[Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag

kritee jhawar kriteejhawar at gmail.com
Mon Oct 13 17:38:27 UTC 2014 

Hi

After a little more debugging came to the conclusion that post external CA
configuration there seems to be some issue with the directory service

Upon making a rest call to list the certs, I get an LDAP exception with
 'Bad Search Filter' message.

Has anyone faced this?

Regards
Kritee

On Sat, Oct 11, 2014 at 10:15 AM, kritee jhawar <kriteejhawar at gmail.com>
wrote:

> Hi
>
> Thanks for the response.I am inline with what you said, that the clients
> just need to trust the CA and need not communicate with it. However my
> clients are physical devices which will need the trust store burnt into
> them which is why i need to have a constant trust chain.
> External CA seems like the best way to go. Please let me know if you could
> figure out why my configuartion won't go through with the data I have
> provided.
>
> Regards
> Kritee
>
> On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal <
> gaiseric.vandal at gmail.com> wrote:
>
>>  The CA needs to generate or sign  certificates for other servers- e.g.
>> a web server.  Clients of those servers should trust the CA's certificate
>> as the CA certificate that signs the server certificates.  They don't need
>> to communicate with the CA directly.      (The exception might be if the CA
>> is also an online certificate revocation server -  but that is beyond my
>> experience.)
>>
>> You should assume that your CA will eventually crash-  or that you might
>> make a configuration change or an update that you want to roll back.  As
>> with any server, you should back up the critical files.  if this is a
>> virtual machine, it makes backing up the entire machine much easier.
>>
>>
>> I wouldn't imagine that the entire CA configuration and database
>> directories are very big.
>>
>>
>>
>>
>>
>>
>> On 10/10/14 07:18, kritee jhawar wrote:
>>
>>
>>  Hello,
>>
>> I am an engineer from India and I have been struggling with this for the
>> past 2 weeks. Request you to help me out.
>>
>> *USE-CASE: *
>>
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to be
>> given the root certificate of the new dogatg.
>>
>> How can we avoid this?
>>
>> Can we bring up multiple instances dogtag with a static certificate every
>> time?
>>
>> The only way I could find is by using the* external CA* option.
>>
>> I am following the 2-step pkispawn process with 2 config files
>> (deployment-1.cfg and deployment-2.cfg)
>>
>> In the first step the csr is generated. I take the csr and get a
>> certificate from the external CA and place it in the required location. The
>> root certificate of the CA has also been placed in the required location.
>> Step 2 of pkispawn goes through and the ca_admin cert is generated and
>> signed.
>>
>> However, when i make a REST call to list the certificates, I get 2
>> different errors:
>>
>> (Please note that I replicated the same steps with same files on 2 setups
>> and got 2 errors)
>>
>> curl -k --request GET https://localhost:9443/ca/rest/certs
>>
>> *ERROR 1*
>>
>> <?xml version="1.0" encoding="UTF-8"
>> >
>> standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error
>> listing certs in
>> CertsResourceService.listCerts!</Message><Attributes/></PKIException>
>>
>>
>>
>> *ERROR 2*
>>
>> With the same steps i also get a NullPointerException as well (Attached
>> logs - null-pointer-error.txt)
>>
>>
>>
>>  When i see the status of my pki-instance after pkispawn step-2, It says
>> the Instance is loaded and needs to be configured. (attched logs :
>> post-pkispawn-2.txt)
>> However it starts using systemctl without any errors
>>
>>
>>
>> I suspect I am missing some part in the configuration.
>>
>> Any help/pointers would be very helpful!
>>
>> Thanks
>>
>> Kritee
>>
>> *Attached files : *
>>
>> deployment-1.txt  - config file for pkispawn step 1
>>
>> deployment-2.txt - config file for pkispawn step 2
>>
>> pkispawn-1-log.txt - logs for pkisppawn step 1
>>
>> pkispan-2-log.txt - logs for pkispawn step 2
>>
>> dogtag-cert.txt - root certificate of dogtag generated by external CA
>>
>> ca-admin-cert.txt - admin cert signed by dogtag
>>
>> null-pointer-error.txt - null pointer exception while making a REST call
>> to list certs
>>
>> post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141013/2523c89a/attachment.htm>

More information about the Pki-users mailing list