[Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Marcin Mierzejewski marcinmierzejewski1024 at gmail.com
Mon Oct 19 10:38:25 UTC 2015 

The CRMFPopClient generates the key pair on its own, it does not get it
from the KRA.

I know and understand that. I wonder how to get private key without before
CRMFPopClient pack it to BLOB request.

2015-10-16 20:05 GMT+02:00 John Magne <jmagne at redhat.com>:

> Hi:
>
> The CRMFPopClient generates the key pair on its own, it does not get it
> from the KRA.
> It uses the transport cert to essentially wrap the data for transit.
>
> And that private key gets sent to the kra.
>
> Also that line of code I believe is in some test driver program.
> It gets the same transport cert using some rest call.
>
>
>
> ----- Original Message -----
> > From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> > To: "John Magne" <jmagne at redhat.com>
> > Cc: "Dave Sirrine" <dsirrine at redhat.com>, pki-users at redhat.com
> > Sent: Friday, October 16, 2015 5:03:48 AM
> > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with
> storing private key in DRM/KRA
> >
> > That helps a lot. It's actually working in CLI(now I'm figuring out how
> to
> > use this in application) but I don't understand one aspect of this.
> > CRMFPopClient generates RSA key pair and put it in crmf request. Question
> > is how to get keypair for client without retriving it from KRA? Could
> > CRMFPopClient used with existing keypair?
> >
> > T
> > ransport.cert it is the same certicate that can be accessed with that
> line?
>
>
> >
> > // Test 1: Get transport certificate from DRM
> > transportCert = systemCertClient.getTransportCert().getEncoded();
> >
> >
> >
> > 2015-10-15 19:39 GMT+02:00 John Magne <jmagne at redhat.com>:
> >
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> > > > To: "John Magne" <jmagne at redhat.com>
> > > > Cc: "Dave Sirrine" <dsirrine at redhat.com>, pki-users at redhat.com
> > > > Sent: Thursday, October 15, 2015 2:26:33 AM
> > > > Subject: Re: [Pki-users] Dogtag profile for encryption certificate
> with
> > > storing private key in DRM/KRA
> > > >
> > > > Ok, after futher reading this symmetric key is encypted with CA
> public
> > > key
> > > > in wrapSessionKey(...) method.
> > > > Question I still have is how to user in rest client?
> > >
> > >
> > > I believe in one of the previous emails, I put in a list of steps.
> > > After the request is created by CRMFPopClient, we put that blob
> > > in the xml file generated for the enrollment profile chosen.
> > >
> > >
> > > Once that xml file is filled out , that is used in issuing the proper
> > > "pki" cli command to do the enrollment. This is in fact hitting the
> rest
> > > servlets responsible for performing a cert enrollment.
> > >
> > > Hope this helps,
> > > thanks,
> > > jack
> > >
> > >
> > >
> > >
> > >
> > > >
> > > > 2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski <
> > > > marcinmierzejewski1024 at gmail.com>:
> > > >
> > > > > Thanks fo clue. RMFPopClientTool is a cli tool. I check
> implementation
> > > and
> > > > > I found this method wrapPrivateKey(...).
> > > > > Can it be used to wrap private key which could be added to
> > > > > CertEnrollRequest to request certificate from my rest client?
> > > > > And do You have ideas how to get symmetric key for that? I think
> better
> > > > > solution would be use CA public key to encrypt it but I don't have
> that
> > > > > much knowlege in PKI and Dogtag architecture.
> > > > >
> > > > > 2015-10-14 19:25 GMT+02:00 John Magne <jmagne at redhat.com>:
> > > > >
> > > > >> If you see the email I sent the other day,
> > > > >> we make use of the CRMFPopClient tool that uses the transport key
> to
> > > wrap
> > > > >> the private key.
> > > > >>
> > > > >>
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> > > > >> To: "Dave Sirrine" <dsirrine at redhat.com>
> > > > >> Cc: pki-users at redhat.com
> > > > >> Sent: Wednesday, October 14, 2015 2:35:00 AM
> > > > >> Subject: Re: [Pki-users] Dogtag profile for encryption certificate
> > > with
> > > > >> storing private key in DRM/KRA
> > > > >>
> > > > >> But after this change it is not adding private key to DRM: /
> > > > >>
> > > > >> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
> > > > >>
> > > > >>
> > > > >>
> > > > >> Marcin,
> > > > >>
> > > > >> Not sure what exactly you're looking for here, but the beauty of
> > > profiles
> > > > >> is you can create your own. If the ECC profile works as you would
> > > expect,
