[Pki-users] Dogtag profile for encryption certificate with storing private key in DRM/KRA

Wed Oct 21 15:37:59 UTC 2015

I have question that propably should be in new thread but it' s related
with all this storing private keys in DRM. How to handle certificate
renewal?
In renewal request for other profiles I found that the renewal request has
a new public key which is diffrent, that means private key has been changed
as well.
After administrator approve on renewal request, the DRM will store not
valid private key. I have some ideas how to fix that, if You have any
better please give me a hint.
solution A) In reneval request put generated put crmf request generated by
CRMFPopClient
solution B) revoke old certificate, create new one with same key pair and
subject values(except notvalidafter date)

Or maybe is there option to renewal certificate without changing keys? from
some reading(
http://security.stackexchange.com/questions/27810/should-i-change-the-private-key-when-renewing-a-certificate)
propably SSL certificates renewals does not require that.

2015-10-16 20:05 GMT+02:00 John Magne <jmagne at redhat.com>:

> Hi:
>
> The CRMFPopClient generates the key pair on its own, it does not get it
> from the KRA.
> It uses the transport cert to essentially wrap the data for transit.
>
> And that private key gets sent to the kra.
>
> Also that line of code I believe is in some test driver program.
> It gets the same transport cert using some rest call.
>
>
>
> ----- Original Message -----
> > From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> > To: "John Magne" <jmagne at redhat.com>
> > Cc: "Dave Sirrine" <dsirrine at redhat.com>, pki-users at redhat.com
> > Sent: Friday, October 16, 2015 5:03:48 AM
> > Subject: Re: [Pki-users] Dogtag profile for encryption certificate with
> storing private key in DRM/KRA
> >
> > That helps a lot. It's actually working in CLI(now I'm figuring out how
> to
> > use this in application) but I don't understand one aspect of this.
> > CRMFPopClient generates RSA key pair and put it in crmf request. Question
> > is how to get keypair for client without retriving it from KRA? Could
> > CRMFPopClient used with existing keypair?
> >
> > T
> > ransport.cert it is the same certicate that can be accessed with that
> line?
>
>
> >
> > // Test 1: Get transport certificate from DRM
> > transportCert = systemCertClient.getTransportCert().getEncoded();
> >
> >
> >
> > 2015-10-15 19:39 GMT+02:00 John Magne <jmagne at redhat.com>:
> >
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> > > > To: "John Magne" <jmagne at redhat.com>
> > > > Cc: "Dave Sirrine" <dsirrine at redhat.com>, pki-users at redhat.com
> > > > Sent: Thursday, October 15, 2015 2:26:33 AM
> > > > Subject: Re: [Pki-users] Dogtag profile for encryption certificate
> with
> > > storing private key in DRM/KRA
> > > >
> > > > Ok, after futher reading this symmetric key is encypted with CA
> public
> > > key
> > > > in wrapSessionKey(...) method.
> > > > Question I still have is how to user in rest client?
> > >
> > >
> > > I believe in one of the previous emails, I put in a list of steps.
> > > After the request is created by CRMFPopClient, we put that blob
> > > in the xml file generated for the enrollment profile chosen.
> > >
> > >
> > > Once that xml file is filled out , that is used in issuing the proper
> > > "pki" cli command to do the enrollment. This is in fact hitting the
> rest
> > > servlets responsible for performing a cert enrollment.
> > >
> > > Hope this helps,
> > > thanks,
> > > jack
> > >
> > >
> > >
> > >
> > >
> > > >
> > > > 2015-10-15 10:59 GMT+02:00 Marcin Mierzejewski <
> > > > marcinmierzejewski1024 at gmail.com>:
> > > >
> > > > > Thanks fo clue. RMFPopClientTool is a cli tool. I check
> implementation
> > > and
> > > > > I found this method wrapPrivateKey(...).
> > > > > Can it be used to wrap private key which could be added to
> > > > > CertEnrollRequest to request certificate from my rest client?
> > > > > And do You have ideas how to get symmetric key for that? I think
> better
> > > > > solution would be use CA public key to encrypt it but I don't have
> that
> > > > > much knowlege in PKI and Dogtag architecture.
> > > > >
> > > > > 2015-10-14 19:25 GMT+02:00 John Magne <jmagne at redhat.com>:
> > > > >
> > > > >> If you see the email I sent the other day,
> > > > >> we make use of the CRMFPopClient tool that uses the transport key
> to
> > > wrap
> > > > >> the private key.
> > > > >>
> > > > >>
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> From: "Marcin Mierzejewski" <marcinmierzejewski1024 at gmail.com>
> > > > >> To: "Dave Sirrine" <dsirrine at redhat.com>
> > > > >> Cc: pki-users at redhat.com
> > > > >> Sent: Wednesday, October 14, 2015 2:35:00 AM
> > > > >> Subject: Re: [Pki-users] Dogtag profile for encryption certificate
> > > with
> > > > >> storing private key in DRM/KRA
> > > > >>
