[Pki-users] Router identity certificate auto-renewal questions
Christina Fu
cfu at redhat.com
Fri Apr 10 22:02:29 UTC 2015
Reposting, since Emily possibly joined the mailing list after I
replied ;-).
Christina
On 04/10/2015 09:14 AM, Christina Fu wrote:
> Hi Emily,
> Please see my in-line reply below.
> Actually, you might want to read my last comment first, and then
> circle back, so you won't get confused.
>
> Christina
>
> On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
>> Hi,
>>
>> I was referred to this email list by alee on the #dogtag-pki IRC
>> group to get some help on automatic certificate renewals. We are
>> trying to get Dogtag 10.2.1 set up to be a certificate authority for
>> Cisco routers' identity certificates. For the first step I have
>> things working to get a certificate using the caRouterCert.cfg
>> profile with a one-time password in the flatfile.txt. For the second
>> step I'm trying to get auto-renewal of the identity certificates
>> working. Here is where I stand:
>>
> If you intend to do auto-enrollment, then one-time pin is not the
> right authentication method. See my reply to #2 below.
>
>> 1. For testing, I have set the validity to 1 day so that the renewal
>> attempt happens the next day... I don't see a way of making it any
>> shorter to expedite testing.
> A trick I hear in testing is to reset the clock.
>
>>
>> 2. I have added "renewal=true" to the caRouterCert.cfg hoping that it
>> will enable auto-renewal. I'm not sure if using the same profile
>> would require that a "one-time" password needs to be in flatfile.txt
>> again (which isn't practical)? If I would need a different profile
>> for the renewal I'm not clear on how to add and then use it for the
>> renewal.
> The caRouterCert profile works just like all the other profiles where
> the authentication/authorization are configurable.
> Here is a link that explains how authentication works and how to
> configure in profiles:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html
>
> You have choices of authentication. For example, if you want
> auto-approval (without agent manual approval), you will need to set up
> directory-based authentication.
>
>>
>> 3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the
>> profile just for testing purposes.
>>
>> 4. I have confirmed on the router that the expiration is as expected
>> (24hrs) and it shows a date/time that it will attempt to renew
>> automatically (the link below discusses cert renewal from the
>> perspective of IOS).
>> http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8
>>
>> 5. When the renewal time comes on the router, I see lots of activity
>> in the dogtag debug log, but am unsure of what to look for to
>> troubleshoot it failing.
>
> Please note that the renewal feature is not intended for the router.
> You can read the doc here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html
>
> In case of router renewal, you just need to go through the same
> caRouterCert profile. As you can see from the renewal link above,
> renewal can take two forms:
> 1. reuse keys - in this case, you just need to resubmit the same request
> 2. new keys - in this case, you generate a new request to submit
>
> Hope this helps.
> Christina
>
>
>>
>> Please advise on what to change and/or look for. I can also send
>> logs and/or config files if that would help.
>>
>> Best Regards,
>> -Emily
>>
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
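Added example (mine, not code from the thread or from the Dogtag project) modelling the profile settings Emily lists and the two renewal forms Christina describes: it parses the renewal.* keys, computes the grace window around the certificate's notAfter, and classifies a renewal as reused keys or new keys by comparing public-key digests. The day-count reading of graceBefore/graceAfter and the SPKI comparison are assumptions, not behaviour confirmed by the thread.

```python
# Renewal-window check for a Dogtag-style profile. Added example, not code
# from the Dogtag project or the thread. Assumed (not confirmed by the thread):
# renewal.graceBefore/graceAfter are day counts around the cert's notAfter, and
# a resubmitted request (reuse keys) carries the same public key (SPKI).
import hashlib
from datetime import datetime, timedelta, timezone

def parse_profile(text):
    """Read renewal.* keys from a key=value profile fragment (caRouterCert.cfg style)."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            kv[key.strip()] = val.strip()
    return {
        "enabled": kv.get("renewal", "false").lower() == "true",
        "grace_before": int(kv.get("renewal.graceBefore", "0")),  # days before notAfter
        "grace_after": int(kv.get("renewal.graceAfter", "0")),    # days after notAfter
    }

def check_renewal(now, not_after, old_spki, new_spki, policy):
    """Return (accepted, reason) for a renewal request received at `now`."""
    if not policy["enabled"]:
        return False, "profile has renewal=false"
    opens = not_after - timedelta(days=policy["grace_before"])
    closes = not_after + timedelta(days=policy["grace_after"])
    if now < opens:
        return False, "too early: window opens " + opens.isoformat()
    if now > closes:
        return False, "too late: window closed " + closes.isoformat()
    # Same SPKI digest -> same request resubmitted (reuse keys); otherwise new keys.
    same_key = hashlib.sha256(old_spki).digest() == hashlib.sha256(new_spki).digest()
    return True, "renewal with reused keys" if same_key else "renewal with new keys"

# Constructed profile fragment mirroring the thread's test settings.
PROFILE = "renewal=true\nrenewal.graceBefore=10\nrenewal.graceAfter=1\n"

def run_scenarios():
    """Exercise the check around a constructed notAfter; reasons keyed by case."""
    policy = parse_profile(PROFILE)
    expiry = datetime(2015, 4, 11, 12, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    return {
        "reuse": check_renewal(expiry - 5 * day, expiry, b"spki-A", b"spki-A", policy),
        "newkey": check_renewal(expiry - 5 * day, expiry, b"spki-A", b"spki-B", policy),
        "early": check_renewal(expiry - 11 * day, expiry, b"spki-A", b"spki-A", policy),
        "late": check_renewal(expiry + 2 * day, expiry, b"spki-A", b"spki-A", policy),
    }
```

With the thread's 1-day validity and graceBefore=10, the window is already open at issuance, so a request rejected as "too early" points at a clock or profile problem rather than at the router's renewal timer.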