From rperez at pgjtabasco.gob.mx Thu Sep 11 02:17:11 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Wed, 10 Sep 2014 21:17:11 -0500 (CDT)
Subject: [Pki-users] ERROR: Package pki-ocsp is NOT installed!
In-Reply-To: <1212115453.61767.1410401748558.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1764028962.61776.1410401831515.JavaMail.root@pgjtabasco.gob.mx>

I get:

    ERROR: Package pki-ocsp is NOT installed!

when I try to create an OCSP instance with pkispawn.

From alee at redhat.com Thu Sep 11 02:58:11 2014
From: alee at redhat.com (Ade Lee)
Date: Wed, 10 Sep 2014 22:58:11 -0400
Subject: [Pki-users] ERROR: Package pki-ocsp is NOT installed!
In-Reply-To: <1764028962.61776.1410401831515.JavaMail.root@pgjtabasco.gob.mx>
References: <1764028962.61776.1410401831515.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1410404291.11995.39.camel@aleeredhat.laptop>

So, is pki-ocsp installed?

    rpm -q pki-ocsp

If not installed:

    yum install pki-ocsp

Ade

On Wed, 2014-09-10 at 21:17 -0500, Ricardo Alexander Alexander Perez Ricardez wrote:
> I get:
>
> ERROR: Package pki-ocsp is NOT installed!
>
> when I try to create an OCSP instance with pkispawn.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ftweedal at redhat.com Thu Sep 11 07:22:25 2014
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 11 Sep 2014 17:22:25 +1000
Subject: [Pki-users] Generating certificates with DSA signatures
Message-ID: <20140911072225.GB11840@dhcp-40-8.bne.redhat.com>

Hi all,

Is there some documentation somewhere about how to set up / configure a CA subsystem such that it can sign requests with DSA rather than RSA?

I guess that you need to spawn an instance with a DSA signing key or somehow configure one after the spawning, but I'm not sure how to do this.
Cheers,

Fraser

From cfu at redhat.com Sat Sep 13 00:04:05 2014
From: cfu at redhat.com (Christina Fu)
Date: Fri, 12 Sep 2014 17:04:05 -0700
Subject: [Pki-users] Generating certificates with DSA signatures
In-Reply-To: <20140911072225.GB11840@dhcp-40-8.bne.redhat.com>
References: <20140911072225.GB11840@dhcp-40-8.bne.redhat.com>
Message-ID: <541389F5.3070904@redhat.com>

Hi Fraser,

The CA does not need to be DSA. It can be RSA and sign a DSA cert for you. You just need to generate a CSR with a DSA key.

For example, you can use certutil to generate a DSA CSR:

    # certutil -d . -R -k dsa -s "CN=cfuTestDSA" -a -o cfuDSA.req.b64
    # cat cfuDSA.req.b64
    MIICFjCCAdYCAQAwFTETMBEGA1UEAxMKY2Z1VGVzdERTQTCCAbYwggErBgcqhkjO
    OAQBMIIBHgKBgQCY7zqucJibRNs1hsG2wkd8tP+Z6K5E8uvDviMPZdBMBIKQp51K
    yJN/Qd/4gGsLaH+v5Ki1spnDafs/5xvQD6l6SgS/UJ4iM7iJUyQQ+Wh3ra8QaLjT
    aF2jw+tyO6ALc2XF0fqMwH2qUik0RAG/EiX+GArIP8FgSNutk7ZhZ9eoLQIVALWw
    hItEKfYzWaE8vtJ/NaF2JwOBAoGABA6DafHNfeUMeJPWSW8ABE4ObDeqOCJH0ljs
    gxKV+Zzx9Cf/15lXNcZkTMBHEjFQgjwqBwMB7zAJiYJBdnHanleLdjg3X6XNMoRF
    jUwXVCtdwmu6PqB7ldcAQvcIuIOHYOHl9BpUwiDaODrRthD0yzXal5KH1qU3YrST
    ShUhpRADgYQAAoGAKDm/ww3NZTM+Npdc1WnZZlebT78BcKQVUfMMHvqG+TJRrkjZ
    RwhUKeNoYeRxPt0bJ8QUtRDG/ihQ+mH22bOJkhogXuf/GdGbKTRjInnXho6NEaQo
    sSY3CJ/865RXvPXDBleYoF1WzAntEQtWY+9/uSGZD20uubrKUopNioNTD86gADAJ
    BgcqhkjOOAQDAy8AMCwCFD59mJXc3EnJWY8N66DhCoKeg8yGAhQpYqFI14WFTk39
    CXfwXSsLE5qSfw==

Paste that into "Other Certificate Enrollment" at the CA EE page and submit. Go to the CA agent page and approve it, and I see:

    Subject Public Key Info:
        Algorithm: DSA - 1.2.840.10040.4.1

Hope this helps,
Christina

On 09/11/2014 12:22 AM, Fraser Tweedale wrote:
> Hi all,
>
> Is there some documentation somewhere about how to set up /
> configure a CA subsystem such that it can sign requests with DSA
> rather than RSA?
>
> I guess that you need to spawn an instance with a DSA signing key or
> somehow configure one after the spawning, but I'm not sure how to do
> this.
>
> Cheers,
>
> Fraser

From ftweedal at redhat.com Mon Sep 15 03:00:55 2014
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 15 Sep 2014 13:00:55 +1000
Subject: [Pki-users] Generating certificates with DSA signatures
In-Reply-To: <541389F5.3070904@redhat.com>
References: <20140911072225.GB11840@dhcp-40-8.bne.redhat.com> <541389F5.3070904@redhat.com>
Message-ID: <20140915030055.GD5346@dhcp-40-8.bne.redhat.com>

On Fri, Sep 12, 2014 at 05:04:05PM -0700, Christina Fu wrote:
> Hi Fraser,
>
> The CA does not need to be DSA. It can be RSA and sign a DSA cert for you.
> You just need to generate a CSR with a DSA key.
>
Thanks Christina,

Sorry, I could have more clearly stated my objective. I wish to configure the CA to use a DSA signing key. And while on that topic, I would also like to know how to configure it to use ECDSA to sign requests. I imagine the process would be similar in either case.

Regards,

Fraser

> For example, you can use certutil to generate a DSA CSR:
> # certutil -d . -R -k dsa -s "CN=cfuTestDSA" -a -o cfuDSA.req.b64
> # cat cfuDSA.req.b64
> MIICFjCCAdYCAQAwFTETMBEGA1UEAxMKY2Z1VGVzdERTQTCCAbYwggErBgcqhkjO
> OAQBMIIBHgKBgQCY7zqucJibRNs1hsG2wkd8tP+Z6K5E8uvDviMPZdBMBIKQp51K
> yJN/Qd/4gGsLaH+v5Ki1spnDafs/5xvQD6l6SgS/UJ4iM7iJUyQQ+Wh3ra8QaLjT
> aF2jw+tyO6ALc2XF0fqMwH2qUik0RAG/EiX+GArIP8FgSNutk7ZhZ9eoLQIVALWw
> hItEKfYzWaE8vtJ/NaF2JwOBAoGABA6DafHNfeUMeJPWSW8ABE4ObDeqOCJH0ljs
> gxKV+Zzx9Cf/15lXNcZkTMBHEjFQgjwqBwMB7zAJiYJBdnHanleLdjg3X6XNMoRF
> jUwXVCtdwmu6PqB7ldcAQvcIuIOHYOHl9BpUwiDaODrRthD0yzXal5KH1qU3YrST
> ShUhpRADgYQAAoGAKDm/ww3NZTM+Npdc1WnZZlebT78BcKQVUfMMHvqG+TJRrkjZ
> RwhUKeNoYeRxPt0bJ8QUtRDG/ihQ+mH22bOJkhogXuf/GdGbKTRjInnXho6NEaQo
> sSY3CJ/865RXvPXDBleYoF1WzAntEQtWY+9/uSGZD20uubrKUopNioNTD86gADAJ
> BgcqhkjOOAQDAy8AMCwCFD59mJXc3EnJWY8N66DhCoKeg8yGAhQpYqFI14WFTk39
> CXfwXSsLE5qSfw==
>
> Paste that into "Other Certificate Enrollment" at the CA EE page and submit.
> Go to the CA agent page and approve it, and I see:
>
> Subject Public Key Info:
>     Algorithm: DSA - 1.2.840.10040.4.1
>
> Hope this helps,
> Christina
>
> On 09/11/2014 12:22 AM, Fraser Tweedale wrote:
> >Hi all,
> >
> >Is there some documentation somewhere about how to set up /
> >configure a CA subsystem such that it can sign requests with DSA
> >rather than RSA?
> >
> >I guess that you need to spawn an instance with a DSA signing key or
> >somehow configure one after the spawning, but I'm not sure how to do
> >this.
> >
> >Cheers,
> >
> >Fraser

From jindrich.dolezal at adaptivemobile.com Tue Sep 16 13:19:51 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 16 Sep 2014 15:19:51 +0200
Subject: [Pki-users] profiles for generating server and client certificates
Message-ID: <541838F7.50102@adaptivemobile.com>

Hi,

Can anyone advise me how to configure dogtag (I have 9.0.3) to have two profiles for generating server and client certificates?

For cert generation I'm currently using /var/lib/pki-ca/profiles/ca/caRouterCert.cfg, where there is the line:

    policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4

OID 1.3.6.1.5.5.7.3.2 is for client, 1.3.6.1.5.5.7.3.1 is for server, so for generating the server certificate I have to reconfigure and restart the CA, which is very annoying in a test env and unthinkable in a production env.

I have configured clients to be able to get their own certificates via SCEP, and for servers I generate certs manually with the use of the jscep-cli tool.

Is there a way / is it possible to configure dogtag so that I can get my server certificate without reconfiguring?

Thanks a lot
jd
From rperez at pgjtabasco.gob.mx Sat Sep 27 16:55:49 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Sat, 27 Sep 2014 11:55:49 -0500 (CDT)
Subject: [Pki-users] Use of graphometric data by digitizing handwritten signature.
In-Reply-To: <1884337680.77862.1411836825707.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <1443712233.77874.1411836949113.JavaMail.root@pgjtabasco.gob.mx>

Hi...

I am using a Wacom tablet to sign documents by digitizing the handwritten signature. Does DogTag Certificate System support the use of graphometric data? As in the image attached to the email...

(attachment scrubbed by the archive: 27.png, image/png)

From rperez at pgjtabasco.gob.mx Sat Sep 27 19:02:49 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Sat, 27 Sep 2014 14:02:49 -0500 (CDT)
Subject: [Pki-users] Graphometric Dynamic Signature (Advanced Electronic Signature)
In-Reply-To: <27320554.77976.1411844195261.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <430968220.78381.1411844569801.JavaMail.root@pgjtabasco.gob.mx>

Hi,

Is it possible to use this characteristic with DogTag Certificate System?

Graphometric Dynamic Signature (Advanced Electronic Signature): including in the document the graphometric information captured during the signature execution and embedding everything with a digital signature.
More info here: http://www.andxor.com/supported-signatures.html

How Graphometric Signature and Verification is performed

When the user performs a Graphometric Signature the following information is captured:

* the image of the signature,
* the position and direction,
* the pressure (1024 levels),
* the time,
* the curvature,
* the acceleration.

During a Graphometric Signature the important element is not the graphical image (as with a normal 2D ink signature) but the biometric characteristics of the image. Including the time and the pressure, the x,y position, the velocity and direction, we can have spatial dynamic information not available during a normal ink signature. In the next picture you can see a normal ink signature in a 2-dimensional space and the same signature in a 3-dimensional space including the time.

In fact "ONLY the biometric information without the image of the signature" is stored and is useful for matching a future signature. This allows more security and dynamic verification. This is the typical verification process.

All this information will be included in the digital signature, creating an Advanced Electronic Signature. Once the Advanced Electronic Signature using biometric information is bonded with the document via a Digital Signature, the final document receives persistent security to allow legal verification of authenticity, presence in time and integrity, as well as non-repudiation.

(attachments scrubbed by the archive: Obama Signature biometric.jpg, Graphometrical Signature Points and Velocity.jpg, Graphometrical signature Spatial dynamic.jpg, Graphometric Verification.jpg)

From rperez at pgjtabasco.gob.mx Sat Sep 27 19:06:40 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Sat, 27 Sep 2014 14:06:40 -0500 (CDT)
Subject: [Pki-users] Advance Biometric Signature using Digital Signature
In-Reply-To: <1141904393.78384.1411844672465.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <881782123.78496.1411844800650.JavaMail.root@pgjtabasco.gob.mx>

Advance Biometric Signature using Digital Signature

Is it possible to use DogTag Certificate System with "Advance Biometric Signature using Digital Signature"?

(attachment scrubbed by the archive: Signature Types.jpg)

From ftweedal at redhat.com Mon Sep 29 01:53:50 2014
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 29 Sep 2014 11:53:50 +1000
Subject: [Pki-users] Advance Biometric Signature using Digital Signature
In-Reply-To: <881782123.78496.1411844800650.JavaMail.root@pgjtabasco.gob.mx>
References: <1141904393.78384.1411844672465.JavaMail.root@pgjtabasco.gob.mx> <881782123.78496.1411844800650.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <20140929015350.GF5346@dhcp-40-8.bne.redhat.com>

On Sat, Sep 27, 2014 at 02:06:40PM -0500, Ricardo Alexander Alexander Perez Ricardez wrote:
> Advance Biometric Signature using Digital Signature
>
> Is it possible to use DogTag Certificate System with "Advance Biometric Signature using Digital Signature"?
>

Hi Ricardo,

It would be helpful to know more about your use case (e.g., signed PDF documents, S/MIME, something else?)
and the particular standards involved (I did a quick search but was unable to find any standards concerning the graphometric/biometric signature information).

Regards,

Fraser

From WilliamC.Elliott at s-itsolutions.at Mon Sep 29 11:55:46 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Mon, 29 Sep 2014 11:55:46 +0000
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>

Hello,

We are currently trying to get a new RHEL6/Dogtag 9 setup with Safenet HSMs working for SCEP enrollment. But no matter whether we try the older HSMs (LunaSA 4) or the newer (LunaSA 5), we cannot complete a successful SCEP request.

The following exception occurs in the debug log:

[29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
[29/Sep/2014:13:41:17][http-9180-1]: message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
/oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1

What stands out is the line with mNickname. After restarting the service, with the first request, the HSM token name appears to be listed twice in the mNickname string. Interestingly, with each new request the number of token names in the string increases by one, i.e. with the 2nd attempt the same exception occurs but the token name appears three times:

[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1

As mentioned, the exception occurs with both versions 4 and 5 of LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating with SCEP enrollment.) With local tokens (no HSMs) the error does not occur.

Any ideas how we can track this down? We definitely need to get this running.

Best regards!

William Elliott
s IT Solutions
Open System Services
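One way to confirm the pattern William describes from the debug log, rather than by eye, is to parse the CryptoContext lines and count how many times the token name is stacked in front of the nickname for each PKIOperation. The script below is an added example (not from the post and not Dogtag code). The log lines it runs on are constructed from the excerpts above, with the second request given a later timestamp and a healthy single-prefix request added for contrast; the debug log path in the comment is an assumption about the Dogtag 9 layout. It says nothing about why the prefix accumulates; it only makes the symptom measurable across requests.

```shell
#!/bin/sh
# Added example, not from the post or from Dogtag: measure how many "<token>:"
# prefixes CRSEnrollment stacks in front of mNickname per SCEP request.
# Sample lines are constructed from the excerpts in the post; the second
# request's timestamp is invented. On a live Dogtag 9 CA the input would be
# the instance debug log, e.g. /var/lib/pki-ca/logs/debug (path assumed).
set -eu

SAMPLE_LOG=$(cat <<'EOF'
[29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
[29/Sep/2014:13:42:05][http-9180-2]: operation=PKIOperation
[29/Sep/2014:13:42:05][http-9180-2]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:42:05][http-9180-2]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'
EOF
)

# What a healthy HSM-backed lookup looks like: exactly one "token:" prefix.
HEALTHY_LOG="[29/Sep/2014:14:00:00][http-9180-3]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:14:00:00][http-9180-3]: CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'"

# Print one line per request: "<timestamp> <stack-count> <nickname>", where
# stack-count is the number of consecutive "<token>:" prefixes on the nickname.
nickname_stack_counts() {  # log text on stdin
    awk '
        /CryptoContext: token name:/ {
            tok = $NF; gsub(/'\''/, "", tok)          # drop the stray quote
        }
        /CryptoContext: mNickname:/ {
            nick = $0
            sub(/.*mNickname: '\''/, "", nick); sub(/'\''$/, "", nick)
            n = 0; rest = nick
            while (tok != "" && index(rest, tok ":") == 1) {
                n++; rest = substr(rest, length(tok) + 2)
            }
            ts = $1; sub(/^\[/, "", ts); sub(/\].*/, "", ts)
            printf "%s %d %s\n", ts, n, nick
        }'
}

# Largest stack-count seen in the log; anything above 1 is the symptom.
max_stack() {  # log text on stdin
    nickname_stack_counts |
        awk 'BEGIN { max = 0 } $2 > max { max = $2 } END { print max }'
}

printf '%s\n' "$SAMPLE_LOG" | nickname_stack_counts
if [ "$(printf '%s\n' "$SAMPLE_LOG" | max_stack)" -gt 1 ]; then
    echo "token prefix is stacked on each request; the nickname lookup will keep failing"
fi
```

Run it against the real debug log with `nickname_stack_counts < /var/lib/pki-ca/logs/debug` (path assumed) after a CA restart and a few SCEP requests; a count that climbs by one per request is the behaviour described above, while a count fixed at 1 means the nickname is being resolved the way it is on a software token.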
From philip.shuman at sri.com Mon Sep 29 19:43:46 2014
From: philip.shuman at sri.com (Philip Shuman)
Date: Mon, 29 Sep 2014 12:43:46 -0700
Subject: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)
Message-ID: <5429B672.5010704@sri.com>

Just wanted to update this thread: we just got off the phone with our Gemalto rep and they say the Gemalto TOP IM FIPS CY2 is not End-Of-Life and is still available in quantity.

> ----- Original Message -----
> From: "Fabian Bertholm"
> To: "pki-users"
> Sent: Monday, May 6, 2013 12:33:53 AM
> Subject: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)
>
> Hi,
>
> I got a message from my smartcard dealer that the Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2) is now EOL.
>
> Which other smartcard is officially supported? I need something with at least 64k. Anyone with an idea?
>
> best regards
> Fabian

(attachment scrubbed by the archive: smime.p7s, application/pkcs7-signature)

From ftweedal at redhat.com Tue Sep 30 01:35:35 2014
From: ftweedal at redhat.com ('Fraser Tweedale')
Date: Tue, 30 Sep 2014 11:35:35 +1000
Subject: [Pki-users] Advance Biometric Signature using Digital Signature
In-Reply-To: <004001cfdbff$d587bd60$80973820$@pgjtabasco.gob.mx>
References: <1141904393.78384.1411844672465.JavaMail.root@pgjtabasco.gob.mx> <881782123.78496.1411844800650.JavaMail.root@pgjtabasco.gob.mx> <20140929015350.GF5346@dhcp-40-8.bne.redhat.com> <004001cfdbff$d587bd60$80973820$@pgjtabasco.gob.mx>
Message-ID: <20140930013535.GI5346@dhcp-40-8.bne.redhat.com>

On Mon, Sep 29, 2014 at 11:10:05AM -0500, Ricardo Alexander Perez Ricardez wrote:
> Hi Fraser,
>
> Here is more information about this:
>
> http://www.andxor.com/supported-signatures.html
>
> https://www.softpro.de/en/academy/electronic-signatures-security.aspx
>
Thanks Ricardo,

So to clarify, your use case is production and/or verification of digitally signed PDF documents that include a biometric signature? Are you using any specific software that you hope to integrate with Dogtag to provide the digital signing capabilities?

If the biometric signature is simply part of the data that gets digitally signed, then Dogtag fundamentally supports the required operations. The standards in play are paywalled so I cannot confirm this or comment on how the integration might work. I will try and get copies of the relevant standards to further the investigation. These include:

- ISO/IEC 19794-7:2007 -- Biometric data interchange formats -- Part 7: Signature/sign time series data
- ISO 19005-2:2011 -- Electronic document file format for long-term preservation -- Part 2: Use of ISO 32000-1 (PDF/A-2)

Regards,

Fraser

>
> -----Original message-----
> From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> Sent: Sunday, 28 September 2014 20:54
> To: Ricardo Alexander Alexander Perez Ricardez
> CC: pki-users at redhat.com
> Subject: Re: [Pki-users] Advance Biometric Signature using Digital Signature
>
> On Sat, Sep 27, 2014 at 02:06:40PM -0500, Ricardo Alexander Alexander Perez Ricardez wrote:
> > Advance Biometric Signature using Digital Signature
> >
> > Is it possible to use DogTag Certificate System with "Advance Biometric Signature using Digital Signature"?
> >
> >
> Hi Ricardo,
>
> It would be helpful to know more about your use case (e.g., signed PDF documents, S/MIME, something else?) and the particular standards involved (I did a quick search but was unable to find any standards concerning the graphometric/biometric signature information).
>
> Regards,
>
> Fraser
>
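Returning to the DSA thread earlier in this month's archive: Christina's point that the CA's own key type is independent of the subject key type in the CSR, and Fraser's follow-up interest in an ECDSA-keyed CA, can both be checked locally with OpenSSL. The script below is an added example (not from the thread and not Dogtag code). It generates a DSA CSR the way `certutil -R -k dsa -s "CN=cfuTestDSA"` does, then issues a certificate for it first from a throwaway RSA-keyed CA and then from an ECDSA-keyed CA, and inspects each result. Subject names and file names are made up. It does not show how to configure Dogtag's own signing key (which the thread leaves unanswered); it only demonstrates that the X.509 mechanics permit either combination.

```shell
#!/bin/sh
# Added example, not from the thread or from Dogtag. Uses OpenSSL where
# Christina used certutil and the Dogtag EE/agent pages; names are made up.
# Note: some distribution crypto policies (e.g. RHEL 9 DEFAULT) disable DSA
# in OpenSSL entirely, in which case the DSA steps below fail.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject side: DSA parameters, a DSA key, and a CSR self-signed with it
# (the openssl counterpart of: certutil -R -k dsa -s "CN=cfuTestDSA").
make_dsa_csr() {
    openssl dsaparam -out "$WORK/dsa.params" 2048 2>/dev/null
    openssl gendsa -out "$WORK/dsa.key" "$WORK/dsa.params" 2>/dev/null
    openssl req -new -key "$WORK/dsa.key" -subj "/CN=cfuTestDSA" \
        -out "$WORK/dsa.csr"
}

# CA side: a throwaway self-signed CA. $1 = name; the remaining arguments
# choose the CA key type (-newkey rsa:2048, or -newkey ec -pkeyopt ...).
make_ca() {
    name=$1; shift
    openssl req -x509 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" "$@" 2>/dev/null
}

# Issuance: the CA signs the DSA CSR (what the agent's "approve" does in
# Dogtag). $1 = CA name, $2 = output certificate name.
issue() {
    openssl x509 -req -days 1 -in "$WORK/dsa.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# Inspection: subject public key algorithm and signature algorithm as
# printed by `openssl x509 -text`, plus a chain verification.
pubkey_alg() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}
sig_alg() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}
verify_chain() {  # $1 = CA name, $2 = certificate name; prints OK or FAIL
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_dsa_csr
make_ca rsa-ca -newkey rsa:2048
make_ca ec-ca  -newkey ec -pkeyopt ec_paramgen_curve:P-256
issue rsa-ca dsa-by-rsa
issue ec-ca  dsa-by-ec

for cert in dsa-by-rsa dsa-by-ec; do
    ca=${cert#dsa-by-}-ca
    printf '%s: subject key %s, signed with %s, verify against %s: %s\n' \
        "$cert" "$(pubkey_alg "$cert")" "$(sig_alg "$cert")" \
        "$ca" "$(verify_chain "$ca" "$cert")"
done
```

Both certificates carry a `dsaEncryption` subject key; what changes between them is only the signature algorithm (`sha256WithRSAEncryption` versus `ecdsa-with-SHA256`), and each verifies only against the CA that issued it. The 2048-bit DSA parameter generation is the slow step and can take a while on a small machine.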