need the fixes I talked about. They were checked 
into the master but has not been built officially so yum is not going to 
get you the right rpm.  However, you can check it out and build it yourself.
Here is how you check out the master:

git clone git://git.fedorahosted.org/git/pki.git

You can then use the build scripts to build.

Finally, I apologize that we are not supposed to respond to private 
emails.  Dogtag is a community where we share our knowledge.  In the 
future please send requests to the mailing list.
I took the exception this time to look at your CSR and certs and I could 
see that you need the fixes I talked about.  I don't know if you have 
other issues though, but AFAIK you need those two fixes.

Hope this helps.
Christina

On 10/29/2014 01:16 AM, kritee jhawar wrote:
> Hi Christina
>
> I have done the default configuration for 389ds and haven't 
> specifically turned on ssl for it.
>
> Initially I tried using Microsoft and OpenSSL CA as external CAs. This 
> is about a month back and I pull the Rpms using yum (so I assume they 
> are the latest ones with the fix you mentioned).
> With this, my pki spawn went fine. Infect the admin cert got generated 
> using the externally provided root cert as well. But dogtag couldn't 
> connect to the ds. As mentioned earlier it gave me a PKIException 
> error listing the certs with error code 500.
> Looking at the ds logs I found that the error was 'bad search filter'.
> However when I tried the same steps with dogtag as external CA the 
> setup went through without a glitch. The chain I imported was directly 
> from the GUI of dogtag. In fact I included the header and footer as well.
>
> When I tried to reverse engineer the chain, I took the root cert of 
> external dogtag ca and used OpenSSL to convert it into pkcs7. This 
> chain was not the same as provided from the GUI. Hence I thought that 
> there is some particular format for the chain because of which the 
> other CAs aren't working.
>
> Also, I updated the Rpms using yum and tried to generate the CSR with 
> the extra attributes. My csr still doesn't reflect those added 
> attributes.
>
> Is yum not the correct way to get the latest code ?
>
> I am very new to this, really appreciate your assistance and time.
>
> Regards
> Kritee
>
> On Wednesday, 29 October 2014, Christina Fu <cfu at redhat.com 
> <mailto:cfu at redhat.com>> wrote:
>
>     the cert chain you provide in the file specified under
>     pki_external_ca_cert_chain_path
>     should be just pkcs7 without header/footer.
>
>     I don't know why it would not talk to the DS (did you turn on ssl
>     for the ds?).
>     Not sure if you build your Dogtag from the master, if you do, I'd
>     suggest you get the most updated so you get fixes from the tickets
>     I provided previously which would address at least two issues
>     relating to external CA.
>
>     Christina
>
>     On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>     Hi Christina
>>
>>     I was undertaking this activity last month where Microsoft CA
>>     didn't work out but Dogtag as external CA did.
>>
>>     While using Microsoft CA or OpenSSL CA, pki spawn goes through
>>     without any error but dogtag stops communications to 389ds. Upon
>>     calling the rest Api /ca/rest/certs I get a "PKIException error
>>     listing the certs".
>>
>>     Is there a particular format for the ca cert chain that we need
>>     to provide ? I was trying to reverse engineer the chain provided
>>     by dogtag.
>>
>>     Thanks
>>     Kritee
>>
>>
>>
>>     On Monday, 27 October 2014, Christina Fu <cfu at redhat.com
>>     <javascript:_e(%7B%7D,'cvml','cfu at redhat.com');>> wrote:
>>
>>         If you meant the following two:
>>         https://fedorahosted.org/pki/ticket/1190 CA: issuer DN
>>         encoding not preserved at issuance with signing cert signed
>>         by an external CA
>>         https://fedorahosted.org/pki/ticket/1110 - pkispawn
>>         (configuration) does not provide CA extensions in subordinate
>>         certificate signing requests (CSR)
>>
>>         They have just recently been fixed upstream so I imagine you
>>         could use Microsoft CA now. Theoretically any other CA can be
>>         used as an external CA, but if you run into issues, please
>>         feel free to report.
>>
>>         Christina
>>
>>
>>         On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>         Hi
>>>
>>>         In my recent thread i read that there is a bug due to which
>>>         Microsoft CA can't work as external CA for dogtag.
>>>         Can OpenSSL be used ?
>>>
>>>         Thanks
>>>         Kritee
>>>
>>>
>>>         _______________________________________________
>>>         Pki-users mailing list
>>>         Pki-users at redhat.com
>>>         https://www.redhat.com/mailman/listinfo/pki-users
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141031/cb8f2946/attachment.htm>

From mkosek at redhat.com  Mon Oct 20 06:47:03 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 20 Oct 2014 06:47:03 -0000
Subject: [Pki-users] [Freeipa-devel] Dogtag 10.2.0 is now in Debian
In-Reply-To: <54428A6E.8010406@ubuntu.com>
References: <54428997.8060306@ubuntu.com> <54428A6E.8010406@ubuntu.com>
Message-ID: <5444AFE4.2070103@redhat.com>

On 10/18/2014 05:42 PM, Timo Aaltonen wrote:
> On 18.10.2014 18:39, Timo Aaltonen wrote:
>>
>> 	Hi!
>>
>>   I'm happy to announce that Dogtag (version 10.2.0) has finally entered
>> Debian unstable repository this week. Assuming there won't be any nasty
>> surprises, the next stable release ("Jessie") will include it. Many
>> thanks to Ade Lee who did the first pass of packaging the long chain of
>> dependencies, up to and including RESTEasy.
> 
> forgot the link
> https://packages.qa.debian.org/d/dogtag-pki.html
> 
> there's a small update coming early next week
> 

Thanks Timo for your great work! With Dogtag in Debian, we are getting wery
close to including FreeIPA as well - looking forward to this day :-)

As usual, let us know if you hit problems with porting FreeIPA there or
extending our platform-independent code.

Thanks,
Martin