> > > > >> But after this change it is not adding private key to DRM: /
> > > > >>
> > > > >> 2015-10-13 19:27 GMT+02:00 Dave Sirrine < dsirrine at redhat.com > :
> > > > >>
> > > > >>
> > > > >>
> > > > >> Marcin,
> > > > >>
> > > > >> Not sure what exactly you're looking for here, but the beauty of
> > > profiles
> > > > >> is you can create your own. If the ECC profile works as you would
> > > expect,
> > > > >> you can always create a copy with a new name and change the
> > > appropriate
> > > > >> lines. A quick diff of the two profiles you mention shows that
> > > there's not
> > > > >> a lot that's different between the two:
> > > > >>
> > > > >> diff caEncECUserCert.cfg caEncUserCert.cfg
> > > > >> 1c1
> > > > >> < desc=This certificate profile is for enrolling user ECC
> encryption
> > > > >> certificates. It works only with latest Firefox.
> > > > >> ---
> > > > >> > desc=This certificate profile is for enrolling user encryption
> > > > >> certificates with option to archive keys.
> > > > >> 5c5
> > > > >> < name=Manual User Encryption ECC Certificates Enrollment
> > > > >> ---
> > > > >> > name=Manual User Encryption Certificates Enrollment
> > > > >> 7,8c7,10
> > > > >> < input.list=i1
> > > > >> < input.i1.class_id=encKeyGenInputImpl
> > > > >> ---
> > > > >> > input.list=i1,i2,i3
> > > > >> > input.i1.class_id=certReqInputImpl
> > > > >> > input.i2.class_id=subjectNameInputImpl
> > > > >> > input.i3.class_id=submitterInfoInputImpl
> > > > >> 31,32c33,34
> > > > >> < policyset.encryptionCertSet.3.constraint.params.keyType=EC
> > > > >> <
> > > > >>
> > >
> policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
> > > > >> ---
> > > > >> > policyset.encryptionCertSet.3.constraint.params.keyType=RSA
> > > > >> >
> > > > >>
> > >
> policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
> > > > >> 93a96
> > > > >> >
> > > > >>
> > > > >> In theory (I have not tested this) you should be able to change
> the
> > > lines
> > > > >> for 'policyset.encryptionCertSet.3.constraint.params.keyType' and
> > > > >> 'policyset.encryptionCertSet.3.constraint.params.keyParameters' to
> > > match
> > > > >> the caEncUserCert.cfg profile and keep everything else the same.
> If
> > > you
> > > > >> have the KRA installed and configured to work with your CA, the
> > > encryption
> > > > >> keys should automatically be archived in the KRA.
> > > > >>
> > > > >> -- Dave
> > > > >>
> > > > >> On Tue, Oct 13, 2015 at 10:36 AM, Marcin Mierzejewski <
> > > > >> marcinmierzejewski1024 at gmail.com > wrote:
> > > > >>
> > > > >>
> > > > >>
> > > > >> there is a caEncECUserCert that works as I expect but generates
> > > Eliptic
> > > > >> curve certificate. Is there any eqiuvalent for RSA? And next
> question
> > > is:
> > > > >> could I use this profile to generate enduser certificate remote by
> > > calling
> > > > >> REST service?
> > > > >>
> > > > >> 2015-10-13 15:51 GMT+02:00 Marcin Mierzejewski <
> > > > >> marcinmierzejewski1024 at gmail.com > :
> > > > >>
> > > > >>
> > > > >>
> > > > >> Hi All,
> > > > >>
> > > > >> What I want is simple profile for requesting encryption(not sign)
> > > > >> personal certificate that will private key be stored in KRA/DRM. I
> > > check
> > > > >> existing profiles and found profile that name and description
> meet the
> > > > >> goals I want to achieve.
> > > > >>
> > > > >> CaEncUserCert.cfg
> > > > >>
> > > > >> this profile was not visible I change that. I opened this profile
> in
> > > end
> > > > >> user CA application
> > > > >>
> > > > >>
> > > > >> Certificate Profile - Manual User Encryption Certificates
> Enrollment
> > > > >>
> > > > >> This certificate profile is for enrolling user encryption
> certificates
> > > > >> with option to archive keys. Certificate Request Input
> > > > >>         * Certificate Request Type list ( pcks10 or crmf)
> > > > >>
> > > > >>         * Certificate Request (text area for request)
> > > > >> Subject Name
> > > > >> -fields with info about user(propably should be same values that
> were
> > > in
> > > > >> certificate request)
> > > > >> Requestor Information
> > > > >> - info about requestor
> > > > >>
> > > > >> How it's possible to store private key without even sending it to
> CA?
> > > can
> > > > >> be private key enclosed into "Certificate Request"? If answer is
> no -
> > > as I
> > > > >> think why there is a "option to archieve keys"?
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >> Marcin
> > > > >>
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Pki-users mailing list
> > > > >> Pki-users at redhat.com
> > > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > > >>
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Pki-users mailing list
> > > > >> Pki-users at redhat.com
> > > > >> https://www.redhat.com/mailman/listinfo/pki-users
> > > > >>
> > > > >
> > > > >
> > > >
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20151021/5875a9ad/attachment.htm>