From marcinmierzejewski1024 at gmail.com Mon Oct 5 06:55:26 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Mon, 5 Oct 2015 08:55:26 +0200
Subject: [Pki-users] Problem with authenticate to dogtag agent

Hi

I have a problem authenticating to the Dogtag admin; if you don't mind, check this question on Stack Exchange:
http://unix.stackexchange.com/questions/233954/dogtag-ca-after-installation


From marcinmierzejewski1024 at gmail.com Tue Oct 13 14:36:26 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Tue, 13 Oct 2015 16:36:26 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

There is a caEncECUserCert that works as I expect but generates an elliptic curve certificate. Is there any equivalent for RSA?

And the next question is: could I use this profile to generate an end-user certificate remotely by calling the REST service?


From marcinmierzejewski1024 at gmail.com Tue Oct 13 13:51:42 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Tue, 13 Oct 2015 15:51:42 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Hi All,

What I want is a simple profile for requesting an encryption (not signing) personal certificate whose private key will be stored in the KRA/DRM. I checked the existing profiles and found a profile whose name and description meet the goals I want to achieve.

*CaEncUserCert.cfg*

This profile was not visible; I changed that. I opened this profile in the end user CA application:

*Certificate Profile - Manual User Encryption Certificates Enrollment*

This certificate profile is for enrolling user encryption certificates with option to archive keys.

*Certificate Request Input*
- Certificate Request Type list (pkcs10 or crmf)
- Certificate Request (text area for request)

*Subject Name* - fields with info about the user (probably should be the same values that were in the certificate request)

*Requestor Information* - info about the requestor

How is it possible to store the private key without even sending it to the CA? Can the private key be enclosed in the "Certificate Request"? If the answer is no, as I think, why is there an "option to archive keys"?

Marcin


From dsirrine at redhat.com Tue Oct 13 17:27:10 2015
From: dsirrine at redhat.com (Dave Sirrine)
Date: Tue, 13 Oct 2015 13:27:10 -0400
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Marcin,

Not sure what exactly you're looking for here, but the beauty of profiles is you can create your own. If the ECC profile works as you would expect, you can always create a copy with a new name and change the appropriate lines. A quick diff of the two profiles you mention shows that there's not a lot that's different between the two:

diff caEncECUserCert.cfg caEncUserCert.cfg
1c1
< desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox.
---
> desc=This certificate profile is for enrolling user encryption certificates with option to archive keys.
5c5
< name=Manual User Encryption ECC Certificates Enrollment
---
> name=Manual User Encryption Certificates Enrollment
7,8c7,10
< input.list=i1
< input.i1.class_id=encKeyGenInputImpl
---
> input.list=i1,i2,i3
> input.i1.class_id=certReqInputImpl
> input.i2.class_id=subjectNameInputImpl
> input.i3.class_id=submitterInfoInputImpl
31,32c33,34
< policyset.encryptionCertSet.3.constraint.params.keyType=EC
< policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
---
> policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
93a96
> 

In theory (I have not tested this) you should be able to change the lines for 'policyset.encryptionCertSet.3.constraint.params.keyType' and 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match the caEncUserCert.cfg profile and keep everything else the same. If you have the KRA installed and configured to work with your CA, the encryption keys should automatically be archived in the KRA.
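Review bot: the 7,8c7,10 hunk, which swaps the browser-side encKeyGenInputImpl input for certReqInputImpl plus the subject-name and submitter inputs, is the part that decides whether a key can be archived at all, and the reply does not say so: with certReqInputImpl the user pastes a request they generated themselves, and the KRA can only archive a key that arrives inside a CRMF request wrapped to the KRA transport certificate, while a PKCS#10 request contains no private key. This belongs next to the "should automatically be archived" sentence, since the profile description promises an option to archive keys for either request type the user pastes.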
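Review bot: the keyParameters line in the 31,32c33,34 hunk (1024,2048,3072,4096) still accepts 1024-bit RSA keys; a copied profile meant for encryption certificates whose keys are archived should drop 1024 and allow only 2048,3072,4096, otherwise a user can enroll a key far weaker than the rest of the constraint permits.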
-- Dave

From jmagne at redhat.com Tue Oct 13 18:21:41 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 13 Oct 2015 14:21:41 -0400 (EDT)
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
Message-ID: <1437024918.71031578.1444760501244.JavaMail.zimbra@redhat.com>

Marcin:

What Dave said, but also we have another profile that is RSA for this: caEncUserCert.cfg

Also, you can use the pki CLI to issue a request against such a profile. The following is an approximate set of commands to experiment with an RSA cert request:

CRMFPopClient -d ~/.dogtag/nssdb/ -p password -o csr -a rsa -l 2048 -n "UID=username" -f caEncUserCert -b transport.pem

transport.pem is the KRA's transport cert, which can be found in the CA's CS.cfg.

Download the profile RSA:

pki cert-request-profile-show caUserCert --output testuser.xml

Edit testuser.xml to add the csr you just created:

cert_request= your csr
cert_request_type = crmf

Submit Request:

pki cert-request-submit testuser.xml

Use the agent interface to approve the request.

More info: http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI


From marcinmierzejewski1024 at gmail.com Wed Oct 14 09:29:05 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Wed, 14 Oct 2015 11:29:05 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Thanks for the solution Dave, but changing these 2 lines exits Firefox while the browser tries to generate/send keys to Dogtag. I am using Firefox 17.0 (in newer versions I got an error that crypto objects are not supported in those versions). I don't get any stack trace or something to paste :/

I thought this class, *encKeyGenInputImpl*, does not support generating an RSA pair, so I replaced it with *keyGenInputImpl*. And then it is working!
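Added example (my code, not from the Dogtag project or from anyone in this thread) for the question raised earlier of whether a private key can be enclosed in the certificate request, and for John's CRMFPopClient step: a minimal DER walker that tells a PKCS#10 request from a CRMF one and reports whether the CRMF request carries the PKIArchiveOptions control (OID 1.3.6.1.5.5.7.5.1.4), which is how the private key, wrapped to the KRA transport certificate, travels inside the request; a PKCS#10 request carries no private key, so nothing can be archived from it. The sample requests are hand-built placeholders rather than real signed requests, and the walker assumes single-byte tags and definite lengths.

```python
"""Classify a certificate request and check whether it asks for key archival.

Added example, not Dogtag code. An operator can run it on the request pasted
into a certReqInputImpl-based profile before approving it: only a CRMF request
carrying the PKIArchiveOptions control can lead to the KRA archiving the key.
"""
import base64

# OID 1.3.6.1.5.5.7.5.1.4 (id-regCtrl-pkiArchiveOptions), DER content octets
PKI_ARCHIVE_OPTIONS_OID = bytes.fromhex("2b0601050507050104")
# OID 1.2.840.113549.1.1.1 (rsaEncryption), used only to build the samples
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_children(data: bytes) -> list:
    """Split a DER byte string into its top-level (tag, body) elements.

    Only single-byte tags and definite lengths are handled (assumption), which
    is all that PKCS#10 and CRMF requests need.
    """
    elements, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated DER header")
        tag, length = data[pos], data[pos + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag not supported")
        pos += 2
        if length & 0x80:
            count = length & 0x7F
            if count == 0 or count > 4:
                raise ValueError("indefinite or oversized length")
            length = int.from_bytes(data[pos:pos + count], "big")
            pos += count
        if pos + length > len(data):
            raise ValueError("truncated DER element")
        elements.append((tag, data[pos:pos + length]))
        pos += length
    return elements


def contains_oid(data: bytes, oid: bytes) -> bool:
    """Depth-first search of constructed elements for an OBJECT IDENTIFIER."""
    for tag, body in der_children(data):
        if tag == 0x06 and body == oid:
            return True
        if tag & 0x20 and contains_oid(body, oid):  # constructed: descend
            return True
    return False


def classify_request(text: str) -> str:
    """Return 'pkcs10', 'crmf-archive' or 'crmf-no-archive' for a base64 request.

    PKCS#10 is SEQUENCE { SEQUENCE { INTEGER version, ... }, ... } while CRMF is
    SEQUENCE OF SEQUENCE { SEQUENCE CertRequest, ... }, so the first grandchild
    of the outer SEQUENCE is an INTEGER for PKCS#10 and a SEQUENCE for CRMF.
    PEM armor lines are ignored if present.
    """
    b64 = "".join(line.strip() for line in text.splitlines()
                  if not line.startswith("-----"))
    der = base64.b64decode(b64)
    top = der_children(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("request is not a single DER SEQUENCE")
    first = der_children(top[0][1])
    if not first or first[0][0] != 0x30:
        raise ValueError("unexpected request structure")
    grandchildren = der_children(first[0][1])
    if not grandchildren:
        raise ValueError("unexpected request structure")
    if grandchildren[0][0] == 0x02:
        return "pkcs10"
    if grandchildren[0][0] != 0x30:
        raise ValueError("unexpected request structure")
    if contains_oid(der, PKI_ARCHIVE_OPTIONS_OID):
        return "crmf-archive"
    return "crmf-no-archive"


def build_samples() -> dict:
    """Hand-built minimal requests (constructed placeholders, not real ones)."""
    def seq(*parts):
        return der_encode(0x30, b"".join(parts))

    def integer(value):
        return der_encode(0x02, bytes([value]))

    rsa_alg = seq(der_encode(0x06, RSA_ENCRYPTION_OID), der_encode(0x05, b""))
    spki_body = rsa_alg + der_encode(0x03, b"\x00" + b"\x01" * 8)  # placeholder key
    # PKCS#10: CertificationRequestInfo { 0, Name, SPKI, [0] attrs }, sigAlg, sig
    pkcs10 = seq(seq(integer(0), seq(), seq(spki_body), der_encode(0xA0, b"")),
                 rsa_alg, der_encode(0x03, b"\x00" * 4))
    # CRMF CertTemplate with publicKey [6] IMPLICIT SubjectPublicKeyInfo
    template = seq(der_encode(0xA6, spki_body))
    # Control { pkiArchiveOptions OID, value }; the value would be the private key
    # wrapped to the KRA transport cert, replaced by a placeholder string here
    archive = seq(der_encode(0x06, PKI_ARCHIVE_OPTIONS_OID),
                  der_encode(0x04, b"wrapped-key-placeholder"))
    crmf_archive = seq(seq(seq(integer(1), template, seq(archive))))
    crmf_plain = seq(seq(seq(integer(1), template)))
    return {name: base64.b64encode(raw).decode() for name, raw in
            [("pkcs10", pkcs10), ("crmf_archive", crmf_archive),
             ("crmf_plain", crmf_plain)]}


if __name__ == "__main__":
    for name, req in build_samples().items():
        print(f"{name}: {classify_request(req)}")
```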
From marcinmierzejewski1024 at gmail.com Wed Oct 14 09:35:00 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Wed, 14 Oct 2015 11:35:00 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

But after this change it is not adding the private key to the DRM :/


From marcinmierzejewski1024 at gmail.com Wed Oct 14 12:27:25 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Wed, 14 Oct 2015 14:27:25 +0200
Subject: [Pki-users] Dogtag jss4 dependency version

I'm trying to build a Dogtag REST client, but after adding the jars I found in the system (here is the list):

pki-ca.jar
pki-certsrv.jar
pki-cms.jar
pki-cmscore.jar
pki-cmsutil.jar
pki-console.jar
pki-kra.jar
pki-nsutil.jar
pki-ocsp.jar
pki-tks.jar
pki-tomcat.jar
pki-tools.jar
pki-tps.jar

I got some problems with their dependencies (resteasy was missing), so I resolved them with a Maven pom. Now I have a problem with the Mozilla JSS lib. On the Mozilla FTP (https://ftp.mozilla.org/pub/security/jss/releases/) I found .jar and .so packages for different versions (from 3.0 to 4.3), but after checking all of them, none of them have the inner class SSLVersionRange in SSLSocket (check the stack trace below).
So i checked what is dogtag source package dependecies and all i found in CMakeLists.txt is that dogtag is build with jss4.jar *So, my question is what exact version of JSS is dogtag using and where I can get it? * Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/ssl/SSLSocket$SSLVersionRange at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:333) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) at com.sun.proxy.$Proxy37.listProfiles(Unknown Source) at com.netscape.certsrv.profile.ProfileClient.listProfiles(ProfileClient.java:59) at com.company.CATest.test(CATest.java:93) at com.company.Main.main(Main.java:15) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at 
com.intellij.rt.execution.application.AppMain.main(AppMain.java:140) -------------- next part -------------- An HTML attachment was scrubbed... URL: From marcinmierzejewski1024 at gmail.com Wed Oct 14 12:52:13 2015 From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski) Date: Wed, 14 Oct 2015 14:52:13 +0200 Subject: [Pki-users] Dogtag jss4 dependency version In-Reply-To: References: Message-ID: Update, problem solved with jss version from fedora: /usr/lib64/jss 2015-10-14 14:27 GMT+02:00 Marcin Mierzejewski < marcinmierzejewski1024 at gmail.com>: > I' m trying to build dogtag rest client but after adding jars I found in > system: > here is the list: > pki-ca.jar > pki-certsrv.jar > pki-cms.jar > pki-cmscore.jar > pki-cmsutil.jar > pki-console.jar > pki-kra.jar > pki-nsutil.jar > pki-ocsp.jar > pki-tks.jar > pki-tomcat.jar > pki-tools.jar > pki-tps.jar > I got some problem with dependencies with them(resteasy was missing) so I > resolved them with maven pom. Now i have problem with mozilla JSS lib. In > mozilla ftp(https://ftp.mozilla.org/pub/security/jss/releases/) i found > .jar and .so packages for difrent versions(from 3.0 to 4.3 ) but after > checking all of them none of them have inner class SSLVersionRange in > SSLSocket(check stacktrace bellow). > So i checked what is dogtag source package dependecies and all i found in > CMakeLists.txt is that dogtag is build with jss4.jar > *So, my question is what exact version of JSS is dogtag using and where I > can get it? 
* > > > > > Exception in thread "main" java.lang.NoClassDefFoundError: > org/mozilla/jss/ssl/SSLSocket$SSLVersionRange > at > com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:333) > at > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) > at > org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) > at > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) > at > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) > at > org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) > at > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283) > at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436) > at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) > at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) > at com.sun.proxy.$Proxy37.listProfiles(Unknown Source) > at > com.netscape.certsrv.profile.ProfileClient.listProfiles(ProfileClient.java:59) > at com.company.CATest.test(CATest.java:93) > at com.company.Main.main(Main.java:15) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140) > > > -------------- next part -------------- An HTML 
attachment was scrubbed... URL: From alee at redhat.com Wed Oct 14 12:56:20 2015 From: alee at redhat.com (Ade Lee) Date: Wed, 14 Oct 2015 08:56:20 -0400 Subject: [Pki-users] Dogtag jss4 dependency version In-Reply-To: References: Message-ID: <1444827380.11564.5.camel@redhat.com> Great - glad it was resolved. I'm curious though - can you explain what it is you are trying to do? What platform and what version of Dogtag are you building all these on? Ade On Wed, 2015-10-14 at 14:52 +0200, Marcin Mierzejewski wrote: > Update, problem solved with jss version from fedora: /usr/lib64/jss > > 2015-10-14 14:27 GMT+02:00 Marcin Mierzejewski < > marcinmierzejewski1024 at gmail.com>: > > I' m trying to build dogtag rest client but after adding jars I > > found in system: > > here is the list: > > pki-ca.jar > > pki-certsrv.jar > > pki-cms.jar > > pki-cmscore.jar > > pki-cmsutil.jar > > pki-console.jar > > pki-kra.jar > > pki-nsutil.jar > > pki-ocsp.jar > > pki-tks.jar > > pki-tomcat.jar > > pki-tools.jar > > pki-tps.jar > > I got some problem with dependencies with them(resteasy was > > missing) so I resolved them with maven pom. Now i have problem with > > mozilla JSS lib. In mozilla ftp( > > https://ftp.mozilla.org/pub/security/jss/releases/) i found .jar > > and .so packages for difrent versions(from 3.0 to 4.3 ) but after > > checking all of them none of them have inner class SSLVersionRange > > in SSLSocket(check stacktrace bellow). > > So i checked what is dogtag source package dependecies and all i > > found in CMakeLists.txt is that dogtag is build with jss4.jar > > So, my question is what exact version of JSS is dogtag using and > > where I can get it? > > > > > > > > > > Exception in thread "main" java.lang.NoClassDefFoundError: > > org/mozilla/jss/ssl/SSLSocket$SSLVersionRange > > at > > com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory. 
> > connectSocket(PKIConnection.java:333) > > at > > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConne > > ction(DefaultClientConnectionOperator.java:177) > > at > > org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedC > > lientConnectionImpl.java:304) > > at > > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(Defau > > ltRequestDirector.java:611) > > at > > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultR > > equestDirector.java:446) > > at > > org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHt > > tpClient.java:882) > > at > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHt > > tpClient.java:82) > > at > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHt > > tpClient.java:55) > > at > > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.inv > > oke(ApacheHttpClient4Engine.java:283) > > at > > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(Cl > > ientInvocation.java:436) > > at > > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke > > (ClientInvoker.java:102) > > at > > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(C > > lientProxy.java:64) > > at com.sun.proxy.$Proxy37.listProfiles(Unknown Source) > > at > > com.netscape.certsrv.profile.ProfileClient.listProfiles(ProfileClie > > nt.java:59) > > at com.company.CATest.test(CATest.java:93) > > at com.company.Main.main(Main.java:15) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImp > > l.java:62) > > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcc > > essorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at > > com.intellij.rt.execution.application.AppMain.main(AppMain.java:140 > > ) > > > > > _______________________________________________ > Pki-users mailing list > Pki-users at 
redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From marcinmierzejewski1024 at gmail.com Wed Oct 14 13:13:52 2015 From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski) Date: Wed, 14 Oct 2015 15:13:52 +0200 Subject: [Pki-users] Dogtag jss4 dependency version In-Reply-To: <1444827380.11564.5.camel@redhat.com> References: <1444827380.11564.5.camel@redhat.com> Message-ID: Dogtag 10.2.6 on Fedora 22 And what I'm trying to do is module to some bigger application to use dogtag as CA/KRA via rests. What is a part I'm working now? request new personal certs for encrypting data with option to retrive it when user lost own private key. I have a lots of problem with Dogtag and Fedora, becouse linux is not my first option but I kinda liked it (: I'm new with mailing lists so sorry for repeating myself, this time i hit reply to all. 2015-10-14 14:56 GMT+02:00 Ade Lee : > Great - glad it was resolved. I'm curious though - can you explain what > it is you are trying to do? > What platform and what version of Dogtag are you building all these on? > > Ade > > On Wed, 2015-10-14 at 14:52 +0200, Marcin Mierzejewski wrote: > > Update, problem solved with jss version from fedora: /usr/lib64/jss > > 2015-10-14 14:27 GMT+02:00 Marcin Mierzejewski < > marcinmierzejewski1024 at gmail.com>: > > I' m trying to build dogtag rest client but after adding jars I found in > system: > here is the list: > pki-ca.jar > pki-certsrv.jar > pki-cms.jar > pki-cmscore.jar > pki-cmsutil.jar > pki-console.jar > pki-kra.jar > pki-nsutil.jar > pki-ocsp.jar > pki-tks.jar > pki-tomcat.jar > pki-tools.jar > pki-tps.jar > I got some problem with dependencies with them(resteasy was missing) so I > resolved them with maven pom. Now i have problem with mozilla JSS lib. 
In the mozilla ftp (https://ftp.mozilla.org/pub/security/jss/releases/) I found
> .jar and .so packages for different versions (from 3.0 to 4.3) but after
> checking all of them none of them have the inner class SSLVersionRange in
> SSLSocket (check the stacktrace below).
> So I checked what the dogtag source package dependencies are and all I found in
> CMakeLists.txt is that dogtag is built with jss4.jar
> *So, my question is what exact version of JSS is dogtag using and where I
> can get it? *
>
> Exception in thread "main" java.lang.NoClassDefFoundError:
> org/mozilla/jss/ssl/SSLSocket$SSLVersionRange
>         at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:333)
>         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>         at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
>         at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>         at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
>         at com.sun.proxy.$Proxy37.listProfiles(Unknown Source)
>         at com.netscape.certsrv.profile.ProfileClient.listProfiles(ProfileClient.java:59)
>         at
com.company.CATest.test(CATest.java:93)
>         at com.company.Main.main(Main.java:15)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:497)
>         at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
>

From alee at redhat.com  Wed Oct 14 13:39:28 2015
From: alee at redhat.com (Ade Lee)
Date: Wed, 14 Oct 2015 09:39:28 -0400
Subject: [Pki-users] Dogtag jss4 dependency version
In-Reply-To:
References: <1444827380.11564.5.camel@redhat.com>
Message-ID: <1444829968.11564.12.camel@redhat.com>

Interesting. I thought you were trying to build on some different platform.
Fedora though is a platform on which we regularly do builds - in fact, it's
the first place we do builds.

http://koji.fedoraproject.org/koji/buildinfo?buildID=689385 is the latest
F22 build of 10.2.6

That build contains both server and client side RPMs. For client side only,
you want pki-base - which should pull in all the necessary packages (jss,
resteasy client libs etc.)

If there are missing dependencies, it's a bug.

Ade

On Wed, 2015-10-14 at 15:13 +0200, Marcin Mierzejewski wrote:
> Dogtag 10.2.6 on Fedora 22
> And what I'm trying to do is a module for some bigger application to use
> Dogtag as CA/KRA via REST.
> What is the part I'm working on now?
> Request new personal certs for encrypting data with the option to retrieve
> it when the user lost their own private key.
>
> I have a lot of problems with Dogtag and Fedora, because Linux is not
> my first option but I kinda liked it (:
> I'm new to mailing lists so sorry for repeating myself, this time I
> hit reply to all.
>
> 2015-10-14 14:56 GMT+02:00 Ade Lee :
> > Great - glad it was resolved. I'm curious though - can you
> > explain what it is you are trying to do?
> > What platform and what version of Dogtag are you building all these
> > on?
> >
> > Ade
> >
> > On Wed, 2015-10-14 at 14:52 +0200, Marcin Mierzejewski wrote:
> > > Update, problem solved with jss version from fedora:
> > > /usr/lib64/jss
> > >
> > > 2015-10-14 14:27 GMT+02:00 Marcin Mierzejewski <
> > > marcinmierzejewski1024 at gmail.com>:
> > > > I'm trying to build a dogtag rest client but after adding jars I
> > > > found in system:
> > > > here is the list:
> > > > pki-ca.jar
> > > > pki-certsrv.jar
> > > > pki-cms.jar
> > > > pki-cmscore.jar
> > > > pki-cmsutil.jar
> > > > pki-console.jar
> > > > pki-kra.jar
> > > > pki-nsutil.jar
> > > > pki-ocsp.jar
> > > > pki-tks.jar
> > > > pki-tomcat.jar
> > > > pki-tools.jar
> > > > pki-tps.jar
> > > > I got some problems with dependencies with them (resteasy was
> > > > missing) so I resolved them with a maven pom. Now I have a problem
> > > > with the mozilla JSS lib. In the mozilla ftp(
> > > > https://ftp.mozilla.org/pub/security/jss/releases/) I found
> > > > .jar and .so packages for different versions (from 3.0 to 4.3)
> > > > but after checking all of them none of them have the inner class
> > > > SSLVersionRange in SSLSocket (check stacktrace below).
> > > > So I checked what the dogtag source package dependencies are and all
> > > > I found in CMakeLists.txt is that dogtag is built with jss4.jar
> > > > So, my question is what exact version of JSS is dogtag using
> > > > and where I can get it?
> > > >
> > > > Exception in thread "main" java.lang.NoClassDefFoundError:
> > > > org/mozilla/jss/ssl/SSLSocket$SSLVersionRange
> > > >         at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:333)
> > > >         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> > > >         at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
> > > >         at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> > > >         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> > > >         at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
> > > >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> > > >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> > > >         at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
> > > >         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
> > > >         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
> > > >         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
> > > >         at com.sun.proxy.$Proxy37.listProfiles(Unknown Source)
> > > >         at com.netscape.certsrv.profile.ProfileClient.listProfiles(ProfileClient.java:59)
> > > >         at com.company.CATest.test(CATest.java:93)
> > > >         at com.company.Main.main(Main.java:15)
> > > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > >         at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >         at java.lang.reflect.Method.invoke(Method.java:497)
> > > >         at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
> > > >

From jmagne at redhat.com  Wed Oct 14 17:25:25 2015
From: jmagne at redhat.com (John Magne)
Date: Wed, 14 Oct 2015 13:25:25 -0400 (EDT)
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To:
References:
Message-ID: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com>

If you see the email I sent the other day,
we make use of the CRMFPopClient tool that uses the transport key to wrap the private key.

----- Original Message -----
From: "Marcin Mierzejewski"
To: "Dave Sirrine"
Cc: pki-users at redhat.com
Sent: Wednesday, October 14, 2015 2:35:00 AM
Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

But after this change it is not adding private key to DRM: /

2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :

Marcin,

Not sure what exactly you're looking for here, but the beauty of profiles is you can create your own. If the ECC profile works as you would expect, you can always create a copy with a new name and change the appropriate lines. A quick diff of the two profiles you mention shows that there's not a lot that's different between the two:

diff caEncECUserCert.cfg caEncUserCert.cfg
1c1
< desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox.
---
> desc=This certificate profile is for enrolling user encryption certificates with option to archive keys.
5c5
< name=Manual User Encryption ECC Certificates Enrollment
---
> name=Manual User Encryption Certificates Enrollment
7,8c7,10
< input.list=i1
< input.i1.class_id=encKeyGenInputImpl
---
> input.list=i1,i2,i3
> input.i1.class_id=certReqInputImpl
> input.i2.class_id=subjectNameInputImpl
> input.i3.class_id=submitterInfoInputImpl
31,32c33,34
< policyset.encryptionCertSet.3.constraint.params.keyType=EC
< policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
---
> policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
93a96
>

In theory (I have not tested this) you should be able to change the lines for 'policyset.encryptionCertSet.3.constraint.params.keyType' and 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match the caEncUserCert.cfg profile and keep everything else the same. If you have the KRA installed and configured to work with your CA, the encryption keys should automatically be archived in the KRA.

-- Dave

On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski < marcinmierzejewski1024 at gmail.com > wrote:

there is a caEncECUserCert that works as I expect but generates an Elliptic curve certificate. Is there any equivalent for RSA? And the next question is: could I use this profile to generate an end-user certificate remotely by calling a REST service?

2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski < marcinmierzejewski1024 at gmail.com > :

Hi All,

What I want is a simple profile for requesting an encryption (not signing) personal certificate whose private key will be stored in KRA/DRM. I checked existing profiles and found a profile whose name and description meet the goals I want to achieve.

CaEncUserCert.cfg

this profile was not visible; I changed that.
I opened this profile in the end user CA application

Certificate Profile - Manual User Encryption Certificates Enrollment

This certificate profile is for enrolling user encryption certificates with option to archive keys.

Certificate Request Input
* Certificate Request Type list (pkcs10 or crmf)
* Certificate Request (text area for request)

Subject Name - fields with info about the user (probably should be the same values that were in the certificate request)

Requestor Information - info about the requestor

How is it possible to store the private key without even sending it to the CA? Can the private key be enclosed in the "Certificate Request"? If the answer is no - as I think - why is there an "option to archive keys"?

Marcin

From p.pan48711 at gmail.com  Wed Oct 14 18:17:49 2015
From: p.pan48711 at gmail.com (Peter P.)
Date: Wed, 14 Oct 2015 14:17:49 -0400
Subject: [Pki-users] Revoking all certificates issued by Dogtag at once
Message-ID:

Hi,

I have an instance of Dogtag installed on my Fedora 22 server and I wanted to know if there is a way to revoke all the certificates ever issued by my Dogtag CA in one shot.

Also, is there any bound/limit to the amount of valid certificates that can be issued by an instance of Dogtag?

Thank you,

Peter

From ftweedal at redhat.com  Thu Oct 15 00:56:44 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 15 Oct 2015 10:56:44 +1000
Subject: [Pki-users] Revoking all certificates issued by Dogtag at once
In-Reply-To:
References:
Message-ID: <20151015005644.GN11271@dhcp-40-8.bne.redhat.com>

On Wed, Oct 14, 2015 at 02:17:49PM -0400, Peter P.
wrote:
> Hi,
>
> I have an instance of Dogtag installed on my Fedora 22 server and I wanted
> to know if there is a way to revoke all the certificates ever issued by my
> Dogtag CA in one shot.
>
The web interface does give you a way to revoke many certs at once.
Whether it can do "all" depends on how many certs you've issued :)

You could also script this using the CLI.

But what is it you are actually trying to achieve?  Would it be
sufficient to revoke the issuer certificate instead?

> Also, is there any bound/limit to the amount of valid certificates that can
> be issued by an instance of Dogtag?
>
Conceptually no.  In reality, you could run out of disk or, on
operations that involve many certificates (e.g. generate a CRL with a
huge number of non-expired revoked certs) then possibly hit memory
limits.

Cheers,
Fraser

> Thank you,
>
> Peter

From marcinmierzejewski1024 at gmail.com  Thu Oct 15 08:59:39 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Thu, 15 Oct 2015 10:59:39 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com>
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks for the clue. RMFPopClientTool is a CLI tool. I checked the implementation and I found this method wrapPrivateKey(...).
Can it be used to wrap a private key which could be added to CertEnrollRequest to request a certificate from my REST client?
And do you have ideas how to get a symmetric key for that? I think a better solution would be to use the CA public key to encrypt it but I don't have that much knowledge in PKI and Dogtag architecture.
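The double wrap John Magne describes above (the private key wrapped under a fresh symmetric session key, the session key wrapped under the KRA transport key), as an added example that is not part of the thread and not Dogtag's or CRMFPopClient's code. It models the exchange with Go's standard library: AES-256-GCM and RSA-OAEP stand in for the tool's own wrapping algorithms, and the ArchiveOptions struct is a hypothetical stand-in for the CRMF PKIArchiveOptions encoding, so the KRA-side unwrap can be shown next to the client-side wrap.

```go
// Added example, not Dogtag's own code: the double wrap used for key
// archival, modelled with the Go standard library. AES-256-GCM and RSA-OAEP
// stand in for the tool's algorithms; ArchiveOptions is a hypothetical struct.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
)

// ArchiveOptions is what the client puts into the enrollment request: the
// private key is never sent in the clear, only these two blobs.
type ArchiveOptions struct {
	WrappedSessionKey []byte // RSA-OAEP(transport public key, session key)
	Nonce             []byte // AES-GCM nonce for the private-key wrap
	WrappedPrivateKey []byte // AES-GCM(session key, PKCS#8 DER of the key)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapForArchival is the client side: a fresh session key wraps the user's
// private key, and the KRA transport certificate's public key wraps the session key.
func WrapForArchival(transportPub *rsa.PublicKey, userKey *rsa.PrivateKey) (*ArchiveOptions, error) {
	der, err := x509.MarshalPKCS8PrivateKey(userKey)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // the symmetric key the thread asks about
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrappedSession, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, transportPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &ArchiveOptions{
		WrappedSessionKey: wrappedSession,
		Nonce:             nonce,
		WrappedPrivateKey: gcm.Seal(nil, nonce, der, nil),
	}, nil
}

// UnwrapArchived is the KRA side: only the transport private key recovers the
// session key, so any other RSA key fails at the first step.
func UnwrapArchived(transportPriv *rsa.PrivateKey, opts *ArchiveOptions) (*rsa.PrivateKey, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, transportPriv, opts.WrappedSessionKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	der, err := gcm.Open(nil, opts.Nonce, opts.WrappedPrivateKey, nil)
	if err != nil {
		return nil, fmt.Errorf("private key unwrap failed: %w", err)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	userKey, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("archived key is not an RSA key")
	}
	return userKey, nil
}

func main() {
	transport, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the KRA transport key
	user, _ := rsa.GenerateKey(rand.Reader, 2048)      // the key pair to be archived
	opts, err := WrapForArchival(&transport.PublicKey, user)
	if err != nil {
		panic(err)
	}
	got, err := UnwrapArchived(transport, opts)
	fmt.Println("KRA recovered the archived key:", err == nil && got.D.Cmp(user.D) == 0)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = UnwrapArchived(other, opts)
	fmt.Println("unrelated key refused:", err != nil)
}
```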
2015-10-14 19:25 GMT+02:00 John Magne :

> If you see the email I sent the other day,
> we make use of the CRMFPopClient tool that uses the transport key to wrap
> the private key.
>
> ----- Original Message -----
> From: "Marcin Mierzejewski"
> To: "Dave Sirrine"
> Cc: pki-users at redhat.com
> Sent: Wednesday, October 14, 2015 2:35:00 AM
> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with
> storing private key in DRM/KRA
>
> But after this change it is not adding private key to DRM: /
>
> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
>
> Marcin,
>
> Not sure what exactly you're looking for here, but the beauty of profiles
> is you can create your own. If the ECC profile works as you would expect,
> you can always create a copy with a new name and change the appropriate
> lines. A quick diff of the two profiles you mention shows that there's not
> a lot that's different between the two:
>
> diff caEncECUserCert.cfg caEncUserCert.cfg
> 1c1
> < desc=This certificate profile is for enrolling user ECC encryption
> certificates. It works only with latest Firefox.
> ---
> > desc=This certificate profile is for enrolling user encryption
> certificates with option to archive keys.
> 5c5
> < name=Manual User Encryption ECC Certificates Enrollment
> ---
> > name=Manual User Encryption Certificates Enrollment
> 7,8c7,10
> < input.list=i1
> < input.i1.class_id=encKeyGenInputImpl
> ---
> > input.list=i1,i2,i3
> > input.i1.class_id=certReqInputImpl
> > input.i2.class_id=subjectNameInputImpl
> > input.i3.class_id=submitterInfoInputImpl
> 31,32c33,34
> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> < policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> ---
> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> 93a96
> >
>
> In theory (I have not tested this) you should be able to change the lines
> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match
> the caEncUserCert.cfg profile and keep everything else the same. If you
> have the KRA installed and configured to work with your CA, the encryption
> keys should automatically be archived in the KRA.
>
> -- Dave
>
> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
> marcinmierzejewski1024 at gmail.com > wrote:
>
> there is a caEncECUserCert that works as I expect but generates Elliptic
> curve certificate. Is there any equivalent for RSA? And next question is:
> could I use this profile to generate enduser certificate remote by calling
> REST service?
>
> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
> marcinmierzejewski1024 at gmail.com > :
>
> Hi All,
>
> What I want is simple profile for requesting encryption(not sign) personal
> certificate that will private key be stored in KRA/DRM. I check existing
> profiles and found profile that name and description meet the goals I want
> to achieve.
>
> CaEncUserCert.cfg
>
> this profile was not visible I change that.
I opened this profile in end
> user CA application
>
> Certificate Profile - Manual User Encryption Certificates Enrollment
>
> This certificate profile is for enrolling user encryption certificates
> with option to archive keys. Certificate Request Input
> * Certificate Request Type list ( pkcs10 or crmf)
> * Certificate Request (text area for request)
> Subject Name
> -fields with info about user (probably should be same values that were in
> certificate request)
> Requestor Information
> - info about requestor
>
> How it's possible to store private key without even sending it to CA? can
> be private key enclosed into "Certificate Request"? If answer is no - as I
> think why there is a "option to archive keys"?
>
> Marcin
>

From marcinmierzejewski1024 at gmail.com  Thu Oct 15 09:26:33 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Thu, 15 Oct 2015 11:26:33 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To:
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com>
Message-ID:

Ok, after further reading this symmetric key is encrypted with the CA public key in the wrapSessionKey(...) method.
The question I still have is how to use it in a REST client?

2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski < marcinmierzejewski1024 at gmail.com>:

> Thanks for the clue. RMFPopClientTool is a CLI tool. I checked the implementation and
> I found this method wrapPrivateKey(...).
> Can it be used to wrap a private key which could be added to
> CertEnrollRequest to request a certificate from my REST client?
> And do you have ideas how to get a symmetric key for that? I think a better
> solution would be to use the CA public key to encrypt it but I don't have that
> much knowledge in PKI and Dogtag architecture.
>
> 2015-10-14 19:25 GMT+02:00 John Magne :
>
>> If you see the email I sent the other day,
>> we make use of the CRMFPopClient tool that uses the transport key to wrap
>> the private key.
>>
>> ----- Original Message -----
>> From: "Marcin Mierzejewski"
>> To: "Dave Sirrine"
>> Cc: pki-users at redhat.com
>> Sent: Wednesday, October 14, 2015 2:35:00 AM
>> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with
>> storing private key in DRM/KRA
>>
>> But after this change it is not adding private key to DRM: /
>>
>> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
>>
>> Marcin,
>>
>> Not sure what exactly you're looking for here, but the beauty of profiles
>> is you can create your own. If the ECC profile works as you would expect,
>> you can always create a copy with a new name and change the appropriate
>> lines. A quick diff of the two profiles you mention shows that there's not
>> a lot that's different between the two:
>>
>> diff caEncECUserCert.cfg caEncUserCert.cfg
>> 1c1
>> < desc=This certificate profile is for enrolling user ECC encryption
>> certificates. It works only with latest Firefox.
>> ---
>> > desc=This certificate profile is for enrolling user encryption
>> certificates with option to archive keys.
>> 5c5
>> < name=Manual User Encryption ECC Certificates Enrollment
>> ---
>> > name=Manual User Encryption Certificates Enrollment
>> 7,8c7,10
>> < input.list=i1
>> < input.i1.class_id=encKeyGenInputImpl
>> ---
>> > input.list=i1,i2,i3
>> > input.i1.class_id=certReqInputImpl
>> > input.i2.class_id=subjectNameInputImpl
>> > input.i3.class_id=submitterInfoInputImpl
>> 31,32c33,34
>> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
>> < policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
>> ---
>> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
>> > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
>> 93a96
>> >
>>
>> In theory (I have not tested this) you should be able to change the lines
>> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
>> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match
>> the caEncUserCert.cfg profile and keep everything else the same. If you
>> have the KRA installed and configured to work with your CA, the encryption
>> keys should automatically be archived in the KRA.
>>
>> -- Dave
>>
>> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
>> marcinmierzejewski1024 at gmail.com > wrote:
>>
>> there is a caEncECUserCert that works as I expect but generates Elliptic
>> curve certificate. Is there any equivalent for RSA? And next question is:
>> could I use this profile to generate enduser certificate remote by calling
>> REST service?
>>
>> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
>> marcinmierzejewski1024 at gmail.com > :
>>
>> Hi All,
>>
>> What I want is simple profile for requesting encryption(not sign)
>> personal certificate that will private key be stored in KRA/DRM. I check
>> existing profiles and found profile that name and description meet the
>> goals I want to achieve.
>>
>> CaEncUserCert.cfg
>>
>> this profile was not visible I change that.
I opened this profile in end
>> user CA application
>>
>> Certificate Profile - Manual User Encryption Certificates Enrollment
>>
>> This certificate profile is for enrolling user encryption certificates
>> with option to archive keys. Certificate Request Input
>> * Certificate Request Type list ( pkcs10 or crmf)
>> * Certificate Request (text area for request)
>> Subject Name
>> -fields with info about user (probably should be same values that were in
>> certificate request)
>> Requestor Information
>> - info about requestor
>>
>> How it's possible to store private key without even sending it to CA? can
>> be private key enclosed into "Certificate Request"? If answer is no - as I
>> think why there is a "option to archive keys"?
>>
>> Marcin
>>

From jmagne at redhat.com  Thu Oct 15 17:39:35 2015
From: jmagne at redhat.com (John Magne)
Date: Thu, 15 Oct 2015 13:39:35 -0400 (EDT)
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To:
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com>
Message-ID: <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Marcin Mierzejewski"
> To: "John Magne"
> Cc: "Dave Sirrine" , pki-users at redhat.com
> Sent: Thursday, October 15, 2015 2:26:33 AM
> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
>
> Ok, after further reading this symmetric key is encrypted with CA public key
> in wrapSessionKey(...) method.
> Question I still have is how to use it in a REST client?

I believe in one of the previous emails, I put in a list of steps.
After the request is created by CRMFPopClient, we put that blob
in the xml file generated for the enrollment profile chosen.

Once that xml file is filled out, that is used in issuing the proper
"pki" cli command to do the enrollment. This is in fact hitting the rest
servlets responsible for performing a cert enrollment.

Hope this helps,
thanks,
jack

>
> 2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski <
> marcinmierzejewski1024 at gmail.com>:
>
> > Thanks for the clue. RMFPopClientTool is a CLI tool. I checked the implementation and
> > I found this method wrapPrivateKey(...).
> > Can it be used to wrap a private key which could be added to
> > CertEnrollRequest to request a certificate from my REST client?
> > And do you have ideas how to get a symmetric key for that? I think a better
> > solution would be to use the CA public key to encrypt it but I don't have that
> > much knowledge in PKI and Dogtag architecture.
> >
> > 2015-10-14 19:25 GMT+02:00 John Magne :
> >
> >> If you see the email I sent the other day,
> >> we make use of the CRMFPopClient tool that uses the transport key to wrap
> >> the private key.
> >>
> >> ----- Original Message -----
> >> From: "Marcin Mierzejewski"
> >> To: "Dave Sirrine"
> >> Cc: pki-users at redhat.com
> >> Sent: Wednesday, October 14, 2015 2:35:00 AM
> >> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with
> >> storing private key in DRM/KRA
> >>
> >> But after this change it is not adding private key to DRM: /
> >>
> >> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
> >>
> >> Marcin,
> >>
> >> Not sure what exactly you're looking for here, but the beauty of profiles
> >> is you can create your own. If the ECC profile works as you would expect,
> >> you can always create a copy with a new name and change the appropriate
> >> lines.
A quick diff of the two profiles you mention shows that there's not
> >> a lot that's different between the two:
> >>
> >> diff caEncECUserCert.cfg caEncUserCert.cfg
> >> 1c1
> >> < desc=This certificate profile is for enrolling user ECC encryption
> >> certificates. It works only with latest Firefox.
> >> ---
> >> > desc=This certificate profile is for enrolling user encryption
> >> certificates with option to archive keys.
> >> 5c5
> >> < name=Manual User Encryption ECC Certificates Enrollment
> >> ---
> >> > name=Manual User Encryption Certificates Enrollment
> >> 7,8c7,10
> >> < input.list=i1
> >> < input.i1.class_id=encKeyGenInputImpl
> >> ---
> >> > input.list=i1,i2,i3
> >> > input.i1.class_id=certReqInputImpl
> >> > input.i2.class_id=subjectNameInputImpl
> >> > input.i3.class_id=submitterInfoInputImpl
> >> 31,32c33,34
> >> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> >> < policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> >> ---
> >> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> >> > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> >> 93a96
> >> >
> >>
> >> In theory (I have not tested this) you should be able to change the lines
> >> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> >> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match
> >> the caEncUserCert.cfg profile and keep everything else the same. If you
> >> have the KRA installed and configured to work with your CA, the encryption
> >> keys should automatically be archived in the KRA.
> >>
> >> -- Dave
> >>
> >> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
> >> marcinmierzejewski1024 at gmail.com > wrote:
> >>
> >> there is a caEncECUserCert that works as I expect but generates Elliptic
> >> curve certificate. Is there any equivalent for RSA?
And next question is:
> >> could I use this profile to generate enduser certificate remote by calling
> >> REST service?
> >>
> >> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
> >> marcinmierzejewski1024 at gmail.com > :
> >>
> >> Hi All,
> >>
> >> What I want is simple profile for requesting encryption(not sign)
> >> personal certificate that will private key be stored in KRA/DRM. I check
> >> existing profiles and found profile that name and description meet the
> >> goals I want to achieve.
> >>
> >> CaEncUserCert.cfg
> >>
> >> this profile was not visible I change that. I opened this profile in end
> >> user CA application
> >>
> >> Certificate Profile - Manual User Encryption Certificates Enrollment
> >>
> >> This certificate profile is for enrolling user encryption certificates
> >> with option to archive keys. Certificate Request Input
> >> * Certificate Request Type list ( pkcs10 or crmf)
> >> * Certificate Request (text area for request)
> >> Subject Name
> >> -fields with info about user (probably should be same values that were in
> >> certificate request)
> >> Requestor Information
> >> - info about requestor
> >>
> >> How it's possible to store private key without even sending it to CA? can
> >> be private key enclosed into "Certificate Request"? If answer is no - as I
> >> think why there is a "option to archive keys"?
> >>
> >> Marcin
> >>

From Florian.Supper at s-itsolutions.at  Fri Oct 16 08:38:06 2015
From: Florian.Supper at s-itsolutions.at (Supper Florian OSS sIT)
Date: Fri, 16 Oct 2015 08:38:06 +0000
Subject: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9
Message-ID:

Hi,

1) I'm searching for a better solution to automate our enrollment process. We're using dogtag 9. We would like to use 10, but some features we need are not implemented at the moment.
At the moment we're using cmc requests for enrollment. Works pretty good, but the problem is that you can just use one profile for this type of enrollment. So I tried to find a better solution, but I can't find one. At the moment I'm playing around with browser automation, but no luck till now....
Has anyone a better solution (for dogtag 9) to enroll certificates with different profiles?

2) Has anyone a valid link for downloading the windows auto enrollment proxy exe file?

Br
Florian

From marcinmierzejewski1024 at gmail.com  Fri Oct 16 12:03:48 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Fri, 16 Oct 2015 14:03:48 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To: <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com>
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com> <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com>
Message-ID:

That helps a lot.
It's actually working in the CLI (now I'm figuring out how to use this in an application), but I don't understand one aspect of this.
CRMFPopClient generates an RSA key pair and puts it in the CRMF request. The question is how to get the key pair for the client without retrieving it from the KRA? Could CRMFPopClient be used with an existing key pair?

Transport.cert - is it the same certificate that can be accessed with this line?

    // Test 1: Get transport certificate from DRM
    transportCert = systemCertClient.getTransportCert().getEncoded();

2015-10-15 19:39 GMT+02:00 John Magne:

> ----- Original Message -----
> > From: "Marcin Mierzejewski"
> > To: "John Magne"
> > Cc: "Dave Sirrine", pki-users at redhat.com
> > Sent: Thursday, October 15, 2015 2:26:33 AM
> > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> >
> > Ok, after further reading, this symmetric key is encrypted with the CA public key in the wrapSessionKey(...) method.
> > The question I still have is how to use it in a REST client?
>
> I believe in one of the previous emails I put in a list of steps.
> After the request is created by CRMFPopClient, we put that blob in the XML file generated for the enrollment profile chosen.
>
> Once that XML file is filled out, that is used in issuing the proper "pki" CLI command to do the enrollment. This is in fact hitting the REST servlets responsible for performing a cert enrollment.
>
> Hope this helps,
> thanks,
> jack
>
> > 2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:
> >
> > > Thanks for the clue. CRMFPopClient is a CLI tool. I checked the implementation and I found this method wrapPrivateKey(...).
> > > Can it be used to wrap a private key which could be added to CertEnrollRequest to request a certificate from my REST client?
> > > And do you have ideas how to get a symmetric key for that? I think a better solution would be to use the CA public key to encrypt it, but I don't have that much knowledge in PKI and Dogtag architecture.
> > >
> > > 2015-10-14 19:25 GMT+02:00 John Magne:
> > >
> > >> If you see the email I sent the other day, we make use of the CRMFPopClient tool that uses the transport key to wrap the private key.
> > >>
> > >> ----- Original Message -----
> > >> From: "Marcin Mierzejewski"
> > >> To: "Dave Sirrine"
> > >> Cc: pki-users at redhat.com
> > >> Sent: Wednesday, October 14, 2015 2:35:00 AM
> > >> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> > >>
> > >> But after this change it is not adding the private key to the DRM :/
> > >>
> > >> 2015-10-13 19:27 GMT+02:00 Dave Sirrine <dsirrine at redhat.com>:
> > >>
> > >> Marcin,
> > >>
> > >> Not sure what exactly you're looking for here, but the beauty of profiles is you can create your own. If the ECC profile works as you would expect, you can always create a copy with a new name and change the appropriate lines. A quick diff of the two profiles you mention shows that there's not a lot that's different between the two:
> > >>
> > >> diff caEncECUserCert.cfg caEncUserCert.cfg
> > >> 1c1
> > >> < desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox.
> > >> ---
> > >> > desc=This certificate profile is for enrolling user encryption certificates with option to archive keys.
> > >> 5c5
> > >> < name=Manual User Encryption ECC Certificates Enrollment
> > >> ---
> > >> > name=Manual User Encryption Certificates Enrollment
> > >> 7,8c7,10
> > >> < input.list=i1
> > >> < input.i1.class_id=encKeyGenInputImpl
> > >> ---
> > >> > input.list=i1,i2,i3
> > >> > input.i1.class_id=certReqInputImpl
> > >> > input.i2.class_id=subjectNameInputImpl
> > >> > input.i3.class_id=submitterInfoInputImpl
> > >> 31,32c33,34
> > >> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> > >> < policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> > >> ---
> > >> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> > >> > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> > >> 93a96
> > >> >
> > >>
> > >> In theory (I have not tested this) you should be able to change the lines for 'policyset.encryptionCertSet.3.constraint.params.keyType' and 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to match the caEncUserCert.cfg profile and keep everything else the same. If you have the KRA installed and configured to work with your CA, the encryption keys should automatically be archived in the KRA.
> > >>
> > >> -- Dave
From jmagne at redhat.com Fri Oct 16 18:05:56 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 16 Oct 2015 14:05:56 -0400 (EDT)
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To:
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com> <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com>
Message-ID: <1082536815.75054274.1445018756714.JavaMail.zimbra@redhat.com>

Hi:

The CRMFPopClient generates the key pair on its own, it does not get it from the KRA.
It uses the transport cert to essentially wrap the data for transit.

And that private key gets sent to the KRA.

Also that line of code I believe is in some test driver program.
It gets the same transport cert using some REST call.
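To make the wrapping John describes concrete, here is an added, self-contained Java model; it is not Dogtag's CRMFPopClient and not the project's code. It shows the shape of the exchange the thread is about: the requester generates the end-user RSA key pair locally, encrypts the PKCS#8 private key under a fresh AES session key, encrypts that session key under the transport certificate's RSA public key, and sends both blobs along with the request; only the holder of the transport private key (the KRA) can unwrap them, so the CA relays ciphertext it cannot read. Assumptions: the transport key pair is generated in-process as a stand-in for the real transport certificate, and AES-GCM plus RSA-OAEP are this example's choices, not necessarily the algorithms or the CRMF/PKIArchiveOptions encoding that CRMFPopClient uses.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative model of client-side key archival (added example, not Dogtag code):
 * the requester generates its own key pair, wraps the private key for the KRA
 * under the transport certificate's public key, and ships only ciphertext.
 */
public class TransportWrapDemo {

    private static final String KEY_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String DATA_WRAP = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    /** What travels in the enrollment request (constructed stand-in for CRMF PKIArchiveOptions). */
    public static final class ArchiveBlob {
        public final byte[] wrappedSessionKey; // session key encrypted to the transport public key
        public final byte[] nonce;             // AES-GCM nonce, sent in the clear
        public final byte[] wrappedPrivateKey; // PKCS#8 private key encrypted under the session key

        ArchiveBlob(byte[] wrappedSessionKey, byte[] nonce, byte[] wrappedPrivateKey) {
            this.wrappedSessionKey = wrappedSessionKey;
            this.nonce = nonce;
            this.wrappedPrivateKey = wrappedPrivateKey;
        }
    }

    /** Client side: wrap the freshly generated private key so that only the KRA can read it. */
    public static ArchiveBlob wrapForArchival(PrivateKey userPrivateKey, PublicKey transportPublicKey)
            throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey(); // one-time symmetric key, never reused

        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance(DATA_WRAP);
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] wrappedPrivateKey = aes.doFinal(userPrivateKey.getEncoded()); // PKCS#8 DER in, ciphertext+tag out

        Cipher rsa = Cipher.getInstance(KEY_WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, transportPublicKey);
        byte[] wrappedSessionKey = rsa.doFinal(sessionKey.getEncoded());

        return new ArchiveBlob(wrappedSessionKey, nonce, wrappedPrivateKey);
    }

    /** KRA side: only the holder of the transport private key can reverse the wrapping. */
    public static PrivateKey unwrapAtKra(ArchiveBlob blob, PrivateKey transportPrivateKey) throws Exception {
        Cipher rsa = Cipher.getInstance(KEY_WRAP);
        rsa.init(Cipher.DECRYPT_MODE, transportPrivateKey);
        SecretKey sessionKey = new SecretKeySpec(rsa.doFinal(blob.wrappedSessionKey), "AES");

        Cipher aes = Cipher.getInstance(DATA_WRAP);
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(GCM_TAG_BITS, blob.nonce));
        // GCM authentication: a blob modified in transit fails here with AEADBadTagException
        byte[] pkcs8 = aes.doFinal(blob.wrappedPrivateKey);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair transport = gen.generateKeyPair(); // stand-in for the KRA transport cert and its private key
        KeyPair user = gen.generateKeyPair();      // the pair CRMFPopClient would generate locally

        ArchiveBlob blob = wrapForArchival(user.getPrivate(), transport.getPublic());
        // The CA sees only these bytes; without the transport private key they are opaque.
        System.out.println("wrapped session key: " + blob.wrappedSessionKey.length + " bytes");
        System.out.println("wrapped private key: " + blob.wrappedPrivateKey.length + " bytes");

        PrivateKey recovered = unwrapAtKra(blob, transport.getPrivate());
        System.out.println("KRA recovered the same key: "
                + Arrays.equals(user.getPrivate().getEncoded(), recovered.getEncoded()));

        // Integrity check: flip one ciphertext byte and confirm the unwrap is rejected.
        blob.wrappedPrivateKey[0] ^= 0x01;
        try {
            unwrapAtKra(blob, transport.getPrivate());
            System.out.println("tampered blob accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered blob rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with a plain JDK (`javac TransportWrapDemo.java && java TransportWrapDemo`); no Dogtag classes are needed. The point for Marcin's question about reusing an existing key pair is visible in the signatures: wrapForArchival takes any PrivateKey, so the wrapping step itself does not depend on who generated the key, whereas the CRMF proof-of-possession and the tool's own key generation are separate concerns that this model does not cover.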
From jmagne at redhat.com Fri Oct 16 18:43:44 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 16 Oct 2015 14:43:44 -0400 (EDT)
Subject: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9
In-Reply-To:
References:
Message-ID: <1420055027.75070168.1445021024438.JavaMail.zimbra@redhat.com>

I'm assuming you are using HttpClient to send the CMC requests.

Looking around, it appears that the caProfileSubmitCMCFull servlet. The servlet config for this has a profileID field.

So you COULD create a new profile based on mods to the caFullCMCUserCert profile and set it in the web.xml.

Unless of course you need to send individual requests to different profiles; then this would not help.
From p.pan48711 at gmail.com Mon Oct 19 15:25:49 2015
From: p.pan48711 at gmail.com (Peter P.)
Date: Mon, 19 Oct 2015 11:25:49 -0400
Subject: [Pki-users] Revoking all certificates issued by Dogtag at once
In-Reply-To: <20151015005644.GN11271@dhcp-40-8.bne.redhat.com>
References: <20151015005644.GN11271@dhcp-40-8.bne.redhat.com>
Message-ID:

Hi Fraser,

Thank you for your reply. I am trying to revoke certificates in bulk quantities because I'm using my instance of Dogtag for internal testing of an application that over time enrolls a large amount of certificates. I figured it would be a good idea to clear them out periodically. If there is no issue with letting the issued certificates accumulate then I won't worry about needing to clear them out.

Thank you,

Peter

On Wed, Oct 14, 2015 at 8:56 PM, Fraser Tweedale wrote:

> On Wed, Oct 14, 2015 at 02:17:49PM -0400, Peter P. wrote:
> > Hi,
> >
> > I have an instance of Dogtag installed on my Fedora 22 server and I wanted to know if there is a way to revoke all the certificates ever issued by my Dogtag CA in one shot.
> >
> The web interface does give you a way to revoke many certs at once.
> Whether it can do "all" depends on how many certs you've issued :)
> You could also script this using the CLI. But what is it you are actually trying to achieve? Would it be sufficient to revoke the issuer certificate instead?
>
> > Also, is there any bound/limit to the amount of valid certificates that can be issued by an instance of Dogtag?
> >
> Conceptually no. In reality, you could run out of disk or, on operations that involve many certificates (e.g. generate a CRL with a huge number of non-expired revoked certs), then possibly hit memory limits.
>
> Cheers,
> Fraser
>
> > Thank you,
> >
> > Peter

From marcinmierzejewski1024 at gmail.com Mon Oct 19 10:38:25 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Mon, 19 Oct 2015 12:38:25 +0200
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To: <1082536815.75054274.1445018756714.JavaMail.zimbra@redhat.com>
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com> <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com> <1082536815.75054274.1445018756714.JavaMail.zimbra@redhat.com>
Message-ID:

> The CRMFPopClient generates the key pair on its own, it does not get it from the KRA.

I know and understand that. I wonder how to get the private key before CRMFPopClient packs it into the BLOB request.
From ftweedal at redhat.com Mon Oct 19 21:27:57 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 20 Oct 2015 07:27:57 +1000
Subject: [Pki-users] Revoking all certificates issued by Dogtag at once
In-Reply-To:
References: <20151015005644.GN11271@dhcp-40-8.bne.redhat.com>
Message-ID: <20151019212757.GU11271@dhcp-40-8.bne.redhat.com>

On Mon, Oct 19, 2015 at 11:25:49AM -0400, Peter P. wrote:
> Hi Fraser,
>
> Thank you for your reply. I am trying to revoke certificates in bulk quantities because I'm using my instance of Dogtag for internal testing of an application that over time enrolls a large amount of certificates. I figured it would be a good idea to clear them out periodically. If there is no issue with letting the issued certificates accumulate then I won't worry about needing to clear them out.
>
Revoking would not help in that regard anyway - revoked certificates are still kept in the database. Indeed, they must be, so that CRLs and OCSP responses can contain the correct information about the certificate.

Regards,
Fraser
From marcinmierzejewski1024 at gmail.com Wed Oct 21 09:57:40 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Wed, 21 Oct 2015 11:57:40 +0200
Subject: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request
Message-ID:

After requesting a key recovery with:

    public RequestId requestRecoveryPrivateKey(KeyId keyID, String base64Certificate) throws Exception {
        // trim header and footer from cert
        if (base64Certificate.contains(CertData.HEADER)) {
            base64Certificate = base64Certificate.substring(CertData.HEADER.length(),
                    base64Certificate.indexOf(CertData.FOOTER));
        }

        log("Requesting X509 key recovery." + keyID);
        KeyRequestResponse response = keyClient.recoverKey(keyID, null, null, null, base64Certificate);
        RequestId requestId = response.getRequestId();
        log("ask kra admins to approve request " + requestId);

        KeyRequestInfo info = keyClient.getRequestInfo(requestId);
        log("info about request to approve");
        printRequestInfo(info);

        return requestId;
    }

when I try to find the request by keyId:

    public List<KeyRequestInfo> findRecoveryRequest(KeyId keyid) {
        // listRequests(String requestState, String requestType, String clientID,
        //              RequestId start, Integer pageSize, Integer maxResults, Integer maxTime)
        ArrayList<KeyRequestInfo> result = new ArrayList<KeyRequestInfo>();
        KeyRequestInfoCollection requests = keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999);
        for (KeyRequestInfo keyRequestInfo : requests.getEntries()) {
            KeyId reqKeyId = keyRequestInfo.getKeyId();
            printRequestInfo(keyRequestInfo);
            log("req " + keyRequestInfo.getRequestId() + " " + reqKeyId + "==" + keyid);
            if (keyid.equals(keyRequestInfo.getKeyId())) {
                result.add(keyRequestInfo);
            }
        }
        log("found " + result.size() + " requests");
        return result;
    }

keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999); returns a collection with a null KeyUrl, so getKeyId also returns null. But when I open a request that has a null KeyUrl in the agent interface (https://localhost.localdomain:8443/kra/agent/kra/processReq?op=processReq&seqNum=113) I get all the information I need:

    Request 113
    Request Status: pending
    Type: recovery
    Created on: 21/10/2015, 11:25:41
    Updated by: kraagent
    Updated on: 21/10/2015, 11:25:41
    Recovery Information
    Key identifier: 42
    Recovery Initiating Agent: kraagent
    Recovery Approving Agents:
    Action
    Asynchronous Key Recovery: Grant

How to get the Key Identifier from keyClient?
URL: From marcinmierzejewski1024 at gmail.com Wed Oct 21 15:37:59 2015 From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski) Date: Wed, 21 Oct 2015 17:37:59 +0200 Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA In-Reply-To: <1082536815.75054274.1445018756714.JavaMail.zimbra@redhat.com> References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com> <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com> <1082536815.75054274.1445018756714.JavaMail.zimbra@redhat.com> Message-ID: I have question that propably should be in new thread but it' s related with all this storing private keys in DRM. How to handle certificate renewal? In renewal request for other profiles I found that the renewal request has a new public key which is diffrent, that means private key has been changed as well. After administrator approve on renewal request, the DRM will store not valid private key. I have some ideas how to fix that, if You have any better please give me a hint. solution A) In reneval request put generated put crmf request generated by CRMFPopClient solution B) revoke old certificate, create new one with same key pair and subject values(except notvalidafter date) Or maybe is there option to renewal certificate without changing keys? from some reading( http://security.stackexchange.com/questions/27810/should-i-change-the-private-key-when-renewing-a-certificate) propably SSL certificates renewals does not require that. 2015-10-16 20:05 GMT+02:00 John Magne : > Hi: > > The CRMFPopClient generates the key pair on its own, it does not get it > from the KRA. > It uses the transport cert to essentially wrap the data for transit. > > And that private key gets sent to the kra. > > Also that line of code I believe is in some test driver program. > It gets the same transport cert using some rest call. 
>
>
> ----- Original Message -----
> > From: "Marcin Mierzejewski"
> > To: "John Magne"
> > Cc: "Dave Sirrine" , pki-users at redhat.com
> > Sent: Friday, October 16, 2015 5:03:48 AM
> > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> >
> > That helps a lot. It's actually working in CLI (now I'm figuring out how to
> > use this in application) but I don't understand one aspect of this.
> > CRMFPopClient generates RSA key pair and puts it in crmf request. Question
> > is how to get keypair for client without retrieving it from KRA? Could
> > CRMFPopClient be used with existing keypair?
> >
> > Transport.cert it is the same certificate that can be accessed with that line?
> >
> > // Test 1: Get transport certificate from DRM
> > transportCert = systemCertClient.getTransportCert().getEncoded();
> >
> >
> > 2015-10-15 19:39 GMT+02:00 John Magne :
> > >
> > > ----- Original Message -----
> > > > From: "Marcin Mierzejewski"
> > > > To: "John Magne"
> > > > Cc: "Dave Sirrine" , pki-users at redhat.com
> > > > Sent: Thursday, October 15, 2015 2:26:33 AM
> > > > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> > > >
> > > > Ok, after further reading this symmetric key is encrypted with CA public key
> > > > in wrapSessionKey(...) method.
> > > > Question I still have is how to use it in rest client?
> > >
> > > I believe in one of the previous emails, I put in a list of steps.
> > > After the request is created by CRMFPopClient, we put that blob
> > > in the xml file generated for the enrollment profile chosen.
> > >
> > > Once that xml file is filled out, that is used in issuing the proper
> > > "pki" cli command to do the enrollment. This is in fact hitting the rest
> > > servlets responsible for performing a cert enrollment.
> > >
> > > Hope this helps,
> > > thanks,
> > > jack
> > >
> > > >
> > > > 2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:
> > > >
> > > > > Thanks for the clue. CRMFPopClient tool is a cli tool. I checked the implementation and
> > > > > I found this method wrapPrivateKey(...).
> > > > > Can it be used to wrap private key which could be added to
> > > > > CertEnrollRequest to request certificate from my rest client?
> > > > > And do you have ideas how to get symmetric key for that? I think better
> > > > > solution would be use CA public key to encrypt it but I don't have that
> > > > > much knowledge in PKI and Dogtag architecture.
> > > > >
> > > > > 2015-10-14 19:25 GMT+02:00 John Magne :
> > > > >
> > > > >> If you see the email I sent the other day,
> > > > >> we make use of the CRMFPopClient tool that uses the transport key to wrap
> > > > >> the private key.
> > > > >>
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> From: "Marcin Mierzejewski"
> > > > >> To: "Dave Sirrine"
> > > > >> Cc: pki-users at redhat.com
> > > > >> Sent: Wednesday, October 14, 2015 2:35:00 AM
> > > > >> Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> > > > >>
> > > > >> But after this change it is not adding private key to DRM :/
> > > > >>
> > > > >> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
> > > > >>
> > > > >> Marcin,
> > > > >>
> > > > >> Not sure what exactly you're looking for here, but the beauty of profiles
> > > > >> is you can create your own. If the ECC profile works as you would expect,
> > > > >> you can always create a copy with a new name and change the appropriate
> > > > >> lines.
A quick diff of the two profiles you mention shows that > > > there's not > > > > >> a lot that's different between the two: > > > > >> > > > > >> diff caEncECUserCert.cfg caEncUserCert.cfg > > > > >> 1c1 > > > > >> < desc=This certificate profile is for enrolling user ECC > encryption > > > > >> certificates. It works only with latest Firefox. > > > > >> --- > > > > >> > desc=This certificate profile is for enrolling user encryption > > > > >> certificates with option to archive keys. > > > > >> 5c5 > > > > >> < name=Manual User Encryption ECC Certificates Enrollment > > > > >> --- > > > > >> > name=Manual User Encryption Certificates Enrollment > > > > >> 7,8c7,10 > > > > >> < input.list=i1 > > > > >> < input.i1.class_id=encKeyGenInputImpl > > > > >> --- > > > > >> > input.list=i1,i2,i3 > > > > >> > input.i1.class_id=certReqInputImpl > > > > >> > input.i2.class_id=subjectNameInputImpl > > > > >> > input.i3.class_id=submitterInfoInputImpl > > > > >> 31,32c33,34 > > > > >> < policyset.encryptionCertSet.3.constraint.params.keyType=EC > > > > >> < > > > > >> > > > > policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521 > > > > >> --- > > > > >> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA > > > > >> > > > > > >> > > > > policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 > > > > >> 93a96 > > > > >> > > > > > >> > > > > >> In theory (I have not tested this) you should be able to change > the > > > lines > > > > >> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and > > > > >> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to > > > match > > > > >> the caEncUserCert.cfg profile and keep everything else the same. > If > > > you > > > > >> have the KRA installed and configured to work with your CA, the > > > encryption > > > > >> keys should automatically be archived in the KRA. 
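Review bot: the hunk that decides whether a private key ever reaches the KRA is 7,8c7,10, not the keyType/keyParameters lines in 31,32c33,34: caEncECUserCert.cfg has a single encKeyGenInputImpl input, which generates the key pair in the browser (that is why its desc says it works only with latest Firefox), while caEncUserCert.cfg takes a ready-made request through certReqInputImpl, and such a request only carries a key to the KRA when the CRMF was built with the private key wrapped for the transport certificate, the CRMFPopClient flow the later replies in this thread describe. Copying the ECC profile and changing only the two keyType/keyParameters lines therefore keeps the browser keygen input; a client that enrolls remotely through the REST service, as the quoted question asks, needs the certReqInputImpl variant plus a CRMF containing the wrapped key, and the closing remark that keys "should automatically be archived in the KRA" holds for the encKeyGenInputImpl profile, not for a pasted PKCS#10 request.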
> > > > >>
> > > > >> -- Dave
> > > > >>
> > > > >> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com> wrote:
> > > > >>
> > > > >> there is a caEncECUserCert that works as I expect but generates Elliptic
> > > > >> curve certificate. Is there any equivalent for RSA? And next question is:
> > > > >> could I use this profile to generate enduser certificate remotely by calling
> > > > >> REST service?
> > > > >>
> > > > >> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:
> > > > >>
> > > > >> Hi All,
> > > > >>
> > > > >> What I want is simple profile for requesting encryption (not sign)
> > > > >> personal certificate whose private key will be stored in KRA/DRM. I checked
> > > > >> existing profiles and found profile whose name and description meet the
> > > > >> goals I want to achieve.
> > > > >>
> > > > >> CaEncUserCert.cfg
> > > > >>
> > > > >> this profile was not visible, I changed that. I opened this profile in end
> > > > >> user CA application
> > > > >>
> > > > >> Certificate Profile - Manual User Encryption Certificates Enrollment
> > > > >>
> > > > >> This certificate profile is for enrolling user encryption certificates
> > > > >> with option to archive keys.
> > > > >> Certificate Request Input
> > > > >> * Certificate Request Type list (pkcs10 or crmf)
> > > > >> * Certificate Request (text area for request)
> > > > >> Subject Name
> > > > >> - fields with info about user (probably should be same values that were in
> > > > >> certificate request)
> > > > >> Requestor Information
> > > > >> - info about requestor
> > > > >>
> > > > >> How is it possible to store private key without even sending it to CA? can
> > > > >> the private key be enclosed into "Certificate Request"? If the answer is no, as I
> > > > >> think, why is there an "option to archive keys"?
> > > > >>
> > > > >> Marcin
> > > > >>
> > > > >> _______________________________________________
> > > > >> Pki-users mailing list
> > > > >> Pki-users at redhat.com
> > > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > > >>
> > > > >
> > > >
> > >
> >
>

From jmagne at redhat.com Wed Oct 21 20:29:34 2015
From: jmagne at redhat.com (John Magne)
Date: Wed, 21 Oct 2015 16:29:34 -0400 (EDT)
Subject: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request
In-Reply-To:
References:
Message-ID: <101697374.78934175.1445459374128.JavaMail.zimbra@redhat.com>

Try something like this:

    pki -d ./ -c Secret123 -n "PKI Administrator for localdomain" key-find

This will list the keys and have the id like:

    Key ID: 0xe
    Client Key ID: UUID: 123-45-6789 RKEK Wed Sep 16 14:16:07 PDT 2015
    Status: active
    Owner: kraadmin

    Key ID: 0xf
    Client Key ID: Symmetric Key #1234f Wed Sep 16 14:16:08 PDT 2015
    Status: active
    Algorithm: AES
    Size: 128
    Owner: kraadmin

    Key ID: 0x10
    Client Key ID: UUID: 123-45-6789 VEK Wed Sep 16 14:16:08 PDT 2015
    Status: inactive
    Algorithm: AES
    Size: 128
    Owner: kraadmin

----- Original Message -----
From: "Marcin Mierzejewski"
To: pki-users at redhat.com
Sent: Wednesday, October 21, 2015 2:57:40 AM
Subject: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request

after requesting a key recovery with:

    public RequestId requestRecoveryPrivateKey(KeyId keyID, String base64Certificate) throws Exception
    {
        // trim header and footer from cert
        if (base64Certificate.contains(CertData.HEADER)) {
            base64Certificate = base64Certificate.substring(CertData.HEADER.length(),
                    base64Certificate.indexOf(CertData.FOOTER));
        }

        log("Requesting X509 key recovery." + keyID);
        KeyRequestResponse response = keyClient.recoverKey(keyID, null, null, null, base64Certificate);
        RequestId requestId = response.getRequestId();
        log("ask kra admins to approve request " + requestId);

        KeyRequestInfo info = keyClient.getRequestInfo(requestId);
        log("info about request to approve");
        printRequestInfo(info);

        return requestId;
    }

when I try to find the request by keyId

    public List<KeyRequestInfo> findRecoveryRequest(KeyId keyid)
    {
        // listRequests(String requestState, String requestType, String clientID,
        //              RequestId start, Integer pageSize, Integer maxResults, Integer maxTime)
        ArrayList<KeyRequestInfo> result = new ArrayList<KeyRequestInfo>();
        KeyRequestInfoCollection requests = keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999);
        for (KeyRequestInfo keyRequestInfo : requests.getEntries()) {
            KeyId reqKeyId = keyRequestInfo.getKeyId();
            printRequestInfo(keyRequestInfo);

            log("req " + keyRequestInfo.getRequestId() + " " + reqKeyId + "==" + keyid);
            if (keyid.equals(keyRequestInfo.getKeyId()))
            {
                result.add(keyRequestInfo);
            }
        }
        log("found " + result.size() + " requests");
        return result;
    }

keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999);
returns a collection with null KeyUrl so getKeyId also returns null

but when I open requests with some null in KeyUrl in the agent
(https://localhost.localdomain:8443/kra/agent/kra/processReq?op=processReq&seqNum=113)
I get all the information I need:

    Request 113
    Request Status: pending   Type: recovery   Created on: 21/10/2015, 11:25:41
    Updated by: kraagent   Updated on: 21/10/2015, 11:25:41
    Recovery Information
    Key identifier: 42   Recovery Initiating Agent: kraagent   Recovery Approving Agents:
    Action
    Asynchronous Key Recovery: Grant

How to get Key Identifier from keyClient?

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From jmagne at redhat.com Wed Oct 21 20:31:28 2015
From: jmagne at redhat.com (John Magne)
Date: Wed, 21 Oct 2015 16:31:28 -0400 (EDT)
Subject: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
In-Reply-To:
References: <1402557714.72473498.1444843525742.JavaMail.zimbra@redhat.com> <2008701440.74172351.1444930775936.JavaMail.zimbra@redhat.com> <1082536815.75054274.1445018756714.JavaMail.zimbra@redhat.com>
Message-ID: <1695911540.78934846.1445459488473.JavaMail.zimbra@redhat.com>

Some info in your doc about renewal profiles:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html

----- Original Message -----
From: "Marcin Mierzejewski"
To: "John Magne"
Cc: "Dave Sirrine" , pki-users at redhat.com
Sent: Wednesday, October 21, 2015 8:37:59 AM
Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

I have a question that probably should be in a new thread but it's related with all this storing private keys in DRM.
How to handle certificate renewal?
In renewal requests for other profiles I found that the renewal request has a new public key which is different, that means the private key has been changed as well. After administrator approval of the renewal request, the DRM will store a not valid private key.
I have some ideas how to fix that, if you have any better please give me a hint.

solution A) In the renewal request put a crmf request generated by CRMFPopClient
solution B) revoke old certificate, create new one with same key pair and subject values (except notvalidafter date)

Or maybe is there an option to renew a certificate without changing keys? from some reading (http://security.stackexchange.com/questions/27810/should-i-change-the-private-key-when-renewing-a-certificate) probably SSL certificate renewals do not require that.

2015-10-16 20:05 GMT+02:00 John Magne :
> Hi:
>
> The CRMFPopClient generates the key pair on its own, it does not get it
> from the KRA.
> It uses the transport cert to essentially wrap the data for transit.
>
> And that private key gets sent to the kra.
>
> Also that line of code I believe is in some test driver program.
> It gets the same transport cert using some rest call.
>
>
> ----- Original Message -----
> > From: "Marcin Mierzejewski"
> > To: "John Magne"
> > Cc: "Dave Sirrine" , pki-users at redhat.com
> > Sent: Friday, October 16, 2015 5:03:48 AM
> > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA
> >
> > That helps a lot. It's actually working in CLI (now I'm figuring out how to
> > use this in application) but I don't understand one aspect of this.
> > CRMFPopClient generates RSA key pair and puts it in crmf request. Question
> > is how to get keypair for client without retrieving it from KRA? Could
> > CRMFPopClient be used with existing keypair?
> >
> > Transport.cert it is the same certificate that can be accessed with that line?
> > > > >>
> > > > >> Marcin
> > > > >>
> > > > >> _______________________________________________
> > > > >> Pki-users mailing list
> > > > >> Pki-users at redhat.com
> > > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > > >>
> > > > >
> > > >
> > >
> >
>

From marcinmierzejewski1024 at gmail.com Thu Oct 22 09:30:20 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Thu, 22 Oct 2015 11:30:20 +0200
Subject: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request
In-Reply-To: <101697374.78934175.1445459374128.JavaMail.zimbra@redhat.com>
References: <101697374.78934175.1445459374128.JavaMail.zimbra@redhat.com>
Message-ID:

that's even weirder because when I type:

    # pki -c pass -n "PKI Administrator for localdomain" key-find --start 0 --size 100

I get a list of all keys stored in DRM, but those keys which were not filled with keyUrl and keyId (when I list them with the java code from the first post) are on the list with keyId, but without status.

    ...
    Key ID: 0x2d
    Algorithm: 1.2.840.113549.1.1.1
    Size: 2048
    Owner: UID=cachebroker...

    Key ID: 0x2e
    Algorithm: 1.2.840.113549.1.1.1
    Size: 2048
    Owner: UID=cachebroker6...
    -----------------------------
    Number of entries returned 46

2015-10-21 22:29 GMT+02:00 John Magne :
> Try something like this:
>
> pki -d ./ -c Secret123 -n "PKI Administrator for localdomain" key-find
>
> This will list the keys and have the id like:
>
> Key ID: 0xe
> Client Key ID: UUID: 123-45-6789 RKEK Wed Sep 16 14:16:07 PDT 2015
> Status: active
> Owner: kraadmin
>
> Key ID: 0xf
> Client Key ID: Symmetric Key #1234f Wed Sep 16 14:16:08 PDT 2015
> Status: active
> Algorithm: AES
> Size: 128
> Owner: kraadmin
>
> Key ID: 0x10
> Client Key ID: UUID: 123-45-6789 VEK Wed Sep 16 14:16:08 PDT 2015
> Status: inactive
> Algorithm: AES
> Size: 128
> Owner: kraadmin
>
>
> ----- Original Message -----
> From: "Marcin Mierzejewski"
> To: pki-users at redhat.com
> Sent: Wednesday, October 21, 2015 2:57:40 AM
> Subject: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request
>
> after requesting a key recovery with:
>
> public RequestId requestRecoveryPrivateKey(KeyId keyID, String base64Certificate) throws Exception
> {
>     // trim header and footer from cert
>     if (base64Certificate.contains(CertData.HEADER)) {
>         base64Certificate = base64Certificate.substring(CertData.HEADER.length(),
>                 base64Certificate.indexOf(CertData.FOOTER));
>     }
>
>     log("Requesting X509 key recovery." + keyID);
>     KeyRequestResponse response = keyClient.recoverKey(keyID, null, null, null, base64Certificate);
>     RequestId requestId = response.getRequestId();
>     log("ask kra admins to approve request " + requestId);
>
>     KeyRequestInfo info = keyClient.getRequestInfo(requestId);
>     log("info about request to approve");
>     printRequestInfo(info);
>
>     return requestId;
> }
>
> when I try to find the request by keyId
>
> public List<KeyRequestInfo> findRecoveryRequest(KeyId keyid)
> {
>     // listRequests(String requestState, String requestType, String clientID,
>     //              RequestId start, Integer pageSize, Integer maxResults, Integer maxTime)
>     ArrayList<KeyRequestInfo> result = new ArrayList<KeyRequestInfo>();
>     KeyRequestInfoCollection requests = keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999);
>     for (KeyRequestInfo keyRequestInfo : requests.getEntries()) {
>         KeyId reqKeyId = keyRequestInfo.getKeyId();
>         printRequestInfo(keyRequestInfo);
>
>         log("req " + keyRequestInfo.getRequestId() + " " + reqKeyId + "==" + keyid);
>         if (keyid.equals(keyRequestInfo.getKeyId()))
>         {
>             result.add(keyRequestInfo);
>         }
>     }
>     log("found " + result.size() + " requests");
>     return result;
> }
>
> keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999);
> returns a collection with null KeyUrl so getKeyId also returns null
>
> but when I open requests with some null in KeyUrl in the agent
> (https://localhost.localdomain:8443/kra/agent/kra/processReq?op=processReq&seqNum=113)
> I get all the information I need:
>
> Request 113
> Request Status: pending   Type: recovery   Created on: 21/10/2015, 11:25:41
> Updated by: kraagent   Updated on: 21/10/2015, 11:25:41
> Recovery Information
> Key identifier: 42   Recovery Initiating Agent: kraagent   Recovery Approving Agents:
> Action
> Asynchronous Key Recovery: Grant
>
> How to get Key Identifier from keyClient?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From jmagne at redhat.com Thu Oct 22 17:39:08 2015
From: jmagne at redhat.com (John Magne)
Date: Thu, 22 Oct 2015 13:39:08 -0400 (EDT)
Subject: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request
In-Reply-To:
References: <101697374.78934175.1445459374128.JavaMail.zimbra@redhat.com>
Message-ID: <525809539.79945940.1445535548100.JavaMail.zimbra@redhat.com>

I think this is because the symmetric type keys have the status exposed in the rest interface but not for the RSA / asym type keys:

Take a look at this url, which will show the xml output of your keys:

https://localhost.localdomain:8443/kra/rest/agent/keys

Off the top of my head, I'm not sure if this was the original intent, thus it may be a bug.

----- Original Message -----
From: "Marcin Mierzejewski"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Thursday, 22 October, 2015 2:30:20 AM
Subject: Re: [Pki-users] Possible bug or at least weird behaviour while listing DRM recovery request

that's even weirder because when I type:

    # pki -c pass -n "PKI Administrator for localdomain" key-find --start 0 --size 100

I get a list of all keys stored in DRM, but those keys which were not filled with keyUrl and keyId (when I list them with the java code from the first post) are on the list with keyId, but without status.

    ...
    Key ID: 0x2d
    Algorithm: 1.2.840.113549.1.1.1
    Size: 2048
    Owner: UID=cachebroker...

    Key ID: 0x2e
    Algorithm: 1.2.840.113549.1.1.1
    Size: 2048
    Owner: UID=cachebroker6...
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From marcinmierzejewski1024 at gmail.com Fri Oct 23 15:34:45 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Fri, 23 Oct 2015 17:34:45 +0200
Subject: [Pki-users] Cannot revoke user certificate becouse of nonce
Message-ID:

I try to revoke a certificate from code and I get an exception with info about the nonce.

public void revokeAndApprove(int certificateId) {
    CertId certId = new CertId(certificateId);
    long nonce = new Random().nextLong();
    CertRevokeRequest revokeRequest = new CertRevokeRequest();
    revokeRequest.setReason(RevocationReason.KEY_COMPROMISE);
    revokeRequest.setComments("user request revoke");
    revokeRequest.setNonce(nonce);
    CertRequestInfo revokeInfo = certClient.revokeCert(certId, revokeRequest); // here comes an exception
    CertReviewResponse reviewData = certClient.reviewRequest(revokeInfo.getRequestId());
    reviewData.setNonce("" + nonce);
    log(reviewData.toString());
    reviewData.setRequestNotes("revoke approved");
    certClient.approveRequest(reviewData.getRequestId(), reviewData);
}

when I use this I get an exception on the line certClient.revokeCert(...):

com.netscape.certsrv.base.BadRequestException: Nonce for cert-revoke 64 does not exist.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
    at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
    at com.company.CAManager.revokeAndApprove(CAManager.java:186)

and a few other options I've tried:

1. Long nonce = transportCert.getNonce(); // null

2. Long nonce = certClient.getCert(certId).getNonce(); // also null

putting null into setNonce, or not setting it at all, gives me:

com.netscape.certsrv.base.BadRequestException: Missing nonce.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
    at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
    at com.company.CAManager.revokeAndApprove(CAManager.java:187)
    at com.company.Main.main(Main.java:21)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)

I checked the browser form from the end-user entity and the nonce value looks like this: "certId:someLongRandomNumber"
Am I not understanding the usage of the nonce, or is something in my code wrong?

From jmagne at redhat.com Fri Oct 23 17:49:36 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 23 Oct 2015 13:49:36 -0400 (EDT)
Subject: [Pki-users] Cannot revoke user certificate becouse of nonce
In-Reply-To:
References:
Message-ID: <2098476289.81227823.1445622576369.JavaMail.zimbra@redhat.com>

See CertHoldCLI.java

Which has an example of doing what you are trying to do.

----- Original Message -----
From: "Marcin Mierzejewski"
To: pki-users at redhat.com, pki-devel at redhat.com
Sent: Friday, October 23, 2015 8:34:45 AM
Subject: [Pki-users] Cannot revoke user certificate becouse of nonce

I try to revoke a certificate from code and I get an exception with info about the nonce.

public void revokeAndApprove(int certificateId) {
    CertId certId = new CertId(certificateId);
    long nonce = new Random().nextLong();
    CertRevokeRequest revokeRequest = new CertRevokeRequest();
    revokeRequest.setReason(RevocationReason.KEY_COMPROMISE);
    revokeRequest.setComments("user request revoke");
    revokeRequest.setNonce(nonce);
    CertRequestInfo revokeInfo = certClient.revokeCert(certId, revokeRequest); // here comes an exception
    CertReviewResponse reviewData = certClient.reviewRequest(revokeInfo.getRequestId());
    reviewData.setNonce("" + nonce);
    log(reviewData.toString());
    reviewData.setRequestNotes("revoke approved");
    certClient.approveRequest(reviewData.getRequestId(), reviewData);
}

when I use this I get an exception on the line certClient.revokeCert(...):

com.netscape.certsrv.base.BadRequestException: Nonce for cert-revoke 64 does not exist.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
    at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
    at com.company.CAManager.revokeAndApprove(CAManager.java:186)

and a few other options I've tried:

1. Long nonce = transportCert.getNonce(); // null

2. Long nonce = certClient.getCert(certId).getNonce(); // also null

putting null into setNonce, or not setting it at all, gives me:

com.netscape.certsrv.base.BadRequestException: Missing nonce.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
    at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
    at com.company.CAManager.revokeAndApprove(CAManager.java:187)
    at com.company.Main.main(Main.java:21)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)

I checked the browser form from the end-user entity and the nonce value looks like this: "certId:someLongRandomNumber"
Am I not understanding the usage of the nonce, or is something in my code wrong?
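Added editorial example, not code from this thread and not from the pki tree: the revoke sequence that CertHoldCLI.java follows, written against the client classes used in the message above (CertClient, CertData, CertRevokeRequest, CertId, RequestStatus). The point it shows is that the nonce is issued by the CA, not chosen by the caller: the CA generates it when an agent calls reviewCert() for a serial number, stores it server-side, and requires the same value back in revokeCert(), which ties the revoke to a review the same authenticated agent just performed and defeats forged or replayed revoke requests. A value from new Random().nextLong() can therefore never match ("Nonce for cert-revoke 64 does not exist"), a null nonce is rejected outright ("Missing nonce"), and getCert() is not the review call and returns none. The package names are those of the pki 10.x tree of that period and the "agent revokes complete immediately" check are assumptions of mine; the class name CertRevoker is invented.

```java
import com.netscape.certsrv.cert.CertClient;
import com.netscape.certsrv.cert.CertData;
import com.netscape.certsrv.cert.CertRequestInfo;
import com.netscape.certsrv.cert.CertRevokeRequest;
import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.request.RequestStatus;

import netscape.security.x509.RevocationReason;

/**
 * Agent-side revocation with the CA-issued nonce, in the order CertHoldCLI uses.
 *
 * The nonce is not a client-chosen random number. The CA generates it when an
 * agent calls reviewCert() for a serial number, remembers it server-side for
 * that serial, and requires the same value back in revokeCert(). That ties the
 * revoke to a review the same authenticated agent just performed, so a forged
 * or replayed revoke request cannot succeed. Hence the two errors in the thread:
 *   "Nonce for cert-revoke 64 does not exist"  - a value the CA never issued
 *   "Missing nonce"                            - no value at all
 */
public class CertRevoker {

    private final CertClient certClient;   // already authenticated as a CA agent

    public CertRevoker(CertClient certClient) {
        this.certClient = certClient;
    }

    /**
     * Review first, then revoke with the nonce the review returned.
     * The server raises BadRequestException if the nonce is absent or unknown.
     */
    public CertRequestInfo revoke(CertId certId, RevocationReason reason, String comment) throws Exception {
        // Step 1: the agent review response carries the freshly issued nonce.
        CertData certData = certClient.reviewCert(certId);
        Long nonce = certData.getNonce();
        if (nonce == null) {
            // No nonce means the call did not reach the agent interface
            // (wrong client certificate or a non-agent client); fail loudly
            // instead of sending a revoke that the CA will reject anyway.
            throw new IllegalStateException("no nonce returned for " + certId
                    + "; is the client authenticated as an agent?");
        }

        // Step 2: echo the CA's nonce in the revoke request.
        CertRevokeRequest request = new CertRevokeRequest();
        request.setReason(reason);
        request.setComments(comment);
        request.setNonce(nonce);
        return certClient.revokeCert(certId, request);
    }

    /** The thread's use case: revoke a user certificate for key compromise. */
    public RequestId revokeForKeyCompromise(int serialNumber, String comment) throws Exception {
        CertRequestInfo info = revoke(new CertId(serialNumber), RevocationReason.KEY_COMPROMISE, comment);
        // Assumption: an agent revoke is processed immediately and comes back
        // COMPLETE; only a request left pending would need the separate
        // reviewRequest()/approveRequest() step from the original code.
        if (!RequestStatus.COMPLETE.equals(info.getRequestStatus())) {
            System.err.println("revocation request " + info.getRequestId()
                    + " is " + info.getRequestStatus() + ", not complete");
        }
        return info.getRequestId();
    }
}
```

Because the nonce is bound to the agent that reviewed the certificate, the reviewCert() and revokeCert() calls must go through the same CertClient (same client certificate and session); obtaining a nonce in one client and spending it from another is exactly what the check is there to stop.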
From marcinmierzejewski1024 at gmail.com Sat Oct 24 07:38:43 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Sat, 24 Oct 2015 09:38:43 +0200
Subject: [Pki-users] Cannot revoke user certificate becouse of nonce
In-Reply-To: <2098476289.81227823.1445622576369.JavaMail.zimbra@redhat.com>
References: <2098476289.81227823.1445622576369.JavaMail.zimbra@redhat.com>
Message-ID:

The problem was using certClient.getCert() instead of certClient.reviewCert(). What is the difference between those methods, and when should I use the first and when the second? I checked the javadoc, nothing found.

2015-10-23 19:49 GMT+02:00 John Magne :
> See CertHoldCLI.java
>
> Which has an example of doing what you are trying to do.
>
> ----- Original Message -----
> From: "Marcin Mierzejewski"
> To: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Friday, October 23, 2015 8:34:45 AM
> Subject: [Pki-users] Cannot revoke user certificate becouse of nonce
>
> I try to revoke a certificate from code and I get an exception with info about the nonce.
>
> public void revokeAndApprove(int certificateId) {
>     CertId certId = new CertId(certificateId);
>     long nonce = new Random().nextLong();
>     CertRevokeRequest revokeRequest = new CertRevokeRequest();
>     revokeRequest.setReason(RevocationReason.KEY_COMPROMISE);
>     revokeRequest.setComments("user request revoke");
>     revokeRequest.setNonce(nonce);
>     CertRequestInfo revokeInfo = certClient.revokeCert(certId, revokeRequest); // here comes an exception
>     CertReviewResponse reviewData = certClient.reviewRequest(revokeInfo.getRequestId());
>     reviewData.setNonce("" + nonce);
>     log(reviewData.toString());
>     reviewData.setRequestNotes("revoke approved");
>     certClient.approveRequest(reviewData.getRequestId(), reviewData);
> }
>
> when I use this I get an exception on the line certClient.revokeCert(...):
>
> com.netscape.certsrv.base.BadRequestException: Nonce for cert-revoke 64 does not exist.
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
>     at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
>     at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
>     at com.company.CAManager.revokeAndApprove(CAManager.java:186)
>
> and a few other options I've tried:
>
> 1. Long nonce = transportCert.getNonce(); // null
>
> 2. Long nonce = certClient.getCert(certId).getNonce(); // also null
>
> putting null into setNonce, or not setting it at all, gives me:
>
> com.netscape.certsrv.base.BadRequestException: Missing nonce.
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
>     at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
>     at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
>     at com.company.CAManager.revokeAndApprove(CAManager.java:187)
>     at com.company.Main.main(Main.java:21)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
>
> I checked the browser form from the end-user entity and the nonce value looks like this: "certId:someLongRandomNumber"
> Am I not understanding the usage of the nonce, or is something in my code wrong?
>

From marcinmierzejewski1024 at gmail.com Sat Oct 24 17:49:15 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Sat, 24 Oct 2015 19:49:15 +0200
Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
Message-ID:

After creating a certificate in the application I have to return the certificate with its private key. That file could be in .p12 format, am I right? Can I find an example of creating that file in the existing code?
There is a PKCS12Export command line tool, but it probably works with existing credentials in the NSS database. Eventually I can take the code from PKCS12Export and make addKeyBag() and a few other methods public. OK, so I have the first part.
And the second part: is the .der file the same as certificate.getEncoded()? If yes, that's already done ^^

From jmagne at redhat.com Mon Oct 26 17:20:35 2015
From: jmagne at redhat.com (John Magne)
Date: Mon, 26 Oct 2015 13:20:35 -0400 (EDT)
Subject: [Pki-users] Cannot revoke user certificate becouse of nonce
In-Reply-To:
References: <2098476289.81227823.1445622576369.JavaMail.zimbra@redhat.com>
Message-ID: <1671729674.83214932.1445880035108.JavaMail.zimbra@redhat.com>

Looks like "reviewCert" sets off a chain of events that includes the nonce in the return data. For some reason getCert does no such thing.

----- Original Message -----
From: "Marcin Mierzejewski"
To: "John Magne"
Cc: pki-users at redhat.com, pki-devel at redhat.com
Sent: Saturday, October 24, 2015 12:38:43 AM
Subject: Re: [Pki-users] Cannot revoke user certificate becouse of nonce

The problem was using certClient.getCert() instead of certClient.reviewCert(). What is the difference between those methods, and when should I use the first and when the second? I checked the javadoc, nothing found.

2015-10-23 19:49 GMT+02:00 John Magne :
> See CertHoldCLI.java
>
> Which has an example of doing what you are trying to do.
>
> ----- Original Message -----
> From: "Marcin Mierzejewski"
> To: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Friday, October 23, 2015 8:34:45 AM
> Subject: [Pki-users] Cannot revoke user certificate becouse of nonce
>
> I try to revoke a certificate from code and I get an exception with info about the nonce.
>
> public void revokeAndApprove(int certificateId) {
>     CertId certId = new CertId(certificateId);
>     long nonce = new Random().nextLong();
>     CertRevokeRequest revokeRequest = new CertRevokeRequest();
>     revokeRequest.setReason(RevocationReason.KEY_COMPROMISE);
>     revokeRequest.setComments("user request revoke");
>     revokeRequest.setNonce(nonce);
>     CertRequestInfo revokeInfo = certClient.revokeCert(certId, revokeRequest); // here comes an exception
>     CertReviewResponse reviewData = certClient.reviewRequest(revokeInfo.getRequestId());
>     reviewData.setNonce("" + nonce);
>     log(reviewData.toString());
>     reviewData.setRequestNotes("revoke approved");
>     certClient.approveRequest(reviewData.getRequestId(), reviewData);
> }
>
> when I use this I get an exception on the line certClient.revokeCert(...):
>
> com.netscape.certsrv.base.BadRequestException: Nonce for cert-revoke 64 does not exist.
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
>     at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
>     at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
>     at com.company.CAManager.revokeAndApprove(CAManager.java:186)
>
> and a few other options I've tried:
>
> 1. Long nonce = transportCert.getNonce(); // null
>
> 2. Long nonce = certClient.getCert(certId).getNonce(); // also null
>
> putting null into setNonce, or not setting it at all, gives me:
>
> com.netscape.certsrv.base.BadRequestException: Missing nonce.
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
>     at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
>     at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
>     at com.company.CAManager.revokeAndApprove(CAManager.java:187)
>     at com.company.Main.main(Main.java:21)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
>
> I checked the browser form from the end-user entity and the nonce value looks like this: "certId:someLongRandomNumber"
> Am I not understanding the usage of the nonce, or is something in my code wrong?
>

From jmagne at redhat.com Mon Oct 26 17:21:28 2015
From: jmagne at redhat.com (John Magne)
Date: Mon, 26 Oct 2015 13:21:28 -0400 (EDT)
Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
In-Reply-To:
References:
Message-ID: <1559902998.83215709.1445880088701.JavaMail.zimbra@redhat.com>

Take a look in the KRA code, which does this when recovering keys back to the user.
----- Original Message -----
From: "Marcin Mierzejewski"
To: pki-users at redhat.com
Sent: Saturday, October 24, 2015 10:49:15 AM
Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)

After creating a certificate in the application I have to return the certificate with its private key. That file could be in .p12 format, am I right? Can I find an example of creating that file in the existing code?
There is a PKCS12Export command line tool, but it probably works with existing credentials in the NSS database. Eventually I can take the code from PKCS12Export and make addKeyBag() and a few other methods public. OK, so I have the first part.
And the second part: is the .der file the same as certificate.getEncoded()? If yes, that's already done ^^

From marcinmierzejewski1024 at gmail.com Mon Oct 26 17:40:53 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Mon, 26 Oct 2015 18:40:53 +0100
Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
In-Reply-To: <1559902998.83215709.1445880088701.JavaMail.zimbra@redhat.com>
References: <1559902998.83215709.1445880088701.JavaMail.zimbra@redhat.com>
Message-ID:

All I found in KraClient is a KeyClient, whose role in the retrieval process is limited to returning some generic "Key" object. I would love some "find usages" that works across a group of jars to find out where that recovering is done.
In the meantime I refactored PKCS12Export to get that working, but probably it could be done better. Now, what is the problem: how to change the "Key" object into some object that implements org.mozilla.PrivateKey? I checked all the PrivateKey classes and none of them had a public constructor or builder taking raw data (byte[]), and the Mozilla JSS documentation sucks.

2015-10-26 18:21 GMT+01:00 John Magne :
> Take a look in the KRA code, which does this when recovering keys back to the user.
>
> ----- Original Message -----
> From: "Marcin Mierzejewski"
> To: pki-users at redhat.com
> Sent: Saturday, October 24, 2015 10:49:15 AM
> Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
>
> After creating a certificate in the application I have to return the certificate with its private key. That file could be in .p12 format, am I right? Can I find an example of creating that file in the existing code?
> There is a PKCS12Export command line tool, but it probably works with existing credentials in the NSS database. Eventually I can take the code from PKCS12Export and make addKeyBag() and a few other methods public. OK, so I have the first part.
> And the second part: is the .der file the same as certificate.getEncoded()? If yes, that's already done ^^
>

From jmagne at redhat.com Mon Oct 26 21:02:17 2015
From: jmagne at redhat.com (John Magne)
Date: Mon, 26 Oct 2015 17:02:17 -0400 (EDT)
Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
In-Reply-To:
References: <1559902998.83215709.1445880088701.JavaMail.zimbra@redhat.com>
Message-ID: <1968740362.83805231.1445893337159.JavaMail.zimbra@redhat.com>

Look in RecoveryService.java, method something like createPFX, if you still want to pursue that angle.
As for the PrivateKey object I will have to look around to refresh my memory, but have you tried casting?

----- Original Message -----
> From: "Marcin Mierzejewski"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Monday, 26 October, 2015 10:40:53 AM
> Subject: Re: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
>
> All I found in KraClient is a KeyClient, whose role in the retrieval process is limited to returning some generic "Key" object. I would love some "find usages" that works across a group of jars to find out where that recovering is done.
> In the meantime I refactored PKCS12Export to get that working, but probably it could be done better. Now, what is the problem: how to change the "Key" object into some object that implements org.mozilla.PrivateKey? I checked all the PrivateKey classes and none of them had a public constructor or builder taking raw data (byte[]), and the Mozilla JSS documentation sucks.
>
> 2015-10-26 18:21 GMT+01:00 John Magne :
> > Take a look in the KRA code, which does this when recovering keys back to the user.
> >
> > ----- Original Message -----
> > From: "Marcin Mierzejewski"
> > To: pki-users at redhat.com
> > Sent: Saturday, October 24, 2015 10:49:15 AM
> > Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
> >
> > After creating a certificate in the application I have to return the certificate with its private key. That file could be in .p12 format, am I right? Can I find an example of creating that file in the existing code?
> > There is a PKCS12Export command line tool, but it probably works with existing credentials in the NSS database. Eventually I can take the code from PKCS12Export and make addKeyBag() and a few other methods public. OK, so I have the first part.
> > And the second part: is the .der file the same as certificate.getEncoded()? If yes, that's already done ^^
> >

From marcinmierzejewski1024 at gmail.com Mon Oct 26 21:13:12 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Mon, 26 Oct 2015 22:13:12 +0100
Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
In-Reply-To: <1968740362.83805231.1445893337159.JavaMail.zimbra@redhat.com>
References: <1559902998.83215709.1445880088701.JavaMail.zimbra@redhat.com> <1968740362.83805231.1445893337159.JavaMail.zimbra@redhat.com>
Message-ID:

Yup, I tried casting, but those two are from different packages. Key is from Dogtag and PrivateKey is from Mozilla.
Anyway, I found a solution using the PKCS#11 crypto token from JSS and getBytes from the Key object (I don't have access to the code and don't remember the method name).

Really appreciate your help John

On Monday, 26 October 2015, John Magne wrote:
> Look in RecoveryService.java, method something like createPFX, if you still want to pursue that angle.
> As for the PrivateKey object I will have to look around to refresh my memory, but have you tried casting?
>
> ----- Original Message -----
> > From: "Marcin Mierzejewski"
> > To: "John Magne"
> > Cc: pki-users at redhat.com
> > Sent: Monday, 26 October, 2015 10:40:53 AM
> > Subject: Re: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
> >
> > All I found in KraClient is a KeyClient, whose role in the retrieval process is limited to returning some generic "Key" object. I would love some "find usages" that works across a group of jars to find out where that recovering is done.
> > In the meantime I refactored PKCS12Export to get that working, but probably it could be done better. Now, what is the problem: how to change the "Key" object into some object that implements org.mozilla.PrivateKey? I checked all the PrivateKey classes and none of them had a public constructor or builder taking raw data (byte[]), and the Mozilla JSS documentation sucks.
> >
> > 2015-10-26 18:21 GMT+01:00 John Magne :
> > > Take a look in the KRA code, which does this when recovering keys back to the user.
> > >
> > > ----- Original Message -----
> > > From: "Marcin Mierzejewski"
> > > To: pki-users at redhat.com
> > > Sent: Saturday, October 24, 2015 10:49:15 AM
> > > Subject: [Pki-users] Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
> > >
> > > After creating a certificate in the application I have to return the certificate with its private key. That file could be in .p12 format, am I right? Can I find an example of creating that file in the existing code?
> > > There is a PKCS12Export command line tool, but it probably works with existing credentials in the NSS database. Eventually I can take the code from PKCS12Export and make addKeyBag() and a few other methods public. OK, so I have the first part.
> > > And the second part: is the .der file the same as certificate.getEncoded()? If yes, that's already done ^^
> > >
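Added editorial example, not from this thread and not from the pki code base: the two files asked for in the thread above (.der and .p12), built with plain JDK classes (CertificateFactory, KeyStore of type PKCS12, Signature) from the PEM or base64 string that CertData.getEncoded() returns plus a java.security.PrivateKey the caller already holds. Converting Dogtag's Key object into a PrivateKey, the open question in the thread, is deliberately left to the caller (Marcin's route was the JSS PKCS#11 token). The class name UserCredentialExport, the key alias "user", the fixed challenge string and the RSA/EC-only signature check are my choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Produces the two files discussed in the thread from a certificate fetched
 * from the CA and a private key the caller already holds:
 *   .der  - the bare DER certificate, which is exactly X509Certificate.getEncoded()
 *   .p12  - PKCS#12 with the private key and its certificate chain
 * Only JDK APIs are used; turning a Dogtag "Key" into a java.security.PrivateKey
 * is the caller's job (the thread used the JSS PKCS#11 token for that).
 */
public final class UserCredentialExport {

    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END = "-----END CERTIFICATE-----";

    /**
     * Parse what the CA hands back in CertData.getEncoded(): PEM with header
     * and footer, or bare base64 if the caller already stripped them (as the
     * recoverKey() code in this thread does).
     */
    public static X509Certificate parseCert(String encoded) throws Exception {
        String b64 = encoded.replace(PEM_BEGIN, "").replace(PEM_END, "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Contents of the .der file: the DER encoding and nothing else. */
    public static byte[] toDer(X509Certificate cert) throws Exception {
        return cert.getEncoded();
    }

    /**
     * Contents of the .p12 file. chain[0] must be the end-entity certificate;
     * append the issuing CA certificate(s) so the importing client can build
     * the path. The password protects the key bag and the file's integrity MAC,
     * so it has to reach the user over a channel other than the file itself.
     */
    public static byte[] toPkcs12(PrivateKey key, X509Certificate[] chain, char[] password) throws Exception {
        if (!keyMatchesCert(key, chain[0])) {
            // Refuse to ship a file that pairs a key with someone else's certificate.
            throw new IllegalArgumentException("private key does not match chain[0]");
        }
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);                        // start from an empty store
        p12.setKeyEntry("user", key, password, chain);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        p12.store(out, password);
        return out.toByteArray();
    }

    /**
     * Sign a fixed challenge with the private key and verify it with the
     * certificate's public key: a cheap proof that the two belong together
     * before the file is handed out. Assumes an RSA or EC key.
     */
    public static boolean keyMatchesCert(PrivateKey key, X509Certificate cert) throws Exception {
        byte[] challenge = "pkcs12-export-check".getBytes(StandardCharsets.US_ASCII);
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        Signature signer = Signature.getInstance(alg);
        signer.initSign(key);
        signer.update(challenge);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(challenge);
        return verifier.verify(sig);
    }
}
```

For the renewal case raised later in the thread, where the key pair is unchanged and only the certificate is new, keyMatchesCert() returns true for the old key and the renewed certificate, so the same routine can rebuild the .p12 with the new chain[0] without touching the key.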
From marcinmierzejewski1024 at gmail.com Tue Oct 27 09:27:49 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Tue, 27 Oct 2015 10:27:49 +0100
Subject: [Pki-users] Creating recovery privatekey(asymetric key) in DRM
Message-ID:

Which certificate should be given for the last argument of this function from KeyClient.java?

public KeyRequestResponse recoverKey(KeyId keyId,
        byte[] sessionWrappedPassphrase,
        byte[] transWrappedSessionKey,
        byte[] nonceData,
        java.lang.String b64Certificate)

a. Transport cert
b. Cert of the subject the key belongs to
c. Cert of the agent who is actually logged in via CryptoManager
d. Cert of the person who should be able to retrieve this key
?

And another question: can the user add some message for the KRA agents with this request?

From marcinmierzejewski1024 at gmail.com Tue Oct 27 11:20:49 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Tue, 27 Oct 2015 12:20:49 +0100
Subject: [Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possesion
Message-ID:

I'm trying to generate a new .p12 file for a renewed certificate, because the old version of the p12 file after that renewal has the private key linked to a certificate which is not the latest one (however the keypair and all subject data are the same).
What is my idea?
- create "caManualRenewal" enrollment
- read crmf from enrollment
- get private key from crmf
- approve renewal request
- return new p12 file with new cert and this privkey to user

Is it even possible to do something like this? Does it make sense to recreate that file, or can the user use the old p12 file even after renewal?
From jmagne at redhat.com Tue Oct 27 17:27:21 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 27 Oct 2015 13:27:21 -0400 (EDT)
Subject: [Pki-users] Creating recovery privatekey(asymetric key) in DRM
In-Reply-To:
References:
Message-ID: <812969610.84496643.1445966841254.JavaMail.zimbra@redhat.com>

This is the cert for which the key is associated.

See DRMTest.java for a sample, if desired.

Your request for a message is probably something for a future version.

----- Original Message -----
From: "Marcin Mierzejewski"
To: pki-users at redhat.com
Sent: Tuesday, October 27, 2015 2:27:49 AM
Subject: [Pki-users] Creating recovery privatekey(asymetric key) in DRM

Which certificate should be given for the last argument of this function from KeyClient.java?

public KeyRequestResponse recoverKey(KeyId keyId,
        byte[] sessionWrappedPassphrase,
        byte[] transWrappedSessionKey,
        byte[] nonceData,
        java.lang.String b64Certificate)

a. Transport cert
b. Cert of the subject the key belongs to
c. Cert of the agent who is actually logged in via CryptoManager
d. Cert of the person who should be able to retrieve this key
?

And another question: can the user add some message for the KRA agents with this request?

From jmagne at redhat.com Tue Oct 27 17:30:40 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 27 Oct 2015 13:30:40 -0400 (EDT)
Subject: [Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possesion
In-Reply-To:
References:
Message-ID: <1486306529.84498560.1445967040656.JavaMail.zimbra@redhat.com>

Hopefully someone might know this one off the top of their head. I am spacing on this now.
----- Original Message -----
From: "Marcin Mierzejewski"
To: pki-users at redhat.com
Sent: Tuesday, October 27, 2015 4:20:49 AM
Subject: [Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possesion

I'm trying to generate a new .p12 file for a renewed certificate, because the old version of the p12 file after that renewal has the private key linked to a certificate which is not the latest one (however the keypair and all subject data are the same).
What is my idea?
- create "caManualRenewal" enrollment
- read crmf from enrollment
- get private key from crmf
- approve renewal request
- return new p12 file with new cert and this privkey to user

Is it even possible to do something like this? Does it make sense to recreate that file, or can the user use the old p12 file even after renewal?

From cfu at redhat.com Wed Oct 28 00:12:45 2015
From: cfu at redhat.com (Christina Fu)
Date: Tue, 27 Oct 2015 17:12:45 -0700
Subject: [Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possesion
In-Reply-To:
References:
Message-ID: <563012FD.2060100@redhat.com>

I read and reread your email a few times but am still not sure why you want the CA to be responsible for giving you the p12, especially since the CA has no idea what password was used for enveloping. And why does the user need the private key if the user is supposed to already have the private key? The KRA does allow you to recover keys if you lost your keys, but it requires agent approval.

Could the user not just get the renewed cert, import it into the NSS db, and then export the cert and its keys into a p12 themselves? Why use an old p12?
Christina

From Florian.Supper at s-itsolutions.at Wed Oct 28 08:41:39 2015
From: Florian.Supper at s-itsolutions.at (Supper Florian OSS sIT)
Date: Wed, 28 Oct 2015 08:41:39 +0000
Subject: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9
References: <1420055027.75070168.1445021024438.JavaMail.zimbra@redhat.com>

Dear John,

thanks for the reply. Is there a way to use different profiles for enrollment? I tried to duplicate the default CMC profile and all entries belonging to this profile (web.xml). If I start a request with HttpClient I get an Authentication error. Here is my config:
# /var/lib/pki-test/profiles/ca/caFullCMCWebCert.cfg
--------------------------------------------------
desc=Bla bla
enable=true
enableBy=admin
name=Signed CMC-Authenticated Webserver Certificate Enrollment
visible=true
auth.instance_id=CMCAuth
input.list=i1,i2
input.i1.class_id=cmcCertReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=cmcWebserverCertSet
--------------------------------------------------

# /etc/pki-test/CS.conf
--------------------------------------------------
profile.caFullCMCWebCert.class_id=caEnrollImpl
profile.caFullCMCWebCert.config=/var/lib/pki-test/profiles/ca/caFullCMCWebCert.cfg
--------------------------------------------------

# web.xml
--------------------------------------------------
<servlet-mapping>
  <servlet-name>caProfileSubmitCMCWeb</servlet-name>
  <url-pattern>/ee/ca/profileSubmitCMCWeb</url-pattern>
</servlet-mapping>
<servlet>
  <servlet-name>caProfileSubmitCMCWeb</servlet-name>
  <servlet-class>com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet</servlet-class>
  <init-param><param-name>GetClientCert</param-name><param-value>false</param-value></init-param>
  <init-param><param-name>cert_request_type</param-name><param-value>cmc</param-value></init-param>
  <init-param><param-name>profileId</param-name><param-value>caFullCMCWebCert</param-value></init-param>
  <init-param><param-name>AuthzMgr</param-name><param-value>BasicAclAuthz</param-value></init-param>
  <init-param><param-name>authorityId</param-name><param-value>ca</param-value></init-param>
  <init-param><param-name>ID</param-name><param-value>caProfileSubmitCMCWeb</param-value></init-param>
  <init-param><param-name>templatePath</param-name><param-value>/ee/ca/ProfileSubmit.template</param-value></init-param>
  <init-param><param-name>resourceID</param-name><param-value>certServer.ee.profile</param-value></init-param>
  <init-param><param-name>interface</param-name><param-value>ee</param-value></init-param>
</servlet>
--------------------------------------------------

Any ideas?

Thanks
Br
Florian

-----Original Message-----
From: John Magne [mailto:jmagne at redhat.com]
Sent: Friday, 16 October 2015 20:44
To: Supper Florian OSS sIT
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9

I'm assuming you are using HttpClient to send the CMC requests.

Looking around, it appears that the caProfileSubmitCMCFull servlet's config has a profileID field. So you COULD create a new profile based on mods to the caFullCMCUserCert profile and set it in the web.xml. Unless of course you need to send individual requests to different profiles; then this would not help.
----- Original Message -----
From: "Supper Florian OSS sIT"
To: pki-users at redhat.com
Sent: Friday, October 16, 2015 1:38:06 AM
Subject: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9

Hi,

1) I'm searching for a better solution to automate our enrollment process. We're using Dogtag 9. We would like to use 10, but some features we need are not implemented at the moment. At the moment we're using CMC requests for enrollment. It works pretty well, but the problem is that you can only use one profile for this type of enrollment. So I tried to find a better solution, but I can't find one. At the moment I'm playing around with browser automation, but no luck till now. Has anyone a better solution (for Dogtag 9) to enroll certificates with different profiles?

2) Has anyone a valid link for downloading the Windows auto enrollment proxy exe file?

Br
Florian

From marcinmierzejewski1024 at gmail.com Wed Oct 28 16:53:23 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Wed, 28 Oct 2015 17:53:23 +0100
Subject: [Pki-users] CRMF aka CMP format reader or how to get private key from CRMF with proof of possession
In-Reply-To: <563012FD.2060100@redhat.com>
References: <563012FD.2060100@redhat.com>

Hi Christina

> I read and reread your email a few times but am still not sure why you want
> the CA to be responsible for giving you the p12, especially the CA has no
> idea what password was used for enveloping

The envelope password may be empty, or defined by the user in the renewal request to my application.

> Could the user not just get the renewed cert, import it into the nss db,
> and then export the cert and its keys into a p12 themselves? Why use an
> old p12?

My users can't do that kind of thing, like repacking the private key to a new certificate.
They just want the new private key without asking for it from the KRA and waiting for approval.
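The disagreement in this thread comes down to what a CRMF request actually carries. As an added illustration (not Dogtag code; the request bytes are constructed here with a small DER encoder rather than captured from an enrollment, and der/tlvs/build_crmf/inspect_crmf are names chosen for this example), the code below builds a CertReqMsg with the pkiArchiveOptions control that archival-capable CRMF clients add, then walks it the way a CA would: the private key is present only as ciphertext under a session key that is itself wrapped for the KRA transport certificate, so the CA has nothing it could put into a p12, and recovery has to go through the KRA with agent approval.

```python
ID_REGCTRL_PKIARCHIVEOPTIONS = bytes.fromhex("2b0601050507050104")  # id-regCtrl-pkiArchiveOptions, 1.3.6.1.5.5.7.5.1.4
SAMPLE_WRAPPED_SESSION_KEY = bytes(range(256))      # constructed: session key, RSA-wrapped to the KRA transport cert
SAMPLE_WRAPPED_PRIVATE_KEY = bytes(range(200)) * 6  # constructed: private key, wrapped under that session key


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; definite lengths up to 65535 are all this needs."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    return (bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])) + body


def tlvs(buf: bytes):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low bits give the byte count
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n


def build_crmf(wrapped_session_key: bytes, wrapped_private_key: bytes) -> bytes:
    """CertReqMsg whose CertRequest carries a pkiArchiveOptions.encryptedPrivKey control."""
    cert_template = der(0x30, der(0xA5, der(0x30, b"")))  # CertTemplate with an empty [5] subject
    encrypted_value = der(0x30,  # EncryptedValue (the CRMF module uses IMPLICIT tags)
                          der(0x82, b"\x00" + wrapped_session_key)   # encSymmKey [2] BIT STRING
                          + der(0x03, b"\x00" + wrapped_private_key))  # encValue BIT STRING
    archive_options = der(0xA0, encrypted_value)  # PKIArchiveOptions.encryptedPrivKey [0] (EXPLICIT: it tags a CHOICE)
    control = der(0x30, der(0x06, ID_REGCTRL_PKIARCHIVEOPTIONS) + archive_options)
    cert_request = der(0x30, der(0x02, b"\x01") + cert_template + der(0x30, control))
    return der(0x30, cert_request)  # CertReqMsg; popo and regInfo omitted


def inspect_crmf(crmf: bytes) -> dict:
    """What the CA can learn about the key from the archive control: ciphertext sizes only."""
    (_, cert_req_msg), = tlvs(crmf)
    (_, cert_request), *_ = tlvs(cert_req_msg)
    fields = list(tlvs(cert_request))  # certReqId, certTemplate, optional controls
    seen = {"archival_requested": False, "wrapped_session_key_len": 0, "wrapped_private_key_len": 0}
    for _, control in tlvs(fields[2][1] if len(fields) > 2 else b""):
        (otag, oid), (vtag, value) = tlvs(control)
        if otag == 0x06 and oid == ID_REGCTRL_PKIARCHIVEOPTIONS and vtag == 0xA0:
            seen["archival_requested"] = True
            for tag, val in tlvs(next(tlvs(value))[1]):  # walk the EncryptedValue fields
                if tag in (0x82, 0x03):  # encSymmKey / encValue; drop the unused-bits byte
                    seen["wrapped_session_key_len" if tag == 0x82 else "wrapped_private_key_len"] = len(val) - 1
    return seen
```

A request without the control (a plain renewal) reports archival_requested False and both lengths 0; with it, the only key material visible to the CA is the two wrapped blobs.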
From janina777kg at o2.pl Thu Oct 29 09:32:35 2015
From: janina777kg at o2.pl (janina777kg)
Date: Thu, 29 Oct 2015 10:32:35 +0100
Subject: [Pki-users] Is secret sharing used in DRM to store keys?
Message-ID: <3bc72903.3918c178.5631e7b3.c10c0@o2.pl>

I am wondering what the usage of secret sharing in Dogtag is. I found that key restore operations may be approved by a few admins/agents (found that option in pki-console for /kra). It's no secret what algorithm is used to share this secret to encode keys in DRM? Is secret sharing used in DRM to store keys?

From pascal.jakobi at gmail.com Fri Oct 30 22:09:20 2015
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Fri, 30 Oct 2015 23:09:20 +0100
Subject: [Pki-users] X.509 preauth
Message-ID: <5633EA90.4040308@gmail.com>

Hi there

I am trying to run pkinit/X.509 with the standard MIT rpms delivered on CentOS/Fedora/RHEL. I have created the certificates with OpenSSL, everything looks fine - I have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and the corresponding KDC cert and CA cert have been checked. I also modified the principal with kadmin: "modprinc +requires_preauth toto".

I run kinit for the "toto" principal with KRB5_TRACE set. I can see that the KDC sends the following to the client:

    [6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133

PA-PK-AS-REQ (16), which I understand is for X.509 certificate preauthentication, is not in the list. I guess something is therefore wrong in my KDC configuration, but I cannot see what. Can someone enlighten me?

Thanks in advance

--
Pascal Jakobi
116 rue de Stalingrad, 93100 Montreuil France
Tel : +33 6 87 47 58 19
-------------- next part --------------
[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 kdc = SYSLOG:DEBUG:LOCAL1
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = THALES.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 THALES.COM = {
  kdc = kdc.jakobi.fr
  admin_server = kdc.jakobi.fr
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
 }

[domain_realm]
 .jakobi.fr = THALES.COM
 jakobi.fr = THALES.COM

From marcinmierzejewski1024 at gmail.com Sat Oct 31 17:05:28 2015
From: marcinmierzejewski1024 at gmail.com (Marcin Mierzejewski)
Date: Sat, 31 Oct 2015 18:05:28 +0100
Subject: [Pki-users] Dogtag is changing my renewal request after enrollment

I have a method which creates a renewal request for a given certificate:

> // imports added so the snippet compiles against the Dogtag client API (com.netscape.certsrv)
> import com.netscape.certsrv.cert.CertEnrollmentRequest;
> import com.netscape.certsrv.profile.ProfileAttribute;
> import com.netscape.certsrv.profile.ProfileInput;
>
> private CertEnrollmentRequest createUserEncryptionArchivedCertRenewalEnrollment(int oldCertificateId) {
>
>     CertEnrollmentRequest data = new CertEnrollmentRequest();
>     data.setProfileId("caManualRenewal");
>     data.setRenewal(true);
>
>     // the caManualRenewal profile takes the serial number of the certificate being renewed as its input
>     ProfileInput certReq = data.createInput("Serial Number of Certificate to Renew");
>     certReq.addAttribute(new ProfileAttribute("serial_num", Integer.toString(oldCertificateId), null));
>
>     return data;
> }

but after I enroll this request I get a request for renewal of "PKI Administrator for localdomain". If I choose not to log in as PKI Admin, there is an error telling me that I don't have any certificates to renew or the certificate is corrupted. That's weird because it works via the Dogtag end-user entity, even without logging in.