> > > > >> you can always create a copy with a new name and change the
> > > appropriate
> > > > >> lines. A quick diff of the two profiles you mention shows that
> > > there's not
> > > > >> a lot that's different between the two:
> > > > >>
> > > > >> diff caEncECUserCert.cfg caEncUserCert.cfg
> > > > >> 1c1
> > > > >> < desc=This certificate profile is for enrolling user ECC
> encryption
> > > > >> certificates. It works only with latest Firefox.
> > > > >> ---
> > > > >> > desc=This certificate profile is for enrolling user encryption
> > > > >> certificates with option to archive keys.
> > > > >> 5c5
> > > > >> < name=Manual User Encryption ECC Certificates Enrollment
> > > > >> ---
> > > > >> > name=Manual User Encryption Certificates Enrollment
> > > > >> 7,8c7,10
> > > > >> < input.list=i1
> > > > >> < input.i1.class_id=encKeyGenInputImpl
> > > > >> ---
> > > > >> > input.list=i1,i2,i3
> > > > >> > input.i1.class_id=certReqInputImpl
> > > > >> > input.i2.class_id=subjectNameInputImpl
> > > > >> > input.i3.class_id=submitterInfoInputImpl
> > > > >> 31,32c33,34
> > > > >> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> > > > >> <
> > > > >>
> > >
> policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> > > > >> ---
> > > > >> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> > > > >> >
> > > > >>
> > >
> policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> > > > >> 93a96
> > > > >> >
> > > > >>
> > > > >> In theory (I have not tested this) you should be able to change
> the
> > > lines
> > > > >> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> > > > >> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to
> > > match
> > > > >> the caEncUserCert.cfg profile and keep everything else the same.
> If
> > > you
> > > > >> have the KRA installed and configured to work with your CA, the
> > > encryption
> > > > >> keys should automatically be archived in the KRA.
> > > > >>
> > > > >> -- Dave
> > > > >>
> > > > >> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
> > > > >> marcinmierzejewski1024 at gmail.com > wrote:
> > > > >>
> > > > >>
> > > > >>
> > > > >> there is a caEncECUserCert that works as I expect but generates
> > > Eliptic
> > > > >> curve certificate. Is there any eqiuvalent for RSA? And next
> question
> > > is:
> > > > >> could I use this profile to generate enduser certificate remote by
> > > calling
> > > > >> REST service?
> > > > >>
> > > > >> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
> > > > >> marcinmierzejewski1024 at gmail.com > :
> > > > >>
> > > > >>
> > > > >>
> > > > >> Hi All,
> > > > >>
> > > > >> What I want is simple profile for requesting encryption(not sign)
> > > > >> personal certificate that will private key be stored in KRA/DRM. I
> > > check
> > > > >> existing profiles and found profile that name and description
> meet the
> > > > >> goals I want to achieve.
> > > > >>
> > > > >> CaEncUserCert.cfg
> > > > >>
> > > > >> this profile was not visible I change that. I opened this profile
> in
> > > end
> > > > >> user CA application
> > > > >>
> > > > >>
> > > > >> Certificate Profile - Manual User Encryption Certificates
> Enrollment
> > > > >>
> > > > >> This certificate profile is for enrolling user encryption
> certificates
> > > > >> with option to archive keys. Certificate Request Input
> > > > >>         * Certificate Request Type list ( pcks10 or crmf)
> > > > >>
> > > > >>         * Certificate Request (text area for request)
> > > > >> Subject Name
> > > > >> -fields with info about user(propably should be same values that
> were
> > > in
> > > > >> certificate request)
> > > > >> Requestor Information
> > > > >> - info about requestor
> > > > >>
> > > > >> How it's possible to store private key without even sending it to
> CA?
> > > can
> > > > >> be private key enclosed into "Certificate Request"? If answer is
> no -
> > > as I
> > > > >> think why there is a "option to archieve keys"?
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >> Marcin
> > > > >>
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Pki-users mailing list
> > > > >> Pki-users at redhat.com
> > > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > > >>
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Pki-users mailing list
> > > > >> Pki-users at redhat.com
> > > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > > >>
> > > > >
> > > > >
> > > >
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20151019/8ba5f0de/attachment.htm>

More information about the Pki-users mailing list