[Pki-users] Router identity certificate auto-renewal questions

Christina Fu cfu at redhat.com
Fri Apr 10 23:14:03 UTC 2015


https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Setting_up_Directory_Based_Authentication

On 04/10/2015 04:02 PM, Emily Stemmerich wrote:
> Thanks Christina,
>
> Looks like I will need to figure out directory auth for the routers 
> instead of the one-time flatfile since the routers need to be able to 
> auto-renew their identities prior to expiration, otherwise their VPN 
> connections will drop.  Do you have any quick links to using 
> directory-based auth for certificate profiles?
>
> Unfortunately I can't do any clock manipulation for testing since that 
> would break things working on the Cisco router -- ntp clock 
> synchronization is a requirement.
>
> Any additional advice or information on this is welcome.
>
> Thanks,
> -Emily
>
> From: Christina Fu <cfu at redhat.com <mailto:cfu at redhat.com>>
> Date: Friday, April 10, 2015 at 3:02 PM
> To: "pki-users at redhat.com <mailto:pki-users at redhat.com>" 
> <pki-users at redhat.com <mailto:pki-users at redhat.com>>
> Subject: Re: [Pki-users] Router identity certificate auto-renewal 
> questions
>
> Reposting, since Emily possibly joined the mailing list after I 
> replied ;-).
>
> Christina
>
> On 04/10/2015 09:14 AM, Christina Fu wrote:
>> Hi Emily,
>>  Please see my in-line reply below.
>> Actually, you might want to read my last comment first, and then 
>> circle back, so you won't get confused.
>>
>> Christina
>>
>> On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
>>> Hi,
>>>
>>> I was referred to this email list by alee on the #dogtag-pki IRC 
>>> group to get some help on automatic certificate renewals.  We are 
>>> trying to get Dogtag 10.2.1 set up to be a certificate authority for 
>>> Cisco routers' identity certificates.  For the first step I have 
>>> things working to get a certificate using the caRouterCert.cfg 
>>> profile with a one-time password in the flatfile.txt.  For the 
>>> second step I'm trying to get auto-renewal of the identity 
>>> certificates working.  Here is where I stand:
>>>
>> If you intend to do auto-enrollment, then one-time pin is not the 
>> right authentication method.  See my reply to #2 below.
>>
>>> 1.  For testing, I have set the validity to 1 day so that the 
>>> renewal attempt happens the next day... I don't see a way of making 
>>> it any shorter to expedite testing.
>> A trick I hear of in testing is to reset the clock.
>>
>>>
>>> 2. I have added "renewal=true" to the caRouterCert.cfg hoping that 
>>> it will enable auto-renewal.  I'm not sure if using the same profile 
>>> would require that a "one-time" password needs to be in flatfile.txt 
>>> again (which isn't practical)?  If I would need a different profile 
>>> for the renewal I'm not clear on how to add and then use it for the 
>>> renewal.
>> The caRouterCert profile works just like all the other profiles, where 
>> the authentication/authorization are configurable.
>> Here is a link that explains how authentication works and how to 
>> configure in profiles:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html
>>
>> You have choices of authentication.  For example, if you want 
>> auto-approval (without agent manual approval), you will need to set 
>> up directory-based authentication.
>>
>>>
>>> 3.  I have renewal.graceBefore=10 and renewal.graceAfter=1 in the 
>>> profile just for testing purposes.
>>>
>>> 4.  I have confirmed on the router that the expiration is as 
>>> expected (24hrs) and it shows a date/time that it will attempt to 
>>> renew automatically (the link below discusses cert renewal from the 
>>> perspective of IOS).
>>> http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8
>>>
>>> 5.  When the renewal time comes on the router, I see lots of 
>>> activity in the dogtag debug log, but am unsure of what to look for 
>>> to troubleshoot it failing.
>>
>> Please note that the renewal feature is not intended for the router.  
>> You can read the doc here:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html
>>
>> In case of router renewal, you just need to go through the same 
>> caRouterCert profile.  As you can see from the renewal link above, 
>> renewal can take two forms:
>> 1. reuse keys - in this case, you just need to resubmit the same request
>> 2. new keys - in this case, you generate a new request to submit
>>
>> Hope this helps.
>> Christina
>>
>>
>>>
>>> Please advise on what to change and/or look for.  I can also send 
>>> logs and/or config files if that would help.
>>>
>>> Best Regards,
>>> -Emily
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>
>
>

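The thread turns on two clocks that have to agree: the router decides when to start renewing (the linked Cisco document describes the IOS side), and the Dogtag profile decides whether a renewal request arriving at that moment is inside its renewal.graceBefore / renewal.graceAfter window. The following script is an added example, not code from the thread, from Dogtag or from Cisco. It assumes that graceBefore and graceAfter are counted in days either side of the certificate's notAfter, and it models the router as starting its attempt once a configured percentage of the certificate lifetime has elapsed (the auto_enroll_percent parameter is an assumption standing in for the router's auto-enroll setting). The sample dates are constructed.

```python
import math
from datetime import datetime, timedelta, timezone

# Constructed sample issue times (not taken from the thread's logs).
SAMPLE_ISSUED_DAY = datetime(2015, 4, 8, tzinfo=timezone.utc)   # 1-day test cert
SAMPLE_ISSUED_YEAR = datetime(2015, 1, 1, tzinfo=timezone.utc)  # 1-year production cert


def renewal_window(not_after, grace_before_days, grace_after_days):
    """Window in which a renewal request passes the profile's
    renewal.graceBefore / renewal.graceAfter check (assumed: both values
    are days measured from notAfter)."""
    return (not_after - timedelta(days=grace_before_days),
            not_after + timedelta(days=grace_after_days))


def router_attempt_time(not_before, not_after, auto_enroll_percent):
    """When the router starts renewing: after auto_enroll_percent of the
    lifetime has elapsed (assumed model of the router's auto-enroll
    behaviour; integer arithmetic keeps the timedelta exact)."""
    lifetime = not_after - not_before
    return not_before + (lifetime * auto_enroll_percent) / 100


def min_auto_enroll_percent(validity_days, grace_before_days):
    """Smallest auto-enroll percentage whose attempt lands inside the grace
    window; 0 when graceBefore already covers the whole lifetime."""
    if grace_before_days >= validity_days:
        return 0
    return math.ceil(100 * (1 - grace_before_days / validity_days))


def check_schedule(not_before, validity_days, grace_before_days,
                   grace_after_days, auto_enroll_percent):
    """Compare the router's renewal attempt against the CA's grace window."""
    not_after = not_before + timedelta(days=validity_days)
    start, end = renewal_window(not_after, grace_before_days, grace_after_days)
    attempt = router_attempt_time(not_before, not_after, auto_enroll_percent)
    return {
        "not_after": not_after,
        "window": (start, end),
        "router_attempt": attempt,
        "grace_accepts_attempt": start <= attempt <= end,
        # If graceBefore exceeds the validity, the window opens before the
        # certificate was even issued, so the grace check cannot be what
        # rejects the router; the failure is elsewhere (e.g. authentication).
        "window_opens_before_issue": start < not_before,
        "days_before_expiry": (not_after - attempt).days,
    }


if __name__ == "__main__":
    # The thread's test setup: 1-day validity, graceBefore=10, graceAfter=1.
    test = check_schedule(SAMPLE_ISSUED_DAY, 1, 10, 1, 70)
    print("test cert: attempt at", test["router_attempt"],
          "accepted by grace check:", test["grace_accepts_attempt"],
          "window opened before issue:", test["window_opens_before_issue"])
    # A production-style cert: 365-day validity, graceBefore=30.
    prod = check_schedule(SAMPLE_ISSUED_YEAR, 365, 30, 1, 70)
    print("1-year cert at 70%: attempt", prod["days_before_expiry"],
          "days before expiry, accepted:", prod["grace_accepts_attempt"],
          "; minimum percent that fits the window:",
          min_auto_enroll_percent(365, 30))
```

With the 1-day test certificate and graceBefore=10 the window opens nine days before the certificate exists, so the grace constraint passes trivially and the failing step in the debug log is somewhere else, which is consistent with the advice above to look at authentication. With a 365-day certificate and graceBefore=30, a router configured to renew at 70% of the lifetime arrives about 110 days early and is rejected; the router's percentage has to be at least 92 for that window.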

