From WilliamC.Elliott at s-itsolutions.at  Tue Jun  9 06:08:29 2015
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Tue, 9 Jun 2015 06:08:29 +0000
Subject: [Pki-users] RedHat Summit
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B8EF4C7@M0182.s-mxs.net>

Hi,

Is there anything regarding PKI to watch out for at the summit in Boston?

Best regards,

William Elliott
s IT Solutions
Open System Services

s IT Solutions AT Spardat GmbH

Head Office: Vienna Commercial Register No.: 152289f Commercial Court of Vienna

This message and any attached files are confidential and intended solely for the addressee(s). Any publication, transmission or other use of the information by a person or entity other than the intended addressee is prohibited. If you receive this in error please contact the sender and delete the material. The sender does not accept liability for any errors or omissions as a result of the transmission.

From dpal at redhat.com  Tue Jun  9 12:17:07 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 09 Jun 2015 08:17:07 -0400
Subject: [Pki-users] RedHat Summit
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B8EF4C7@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B8EF4C7@M0182.s-mxs.net>
Message-ID: <5576D943.4020901@redhat.com>

On 06/09/2015 02:08 AM, Elliott William C OSS sIT wrote:
> Is there anything regarding PKI to watch out for at the summit in Boston?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

IPA is adding a lot of PKI related capabilities based on the Dogtag project in its next release.
You can learn about that if you are interested.

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

From WilliamC.Elliott at s-itsolutions.at  Thu Jun 11 07:00:20 2015
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Thu, 11 Jun 2015 07:00:20 +0000
Subject: [Pki-users] RedHat Summit
In-Reply-To: <5576D943.4020901@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B8EF4C7@M0182.s-mxs.net> <5576D943.4020901@redhat.com>
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B8F0663@M0182.s-mxs.net>

Well if anyone is attending the Summit and wants to get together I'd be interested in hearing about your experience with Dogtag.

Best Regards,
William

WilliamElliotts-itsolutionsat

From dsirrine at redhat.com  Thu Jun 11 12:49:58 2015
From: dsirrine at redhat.com (Dave Sirrine)
Date: Thu, 11 Jun 2015 08:49:58 -0400 (EDT)
Subject: [Pki-users] RedHat Summit
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B8F0663@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B8EF4C7@M0182.s-mxs.net> <5576D943.4020901@redhat.com> <85C87A9995875247B2DD471950E0AE4D1B8F0663@M0182.s-mxs.net>
Message-ID: <1589483407.15430876.1434026998954.JavaMail.zimbra@redhat.com>

I will be there working the IdM area and happen to be giving a talk this weekend at Southeast Linux Fest on the CLI and API in dogtag 10.2... Would be happy to chat about it!

-- 
David

From alee at redhat.com  Thu Jun 11 17:46:07 2015
From: alee at redhat.com (Ade Lee)
Date: Thu, 11 Jun 2015 13:46:07 -0400
Subject: [Pki-users] Documenting Issues with pkispawn, pkidestroy, pkiconsole
Message-ID: <1434044767.4891.11.camel@localhost.localdomain>

Hi all,

I'm editing the troubleshooting chapter in the Installation Guide which currently consists of a series of FAQ of issues that people might/have run into when running pkispawn/pkiconsole.

I'd like to get input from folks so that we can hopefully help other folks who might run into the same issues. Some of these will show up in the doc and others will be collated on the wiki.

I've started an etherpad for folks to add their FAQs. Please add to it so we can improve the docs!

Thanks,
Ade

Etherpad Link: http://piratepad.net/sQurNFFmiT (aargh!)

From p.pan48711 at gmail.com  Tue Jun 23 19:23:27 2015
From: p.pan48711 at gmail.com (Peter P.)
Date: Tue, 23 Jun 2015 15:23:27 -0400
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception

Hi,

I have encountered a Java null pointer exception when I try to do an enrollment using Dogtag 10.2.4's ReST interface. I receive the following response back from Dogtag when I POST to the resource ending in /ca/rest/certrequests.

com.netscape.certsrv.base.PKIException500java.lang.NullPointerException2015/

I understand that there is a new ReST interface that was introduced to Dogtag where enrollment requests should be posted to the resource ending in /pki/request. However, when I do that, I receive a 404 page back in response.

I am using Fedora 22 Server 32 bit with just the 389 directory service installed alongside Dogtag 10.2.4.
Any guidance would be appreciated.

Thanks,

Peter

From jmagne at redhat.com  Tue Jun 23 20:47:54 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 23 Jun 2015 16:47:54 -0400 (EDT)
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception
Message-ID: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com>

Hi:

Would it be possible to post the exact or similar command line you were trying?

From p.pan48711 at gmail.com  Tue Jun 23 22:33:46 2015
From: p.pan48711 at gmail.com (Peter P.)
Date: Tue, 23 Jun 2015 18:33:46 -0400
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception
In-Reply-To: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com>
References: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com>

Hi John,

Thank you for helping me with this issue! I build an XML response using snprintf shown below that I post using libcURL with this URL https://mydogtagserver:8443/ca/rest/certrequests

    /* The XML element tags did not survive the list archive; only the text
     * content and two attribute fragments of the format string remain. */
    snprintf(payload, MAX_CERT_LEN,
             "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
             " %s false false"
             " name=\"cert_request_type\">pkcs10\t"
             " %s ",
             profile_id, pkcs10_csr);

profile_id is the profile I wish to enroll with and pkcs10_csr is my CSR.

Let me know if you need any more information from me.

Thank you,

Peter

From Majain at verisign.com  Wed Jun 24 14:07:14 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Wed, 24 Jun 2015 14:07:14 +0000
Subject: [Pki-users] Resolvable CRL Distribution Points in the certificate

Hi,

I've DogTag 10.1.2 setup in my environment.

I updated the caServerCert profile to support CRL Distribution Points configuration via pkiconsole.

After I issued the new server cert, the CRL Distribution Points are included in the cert as expected shown below:

----------------------------------------------------------------------------
....
Extension: CRL Distribution Points (2.5.29.31)
Critical: no
URI:http://crl.example-domain.com/master.crl
----------------------------------------------------------------------------

What is the step that needs to be done so that DogTag can publish/generate CRL at the above url so that it can be downloadable/accessible by client?

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

From Majain at verisign.com  Wed Jun 24 17:56:36 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Wed, 24 Jun 2015 17:56:36 +0000
Subject: [Pki-users] Resolvable CRL Distribution Points in the certificate

I'm able to resolve this by following steps outlined in the link below:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/crls-http.html

- Mahendra
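Added example, not code from this thread or from the Dogtag project: the check a practitioner wants once the CRL Distribution Point is in the issued certificate, namely that every URI in the extension actually serves a parseable CRL. It uses only the Python standard library plus the openssl binary. The 2.5.29.31 extension is located and walked with a small DER reader, and each URI is fetched and handed to `openssl crl`. SAMPLE_CRL_DP_EXT is an extension encoded by hand for the URI in Mahendra's mail, not bytes taken from a real certificate; the fetch step is not exercised offline.

```python
"""Check that the CRL Distribution Point URIs in a certificate resolve to a
parseable CRL.

Added example, not code from this thread or from the Dogtag project.  It
uses only the standard library plus the openssl binary: a minimal DER walker
pulls the id-ce-cRLDistributionPoints (2.5.29.31) extension out of a DER
certificate, then each URI is fetched and handed to `openssl crl` to parse.
SAMPLE_CRL_DP_EXT is a hand-constructed extension carrying the URI from
Mahendra's mail; it is not bytes from a real certificate.
"""
import subprocess
import urllib.request

OID_CRL_DP = bytes.fromhex("06 03 55 1d 1f")  # DER-encoded OID 2.5.29.31


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits give the length's size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def crl_dp_uris(der):
    """Return the uniformResourceIdentifier names in the CRL DP extension.

    The extension is located by its encoded OID (a byte search, which is
    cheap but assumes the 5-byte pattern does not occur elsewhere in the
    certificate); everything inside extnValue is then walked linearly,
    descending into constructed nodes and collecting [6] GeneralNames.
    """
    i = der.find(OID_CRL_DP)
    if i < 0:
        return []
    tag, start, end = _tlv(der, i + len(OID_CRL_DP))
    if tag == 0x01:                   # optional BOOLEAN critical precedes extnValue
        tag, start, end = _tlv(der, end)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    uris, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(der, pos)
        if tag == 0x86:               # [6] IMPLICIT IA5String: the URI itself
            uris.append(der[vs:ve].decode("ascii"))
            pos = ve
        elif tag & 0x20:              # constructed (SEQUENCE, [0], ...): step inside
            pos = vs
        else:                         # some other primitive name form: skip it
            pos = ve
    return uris


def fetch_and_check(uri, timeout=10):
    """Download the CRL at uri and return openssl's issuer/nextUpdate lines.

    Tries DER first, then PEM, since a publisher may emit either; raises if
    neither parses, which is the "CDP is in the cert but nothing is served
    there" failure this thread is about.  Not exercised offline.
    """
    with urllib.request.urlopen(uri, timeout=timeout) as resp:
        blob = resp.read()
    for fmt in ("DER", "PEM"):
        proc = subprocess.run(
            ["openssl", "crl", "-inform", fmt, "-noout", "-issuer", "-nextupdate"],
            input=blob, capture_output=True)
        if proc.returncode == 0:
            return proc.stdout.decode()
    raise ValueError(f"{uri} did not return a parseable CRL")


# Constructed: Extension { extnID 2.5.29.31, extnValue OCTET STRING {
#   CRLDistributionPoints { DistributionPoint { [0] { [0] { [6] uri } } } } } }
SAMPLE_URI = "http://crl.example-domain.com/master.crl"
SAMPLE_CRL_DP_EXT = bytes.fromhex(
    "30 39"            # Extension SEQUENCE, 57 bytes
    "06 03 55 1d 1f"   #   extnID
    "04 32"            #   extnValue OCTET STRING, 50 bytes
    "30 30"            #     CRLDistributionPoints SEQUENCE
    "30 2e"            #       DistributionPoint SEQUENCE
    "a0 2c"            #         [0] distributionPoint
    "a0 2a"            #           [0] fullName
    "86 28"            #             [6] uniformResourceIdentifier, 40 bytes
    + SAMPLE_URI.encode("ascii").hex())
# Same extension marked critical (BOOLEAN TRUE inserted before extnValue).
SAMPLE_CRL_DP_EXT_CRITICAL = (bytes.fromhex("30 3c 06 03 55 1d 1f 01 01 ff")
                              + SAMPLE_CRL_DP_EXT[7:])

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:        # DER certificate issued by the CA
        for uri in crl_dp_uris(f.read()):
            print(uri, "->", fetch_and_check(uri).strip())
```

Run it against a DER copy of the server certificate (`openssl x509 -in server.pem -outform DER`); if a URI raises, the CDP is in the certificate but the CA is not publishing there yet, which is the state Mahendra describes before applying the crls-http steps.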
From edewata at redhat.com  Wed Jun 24 18:09:53 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Jun 2015 13:09:53 -0500
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception
References: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com>
Message-ID: <558AF271.4080203@redhat.com>

On 6/23/2015 5:33 PM, Peter P. wrote:
> I build an XML response using snprintf shown below that I post using libcURL with this URL
> https://mydogtagserver:8443/ca/rest/certrequests

Hi Peter,

The XML request format above seems to be outdated. Please take a look at the following page:
http://pki.fedoraproject.org/wiki/User_Certificate_Setup

You can also run the CLI and see the actual XML request sent by the CLI:

    $ pki -c Secret123 client-init
    $ mkdir tmp
    $ pki -v --output tmp -c Secret123 client-cert-request uid=testuser
    $ cat tmp/http-request-2

-- 
Endi S. Dewata

From p.pan48711 at gmail.com  Wed Jun 24 18:31:42 2015
From: p.pan48711 at gmail.com (Peter P.)
Date: Wed, 24 Jun 2015 14:31:42 -0400
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception
In-Reply-To: <558AF271.4080203@redhat.com>
References: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com> <558AF271.4080203@redhat.com>

Hi Endi,

Is there more documentation for the whole XML schema described on that page? I believe for my use case I will need to adjust some of the tags present in my XML posts to Dogtag.

Thank you,

Peter

From edewata at redhat.com  Wed Jun 24 18:44:52 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Jun 2015 13:44:52 -0500
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception
References: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com> <558AF271.4080203@redhat.com>
Message-ID: <558AFAA4.4000008@redhat.com>

On 6/24/2015 1:31 PM, Peter P. wrote:
> Is there more documentation for the whole XML schema described on that page?

Right now we don't have XML schema documentation yet because the XML is generated automatically from a POJO. So for now you'd have to look at the code, or capture the CLI output like I showed you earlier, to figure out the XML format. Please feel free to file a ticket for this. Thanks!

-- 
Endi S. Dewata

From p.pan48711 at gmail.com  Wed Jun 24 21:24:20 2015
From: p.pan48711 at gmail.com (Peter P.)
Date: Wed, 24 Jun 2015 17:24:20 -0400
Subject: [Pki-users] Dogtag ReST Interface Enrollment Java Null Pointer Exception
In-Reply-To: <558AFAA4.4000008@redhat.com>
References: <180320916.25763411.1435092474375.JavaMail.zimbra@redhat.com> <558AF271.4080203@redhat.com> <558AFAA4.4000008@redhat.com>

Hi,

I was able to resolve my issue using the information Endi provided. I have included the CLI output below with the CSR redacted.

Thanks again,

Peter

(The XML element tags of the captured request were stripped by the list archive; only the text content survives, grouped here by profile input.)

    caUserCert
    false
    keyGenInputImpl  Key Generation
        pkcs10  keygen_request_type  Key Generation Request Type
        CSR GOES HERE  keygen_request  Key Generation Request
    subjectNameInputImpl  Subject Name
        testuser  string  UID
        string  Email
        string  Common Name
        string  Organizational Unit 3
        string  Organizational Unit 2
        string  Organizational Unit 1
        string  Organizational Unit
        string  Organization
        string  Country
    submitterInfoInputImpl  Requestor Information
        string  Requestor Name
        string  Requestor Email
        string  Requestor Phone
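Added example, not code from this thread or from the Dogtag project: a client in Python that builds a CertEnrollmentRequest in the shape of the CLI capture Peter posted above and POSTs it to /ca/rest/certrequests, the way his libcURL code does. The element names (CertEnrollmentRequest, ProfileID, Renewal, Input with ClassID, Name and Attribute/Value children), the attribute names (cert_request_type, cert_request, sn_uid and the rest), the PKIException element names, the placeholder CSR and the server URL are all assumptions, reconstructed from the tag-stripped captures on this page and from Dogtag's JAXB classes; compare them against your own `pki -v --output` capture before relying on them.

```python
"""Build and submit a Dogtag 10.2 CertEnrollmentRequest for
POST /ca/rest/certrequests.

Added example, not code from this thread or from the Dogtag project.  The
document shape (CertEnrollmentRequest / ProfileID / Renewal / Input with
ClassID, Name and Attribute/Value children) and the attribute names
(cert_request_type, cert_request, sn_uid ... requestor_phone) are assumed
from the tag-stripped CLI capture in Peter's mail and from Dogtag's JAXB
classes; the PKIException element names, SAMPLE_CSR and the server URL are
likewise assumptions.  Compare against your own `pki -v --output` capture.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed placeholder; a real client passes the base64 body of a PKCS#10 CSR.
SAMPLE_CSR = "CSR GOES HERE"

# Attribute names (assumed) behind the "Subject Name" and "Requestor
# Information" inputs in the capture.  The capture also carries a Descriptor
# per attribute (syntax "string", description "UID" ...); that is profile
# metadata the CLI echoes back and this client omits.
SUBJECT_ATTRS = ("sn_uid", "sn_e", "sn_cn", "sn_ou3", "sn_ou2",
                 "sn_ou1", "sn_ou", "sn_o", "sn_c")
REQUESTOR_ATTRS = ("requestor_name", "requestor_email", "requestor_phone")


def build_enrollment_request(profile_id, csr, subject, requestor=None,
                             renewal=False):
    """Return the CertEnrollmentRequest document as UTF-8 bytes."""
    root = ET.Element("CertEnrollmentRequest")
    ET.SubElement(root, "ProfileID").text = profile_id
    ET.SubElement(root, "Renewal").text = "true" if renewal else "false"

    def add_input(input_id, class_id, name, attrs):
        inp = ET.SubElement(root, "Input", id=input_id)
        ET.SubElement(inp, "ClassID").text = class_id
        ET.SubElement(inp, "Name").text = name
        for attr_name, value in attrs:
            attr = ET.SubElement(inp, "Attribute", name=attr_name)
            ET.SubElement(attr, "Value").text = value

    add_input("i1", "keyGenInputImpl", "Key Generation",
              [("cert_request_type", "pkcs10"), ("cert_request", csr)])
    add_input("i2", "subjectNameInputImpl", "Subject Name",
              [(n, subject.get(n, "")) for n in SUBJECT_ATTRS])
    if requestor is not None:
        add_input("i3", "submitterInfoInputImpl", "Requestor Information",
                  [(n, requestor.get(n, "")) for n in REQUESTOR_ATTRS])
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def request_values(xml_bytes):
    """Flatten a request back to {name: value}: what the server will read."""
    root = ET.fromstring(xml_bytes)
    values = {"ProfileID": root.findtext("ProfileID"),
              "Renewal": root.findtext("Renewal")}
    for attr in root.iter("Attribute"):
        values[attr.get("name")] = attr.findtext("Value")
    return values


def describe_error(body):
    """Return (ClassName, Code, Message) from a PKIException response body."""
    root = ET.fromstring(body)
    return (root.findtext("ClassName"), root.findtext("Code"),
            root.findtext("Message"))


def submit(base_url, xml_bytes, cafile):
    """POST the request; return (status, body).  Not exercised offline.

    The CA's TLS chain is verified against cafile rather than disabled; a
    PKIException body (HTTP 4xx/5xx) surfaces as urllib.error.HTTPError,
    whose .read() can be passed to describe_error().
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/ca/rest/certrequests", data=xml_bytes,
        headers={"Content-Type": "application/xml", "Accept": "application/xml"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


# Constructed from the tag-stripped error text in Peter's first mail.
SAMPLE_ERROR = (b"<PKIException><ClassName>com.netscape.certsrv.base.PKIException"
                b"</ClassName><Code>500</Code><Message>java.lang.NullPointerException"
                b"</Message></PKIException>")
```

Usage: `submit("https://mydogtagserver:8443", build_enrollment_request("caUserCert", csr, {"sn_uid": "testuser"}), "ca-chain.pem")`. Keeping the subject and requestor inputs present even when empty mirrors the capture, where the CLI sends every attribute the profile defines; dropping an input the profile expects is the kind of mismatch that produces an unhelpful 500 rather than a validation message.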
From Majain at verisign.com  Thu Jun 25 18:23:58 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Thu, 25 Jun 2015 18:23:58 +0000
Subject: [Pki-users] Configure externally acquired private key and certificate

Hi,

I've DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn

I would like to know if DogTag also supports configuring externally acquired private key and certificate.

In other words, if I generate the private key and CSR using openssl and submit CSR to CA for certificate. Once the CA issued the certificate, I would like to setup DogTag using the existing private key (created using openssl) and certificate.

Thanks,
Mahendra

From cfu at redhat.com  Fri Jun 26 16:03:56 2015
From: cfu at redhat.com (Christina Fu)
Date: Fri, 26 Jun 2015 09:03:56 -0700
Subject: [Pki-users] Configure externally acquired private key and certificate
Message-ID: <558D77EC.8000009@redhat.com>

On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
> I would like to know if DogTag also supports configuring externally acquired private key and certificate.

Hi,

I'm sorry I read your questions a few times and I'm not certain what you wish to do. What would you like to use this certificate for? For example, is this an SSL server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are you talking about replacing certain system cert of the CA you just set up?

From cfu at redhat.com  Fri Jun 26 16:10:56 2015
From: cfu at redhat.com (Christina Fu)
Date: Fri, 26 Jun 2015 09:10:56 -0700
Subject: [Pki-users] Resolvable CRL Distribution Points in the certificate
Message-ID: <558D7990.4070602@redhat.com>

Hi Mahendra,

I'm glad that you found your answer, and I appreciate your sharing the information with the community.

Yes, in general, the latest Red Hat Certificate System documentation applies to Dogtag with some exceptions (e.g. installation).

Christina

On 06/24/2015 10:56 AM, Jain, Mahendra wrote:
> I'm able to resolve this by following steps outlined in the link below:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/crls-http.html

From Majain at verisign.com  Fri Jun 26 16:22:33 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Fri, 26 Jun 2015 16:22:33 +0000
Subject: [Pki-users] Configure externally acquired private key and certificate
In-Reply-To: <558D77EC.8000009@redhat.com>
References: <558D77EC.8000009@redhat.com>

Hi Christina,

Sorry for the confusion. Let me rephrase the steps below if it is supported:

1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA certificate (acquired in step #3)

I'm hoping this approach allows me to perform step 1-3 once and then setup DogTag as many times I need using the existing private key and certificate on any host.

Please let me know if you need further clarification.
Thanks, Mahendra From: Christina Fu > Date: Friday, June 26, 2015 at 12:03 PM To: "pki-users at redhat.com" > Subject: Re: [Pki-users] Configure externally acquired private key and certificate On 06/25/2015 11:23 AM, Jain, Mahendra wrote: Hi, I?ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link below) and the setup works perfectly fine: http://man.sourcentral.org/f18/8+pkispawn I would like to know if DogTag also supports configuring externally acquired private key and certificate. In other words, If I generate the private key and CSR using openssl and submit CSR to CA for certificate. Once the CA issued the certificate, I would like to setup DogTag using the existing private key (created using openssl) and certificate. Hi, I'm sorry I read your questions a few times and I'm not certain what you wish to do. What would you like to use this certificate for? For example, is this an SSL server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are you talking about replacing certain system cert of the CA you just set up? Thanks, Mahendra ?This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately.? _______________________________________________ Pki-users mailing list Pki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... 
From Majain at verisign.com Mon Jun 29 14:32:09 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 29 Jun 2015 14:32:09 +0000
Subject: [Pki-users] Configure externally acquired private key and certificate
In-Reply-To:
References: <558D77EC.8000009@redhat.com>
Message-ID:

Hi Christina,

Here's some detailed information:

I'm planning to setup intermediate CA with DogTag and issue SSL server certs.

I'm trying 2 options with DogTag setup:

Option 1: Installing an externally signed CA
I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup works perfectly fine with no issues.
This option involves following steps:

1. Generate a certificate signing request (CSR) for the signing certificate in DogTag setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2

Option 2: Installing an externally signed CA (One time setup of keys/CSR)

The desired steps are as follows:

1. Generate a certificate signing request (CSR) for the signing certificate using OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA certificate (acquired in step #3)

The desired expectation in option #2 is to perform step 1-3 below once and then setup DogTag (or recreate VM) as many times I need using private key and certificate obtained earlier. This will prevent us from regenerating CSR and get it signed with external CA (Ex: Symantec).

Please let me know if you have any questions.

Thanks,
Mahendra

From: "Jain, Mahendra"
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu, "pki-users at redhat.com"
Subject: Re: [Pki-users] Configure externally acquired private key and certificate

Hi Christina,

Sorry for the confusion. Let me rephrase the steps below if it is supported:

1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA certificate (acquired in step #3)

I'm hoping this approach allows me to perform step 1-3 once and then setup DogTag as many times I need using the existing private key and certificate on any host.

Please let me know if you need further clarification.

Thanks,
Mahendra
From cfu at redhat.com Tue Jun 30 15:56:38 2015
From: cfu at redhat.com (Christina Fu)
Date: Tue, 30 Jun 2015 08:56:38 -0700
Subject: [Pki-users] Configure externally acquired private key and certificate
In-Reply-To:
References: <558D77EC.8000009@redhat.com>
Message-ID: <5592BC36.1010907@redhat.com>

On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
> Hi Christina,
>
> Here's some detailed information:
>
> I'm planning to setup intermediate CA with DogTag and issue SSL server certs.
>
> I'm trying 2 options with DogTag setup:
>
> *Option 1: Installing an externally signed CA*
> I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup works perfectly fine with no issues.
> This option involves following steps:
>
> 1. Generate a certificate signing request (CSR) for the signing certificate in DogTag setup phase 1
> 2. Submit the CSR to the external CA (Ex: Symantec)
> 3. Obtain the resulting intermediate certificate and certificate chain
> 4. Continue with DogTag setup phase 2
>
> *Option 2: Installing an externally signed CA (One time setup of keys/CSR)*
>
> The desired steps are as follows:
>
> 1. Generate a certificate signing request (CSR) for the signing certificate using *OpenSSL*
> 2. Submit the CSR to the external CA (Ex: Symantec)
> 3. Obtain the resulting intermediate certificate and certificate chain
> 4. Store private key and certificate obtained in above steps in secured media so that it can be used later
> 5. Setup DogTag using the private key (generated in step #1) and intermediate CA certificate (acquired in step #3)
>
> The desired expectation in option #2 is to perform step 1-3 below once and then setup DogTag (or recreate VM) as many times I need using private key and certificate obtained earlier. This will prevent us from regenerating CSR and get it signed with external CA (Ex: Symantec).

If I read it correctly, you want to set up multiple CA's sharing the same signing cert/keys? Dogtag supports cloning. Did you look into that?
From Majain at verisign.com Tue Jun 30 15:59:22 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Tue, 30 Jun 2015 15:59:22 +0000
Subject: [Pki-users] Configure Dogtag using externally acquired private key and certificate
Message-ID:

Any suggestions?

Thank you,
Mahendra
From Majain at verisign.com Tue Jun 30 16:14:30 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Tue, 30 Jun 2015 16:14:30 +0000
Subject: [Pki-users] Configure externally acquired private key and certificate
In-Reply-To: <5592BC36.1010907@redhat.com>
References: <558D77EC.8000009@redhat.com> <5592BC36.1010907@redhat.com>
Message-ID:

Hi Christina,

Thanks for taking time to respond.
We already have clone setup using steps outlined in http://man.sourcentral.org/f18/8+pkispawn and the setup works perfectly fine with no issues.

My question is related to setting up Dogtag using private key and certificate generated via openSSL command separately (on a completely different host from Dogtag).
For example, if I delete the complete VM instance where Dogtag is running and reinstall, I could reuse the private key and certificate already generated via openSSL command earlier to setup new Dogtag instance without requiring to generate CSR and get it signed with external CA (Ex: Symantec).

Hope this helps.

Please let me know if you have any questions.

Thanks,
Mahendra
From cfu at redhat.com Tue Jun 30 17:48:04 2015
From: cfu at redhat.com (Christina Fu)
Date: Tue, 30 Jun 2015 10:48:04 -0700
Subject: [Pki-users] Configure externally acquired private key and certificate
In-Reply-To:
References: <558D77EC.8000009@redhat.com> <5592BC36.1010907@redhat.com>
Message-ID: <5592D654.7080807@redhat.com>

I think you are talking about this:
https://fedorahosted.org/pki/ticket/456
The user have a chance to import own CA certificate with private key

Christina
From Majain at verisign.com Tue Jun 30 18:02:06 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Tue, 30 Jun 2015 18:02:06 +0000
Subject: [Pki-users] Configure externally acquired private key and certificate
In-Reply-To: <5592D654.7080807@redhat.com>
References: <558D77EC.8000009@redhat.com> <5592BC36.1010907@redhat.com> <5592D654.7080807@redhat.com>
Message-ID:

Hi Christina,

Thank you so much. This is exactly what I was looking for.
Looking at the ticket details, it seems quite old (the last response posted ~7 months ago). I'll give it a try and let you know how it goes.

Thanks again,
Mahendra
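The "Option 2" procedure from the June 29 message (generate the intermediate CA key and CSR with OpenSSL, have an external CA sign it, then keep the key and certificate for later reinstalls) is shown below as an added example; it is not code from this thread, from Dogtag, or from any of the people in it. It covers steps 1 to 4 and adds the checks a practitioner would want before step 4: that the returned certificate really belongs to the stored key, that it chains to the external CA, and that it was issued as a CA certificate. Step 5, importing into Dogtag, is left to the ticket Christina pointed to. A throwaway self-signed root stands in for the external CA (Symantec in the thread) so the script runs offline; all file names, subject names and the password are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the pki-users thread or from the Dogtag project.
# OpenSSL side of "Option 2": generate the intermediate CA key and CSR once,
# check what the external CA returns against that key, and keep key +
# certificate + chain together in one PKCS#12 bundle for safekeeping.
# File names, subject names and the stand-in root CA are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key and CSR for the intermediate CA. The CA extensions are
# requested in the CSR; the external CA decides what it actually issues.
gen_ca_key_and_csr() {
    cn="$1"
    openssl genrsa -out "$WORK/sub-ca.key" 2048 2>/dev/null
    cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ca_ext
[dn]
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -new -key "$WORK/sub-ca.key" -config "$WORK/csr.cnf" -out "$WORK/sub-ca.csr"
    # Echo the subject so the caller can confirm the CSR carries the intended name.
    openssl req -in "$WORK/sub-ca.csr" -noout -subject
}

# Steps 2 and 3 stand-in: a throwaway self-signed root plays the external CA
# and signs the CSR. Constructed for the demo only.
mock_external_ca_sign() {
    cat > "$WORK/root.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[dn]
CN = Demo Root CA (stand-in)
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/root.cnf" -days 30 -out "$WORK/root.pem"
    cat > "$WORK/sign.cnf" <<EOF
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -in "$WORK/sub-ca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/sign.cnf" -extensions ca_ext \
        -out "$WORK/sub-ca.pem" 2>/dev/null
}

# Before key and certificate go to "secured media" (step 4): the certificate
# must belong to the stored key, chain to the external root, and be a CA cert.
verify_issued_cert() {
    key_pub=$(openssl pkey -in "$WORK/sub-ca.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$WORK/sub-ca.pem" -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1
    openssl verify -CAfile "$WORK/root.pem" "$WORK/sub-ca.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/sub-ca.pem" -noout -text | grep -q 'CA:TRUE'
}

# Step 4: one password-protected bundle holding key, certificate and chain,
# so the pieces cannot drift apart in storage. Returns the certificate count
# read back from the bundle (2 here: intermediate plus root).
bundle_pkcs12() {
    pass="$1"
    openssl pkcs12 -export -inkey "$WORK/sub-ca.key" -in "$WORK/sub-ca.pem" \
        -certfile "$WORK/root.pem" -name "caSigningCert" \
        -passout "pass:$pass" -out "$WORK/sub-ca.p12"
    openssl pkcs12 -in "$WORK/sub-ca.p12" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Run the whole flow when this file is executed directly.
run_demo() {
    gen_ca_key_and_csr "Demo Intermediate CA"
    mock_external_ca_sign
    if verify_issued_cert; then
        echo "issued certificate matches the stored key and chains to the root"
    else
        echo "issued certificate does NOT match; do not store or import it" >&2
        return 1
    fi
    echo "certificates in $WORK/sub-ca.p12: $(bundle_pkcs12 'demo-password')"
}
run_demo
```

In real use the stand-in signing function is replaced by submitting `sub-ca.csr` to the external CA and saving what comes back as `sub-ca.pem` plus its chain; the verification and bundling steps stay the same, and a key mismatch there means the wrong CSR was signed or the wrong key was restored, which is exactly the failure a reinstall from stored material should catch before Dogtag ever sees the key.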