[Pki-users] Looking for a short path to auto signing server certificates.

Steve Neuharth steve at sylvation.com
Sat Apr 4 19:17:03 UTC 2015 

I see the issue now... I should have used -i instead of -C. I was also able
to add my new ca, Dogtag but i had to stop certmonger, add the ca and then
start certmonger again.

On Fri, Apr 3, 2015 at 4:07 PM, Steve Neuharth <steve at sylvation.com> wrote:

> I should add too that  *curl --cacert ca.crt
> https://dogtag.test.org:8443/ca/services
> <https://dogtag.test.org:8443/ca/services> *does get a valid response
> while using that file with the -C switch on dogtag-submit does not.
>
> On Fri, Apr 3, 2015 at 3:47 PM, Steve Neuharth <steve at sylvation.com>
> wrote:
>
>> Thanks again for the information. I have a couple more questions for you.
>>
>> first is that I have added a new 'Dogtag' ca in
>> /var/lib/certmonger/cas/20150331194831-5
>>
>>
>>
>>
>>
>>
>>
>>
>> *id=Dogtagca_aka=Dogtag
>> PKIca_is_default=0ca_type=EXTERNALca_external_helper=/usr/libexec/certmonger/dogtag-submitca_required_enroll_attributes=template-subjectca_required_renewal_attributes=template-subject*
>>
>> however, when I run getcert list-cas, it does not appear
>>
>> The next question is regarding the dogtag-submit helper itself. I'm
>> trying to execute this:
>>
>> */usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key -E
>> https://dogtag.test.org:8443/ca/ee/ca
>> <https://dogtag.test.org:8443/ca/ee/ca> -A
>> https://dogtag.test.org:8443/ca/agent/ca
>> <https://dogtag.test.org:8443/ca/agent/ca> -T caServerCert -d
>> /etc/httpd/alias -n caadmin -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C
>> /etc/pki/pki-tomcat/alias*
>>
>> and then I paste in my csr and hit 'ctrl-d' and I get:
>>
>>
>>
>>
>>
>>
>> *code = 77code_text = "Problem with the SSL CA cert (path? access
>> rights?)"results = "(null)"Error 77 connecting to
>> https://dogtag.test.org:8443/ca/ee/ca/profileSubmit
>> <https://dogtag.test.org:8443/ca/ee/ca/profileSubmit>: Problem with the SSL
>> CA cert (path? access rights?).*
>> I guess I'm not sure what CA cert path it's talking about. I've tried the
>> pki-tomcat alias path and I've tried pointing to the CAcert that I
>> downloaded from the WebUI on the 'Import CA Certificate Chain' page but
>> I always get the same error.
>>
>> Thanks for your help,
>> --steve
>>
>> On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
>>
>>> On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote:
>>> > Hello everyone,
>>> >
>>> > I have a requirement to provide a service to our internal linux
>>> systems to
>>> > allow them to self-register and receive a certificate representing the
>>> host
>>> > itself and then a cert representing any application on that host. I
>>> have
>>> > installed DogTag, it's up and running and seems to be working.
>>> >
>>> > I'd like to be able to use REST to request a certificate and have it
>>> > auto-signed. I know that DogTag has a REST interface and while the
>>> > interface is documented, there are no examples where I can see how it
>>> would
>>> > actually be used to post a CSR, fetch a cert, etc.
>>> >
>>> > Normally, I'd just sniff a request made with getcert but as I'm using
>>> just
>>> > dogtag as a standalone install and not as a part of FreeIPA, getcert
>>> has no
>>> > knowledge of my local DogTag CA:
>>> >
>>> > *[root at dogtag lib]# getcert list-casCA 'SelfSign':        is-default:
>>> > no        ca-type: INTERNAL:SELF        next-serial-number: 01CA
>>> > 'IPA':        is-default: no        ca-type: EXTERNAL
>>> > helper-location: /usr/libexec/certmonger/ipa-submitCA 'certmaster':
>>> > is-default: no        ca-type: EXTERNAL        helper-location:
>>> > /usr/libexec/certmonger/certmaster-submitCA
>>> > 'dogtag-ipa-renew-agent':        is-default: no        ca-type:
>>> > EXTERNAL        helper-location:
>>> > /usr/libexec/certmonger/dogtag-ipa-renew-agent-submitCA 'local':
>>> > is-default: no        ca-type: EXTERNAL        helper-location:
>>> > /usr/libexec/certmonger/local-submit*
>>> >
>>> > so... how do I make it aware? I'm using fedora21 so I'm at
>>> > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask.
