[Pki-users] Router identity certificate auto-renewal questions

Emily Stemmerich Emily at arcananet.com
Fri Apr 10 23:02:37 UTC 2015 

Thanks Christina,

Looks like I will need to figure out directory auth for the routers instead of the one-time flatfile since the routers need to be able to auto-renew their identities prior to expiration, otherwise their VPN connections will drop.  Do you have any quick links to using directory-based auth for certificate profiles?

Unfortunately I can’t do any clock manipulation for testing since that would break things working on the Cisco router – ntp clock synchronization is a requirement.

Any additional advise or information on this is welcome.

Thanks,
-Emily

From: Christina Fu <cfu at redhat.com<mailto:cfu at redhat.com>>
Date: Friday, April 10, 2015 at 3:02 PM
To: "pki-users at redhat.com<mailto:pki-users at redhat.com>" <pki-users at redhat.com<mailto:pki-users at redhat.com>>
Subject: Re: [Pki-users] Router identity certificate auto-renewal questions

reposting, since I Emily possibly joined the mailing list after I replied ;-).

Christina

On 04/10/2015 09:14 AM, Christina Fu wrote:
Hi Emily,
 Please see my in-line reply below.
Actually, you might want to read my last comment first, and then circle back, so you won't get confused.

Christina

On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
Hi,

I was referred to this email list by alee on the #dogtag-pki IRC group to get some help on automatic certificate renewals.  We are trying to get Dogtag 10.2.1 set up to be a certificate authority for Cisco routers’ identity certificates.  For the first step I have things working to get a certificate using the caRouterCert.cfg profile with a one-time password in the flatfile.txt.  For the second step I’m trying to get auto-renewal of the identity certificates working.  Here is where I stand:

If you intend to do auto-enrollment, then one-time pin is not the right authentication method.  See my reply to #2 below.

1.  For testing, I have set the validity to 1 day so that the renewal attempt happens the next day… I don’t see a way of making it any shorter to expedite testing.
a trick I hear in testing is to reset the clock


2. I have added “renewal=true” to the caRouterCert.cfg hoping that it will enable auto-renewal.  I’m not sure if using the same profile would require that a “one-time” password needs to be in flatfile.txt again (which isn’t practical)?  If I would need a different profile for the renewal I’m not clear on how to add and then use it for the renewal.
the caRouterCert profile works just like all the other profiles where the authentication/authorization are configurable.
Here is a link that explains how authentication works and how to configure in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html

You have choices of authentication.  For example, if you want auto-approval (without agent manual approval), you will need to set up directory-based authentication.


3.  I have renewal.graceBefore=10 and renewal.graceAfter=1 in the profile just for testing purposes.

4.  I have confirmed on the router that the expiration is as expected (24hrs) and it shows a date/time that it will attempt to renew automatically (the link below discusses cert renewal from the perspective of IOS).
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8

5.  When the renewal time comes on the router, I see lots of activity in the dogtag debug log, but am unsure of what to look for to troubleshoot it failing.

Please note that the renewal feature is not intended for the router.  You can read the doc here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html

In case of router renewal, you just need to go through the same caRouterCert profile.  As you can see from the renewal link above, renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit the same request
2. new keys - in this case, you generate a new request to submit

Hope this helps.
Christina



Please advise on what to change and/or look for.  I can also send logs and/or config files if that would help.

Best Regards,
-Emily





_______________________________________________
Pki-users mailing list
Pki-users at redhat.com<mailto:Pki-users at redhat.com>https://www.redhat.com/mailman/listinfo/pki-users




_______________________________________________
Pki-users mailing list
Pki-users at redhat.com<mailto:Pki-users at redhat.com>https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150410/07c01548/attachment.htm>

More information about the Pki-users mailing list