[Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9

Supper Florian OSS sIT Florian.Supper at s-itsolutions.at
Wed Oct 28 08:41:39 UTC 2015


Dear John,

Thanks for the reply.
Is there a way to use different profiles for enrollment?
I tried to duplicate the default CMC profile and all entries belonging to this profile (web.xml).
If I start a request with HttpClient, I get an authentication error.

Here is my config:

# /var/lib/pki-test/profiles/ca/caFullCMCWebCert.cfg
--------------------------------------------------
desc=Bla bla
enable=true
enableBy=admin
name=Signed CMC-Authenticated Webserver Certificate Enrollment
visible=true
auth.instance_id=CMCAuth
input.list=i1,i2
input.i1.class_id=cmcCertReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=cmcWebserverCertSet
--------------------------------------------------


# /etc/pki-test/CS.conf
--------------------------------------------------
profile.caFullCMCWebCert.class_id=caEnrollImpl
profile.caFullCMCWebCert.config=/var/lib/pki-test/profiles/ca/caFullCMCWebCert.cfg
--------------------------------------------------


# web.xml
--------------------------------------------------
   <servlet-mapping>
      <servlet-name>  caProfileSubmitCMCWeb  </servlet-name>
      <url-pattern>   /ee/ca/profileSubmitCMCWeb  </url-pattern>
   </servlet-mapping>

  <servlet>
      <servlet-name>  caProfileSubmitCMCWeb  </servlet-name>
      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
             <init-param><param-name>  GetClientCert  </param-name>
                         <param-value> false       </param-value> </init-param>
             <init-param><param-name>  cert_request_type  </param-name>
                         <param-value> cmc         </param-value> </init-param>
             <init-param><param-name>  profileId   </param-name>
                         <param-value> caFullCMCWebCert </param-value> </init-param>
             <init-param><param-name>  AuthzMgr    </param-name>
                         <param-value> BasicAclAuthz </param-value> </init-param>
             <init-param><param-name>  authorityId  </param-name>
                         <param-value> ca          </param-value> </init-param>
             <init-param><param-name>  ID          </param-name>
                         <param-value> caProfileSubmitCMCWeb </param-value> </init-param>
             <init-param><param-name>  templatePath  </param-name>
                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
             <init-param><param-name>  resourceID  </param-name>
                         <param-value> certServer.ee.profile </param-value> </init-param>
             <init-param><param-name>  interface   </param-name>
                         <param-value> ee          </param-value> </init-param>
   </servlet>
--------------------------------------------------

Any ideas?

Thanks
Br
Florian

-----Original Message-----
From: John Magne [mailto:jmagne at redhat.com]
Sent: Friday, October 16, 2015 20:44
To: Supper Florian OSS sIT
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9

I'm assuming you are using HttpClient to send the CMC requests.

Looking around it appears that the caProfileSubmitCMCFull servlet.
The servlet config for this has a profileID field.
So you COULD create a new profile based on mods to the caFullCMCUserCert
profile and set it in the web.xml.

Unless of course if you need to send individual requests to different profiles this would not help.

----- Original Message -----
From: "Supper Florian OSS sIT" <Florian.Supper at s-itsolutions.at>
To: pki-users at redhat.com
Sent: Friday, October 16, 2015 1:38:06 AM
Subject: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9



Hi,

1)

I’m searching for a better solution to automate our enrollment process.

We’re using Dogtag 9. We would like to use 10, but some features we need are not implemented at the moment.

At the moment we’re using CMC requests for enrollment. It works pretty well, but the problem is that you can use just one profile for this type of enrollment.

So I tried to find a better solution, but I can’t find one.

At the moment I’m playing around with browser automation, but no luck till now.

Does anyone have a better solution (for Dogtag 9) to enroll certificates with different profiles?

2) Does anyone have a valid link for downloading the Windows auto-enrollment proxy exe file?

Br

Florian
