[Pki-users] Looking for a short path to auto signing server certificates.

Steve Neuharth steve at sylvation.com
Fri Apr 3 21:07:08 UTC 2015 

I should add too that  *curl --cacert ca.crt
https://dogtag.test.org:8443/ca/services
<https://dogtag.test.org:8443/ca/services> *does get a valid response while
using that file with the -C switch on dogtag-submit does not.

On Fri, Apr 3, 2015 at 3:47 PM, Steve Neuharth <steve at sylvation.com> wrote:

> Thanks again for the information. I have a couple more questions for you.
>
> first is that I have added a new 'Dogtag' ca in
> /var/lib/certmonger/cas/20150331194831-5
>
>
>
>
>
>
>
>
> *id=Dogtagca_aka=Dogtag
> PKIca_is_default=0ca_type=EXTERNALca_external_helper=/usr/libexec/certmonger/dogtag-submitca_required_enroll_attributes=template-subjectca_required_renewal_attributes=template-subject*
>
> however, when I run getcert list-cas, it does not appear
>
> The next question is regarding the dogtag-submit helper itself. I'm trying
> to execute this:
>
> */usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key -E
> https://dogtag.test.org:8443/ca/ee/ca
> <https://dogtag.test.org:8443/ca/ee/ca> -A
> https://dogtag.test.org:8443/ca/agent/ca
> <https://dogtag.test.org:8443/ca/agent/ca> -T caServerCert -d
> /etc/httpd/alias -n caadmin -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C
> /etc/pki/pki-tomcat/alias*
>
> and then I paste in my csr and hit 'ctrl-d' and I get:
>
>
>
>
>
>
> *code = 77code_text = "Problem with the SSL CA cert (path? access
> rights?)"results = "(null)"Error 77 connecting to
> https://dogtag.test.org:8443/ca/ee/ca/profileSubmit
> <https://dogtag.test.org:8443/ca/ee/ca/profileSubmit>: Problem with the SSL
> CA cert (path? access rights?).*
> I guess I'm not sure what CA cert path it's talking about. I've tried the
> pki-tomcat alias path and I've tried pointing to the CAcert that I
> downloaded from the WebUI on the 'Import CA Certificate Chain' page but I
> always get the same error.
>
> Thanks for your help,
> --steve
>
> On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
>
>> On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote:
>> > Hello everyone,
>> >
>> > I have a requirement to provide a service to our internal linux systems
>> to
>> > allow them to self-register and receive a certificate representing the
>> host
>> > itself and then a cert representing any application on that host. I have
>> > installed DogTag, it's up and running and seems to be working.
>> >
>> > I'd like to be able to use REST to request a certificate and have it
>> > auto-signed. I know that DogTag has a REST interface and while the
>> > interface is documented, there are no examples where I can see how it
>> would
>> > actually be used to post a CSR, fetch a cert, etc.
>> >
>> > Normally, I'd just sniff a request made with getcert but as I'm using
>> just
>> > dogtag as a standalone install and not as a part of FreeIPA, getcert
>> has no
>> > knowledge of my local DogTag CA:
>> >
>> > *[root at dogtag lib]# getcert list-casCA 'SelfSign':        is-default:
>> > no        ca-type: INTERNAL:SELF        next-serial-number: 01CA
>> > 'IPA':        is-default: no        ca-type: EXTERNAL
>> > helper-location: /usr/libexec/certmonger/ipa-submitCA 'certmaster':
>> > is-default: no        ca-type: EXTERNAL        helper-location:
>> > /usr/libexec/certmonger/certmaster-submitCA
>> > 'dogtag-ipa-renew-agent':        is-default: no        ca-type:
>> > EXTERNAL        helper-location:
>> > /usr/libexec/certmonger/dogtag-ipa-renew-agent-submitCA 'local':
>> > is-default: no        ca-type: EXTERNAL        helper-location:
>> > /usr/libexec/certmonger/local-submit*
>> >
>> > so... how do I make it aware? I'm using fedora21 so I'm at
>> > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
>> > looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure
>> what
>> > to add.
>>
>> If you're after something you can use to poke at the server from the
>> command line, the 'pki' tool from the 'pki-tools' package may be closer
>> to what you're looking for.
>>
>> If not, well, here's more than you probably want to know.
>>
>> The CAs which certmonger knows about by default are the ones that don't
>> require any additional configuration to be passed to them.  For example,
>> the ipa-submit helper can dig up all of the configuration that it needs
>> from the IPA configuration files.  Along similar lines, the
>> dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration
>> for some settings, and have hardwired defaults for the rest.
>>
>> The general-purpose dogtag-submit helper doesn't have that expectation,
>> and it hasn't seen much use yet, so you may find some bugs (well, more
>> than usual).  Anyway, a new file telling certmonger how to invoke it
>> would look something like this:
>>
>>  id=Dogtag
>>  ca_type=EXTERNAL
>>  ca_external_helper=/usr/libexec/certmonger/dogtag-submit ...
>>
>> The flags that would be passed to the dogtag-submit helper depend on
>> whether or not it's expected to use agent creds to use Dogtag's agent
>> services to approve the signing requests that it submits.  Briefly:
>> -T caServerCert
>>    The name of the Dogtag enrollment profile to use.
>> -E http://server:8080/ca/ee/ca
>>    The location of Dogtag's end-user service.
>> -A https://server:8443/ca/agent/ca
>>    The location of Dogtag's agent services, if agent creds will be used.
>> -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt
>>    The location of the agent creds, if agent creds will be used.
>>
>> Some words of caution: the helper doesn't use the new REST API, but
>> rather the old forms-based one, due to a combination of wanting to
>> remain compatible with older versions of Dogtag and wanting to avoid
>> adding new dependencies to the server via the REST API.
>>
>> If you try to use agent creds to auto-approve things, but the enrollment
>> profile doesn't provide defaults for every extension value that it
>> populates, the logic in dogtag-submit that tries to use agent creds to
>> approve requests won't be able to tell the server to just use the
>> defaults, and things could go awry.  The -O flag may help here.
>>
>> You may want to run dogtag-submit interactively to get the flags sorted
>> out, passing in previous output using the -S flag to mimic the
>> certmonger daemon running it iteratively.
>>
>> > I apologize in advance for the pedestrian questions. I have read the
>> docs
>> > and the getting started guide and while they provide examples for
>> > self-signed certs and for using FreeIPA, I don't see much info on using
>> > getcert with DogTag as a standalone product. I'd also like to explore
>> using
>> > SCEP for requesting certs from our MS PKI. Is there a guide or info
>> setting
>> > up certmonger/getcert to hit a SCEP URL?
>>
>> That functionality was new in 0.77, and I've just submitted a candidate
>> update build for F21, so hopefully some will be available in the
>> updates-testing tree this week.  Anyway, the short version of how to use
>> an SCEP server is:
>>
>> * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at
>>   your SCEP server's URL and give the CA a nickname.
>>   * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted
>>     copy of the CA's certificate.  If not, use "getcert list" and
>>     "getcert list-cas" to display request and certificate fingerprints
>>     for manual verification.
>> * Use "getcert -c $NAME" to request a certificate.
>>   * Use the -L or -l flag to supply the enrollment PIN or point to a
>>     file that contains the enrollment PIN.
>>
>> A lot of the logic for supporting SCEP is new, so if you run into
>> problems in that area, please make sure to let us know.
>>
>> HTH,
>>
>> Nalin
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150403/4e92c438/attachment.htm>

More information about the Pki-users mailing list