From marcinmierzejewski1024 at gmail.com Sun Nov 1 13:15:24 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Sun, 1 Nov 2015 14:15:24 +0100
Subject: [Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possession
References: <563012FD.2060100@redhat.com>

Christina, you were right, I shouldn't try to do that functionality.

2015-10-28 17:53 GMT+01:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:

> Hi Christina
>
>> I read and reread your email a few times but am still not sure why you
>> want the CA to be responsible for giving you the p12, especially the CA has
>> no idea what password was used for enveloping
>
> The envelope password may be empty, or defined by the user in the renewal
> request to my application.
>
>> Could the user not just get the renewed cert, import it into the nss db,
>> and then export the cert and its keys into a p12 themselves? Why use an
>> old p12?
>
> My users can't do that kind of thing, like repacking a private key to a new
> certificate. They just want a new private key without asking for it from the
> KRA and waiting for approval.
>
> 2015-10-28 1:12 GMT+01:00 Christina Fu :
>
>> I read and reread your email a few times but am still not sure why you
>> want the CA to be responsible for giving you the p12, especially the CA has
>> no idea what password was used for enveloping. And why does the user need
>> the private key if the user is supposed to already have the private key?
>> The KRA does allow you to recover keys if you lost your keys, but it
>> requires agent approval.
>>
>> Could the user not just get the renewed cert, import it into the nss db,
>> and then export the cert and its keys into a p12 themselves? Why use an
>> old p12?
>>
>> Christina
>>
>> On 10/27/2015 04:20 AM, Marcin Mierzejewski wrote:
>>
>> I'm trying to generate a new .p12 file for the renewed certificate, because
>> the old version of the p12 file after that renewal has the private key
>> linked to the certificate which is not the latest one (however the keypair
>> and all subject data are the same).
>> What is my idea?
>> - create "caManualRenewal" enrollment
>> - read crmf from enrollment
>> - get private key from crmf
>> - approve renewal request
>> - return new p12 file with new cert and this privkey to user
>>
>> Is it even possible to do something like this? Does it make sense to
>> recreate that file, or can the user use the old p12 file even after renewal?
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

From marcinmierzejewski1024 at gmail.com Sun Nov 1 13:48:46 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Sun, 1 Nov 2015 14:48:46 +0100
Subject: [Pki-users] How to retrieve private key in DRM

Hi all,

I've got lots of problems with Dogtag (ahem... almost 20 threads in October :) if somebody didn't notice) but this is probably the last one :D

It happens if the recovery needs more than one agent approval. I got the request accepted by the admins, and the problem is that I can retrieve the private key from the browser, but if I try to do this in code it throws a PKIException and creates a new recovery request:

    // creates a new recovery request "recover" and throws: PKIException "Unauthorized request."
    Key recoveredX509Key = keyClient.retrieveKeyByPKCS12(keyid, cert, password);

    // creates a new recovery request "securityDataRecovery" and throws:
    // RuntimeException com.netscape.certsrv.base.PKIException: Unauthorized request. Recovery request not approved.
    Key recoveredX509Key = keyClient.retrieveKey(keyid);

But for this same key, when I open it in the browser I get a form to retrieve the key to a pk12, and it works perfectly. I checked the logs and they show me where this form data goes:

[01/lis/2015:13:29:04][http-bio-8443-exec-2]: CMSServlet:service() uri = /kra/agent/kra/getAsyncPk12
[01/lis/2015:13:29:04][http-bio-8443-exec-2]: CMSServlet::service() param name='seqNum' value='339'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]: CMSServlet::service() param name='p12Password' value='(sensitive)'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]: CMSServlet::service() param name='p12PasswordAgain' value='(sensitive)'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]: CMSServlet::service() param name='op' value='getAsyncPk12'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]: CMSServlet::service() param name='reqID' value='339'

Anyone have an idea what I'm doing wrong? Is there any way to execute the getAsyncPk12 service from code? If you need more code or context, drop me a note.

From marcinmierzejewski1024 at gmail.com Sun Nov 1 13:11:48 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Sun, 1 Nov 2015 14:11:48 +0100
Subject: [Pki-users] Dogtag is changing my renewal request after enrollment

The problem was setting serial_num via inputs. It now works well with data.setSerialNum(oldCertificateId);

2015-10-31 18:05 GMT+01:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:

> I've got a method which creates a renewal request for a given certificate:
>
>     private CertEnrollmentRequest createUserEncryptionArchivedCertRenewalEnrollment(int oldCertificateId) {
>         CertEnrollmentRequest data = new CertEnrollmentRequest();
>         data.setProfileId("caManualRenewal");
>         data.setRenewal(true);
>
>         // serial number of the certificate to renew, passed as a profile input
>         ProfileInput certReq = data.createInput("Serial Number of Certificate to Renew");
>         certReq.addAttribute(new ProfileAttribute("serial_num", Integer.toString(oldCertificateId), null));
>
>         return data;
>     }
>
> but after enrolling this request I get a request for renewal of "PKI
> Administrator for localdomain". If I choose not to log in as PKI Admin,
> there is an error telling me that I don't have any certificates to renew
> or the certificate is corrupted. That's weird because it works via the
> Dogtag end-user entity, even without logging in.

From ftweedal at redhat.com Sun Nov 1 22:17:08 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 2 Nov 2015 08:17:08 +1000
Subject: [Pki-users] X.509 preauth
In-Reply-To: <5633EA90.4040308@gmail.com>
References: <5633EA90.4040308@gmail.com>
Message-ID: <20151101221708.GG20018@dhcp-40-8.bne.redhat.com>

On Fri, Oct 30, 2015 at 11:09:20PM +0100, Pascal Jakobi wrote:
> Hi there
>
> I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
> CentOS/Fedora/RHEL.
> I have created the certificates with OpenSSL, everything looks fine - I have
> a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and the
> corresponding KDC cert and CA cert have been checked.
> I also modified the principal with kadmin: "modprinc +requires_preauth toto".
>
> I run kinit for the "toto" principal with KRB5_TRACE set.
> I can see that the KDC sends the following to the client:
>
> [6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
>
> PA-PK-AS-REQ (16), which I understand is for X.509 certificate
> preauthentication, is not in the list.
>
> I guess something is therefore wrong in my KDC configuration, but I cannot
> see what.
> Can someone enlighten me?
> Thanks in advance
>
> --
> Pascal Jakobi
> 116 rue de Stalingrad, 93100 Montreuil
> France
> Tel : +33 6 87 47 58 19
>
> [logging]
>   default = FILE:/var/log/kerberos/krb5libs.log
>   kdc = FILE:/var/log/kerberos/krb5kdc.log
>   kdc = SYSLOG:DEBUG:LOCAL1
>   admin_server = FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
>   dns_lookup_realm = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
>   default_realm = THALES.COM
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>   THALES.COM = {
>     kdc = kdc.jakobi.fr
>     admin_server = kdc.jakobi.fr
>     pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>     pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
>   }
>
> [domain_realm]
>   .jakobi.fr = THALES.COM
>   jakobi.fr = THALES.COM

Hi Pascal,

FYI, this mailing list is for Dogtag Certificate System questions.

Anyhow, did you read the MIT Kerberos pkinit guide[1]? It looks like the
space after the comma in the `pkinit_anchors' directive should not be there.

[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html#configuring-the-kdc

Cheers,
Fraser

From spawn at rloteck.net Thu Nov 5 20:52:38 2015
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Thu, 5 Nov 2015 12:52:38 -0800
Subject: [Pki-users] SAN Field in the MSCE profile

Hi Pki-Users,

I am trying to create a cert using a CSR that has more than one CN using the Manual Server Certificate Enrollment (MSCE) profile, but it seems that it does not support a SAN field by default. Can I create a custom profile that duplicates the MSCE profile, but adds the SAN field? If so, what is the process for doing that?

Thanks,

Rafael

From jmagne at redhat.com Thu Nov 5 22:11:44 2015
From: jmagne at redhat.com (John Magne)
Date: Thu, 5 Nov 2015 17:11:44 -0500 (EST)
Subject: [Pki-users] SAN Field in the MSCE profile
Message-ID: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com>

You should be able to do this:

First, for info on profiles and how to make new ones, start here:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles

If you look in this directory:

/var/lib/pki/pki-tomcat/ca/profiles/ca

This is where the raw profile files are. Looking through these should provide an example of somebody using the subject alt name extension. Whatever is happening there can be created in a new profile.
From spawn at rloteck.net Fri Nov 6 00:40:39 2015
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Thu, 5 Nov 2015 16:40:39 -0800
Subject: [Pki-users] SAN Field in the MSCE profile
In-Reply-To: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com>
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com>

Thx, I will give that a try.

On Thursday, November 5, 2015, John Magne wrote:

> You should be able to do this:
>
> First, for info on profiles and how to make new ones, start here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
>
> If you look in this directory:
>
> /var/lib/pki/pki-tomcat/ca/profiles/ca
>
> This is where the raw profile files are. Looking through these should
> provide an example of somebody using the subject alt name extension.
> Whatever is happening there can be created in a new profile.

From spawn at rloteck.net Sat Nov 7 01:29:40 2015
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Fri, 6 Nov 2015 17:29:40 -0800
Subject: [Pki-users] SAN Field in the MSCE profile
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com>

Still not working:

This is what I put in the new profile:

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1

The CSR looks like this:

Common Name: node1.example.com
Subject Alternative Names: test.example.com, test1.example.com, test2.example.com
Organization: Test Corp
Organization Unit: IT Department
Locality: LA
State: OR
Country: US

On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa wrote:

> Thx, I will give that a try.

From jmagne at redhat.com Sat Nov 7 01:41:19 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 6 Nov 2015 20:41:19 -0500 (EST)
Subject: [Pki-users] SAN Field in the MSCE profile
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com>
Message-ID: <1715879700.9793544.1446860479993.JavaMail.zimbra@redhat.com>

If you could possibly give us the "debug" log, the failure could possibly be isolated more easily.
From ftweedal at redhat.com Sun Nov 8 22:48:08 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 9 Nov 2015 08:48:08 +1000
Subject: [Pki-users] SAN Field in the MSCE profile
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com>
Message-ID: <20151108224808.GB31495@dhcp-40-8.bne.redhat.com>

On Fri, Nov 06, 2015 at 05:29:40PM -0800, Rafael Leiva-Ochoa wrote:
> Still not working:
>
> This is what I put in the new profile:
>
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.9.constraint.name=No Constraint
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
> The CSR looks like this:
>
> Common Name: node1.example.com
> Subject Alternative Names: test.example.com, test1.example.com,
> test2.example.com
> Organization: Test Corp
> Organization Unit: IT Department
> Locality: LA
> State: OR
> Country: US
>

The SubjectAltNameExtDefault profile policy class does not copy
altNames from the CSR. Rather, it takes the subjAltExPattern_N's
specified (yours is empty, which is a problem) and formats them.
You can reference various aspects of the request in the pattern.
See the documentation for more info:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default

If you want to copy an extension value directly from the CSR into the
certificate (e.g. so the SAN request extension is used in the
certificate) you can do that too. This approach demands caution
because there is no validation of the extension value. See the
caIPAserviceCert profile for an example of how to do this for SAN.

Cheers,
Fraser

From spawn at rloteck.net Mon Nov 9 04:40:09 2015
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Sun, 8 Nov 2015 20:40:09 -0800
Subject: [Pki-users] SAN Field in the MSCE profile
In-Reply-To: <20151108224808.GB31495@dhcp-40-8.bne.redhat.com>
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com> <20151108224808.GB31495@dhcp-40-8.bne.redhat.com>

Thanks for the reply Fraser, I was wondering why the CSR SAN field was being ignored on the SubjectAltNameExtDefault profile policy class. However, I am a bit confused, you said: "Rather, it takes the subjAltExPattern_N's specified (yours is empty, which is a problem) and formats them." How do I make it "not" empty? Is this something I do when I approve the request on the DogTag CA web interface? How do I specify this? I need the SAN to be verified when the web client (browser) checks the CN, or the SAN.
Thanks again for your help... :)

Rafael

On Sun, Nov 8, 2015 at 2:48 PM, Fraser Tweedale wrote:

> The SubjectAltNameExtDefault profile policy class does not copy
> altNames from the CSR. Rather, it takes the subjAltExPattern_N's
> specified (yours is empty, which is a problem) and formats them.
> You can reference various aspects of the request in the pattern.
> See the documentation for more info:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
>
> If you want to copy an extension value directly from the CSR into the
> certificate (e.g. so the SAN request extension is used in the
> certificate) you can do that too. This approach demands caution
> because there is no validation of the extension value. See the
> caIPAserviceCert profile for an example of how to do this for SAN.
>
> Cheers,
> Fraser

From marcinmierzejewski1024 at gmail.com Mon Nov 9 09:25:43 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Mon, 9 Nov 2015 10:25:43 +0100
Subject: [Pki-users] How to find private key by owner certificate?

Hello Dogtag users.

Maybe you know how to find a private key by owner certificate? On the user side it can be done in Data Recovery Manager -> Search for Keys -> Show the key that corresponds to the following certificate. I downloaded the Dogtag sources, but all I found is some query building and a resend to this same page; I can't find where exactly these arguments are parsed and used for filtering the results.

KeyClient has only a method called listKeys(type, state, max, size, time) (not sure about the order), but I can't find a method which takes more specific arguments. When I list all keys in the DRM, none of them have a publicKey (so my idea of getting the public key from the cert and looking for the same key in the full key list is not possible).

Any ideas? Can it be done with the console interface? I tried pki key-find but that doesn't work.

From jmagne at redhat.com Mon Nov 9 20:07:23 2015
From: jmagne at redhat.com (John Magne)
Date: Mon, 9 Nov 2015 15:07:23 -0500 (EST)
Subject: [Pki-users] SAN Field in the MSCE profile
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com> <1715879700.9793544.1446860479993.JavaMail.zimbra@redhat.com>
Message-ID: <121976625.11896333.1447099643691.JavaMail.zimbra@redhat.com>

Hi:

I'm a bit swamped right now but look at this if not seen already:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html

This has more specific info on how to set up subjectName and subjectAltName. There is a link in that piece of documentation that points to the subjectAltName defaults specifically.

----- Original Message -----
From: "Rafael Leiva-Ochoa"
To: "John Magne"
Sent: Friday, November 6, 2015 11:01:02 PM
Subject: Re: SAN Field in the MSCE profile

Here you go.

On Fri, Nov 6, 2015 at 5:47 PM, Rafael Leiva-Ochoa wrote:

> ok. I will run one tonight.
>
> Thanks
>
> On Fri, Nov 6, 2015 at 5:41 PM, John Magne wrote:
>
>> If you could possibly give us the "debug" log, the failure could possibly
>> be isolated more easily.
From ftweedal at redhat.com Wed Nov 11 07:07:17 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 11 Nov 2015 17:07:17 +1000
Subject: [Pki-users] SAN Field in the MSCE profile
References: <1750199276.7990122.1446761504387.JavaMail.zimbra@redhat.com> <20151108224808.GB31495@dhcp-40-8.bne.redhat.com>
Message-ID: <20151111070717.GJ5336@dhcp-40-8.bne.redhat.com>

On Sun, Nov 08, 2015 at 08:40:09PM -0800, Rafael Leiva-Ochoa wrote:
> Thanks for the reply Fraser, I was wondering why the CSR SAN field was
> being ignored on the SubjectAltNameExtDefault profile policy class.
> However, I am a bit confused, you said: "Rather, it takes the
> subjAltExPattern_N's specified (yours is empty, which is a problem) and
> formats them." How do I make it "not" empty? Is this something I do when I
> approve the request on the DogTag CA web interface? How do I specify this?
> I need the SAN to be verified when the web client (browser) checks the CN,
> or the SAN.
>

The patterns are defined, "hard-coded", as part of the profile configuration.
Therefore the number of SANs for any given profile is fixed (if you are
using the SubjectAltNameExtDefault class). Each pattern gets formatted
using information available in the request. See the documentation
linked below for a table of the variables you can include in these
patterns. I cannot see a way to propagate arbitrary domain names, other
than the CN (which is available as the $request.req_subject_name.cn$
variable), into SAN names, via SubjectAltNameExtDefault.

> Thanks again for your help....: )
>
> Rafael
>
> On Sun, Nov 8, 2015 at 2:48 PM, Fraser Tweedale wrote:
>
> > On Fri, Nov 06, 2015 at 05:29:40PM -0800, Rafael Leiva-Ochoa wrote:
> > > Still not working:
> > >
> > > This is what I put on the new profile
> > >
> > > policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> > > policyset.serverCertSet.9.constraint.name=No Constraint
> > > policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> > > policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> > > policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> > > policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
> > > policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> > > policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
> > > policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
> > >
> > > The CSR looks like this:
> > >
> > > *Common Name:* node1.example.com
> > > *Subject Alternative Names:* test.example.com, test1.example.com, test2.example.com
> > > *Organization:* Test Corp
> > > *Organization Unit:* IT Department
> > > *Locality:* LA
> > > *State:* OR
> > > *Country:* US
> > >
> > The SubjectAltNameExtDefault profile policy class does not copy
> > altNames from the CSR.
> > Rather, it takes the subjAltExtPattern_N's
> > specified (yours is empty, which is a problem) and formats them.
> > You can reference various aspects of the request in the pattern.
> > See the documentation for more info:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_and_CRL_Extensions.html#Subject_Alternative_Name_Extension_Default
> >
> > If you want to copy an extension value directly from the
> > CSR into the certificate (e.g. so the SAN request extension is used
> > in the certificate) you can do that too. This approach demands
> > caution because there is no validation of the extension value. See
> > the caIPAserviceCert profile for an example of how to do this for
> > SAN.
> >
> > Cheers,
> > Fraser
> >
> > > On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa wrote:
> > >
> > > > Thx, I will give that a try.
> > > >
> > > > On Thursday, November 5, 2015, John Magne wrote:
> > > >
> > > >> You should be able to do this:
> > > >>
> > > >> First for info on profiles and how to make new ones start here:
> > > >>
> > > >> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Certificate_Profiles.html#about-certificate-profiles
> > > >>
> > > >> If you look in this directory:
> > > >>
> > > >> /var/lib/pki/pki-tomcat/ca/profiles/ca
> > > >>
> > > >> This is where the raw profile files are. Looking through these should
> > > >> provide an example of somebody using the subject alt name extension.
> > > >> Whatever is happening there can be created in a new profile.
> > > >>
> > > >> ----- Original Message -----
> > > >> From: "Rafael Leiva-Ochoa"
> > > >> To: pki-users at redhat.com
> > > >> Sent: Thursday, November 5, 2015 12:52:38 PM
> > > >> Subject: [Pki-users] SAN Feild in the MSCE profile
> > > >>
> > > >> Hi Pki-Users,
> > > >>
> > > >> I am trying to create a cert using a CSR that has more than one CN using
> > > >> the Manual Server Certificate Enrollment (MSCE) profile, but it seems that
> > > >> it does not support a SAN Field by default. Can I create a custom profile
> > > >> that duplicates the MSCE profile, but adds the SAN Field? If so, what is
> > > >> the process for doing that?
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Rafael
> > > >>
> > > >> _______________________________________________
> > > >> Pki-users mailing list
> > > >> Pki-users at redhat.com
> > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > >>
> > > >
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> > >
>
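The two behaviours Fraser describes above, as an added illustration that is not part of the thread and not Dogtag's own code: a small model of how a SubjectAltNameExtDefault policy turns its fixed subjAltExtPattern_N templates into SAN values (so the empty pattern in the posted profile produces no name, while $request.req_subject_name.cn$ pulls in the CN), and the kind of check an agent would want before approving a request whose SAN extension is copied verbatim from the CSR, since the CA does no validation of that value. The pattern substitution is a simplified re-implementation of the documented $variable$ syntax, not Dogtag's, the profile text and request attributes are constructed from the CSR Rafael posted, and the validation rules (CN must be in the SAN, no wildcards, approved domain suffixes only) are one reasonable policy, not something the thread or the caIPAserviceCert profile prescribes.

```python
"""Model of SubjectAltNameExtDefault pattern expansion plus a pre-approval
check for CSR-supplied SAN names.  Simplified illustration, not Dogtag code."""
import re

# Constructed sample: the policy from the thread, with the empty pattern.
PROFILE_EMPTY = """
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

# Constructed: the same policy with the pattern pointing at the request CN.
PROFILE_CN = PROFILE_EMPTY.replace(
    "subjAltExtPattern_0=", "subjAltExtPattern_0=$request.req_subject_name.cn$")

# Constructed request attributes, as the posted CSR would present them.
REQUEST = {
    "request.req_subject_name.cn": "node1.example.com",
    "request.req_subject_name.o": "Test Corp",
}
CSR_SAN = ["test.example.com", "test1.example.com", "test2.example.com"]


def parse_params(profile_text, policy_prefix):
    """Return {param: value} for one policy's default.params.* entries."""
    params = {}
    needle = policy_prefix + ".default.params."
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith(needle):
            key, _, value = line[len(needle):].partition("=")
            params[key] = value
    return params


_VAR = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def expand_pattern(pattern, request):
    """Substitute $var$ tokens from the request; unknown vars become empty."""
    return _VAR.sub(lambda m: request.get(m.group(1), ""), pattern)


def san_from_profile(profile_text, policy_prefix, request):
    """Generate the SAN GeneralNames the policy would emit.

    The CSR's own SAN extension is never consulted: the count comes from
    subjAltNameNumGNs and each value from a subjAltExtPattern_N template.
    """
    p = parse_params(profile_text, policy_prefix)
    names = []
    for i in range(int(p.get("subjAltNameNumGNs", "0"))):
        if p.get(f"subjAltExtGNEnable_{i}", "false").lower() != "true":
            continue
        value = expand_pattern(p.get(f"subjAltExtPattern_{i}", ""), request)
        if value:  # an empty pattern yields nothing: the symptom in the thread
            names.append((p.get(f"subjAltExtType_{i}", "DNSName"), value))
    return names


# Hostname shape: labels of 1-63 chars, no leading/trailing dash, at least one dot.
_HOST = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def validate_csr_san(dns_names, cn, allowed_suffixes):
    """Checks to run before approving a request whose SAN is copied verbatim
    from the CSR (hypothetical policy; the CA itself validates nothing here).
    Returns (ok, problems)."""
    problems = []
    if cn not in dns_names:
        problems.append(f"CN {cn!r} not present in SAN")
    for name in dns_names:
        n = name.lower()
        if "*" in n:
            problems.append(f"wildcard not allowed: {name!r}")
            continue
        if not _HOST.match(n):
            problems.append(f"not a valid hostname: {name!r}")
            continue
        if not any(n == s or n.endswith("." + s) for s in allowed_suffixes):
            problems.append(f"outside approved domains: {name!r}")
    return (not problems, problems)


if __name__ == "__main__":
    prefix = "policyset.serverCertSet.9"
    print("empty pattern ->", san_from_profile(PROFILE_EMPTY, prefix, REQUEST))
    print("CN pattern    ->", san_from_profile(PROFILE_CN, prefix, REQUEST))
    print("CSR SAN check ->", validate_csr_san(CSR_SAN, "node1.example.com", ["example.com"]))
```

With the posted profile the first call returns an empty list, which is exactly the "SAN is ignored" symptom; the CN-pattern variant yields a single DNSName equal to the CN, which is as far as SubjectAltNameExtDefault can go for caller-supplied names. The validator flags the posted CSR because its CN is not among the SAN entries, a mismatch browsers will treat as a name error, and rejects wildcards and names outside the approved domains, which is the review an agent has to do by hand once a profile copies the extension straight from the request.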