[Pki-users] Router identity certificate auto-renewal questions

Christina Fu cfu at redhat.com
Fri Apr 10 22:02:29 UTC 2015


Reposting, since Emily possibly joined the mailing list after I 
replied ;-).

Christina

On 04/10/2015 09:14 AM, Christina Fu wrote:
> Hi Emily,
>  Please see my in-line reply below.
> Actually, you might want to read my last comment first, and then 
> circle back, so you won't get confused.
>
> Christina
>
> On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
>> Hi,
>>
>> I was referred to this email list by alee on the #dogtag-pki IRC 
>> group to get some help on automatic certificate renewals.  We are 
>> trying to get Dogtag 10.2.1 set up to be a certificate authority for 
>> Cisco routers' identity certificates.  For the first step I have 
>> things working to get a certificate using the caRouterCert.cfg 
>> profile with a one-time password in the flatfile.txt.  For the second 
>> step I'm trying to get auto-renewal of the identity certificates 
>> working.  Here is where I stand:
>>
> If you intend to do auto-enrollment, then one-time pin is not the 
> right authentication method.  See my reply to #2 below.
>
>> 1.  For testing, I have set the validity to 1 day so that the renewal 
>> attempt happens the next day... I don't see a way of making it any 
>> shorter to expedite testing.
> A trick I hear in testing is to reset the clock.
>
>>
>> 2. I have added "renewal=true" to the caRouterCert.cfg hoping that it 
>> will enable auto-renewal.  I'm not sure if using the same profile 
>> would require that a "one-time" password needs to be in flatfile.txt 
>> again (which isn't practical)?  If I would need a different profile 
>> for the renewal I'm not clear on how to add and then use it for the 
>> renewal.
> The caRouterCert profile works just like all the other profiles where 
> the authentication/authorization are configurable.
> Here is a link that explains how authentication works and how to 
> configure in profiles:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html
>
> You have choices of authentication.  For example, if you want 
> auto-approval (without agent manual approval), you will need to set up 
> directory-based authentication.
>
>>
>> 3.  I have renewal.graceBefore=10 and renewal.graceAfter=1 in the 
>> profile just for testing purposes.
>>
>> 4.  I have confirmed on the router that the expiration is as expected 
>> (24hrs) and it shows a date/time that it will attempt to renew 
>> automatically (the link below discusses cert renewal from the 
>> perspective of IOS).
>> http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8
>>
>> 5.  When the renewal time comes on the router, I see lots of activity 
>> in the dogtag debug log, but am unsure of what to look for to 
>> troubleshoot it failing.
>
> Please note that the renewal feature is not intended for the router.  
> You can read the doc here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html
>
> In case of router renewal, you just need to go through the same 
> caRouterCert profile.  As you can see from the renewal link above, 
> renewal can take two forms:
> 1. reuse keys - in this case, you just need to resubmit the same request
> 2. new keys - in this case, you generate a new request to submit
>
> Hope this helps.
> Christina
>
>
>>
>> Please advise on what to change and/or look for.  I can also send 
>> logs and/or config files if that would help.
>>
>> Best Regards,
>> -Emily
>>
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
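An added example (not Dogtag's code and not part of this thread) that makes the renewal.graceBefore/renewal.graceAfter settings from item 3 concrete. It assumes, as described in the linked renewal documentation, that the two values are counted in days around the certificate's notAfter, so the CA accepts a renewal request only while notAfter - graceBefore <= now <= notAfter + graceAfter; the dates below are constructed sample values, and the helper names are mine. One thing it shows that the thread only hints at: with a 1-day validity and graceBefore=10, the renewal window opens nine days before the certificate is even issued, so the grace constraint will never be the reason a test renewal fails.

```python
"""Illustrative renewal grace-window check (not Dogtag code).

Assumption: renewal.graceBefore / renewal.graceAfter are days around notAfter,
and a renewal is accepted only while
    notAfter - graceBefore <= now <= notAfter + graceAfter
"""
from datetime import datetime, timedelta, timezone
import ssl


def parse_openssl_date(line):
    """Parse a 'notBefore=...' or 'notAfter=...' line as printed by
    `openssl x509 -noout -dates` into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_window(not_after, grace_before_days, grace_after_days):
    """Return (start, end) of the interval in which renewal is accepted."""
    return (not_after - timedelta(days=grace_before_days),
            not_after + timedelta(days=grace_after_days))


def can_renew(now, not_after, grace_before_days, grace_after_days):
    """True if a renewal submitted at `now` passes the grace constraint."""
    start, end = renewal_window(not_after, grace_before_days, grace_after_days)
    return start <= now <= end


def window_opens_before_issuance(not_before, not_after, grace_before_days):
    """True if graceBefore is so large that the cert is renewable from day one
    (the situation for a 1-day test cert with graceBefore=10)."""
    start, _ = renewal_window(not_after, grace_before_days, 0)
    return start <= not_before


# Constructed sample: a 1-day test certificate like the one in the thread.
NOT_BEFORE = parse_openssl_date("notBefore=Apr 10 22:02:29 2015 GMT")
NOT_AFTER = parse_openssl_date("notAfter=Apr 11 22:02:29 2015 GMT")


if __name__ == "__main__":
    one_hour_in = parse_openssl_date("notAfter=Apr 10 23:02:29 2015 GMT")
    for gb, ga in ((10, 1), (0, 1)):
        start, end = renewal_window(NOT_AFTER, gb, ga)
        print(f"graceBefore={gb} graceAfter={ga}: window {start:%Y-%m-%d %H:%M} .. {end:%Y-%m-%d %H:%M}; "
              f"renewable one hour after issuance: {can_renew(one_hour_in, NOT_AFTER, gb, ga)}")
    print("window opens before issuance (gb=10):",
          window_opens_before_issuance(NOT_BEFORE, NOT_AFTER, 10))
```

Feeding it the dates from `openssl x509 -noout -dates -in router.pem` (a hypothetical file name) and the profile's two grace values tells you whether a failed renewal could be explained by timing at all; if it can't, the cause is on the authentication side of the profile, which is where the reply above points.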


