[Pki-users] Looking for a short path to auto signing server certificates.

Nalin Dahyabhai nalin at redhat.com
Wed Apr 1 21:43:08 UTC 2015


On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote:
> Hello everyone,
> 
> I have a requirement to provide a service to our internal linux systems to
> allow them to self-register and receive a certificate representing the host
> itself and then a cert representing any application on that host. I have
> installed DogTag, it's up and running and seems to be working.
> 
> I'd like to be able to use REST to request a certificate and have it
> auto-signed. I know that DogTag has a REST interface and while the
> interface is documented, there are no examples where I can see how it would
> actually be used to post a CSR, fetch a cert, etc.
> 
> Normally, I'd just sniff a request made with getcert but as I'm using just
> dogtag as a standalone install and not as a part of FreeIPA, getcert has no
> knowledge of my local DogTag CA:
> 
> [root at dogtag lib]# getcert list-cas
> CA 'SelfSign':
>         is-default: no
>         ca-type: INTERNAL:SELF
>         next-serial-number: 01
> CA 'IPA':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/ipa-submit
> CA 'certmaster':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/certmaster-submit
> CA 'dogtag-ipa-renew-agent':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> CA 'local':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/local-submit
> 
> so... how do I make it aware? I'm using fedora21 so I'm at
> certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
> looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure what
> to add.

If you're after something you can use to poke at the server from the
command line, the 'pki' tool from the 'pki-tools' package may be closer
to what you're looking for.

If not, well, here's more than you probably want to know.

The CAs which certmonger knows about by default are the ones that don't
require any additional configuration to be passed to them.  For example,
the ipa-submit helper can dig up all of the configuration that it needs
from the IPA configuration files.  Along similar lines, the
dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration
for some settings, and has hardwired defaults for the rest.

The general-purpose dogtag-submit helper doesn't have that expectation,
and it hasn't seen much use yet, so you may find some bugs (well, more
than usual).  Anyway, a new file telling certmonger how to invoke it
would look something like this:

 id=Dogtag
 ca_type=EXTERNAL
 ca_external_helper=/usr/libexec/certmonger/dogtag-submit ...

The flags that would be passed to the dogtag-submit helper depend on
whether or not it's expected to use agent creds to use Dogtag's agent
services to approve the signing requests that it submits.  Briefly:
-T caServerCert
   The name of the Dogtag enrollment profile to use.
-E http://server:8080/ca/ee/ca
   The location of Dogtag's end-user service.
-A https://server:8443/ca/agent/ca
   The location of Dogtag's agent services, if agent creds will be used.
-d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt
   The location of the agent creds, if agent creds will be used.

Some words of caution: the helper doesn't use the new REST API, but
rather the old forms-based one, due to a combination of wanting to
remain compatible with older versions of Dogtag and wanting to avoid
adding new dependencies to the server via the REST API.

If you try to use agent creds to auto-approve things, but the enrollment
profile doesn't provide defaults for every extension value that it
populates, the logic in dogtag-submit that tries to use agent creds to
approve requests won't be able to tell the server to just use the
defaults, and things could go awry.  The -O flag may help here.

You may want to run dogtag-submit interactively to get the flags sorted
out, passing in previous output using the -S flag to mimic the
certmonger daemon running it iteratively.

> I apologize in advance for the pedestrian questions. I have read the docs
> and the getting started guide and while they provide examples for
> self-signed certs and for using FreeIPA, I don't see much info on using
> getcert with DogTag as a standalone product. I'd also like to explore using
> SCEP for requesting certs from our MS PKI. Is there a guide or info setting
> up certmonger/getcert to hit a SCEP URL?

That functionality was new in 0.77, and I've just submitted a candidate
update build for F21, so hopefully some will be available in the
updates-testing tree this week.  Anyway, the short version of how to use
an SCEP server is:

* Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at
  your SCEP server's URL and give the CA a nickname.
  * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted
    copy of the CA's certificate.  If not, use "getcert list" and
    "getcert list-cas" to display request and certificate fingerprints
    for manual verification.
* Use "getcert -c $NAME" to request a certificate.
  * Use the -L or -l flag to supply the enrollment PIN or point to a
    file that contains the enrollment PIN.

A lot of the logic for supporting SCEP is new, so if you run into
problems in that area, please make sure to let us know.

HTH,

Nalin
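As an added example (not part of Nalin's reply, and not certmonger's or Dogtag's own code): a small POSIX shell helper that writes the CA definition file Nalin sketches above, in the id=/ca_type=/ca_external_helper= form, with the dogtag-submit flags he lists (-T, -E, -A, -d, -n, -p). The hostname pki.example.com, the profile name, the NSS database path, nickname and password file are placeholders, and the assumption that certmonger accepts any file name inside /var/lib/certmonger/cas (it identifies the CA by the id= line) is mine, not the mail's. The second, shorter form omits the agent arguments, which leaves each request sitting in Dogtag's agent queue until someone approves it by hand; that is the safer default if you are not yet sure the enrollment profile has defaults for every extension it populates.

```shell
#!/bin/sh
# Added example: generate a certmonger CA definition for the
# general-purpose dogtag-submit helper.  Not from the original mail.
set -eu

# Directory certmonger reads CA definitions from.  Overridable so the
# script can be exercised in a scratch directory without touching the
# real daemon state.
CAS_DIR="${CAS_DIR:-/var/lib/certmonger/cas}"

# write_dogtag_ca NAME SERVER PROFILE [NSSDB NICK PWDFILE]
#
#   NAME     the id= value, i.e. what you pass to "getcert request -c"
#   SERVER   Dogtag host; 8080 (EE) and 8443 (agent) are the defaults
#            from the reply, adjust if your instance differs
#   PROFILE  enrollment profile, e.g. caServerCert
#   NSSDB NICK PWDFILE (optional)
#            agent credentials; when present the helper is told to use
#            Dogtag's agent services to approve its own requests.
#
# Prints the path of the file it wrote.
write_dogtag_ca() {
    name=$1; server=$2; profile=$3
    helper="/usr/libexec/certmonger/dogtag-submit -T $profile -E http://$server:8080/ca/ee/ca"
    if [ $# -ge 6 ]; then
        # Auto-approval path: agent cert in an NSS database, password in
        # a file.  That file must be readable only by root (certmonger
        # runs as root); the helper line itself only names the path.
        helper="$helper -A https://$server:8443/ca/agent/ca -d $4 -n $5 -p $6"
    fi
    mkdir -p "$CAS_DIR"
    out="$CAS_DIR/$name"
    printf 'id=%s\nca_type=EXTERNAL\nca_external_helper=%s\n' \
        "$name" "$helper" > "$out"
    chmod 600 "$out"
    echo "$out"
}

# Demonstration when run as "sh script.sh --demo"; skipped otherwise so
# sourcing the file has no side effects.  (Placeholder values.)
if [ "${1:-}" = "--demo" ]; then
    CAS_DIR=$(mktemp -d)
    write_dogtag_ca Dogtag pki.example.com caServerCert \
        /etc/httpd/alias ipaCert /etc/httpd/alias/pwdfile.txt
    write_dogtag_ca DogtagManual pki.example.com caServerCert
    cat "$CAS_DIR/Dogtag" "$CAS_DIR/DogtagManual"
fi
```

certmonger reads the cas directory when it starts, so restart the daemon after writing the file and confirm the new entry with `getcert list-cas` before requesting anything. To debug the flags the way Nalin suggests, take the ca_external_helper line out of the file and run it by hand with the PEM-encoded CSR in the CERTMONGER_CSR environment variable (certmonger's convention for handing the request to a helper), feeding the previous run's output back with -S on the next invocation.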
