From grzemba at contac-dt.de Wed Dec 9 07:08:14 2015
From: grzemba at contac-dt.de (Carsten Grzemba)
Date: Wed, 09 Dec 2015 08:08:14 +0100
Subject: [Pki-users] SAN: how is it possible to sign certificate requests with DNS alias names?
Message-ID:

I try to sign certificate requests with the SAN extension to have DNS alias names, but with no success.
I see that there is subjectAltNameExt in the profile, but my

    policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$

is always null, although I have input.i3.name=subjectAltNameExtInputImpl for the inputs.
What am I doing wrong?

From Florian.Supper at s-itsolutions.at Wed Dec 9 07:19:54 2015
From: Florian.Supper at s-itsolutions.at (Supper Florian OSS sIT)
Date: Wed, 9 Dec 2015 07:19:54 +0000
Subject: [Pki-users] SAN: how is it possible to sign certificate requests with DNS alias names?
In-Reply-To:
References:
Message-ID:

Hi,

here is the section in my profile. With this extension, you can easily put the SAN names in your certificate request.

    policyset.webprofile.10.constraint.class_id=noConstraintImpl
    policyset.webprofile.10.constraint.name=No Constraint
    policyset.webprofile.10.constraint.subjAltNameExtCritical=false
    policyset.webprofile.10.default.class_id=userExtensionDefaultImpl
    policyset.webprofile.10.default.name=User Supplied Extension Default
    policyset.webprofile.10.default.params.userExtOID=2.5.29.17

Br
Florian

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From chobicho at gmail.com Tue Dec 15 11:43:05 2015
From: chobicho at gmail.com (Cho Chan)
Date: Tue, 15 Dec 2015 12:43:05 +0100
Subject: [Pki-users] CA/SSL certs customization
Message-ID:

Hello all,

I am trying to build an internal PKI - two-level CA (Root and Intermediate) with dogtag 10.1.2 on CentOS 7.1.

When I use pkispawn to create the first CA (Root), the certificates are created with predefined validity, signature algorithm, CN name, X509v3 extensions, etc.

I searched for options/parameters which I can use with pkispawn and the deployment config, but I managed to find only this:
https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/ca.cfg

Are there such options/parameters to customize the validity, CN, algorithm, etc. during the build process with pkispawn?
Or if not, what are my options?

Maybe I have to edit some of the cfg files in /usr/share/pki/ca/conf?

Much appreciated if someone can give me hints or help!

Thank you in advance!

Cho

From alee at redhat.com Tue Dec 15 15:45:21 2015
From: alee at redhat.com (Ade Lee)
Date: Tue, 15 Dec 2015 10:45:21 -0500
Subject: [Pki-users] CA/SSL certs customization
In-Reply-To:
References:
Message-ID: <1450194321.19134.13.camel@redhat.com>

On Tue, 2015-12-15 at 12:43 +0100, Cho Chan wrote:
> Hello all,
>
> I am trying to build an internal PKI - two-level CA (Root and
> Intermediate) with dogtag 10.1.2 on CentOS 7.1.
>
> When I use pkispawn to create the first CA (Root), the certificates
> are created with predefined validity, signature algorithm, CN name,
> X509v3 extensions, etc.
>
> I searched for options/parameters which I can use with pkispawn and
> the deployment config, but I managed to find only this:
> https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/ca.cfg
>
> Are there such options/parameters to customize the validity, CN,
> algorithm, etc. during the build process with pkispawn?
> Or if not, what are my options?
>
> Maybe I have to edit some of the cfg files in /usr/share/pki/ca/conf?
>
> Much appreciated if someone can give me hints or help!
>
> Thank you in advance!
>
> Cho

Some of the properties you are looking for are specifiable in pkispawn. See "man pki_default.cfg" and look for the section SYSTEM CERTIFICATE PARAMETERS. Also, all the pkispawn parameters are in /etc/pki/default.cfg.

These parameters would include signing algorithm, subject DN, key size, etc.

As for things like validity and extensions, you will need to modify the profiles used for the system certificates before starting pkispawn. These files are:

    /usr/share/pki/ca/conf/*.profile

Ade
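The profile section Florian posted in the SAN thread above only copies a subjectAltName extension (OID 2.5.29.17) that is already present in the request, so the other half of the job is producing a CSR that carries it. The shell script below is an added example, not code from the thread or from the Dogtag project: it writes an OpenSSL request config with the DNS alias names, generates the CSR, and lists the names the CSR actually contains so they can be checked before submission or agent review. It assumes openssl is installed; the hostnames are constructed placeholders. Because Florian's section pairs the default with noConstraintImpl, the CA accepts whatever names the requester put in the extension, so the listing step is where an agent confirms that the aliases are the approved ones.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR that carries the
# subjectAltName extension (OID 2.5.29.17) so a Dogtag profile using
# userExtensionDefaultImpl with userExtOID=2.5.29.17 copies it into the
# issued certificate. Hostnames used below are constructed placeholders.

# Emit an OpenSSL request config whose req_extensions section lists the
# given DNS alias names. Usage: san_config CN name1 [name2 ...]
san_config() {
    cn=$1; shift
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n' "$cn"
    printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# Generate a private key and a CSR from that config (requires openssl).
# Usage: make_csr CN name1 [name2 ...]
make_csr() {
    cn=$1; shift
    san_config "$cn" "$@" > req.cnf
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$cn.key" -out "$cn.csr" -config req.cnf
}

# Print the DNS names a CSR really carries, one per line, so they can be
# compared with the approved alias list: with noConstraintImpl the
# profile copies the extension as supplied by the requester.
csr_dns_names() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Example run (constructed names):
#   make_csr web.example.test web.example.test alias.example.test
#   csr_dns_names web.example.test.csr
```

The CSR produced by make_csr is what you submit to the enrollment profile; csr_dns_names can also be pointed at the issued certificate with `openssl x509` in place of `openssl req` to confirm the CA copied the names unchanged.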
From exharrison at yahoo.com Mon Dec 21 22:52:47 2015
From: exharrison at yahoo.com (Alex Harrison)
Date: Mon, 21 Dec 2015 22:52:47 +0000 (UTC)
Subject: [Pki-users] pki cli default CA Admin Unauthorized
References: <100902454.2049455.1450738367303.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <100902454.2049455.1450738367303.JavaMail.yahoo@mail.yahoo.com>

I've set up a new installation of the dogtag CA and I'm trying to approve requests using the default CA admin created at install, using the commands from the wiki:
http://pki.fedoraproject.org/wiki/CA_Admin_Setup

When I try to approve, I simply get an "Unauthorized" response. It seems I receive this any time I perform either an admin or agent command. Any idea what steps I am missing?

Thanks

From edewata at redhat.com Tue Dec 22 00:41:30 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 21 Dec 2015 18:41:30 -0600
Subject: [Pki-users] pki cli default CA Admin Unauthorized
In-Reply-To: <100902454.2049455.1450738367303.JavaMail.yahoo@mail.yahoo.com>
References: <100902454.2049455.1450738367303.JavaMail.yahoo.ref@mail.yahoo.com> <100902454.2049455.1450738367303.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <56789C3A.9000002@redhat.com>

On 12/21/2015 4:52 PM, Alex Harrison wrote:
> I've set up a new installation of the dogtag CA and I'm trying to approve requests using the default CA admin created at install, using the commands from the wiki:
> http://pki.fedoraproject.org/wiki/CA_Admin_Setup
>
> When I try to approve, I simply get an "Unauthorized" response. It seems I receive this any time I perform either an admin or agent command. Any idea what steps I am missing?

Hi,

The above wiki page is actually used to create a new CA admin user, which requires an existing CA admin to approve it. When you install the CA subsystem it will have a default CA admin user which you can use directly. It's not necessary to create another CA admin user unless you want to give admin access to someone else.

To use the default CA admin user please take a look at this page:
http://pki.fedoraproject.org/wiki/Default_CA_Admin

You can either import the CA admin cert into ~/.dogtag/nssdb first, or use it directly from ~/.dogtag/pki-tomcat/ca/alias if you created the CA with pki_client_database_purge=False.

If you're still having issues, could you post the exact commands you're trying to execute? Thanks.

--
Endi S. Dewata

From exharrison at yahoo.com Tue Dec 22 12:57:52 2015
From: exharrison at yahoo.com (Alex Harrison)
Date: Tue, 22 Dec 2015 12:57:52 +0000 (UTC)
Subject: [Pki-users] pki cli default CA Admin Unauthorized
In-Reply-To: <56789C3A.9000002@redhat.com>
References: <56789C3A.9000002@redhat.com>
Message-ID: <1630977930.2249915.1450789072987.JavaMail.yahoo@mail.yahoo.com>

Thanks for the help. All I really need to do is to use the default admin to approve certificate requests. These are the steps I am attempting to use to accomplish that goal:

First, I import the admin cert:

    pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123
    ----------------------------------------
    Imported certificates from PKCS #12 file
    ----------------------------------------

Then I find a request:

    pki ca-cert-request-show 7
    -----------------------
    Certificate request "7"
    -----------------------
      Request ID: 7
      Type: enrollment
      Request Status: pending
      Operation Result: success

Then I try to approve it:

    pki ca-cert-request-review 7 --action approve
    Unauthorized

So then I try to use the database that I initiated and imported the admin certificate into:

    pki -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
    ProcessingException: Unable to invoke request

It seems as if these are the steps I need to take, but I must have a detail incorrect. Thanks for your help.

From edewata at redhat.com Tue Dec 22 16:35:26 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 22 Dec 2015 10:35:26 -0600
Subject: [Pki-users] pki cli default CA Admin Unauthorized
In-Reply-To: <1630977930.2249915.1450789072987.JavaMail.yahoo@mail.yahoo.com>
References: <56789C3A.9000002@redhat.com> <1630977930.2249915.1450789072987.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <56797BCE.9080602@redhat.com>

On 12/22/2015 6:57 AM, Alex Harrison wrote:
> Thanks for the help. All I really need to do is to use the default admin to approve certificate requests. These are the steps I am attempting to use to accomplish that goal:
>
> First, I import the admin cert:
> pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password secret123

Before that, make sure you delete the old admin cert from the previous installation (if any), or just re-initialize the client database with:

    pki -c Secret123 client-init

Then import the new admin cert with the above command. Verify the admin cert is added with this command:

    pki client-cert-find

Also see the nickname of the certificate in the above output. The nickname is configurable using the pki_admin_nickname parameter in the pkispawn deployment configuration.

> Then I find a request:
> pki ca-cert-request-show 7

You can find pending requests with this command:

    pki -c Secret123 -n caadmin ca-cert-request-find --status pending

> Then I try to approve it:
>
> pki ca-cert-request-review 7 --action approve

This will not work since the operation requires agent credentials (i.e. the default admin user).

> So then I try to use the database that I initiated and imported the admin certificate into:
> pki -c Secret123 -n caadmin ca-cert-request-review 7 --action approve
> ProcessingException: Unable to invoke request

This should work assuming the nickname and the cert are correct. If it still doesn't work, try running it in verbose mode:

    pki -v -c Secret123 -n caadmin ca-cert-request-review 7 --action approve

Also check the debug log (/var/log/pki/pki-tomcat/ca/debug) to see if there's a problem on the server.

> It seems as if these are the steps I need to take, but I must have a detail incorrect. Thanks for your help.

--
Endi S. Dewata

From exharrison at yahoo.com Tue Dec 22 20:03:47 2015
From: exharrison at yahoo.com (Alex Harrison)
Date: Tue, 22 Dec 2015 20:03:47 +0000 (UTC)
Subject: [Pki-users] pki cli default CA Admin Unauthorized
In-Reply-To: <56797BCE.9080602@redhat.com>
References: <56797BCE.9080602@redhat.com>
Message-ID: <2050905823.2501696.1450814627128.JavaMail.yahoo@mail.yahoo.com>

> Verify the admin cert is added with this command:
> pki client-cert-find
> Also see the nickname of the certificate in the above output. The
> nickname is configurable using the pki_admin_nickname parameter in the
> pkispawn deployment configuration.

I think you've found my problem. When I issue that command I see:

    ----------------------
    2 certificate(s) found
    ----------------------
      Serial Number: 0x6
      Nickname: PKI Administrator for localdomain
      Subject DN: CN=PKI Administrator,E=caadmin at localdomain,O=localdomain Security Domain
      Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain

"E=caadmin at localdomain" is telling me that the nickname is "caadmin at localdomain", right? So I need to put the whole string in my command authentication with the -n parameter, not just "caadmin". Is that correct? If so, that explains my problems. When I use the entire string with the domain, the commands all work as I expect.

Thanks for your help.

From edewata at redhat.com Tue Dec 22 21:33:24 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 22 Dec 2015 15:33:24 -0600
Subject: [Pki-users] pki cli default CA Admin Unauthorized
In-Reply-To: <2050905823.2501696.1450814627128.JavaMail.yahoo@mail.yahoo.com>
References: <56797BCE.9080602@redhat.com> <2050905823.2501696.1450814627128.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5679C1A4.7000402@redhat.com>

On 12/22/2015 2:03 PM, Alex Harrison wrote:
>> Verify the admin cert is added with this command:
>> pki client-cert-find
>
>> Also see the nickname of the certificate in the above output. The
>> nickname is configurable using the pki_admin_nickname parameter in the
>> pkispawn deployment configuration.
>
> I think you've found my problem. When I issue that command I see:
> ----------------------
> 2 certificate(s) found
> ----------------------
>   Serial Number: 0x6
>   Nickname: PKI Administrator for localdomain
>   Subject DN: CN=PKI Administrator,E=caadmin at localdomain,O=localdomain Security Domain
>   Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain
>
> "E=caadmin at localdomain" is telling me that the nickname is "caadmin at localdomain", right? So I need to put the whole string in my command authentication with the -n parameter, not just "caadmin". Is that correct? If so, that explains my problems. When I use the entire string with the domain, the commands all work as I expect.
>
> Thanks for your help.

Actually, the "E=..." specifies the email address used to construct the certificate subject DN. The nickname of the above certificate is "PKI Administrator for localdomain". If "caadmin at localdomain" works, you probably have another certificate added with that as a nickname. To avoid confusion I'd suggest you re-initialize the client database using pki client-init and reimport the admin certificate. Just let me know if you still have a problem.

--
Endi S. Dewata

From sam.elliott at opencredo.com Wed Dec 23 12:23:01 2015
From: sam.elliott at opencredo.com (Sam Elliott)
Date: Wed, 23 Dec 2015 12:23:01 +0000
Subject: [Pki-users] CRL Distribution point
Message-ID:

Hi,

I may be missing something here, but I have configured the CRL distribution point within the certificate profile, and this shows up within generated certificates, but when I set up the CRL issuing distribution point it doesn't seem to have any effect.

I have enabled it, configured pointType to DirectoryName and then pointName to crl/master.crl. After revoking some certs I try downloading the CRL but get a 404. Not sure if I am missing something with the configuration?

Regards,
Sam

--
opencredo.com
OpenCredo Ltd -- Excellence in Enterprise Application Development
Registered Office: 5-11 Lavington Street, London, SE1 0NZ
Registered in UK. No 3943999
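The "Unauthorized" thread above turned on two details: the -n argument must be the NSS nickname shown by pki client-cert-find (here "PKI Administrator for localdomain", which contains spaces and must be quoted), not the E= part of the subject DN, and a stale admin cert from an earlier install can sit in the same client database under another nickname. The shell script below is an added example, not code from the thread or from the Dogtag project: it reads the listing that pki client-cert-find prints, picks the nickname of the certificate whose subject CN is "PKI Administrator", and passes it quoted to ca-cert-request-review. The listing it is tested against is constructed to resemble Alex's output, with a second, stale entry added to show why matching on the subject rather than the first nickname matters; the pki client password is read from the variable PKI_CLIENT_PASSWORD, which is an assumption of this script, not a pki convention.

```shell
#!/bin/sh
# Added example (not from the thread): select the admin cert nickname from
# `pki client-cert-find` output and use it for an agent operation.
# Assumes the client database password is in $PKI_CLIENT_PASSWORD.

# Constructed sample of `pki client-cert-find` output, modelled on the
# listing in the thread, with a second stale entry added for illustration.
sample_listing() {
    cat <<'EOF'
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1
  Nickname: caadmin
  Subject DN: CN=PKI Administrator,E=caadmin@old.test,O=old.test Security Domain
  Issuer DN: CN=CA Signing Certificate,O=old.test Security Domain

  Serial Number: 0x6
  Nickname: PKI Administrator for localdomain
  Subject DN: CN=PKI Administrator,E=caadmin@localdomain,O=localdomain Security Domain
  Issuer DN: CN=CA Signing Certificate,O=localdomain Security Domain
EOF
}

# Read a client-cert-find listing on stdin and print the nickname of the
# PKI Administrator certificate issued by the given security domain.
# Matching on the Issuer DN is what separates the current admin cert from
# a leftover one imported from a previous installation.
# Usage: admin_nickname DOMAIN
admin_nickname() {
    awk -F': *' -v domain="$1" '
        $1 ~ /^ *Nickname$/   { nick = $2; admin = 0 }
        $1 ~ /^ *Subject DN$/ && $2 ~ /CN=PKI Administrator,/ { admin = 1 }
        $1 ~ /^ *Issuer DN$/  && admin && index($2, "O=" domain " Security Domain") {
            print nick; exit
        }
    '
}

# Approve one pending request as the default CA admin (agent credentials).
# The nickname contains spaces, so it is always passed quoted to -n.
# Usage: approve_request DOMAIN REQUEST_ID
approve_request() {
    nick=$(pki -c "$PKI_CLIENT_PASSWORD" client-cert-find | admin_nickname "$1")
    if [ -z "$nick" ]; then
        echo "no PKI Administrator cert for $1 in the client database; run pki client-init and reimport" >&2
        return 1
    fi
    pki -c "$PKI_CLIENT_PASSWORD" -n "$nick" ca-cert-request-review "$2" --action approve
}

# Example run against the constructed listing:
#   sample_listing | admin_nickname localdomain
#   -> PKI Administrator for localdomain
```

If admin_nickname prints nothing for your domain, the client database does not hold a current admin cert, which is the situation Endi's advice (pki client-init, then reimport ca_admin_cert.p12) addresses; if the nickname it prints is not the one you expected, the -n value you have been using belonged to another certificate.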