[Pki-users] Router identity certificate auto-renewal questions

Christina Fu cfu at redhat.com
Fri Apr 10 16:14:34 UTC 2015


Hi Emily,
  Please see my in-line reply below.
Actually, you might want to read my last comment first, and then circle 
back, so you won't get confused.

Christina

On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
> Hi,
>
> I was referred to this email list by alee on the #dogtag-pki IRC group 
> to get some help on automatic certificate renewals.  We are trying to 
> get Dogtag 10.2.1 set up to be a certificate authority for Cisco 
> routers' identity certificates.  For the first step I have things 
> working to get a certificate using the caRouterCert.cfg profile with a 
> one-time password in the flatfile.txt.  For the second step I'm trying 
> to get auto-renewal of the identity certificates working.  Here is 
> where I stand:
>
If you intend to do auto-enrollment, then one-time pin is not the right 
authentication method.  See my reply to #2 below.

> 1.  For testing, I have set the validity to 1 day so that the renewal 
> attempt happens the next day... I don't see a way of making it any 
> shorter to expedite testing.
A trick I hear of in testing is to reset the clock.

>
> 2. I have added "renewal=true" to the caRouterCert.cfg hoping that it 
> will enable auto-renewal.  I'm not sure if using the same profile 
> would require that a "one-time" password needs to be in flatfile.txt 
> again (which isn't practical)?  If I would need a different profile 
> for the renewal I'm not clear on how to add and then use it for the 
> renewal.
The caRouterCert profile works just like all the other profiles, where 
the authentication/authorization are configurable.
Here is a link that explains how authentication works and how to 
configure it in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html

You have a choice of authentication methods.  For example, if you want 
auto-approval (without manual agent approval), you will need to set up 
directory-based authentication.

>
> 3.  I have renewal.graceBefore=10 and renewal.graceAfter=1 in the 
> profile just for testing purposes.
>
> 4.  I have confirmed on the router that the expiration is as expected 
> (24hrs) and it shows a date/time that it will attempt to renew 
> automatically (the link below discusses cert renewal from the 
> perspective of IOS).
> http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8
>
> 5.  When the renewal time comes on the router, I see lots of activity 
> in the dogtag debug log, but am unsure of what to look for to 
> troubleshoot it failing.

Please note that the renewal feature is not intended for the router.  
You can read the doc here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html

In case of router renewal, you just need to go through the same 
caRouterCert profile.  As you can see from the renewal link above, 
renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit the same request
2. new keys - in this case, you generate a new request to submit

Hope this helps.
Christina


>
> Please advise on what to change and/or look for.  I can also send logs 
> and/or config files if that would help.
>
> Best Regards,
> -Emily
>
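The thread sets renewal.graceBefore=10 and renewal.graceAfter=1 and suggests resetting the clock to test. The following is an added example, not from the thread, Dogtag or Cisco: it models the grace window as days before and after notAfter (an assumption about the constraint's semantics) and classifies a renewal attempt at a chosen clock time, flagging the case where a 1-day validity makes the window start before the certificate is even valid.

```python
from datetime import datetime, timedelta, timezone

# Values quoted in the thread (days); the day-based interpretation is assumed.
GRACE_BEFORE_DAYS = 10
GRACE_AFTER_DAYS = 1


def renewal_window(not_after, grace_before=GRACE_BEFORE_DAYS, grace_after=GRACE_AFTER_DAYS):
    """Return (start, end) of the window in which a renewal is accepted."""
    return (not_after - timedelta(days=grace_before),
            not_after + timedelta(days=grace_after))


def renewal_status(not_before, not_after, now,
                   grace_before=GRACE_BEFORE_DAYS, grace_after=GRACE_AFTER_DAYS):
    """Classify a renewal attempt made at `now` (a timezone-aware datetime).

    Returns one of:
      too_early        - before the grace window opens
      ok_before_expiry - inside the window, certificate still valid
      ok_after_expiry  - inside the window, certificate already expired
      too_late         - after the window closes (re-enrollment, not renewal)
    """
    start, end = renewal_window(not_after, grace_before, grace_after)
    if now < start:
        return "too_early"
    if now > end:
        return "too_late"
    return "ok_before_expiry" if now <= not_after else "ok_after_expiry"


def window_covers_whole_validity(not_before, not_after, grace_before=GRACE_BEFORE_DAYS):
    """True when graceBefore exceeds the lifetime, as with a 1-day test cert.

    In that case the 'too_early' branch can never fire during validity, so a
    failing renewal is not a timing problem but an authentication or
    profile problem (see the reply above)."""
    start, _ = renewal_window(not_after, grace_before, 0)
    return start <= not_before


if __name__ == "__main__":
    # Constructed sample certificate: 1-day validity, as in the thread's test.
    nb = datetime(2015, 4, 9, 0, 0, tzinfo=timezone.utc)
    na = nb + timedelta(days=1)
    for clock in (nb + timedelta(hours=12), na + timedelta(hours=12),
                  na + timedelta(days=2)):
        print(clock.isoformat(), renewal_status(nb, na, clock))
    print("window covers validity:", window_covers_whole_validity(nb, na))
```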