>>> It
>>> > looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure
>>> what
>>> > to add.
>>>
>>> If you're after something you can use to poke at the server from the
>>> command line, the 'pki' tool from the 'pki-tools' package may be closer
>>> to what you're looking for.
>>>
>>> If not, well, here's more than you probably want to know.
>>>
>>> The CAs which certmonger knows about by default are the ones that don't
>>> require any additional configuration to be passed to them.  For example,
>>> the ipa-submit helper can dig up all of the configuration that it needs
>>> from the IPA configuration files.  Along similar lines, the
>>> dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration
>>> for some settings, and have hardwired defaults for the rest.
>>>
>>> The general-purpose dogtag-submit helper doesn't have that expectation,
>>> and it hasn't seen much use yet, so you may find some bugs (well, more
>>> than usual).  Anyway, a new file telling certmonger how to invoke it
>>> would look something like this:
>>>
>>>  id=Dogtag
>>>  ca_type=EXTERNAL
>>>  ca_external_helper=/usr/libexec/certmonger/dogtag-submit ...
>>>
>>> The flags that would be passed to the dogtag-submit helper depend on
>>> whether or not it's expected to use agent creds to use Dogtag's agent
>>> services to approve the signing requests that it submits.  Briefly:
>>> -T caServerCert
>>>    The name of the Dogtag enrollment profile to use.
>>> -E http://server:8080/ca/ee/ca
>>>    The location of Dogtag's end-user service.
>>> -A https://server:8443/ca/agent/ca
>>>    The location of Dogtag's agent services, if agent creds will be used.
>>> -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt
>>>    The location of the agent creds, if agent creds will be used.
>>>
>>> Some words of caution: the helper doesn't use the new REST API, but
>>> rather the old forms-based one, due to a combination of wanting to
>>> remain compatible with older versions of Dogtag and wanting to avoid
>>> adding new dependencies to the server via the REST API.
>>>
>>> If you try to use agent creds to auto-approve things, but the enrollment
>>> profile doesn't provide defaults for every extension value that it
>>> populates, the logic in dogtag-submit that tries to use agent creds to
>>> approve requests won't be able to tell the server to just use the
>>> defaults, and things could go awry.  The -O flag may help here.
>>>
>>> You may want to run dogtag-submit interactively to get the flags sorted
>>> out, passing in previous output using the -S flag to mimic the
>>> certmonger daemon running it iteratively.
>>>
>>> > I apologize in advance for the pedestrian questions. I have read the
>>> docs
>>> > and the getting started guide and while they provide examples for
>>> > self-signed certs and for using FreeIPA, I don't see much info on using
>>> > getcert with DogTag as a standalone product. I'd also like to explore
>>> using
>>> > SCEP for requesting certs from our MS PKI. Is there a guide or info
>>> setting
>>> > up certmonger/getcert to hit a SCEP URL?
>>>
>>> That functionality was new in 0.77, and I've just submitted a candidate
>>> update build for F21, so hopefully some will be available in the
>>> updates-testing tree this week.  Anyway, the short version of how to use
>>> an SCEP server is:
>>>
>>> * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at
>>>   your SCEP server's URL and give the CA a nickname.
>>>   * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted
>>>     copy of the CA's certificate.  If not, use "getcert list" and
>>>     "getcert list-cas" to display request and certificate fingerprints
>>>     for manual verification.
>>> * Use "getcert -c $NAME" to request a certificate.
>>>   * Use the -L or -l flag to supply the enrollment PIN or point to a
>>>     file that contains the enrollment PIN.
>>>
>>> A lot of the logic for supporting SCEP is new, so if you run into
>>> problems in that area, please make sure to let us know.
>>>
>>> HTH,
>>>
>>> Nalin
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150404/10416ebd/attachment.htm>

More information about the Pki-users mailing list