[Pki-users] Looking for a short path to auto signing server certificates.

Steve Neuharth steve at sylvation.com
Fri Apr 3 20:47:43 UTC 2015


Thanks again for the information. I have a couple more questions for you.

The first is that I have added a new 'Dogtag' CA in
/var/lib/certmonger/cas/20150331194831-5:

  id=Dogtag
  ca_aka=Dogtag PKI
  ca_is_default=0
  ca_type=EXTERNAL
  ca_external_helper=/usr/libexec/certmonger/dogtag-submit
  ca_required_enroll_attributes=template-subject
  ca_required_renewal_attributes=template-subject

However, when I run getcert list-cas, it does not appear.

The next question is regarding the dogtag-submit helper itself. I'm trying
to execute this:

  /usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key \
      -E https://dogtag.test.org:8443/ca/ee/ca \
      -A https://dogtag.test.org:8443/ca/agent/ca \
      -T caServerCert -d /etc/httpd/alias -n caadmin \
      -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C /etc/pki/pki-tomcat/alias

and then I paste in my CSR and hit 'ctrl-d' and I get:

  code = 77
  code_text = "Problem with the SSL CA cert (path? access rights?)"
  results = "(null)"
  Error 77 connecting to https://dogtag.test.org:8443/ca/ee/ca/profileSubmit: Problem with the SSL CA cert (path? access rights?).

I guess I'm not sure what CA cert path it's talking about. I've tried the
pki-tomcat alias path and I've tried pointing to the CAcert that I
downloaded from the WebUI on the 'Import CA Certificate Chain' page but I
always get the same error.

Thanks for your help,
--steve

On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote:
> > Hello everyone,
> >
> > I have a requirement to provide a service to our internal linux systems to
> > allow them to self-register and receive a certificate representing the host
> > itself and then a cert representing any application on that host. I have
> > installed DogTag, it's up and running and seems to be working.
> >
> > I'd like to be able to use REST to request a certificate and have it
> > auto-signed. I know that DogTag has a REST interface and while the
> > interface is documented, there are no examples where I can see how it would
> > actually be used to post a CSR, fetch a cert, etc.
> >
> > Normally, I'd just sniff a request made with getcert but as I'm using just
> > dogtag as a standalone install and not as a part of FreeIPA, getcert has no
> > knowledge of my local DogTag CA:
> >
> > [root@dogtag lib]# getcert list-cas
> > CA 'SelfSign':
> >         is-default: no
> >         ca-type: INTERNAL:SELF
> >         next-serial-number: 01
> > CA 'IPA':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/ipa-submit
> > CA 'certmaster':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/certmaster-submit
> > CA 'dogtag-ipa-renew-agent':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> > CA 'local':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/local-submit
> >
> > so... how do I make it aware? I'm using fedora21 so I'm at
> > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
> > looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure what
> > to add.
>
> If you're after something you can use to poke at the server from the
> command line, the 'pki' tool from the 'pki-tools' package may be closer
> to what you're looking for.
>
> If not, well, here's more than you probably want to know.
>
> The CAs which certmonger knows about by default are the ones that don't
> require any additional configuration to be passed to them.  For example,
> the ipa-submit helper can dig up all of the configuration that it needs
> from the IPA configuration files.  Along similar lines, the
> dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration
> for some settings, and have hardwired defaults for the rest.
>
> The general-purpose dogtag-submit helper doesn't have that expectation,
> and it hasn't seen much use yet, so you may find some bugs (well, more
> than usual).  Anyway, a new file telling certmonger how to invoke it
> would look something like this:
>
>  id=Dogtag
>  ca_type=EXTERNAL
>  ca_external_helper=/usr/libexec/certmonger/dogtag-submit ...
>
> The flags that would be passed to the dogtag-submit helper depend on
> whether or not it's expected to use agent creds to use Dogtag's agent
> services to approve the signing requests that it submits.  Briefly:
> -T caServerCert
>    The name of the Dogtag enrollment profile to use.
> -E http://server:8080/ca/ee/ca
>    The location of Dogtag's end-user service.
> -A https://server:8443/ca/agent/ca
>    The location of Dogtag's agent services, if agent creds will be used.
> -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt
>    The location of the agent creds, if agent creds will be used.
>
> Some words of caution: the helper doesn't use the new REST API, but
> rather the old forms-based one, due to a combination of wanting to
> remain compatible with older versions of Dogtag and wanting to avoid
> adding new dependencies to the server via the REST API.
>
> If you try to use agent creds to auto-approve things, but the enrollment
> profile doesn't provide defaults for every extension value that it
> populates, the logic in dogtag-submit that tries to use agent creds to
> approve requests won't be able to tell the server to just use the
> defaults, and things could go awry.  The -O flag may help here.
>
> You may want to run dogtag-submit interactively to get the flags sorted
> out, passing in previous output using the -S flag to mimic the
> certmonger daemon running it iteratively.
>
> > I apologize in advance for the pedestrian questions. I have read the docs
> > and the getting started guide and while they provide examples for
> > self-signed certs and for using FreeIPA, I don't see much info on using
> > getcert with DogTag as a standalone product. I'd also like to explore using
> > SCEP for requesting certs from our MS PKI. Is there a guide or info setting
> > up certmonger/getcert to hit a SCEP URL?
>
> That functionality was new in 0.77, and I've just submitted a candidate
> update build for F21, so hopefully some will be available in the
> updates-testing tree this week.  Anyway, the short version of how to use
> an SCEP server is:
>
> * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at
>   your SCEP server's URL and give the CA a nickname.
>   * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted
>     copy of the CA's certificate.  If not, use "getcert list" and
>     "getcert list-cas" to display request and certificate fingerprints
>     for manual verification.
> * Use "getcert -c $NAME" to request a certificate.
>   * Use the -L or -l flag to supply the enrollment PIN or point to a
>     file that contains the enrollment PIN.
>
> A lot of the logic for supporting SCEP is new, so if you run into
> problems in that area, please make sure to let us know.
>
> HTH,
>
> Nalin
>
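A small pre-flight check for the kind of CA definition discussed in this thread, added here as an example that is not part of the thread or of certmonger itself: it parses a key=value file like the one under /var/lib/certmonger/cas and lints the dogtag-submit flags on its ca_external_helper line against the flags Nalin lists (-T, -E, -A with -d/-n/-p). The sample file is constructed from Steve's post; treating -C as the CA-certificate location is an assumption taken from his command line.

```python
# Added example (not certmonger's code): lint a certmonger CA definition file and its helper flags.
import os
import shlex
REQUIRED_KEYS = ("id", "ca_type", "ca_external_helper")
AGENT_CREDS = ({"-d", "-n", "-p"}, {"-c", "-k"})  # NSS db + PIN file, or PEM cert/key
# Constructed sample: Steve's file from the thread, helper line carrying no flags.
SAMPLE_BARE = """id=Dogtag
ca_aka=Dogtag PKI
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-submit
ca_required_enroll_attributes=template-subject
ca_required_renewal_attributes=template-subject
"""

def parse_ca_file(text):
    """Parse key=value lines; blanks, '#' comments and junk lines are skipped."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def helper_flags(cmdline):
    """Map each single-letter flag of the helper command line to its value."""
    argv, flags, i = shlex.split(cmdline), {}, 1
    while i < len(argv):
        if argv[i].startswith("-") and len(argv[i]) == 2:
            has_val = i + 1 < len(argv) and not argv[i + 1].startswith("-")
            flags[argv[i]] = argv[i + 1] if has_val else ""
            i += 2 if has_val else 1
        else:
            i += 1  # e.g. -vv or a stray token
    return flags

def lint(text):
    """Return the problems found in a CA definition; an empty list means consistent."""
    conf = parse_ca_file(text)
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in conf]
    flags = helper_flags(conf.get("ca_external_helper", ""))
    problems += [f"helper lacks {f}" for f in ("-T", "-E") if f not in flags]
    if "-A" in flags and not any(s.issubset(flags) for s in AGENT_CREDS):
        problems.append("-A given but no agent creds (-d/-n/-p or -c/-k)")
    # Assumption: -C is the CA cert location; the thread's error 77 asks "path? access rights?".
    if "-C" in flags and not os.access(flags["-C"], os.R_OK):
        problems.append(f"CA cert location {flags['-C']} is missing or unreadable")
    return problems
```

Running lint over the bare file reports that the helper line carries no profile (-T) or end-entity URL (-E), which is exactly what Nalin's template expects after the helper path.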