From techpkiuser at gmail.com Fri Apr 1 13:08:18 2016 From: techpkiuser at gmail.com (Kamal Perera) Date: Fri, 1 Apr 2016 18:38:18 +0530 Subject: [Pki-users] how to use both CA ISSUER and OCSP URLs in AIA Message-ID: Dear All, Hope you guys are doing great. I just want to know how to configure the user certificate profile to have both OCSP URL and CA ISSUERs certificate URL to be present in the certificate. Thanks. Kaml -------------- next part -------------- An HTML attachment was scrubbed... URL: From texcolorado666 at gmail.com Sun Apr 3 00:20:58 2016 From: texcolorado666 at gmail.com (patrick raspante) Date: Sat, 2 Apr 2016 20:20:58 -0400 Subject: [Pki-users] Custom Profile Input Class Message-ID: Hello, I'm interested in creating a custom profile input class. More specifically, I'd like to be able to specify the validity period in days in the certificate request. Are there any generic guides for creating custom input classes? I have an idea of what the high level process would be: 1. Create a new profile input class that extends EnrollInput and implements IProfileInput 2. ? Other modifications ? 3. Add custom profile input class to registry.cfg 4. Modify Profile to add the input class to the input class list Any suggestions would be much appreciated. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Mon Apr 4 00:53:26 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 4 Apr 2016 10:53:26 +1000 Subject: [Pki-users] Rewrite of Subject in profile In-Reply-To: References: Message-ID: <20160404005326.GE18277@dhcp-40-8.bne.redhat.com> On Thu, Feb 25, 2016 at 08:25:54AM +0000, Supper Florian OSS sIT wrote: > Hi and good morning. > > I get some request from mobile devices which are very poor. > > Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00 > > With this subject name, it is not possible to enroll a certificate, because of the " \x00" at the end.. 
>
> So I'm compelled to rewrite the Subject name. In the first way I only want to remove the "\x00" characters from CN.
> I've tried some pattern and configs, but it doesn't work.
> Does one of you know how this could work?
>
Florian,

The null byte at end of CN makes it an invalid CSR. I think it is unlikely that a configuration change can redeem this request, but if you provide an example CSR I will see where the request fails and determine what, if anything, can be done right now.

For dealing with this in future it might be possible to add a configurable to scrub null bytes from request DN values.

> policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
> policyset.cmcUserCertSet.1.constraint.params.accept=true
> policyset.cmcUserCertSet.1.constraint.params.pattern=.*
> policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
> policyset.cmcUserCertSet.1.default.name=Subject Name Default
> policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
>
> In the second way, I want to set the whole subject like this below. But I want to use the CN which comes in the csr.
> Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com
>
The config you want here is:

policyset.cmcUserCertSet.1.default.params.name=C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=$request.req_subject_name$, E=pki-AT-example.com

Cheers,
Fraser

From yoshi314 at gmail.com Tue Apr 5 10:37:01 2016
From: yoshi314 at gmail.com (marcin kowalski)
Date: Tue, 5 Apr 2016 12:37:01 +0200
Subject: [Pki-users] how to use both CA ISSUER and OCSP URLs in AIA
In-Reply-To:
References:
Message-ID:

I did something like this, a while ago, on DogTag. Seems to work for me.

I did that on server certificate profile ; so you may need to adjust it a bit.
/var/lib/pki//ca/profiles/ca/caServerCert.cfg
================================================
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default

policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false

policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=http://server1/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2

policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_2=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2=http://server2/root.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2

policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=3

After that, restart your instance and review the certificate request in agent. Hope it works fine.

2016-04-01 15:08 GMT+02:00 Kamal Perera :
> Dear All,
>
> Hope you guys are doing great.
>
> I just want to know how to configure the user certificate profile to have
> both OCSP URL and CA ISSUERs certificate URL to be present in the
> certificate.
>
> Thanks.
> Kaml > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From techpkiuser at gmail.com Tue Apr 5 12:02:21 2016 From: techpkiuser at gmail.com (Kamal Perera) Date: Tue, 5 Apr 2016 17:32:21 +0530 Subject: [Pki-users] how to use both CA ISSUER and OCSP URLs in AIA In-Reply-To: References: Message-ID: Dear Marcin, thank you for the reply. I have tried the same with the UserCert profile. But didn't work for me. Anyway I'll give another try. Kamal On Tue, Apr 5, 2016 at 4:07 PM, marcin kowalski wrote: > I did something like this, a while ago, on DogTag. Seems to work for me. > > > I did that on server certificate profile ; so you may need to adjust it a > bit. > > /var/lib/pki//ca/profiles/ca/caServerCert.cfg > ================================================ > policyset.serverCertSet.5.constraint.class_id=noConstraintImpl > policyset.serverCertSet.5.constraint.name=No Constraint > policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl > policyset.serverCertSet.5.default.name=AIA Extension Default > > > policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true > > policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= > > policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 > policyset.serverCertSet.5.default.params.authInfoAccessCritical=false > > > policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true > > policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URIName > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1= > http://server1/root.crt > > policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2 > > 
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true > > policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_2=URIName > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2= > http://server2/root.crt > > policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2 > > > > policyset.serverCertSet.5.default.params.authInfoAccessCritical=false > policyset.serverCertSet.5.default.params.authInfoAccessNumADs=3 > > > > After that, restart your instance and review the certificate request in > agent. Hope it works fine. > > > 2016-04-01 15:08 GMT+02:00 Kamal Perera : > >> Dear All, >> >> Hope you guys are doing great. >> >> I just want to know how to configure the user certificate profile to have >> both OCSP URL and CA ISSUERs certificate URL to be present in the >> certificate. >> >> Thanks. >> Kaml >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cfu at redhat.com Fri Apr 8 18:38:13 2016 From: cfu at redhat.com (Christina Fu) Date: Fri, 8 Apr 2016 11:38:13 -0700 Subject: [Pki-users] Custom Profile Input Class In-Reply-To: References: Message-ID: <5707FA95.5050604@redhat.com> Hi Patrick, yes that's pretty much it at a high level. Of course, you want to put the .class file under the right path so that it can be found during run time. There is a page that explains and gives example on how to write an Authentication plugin. The method should be similar: pki.fedoraproject.org/wiki/PKI_Authentication_Plug-ins The original info was written for older RHCS. I think I might have updated it, but I can't be sure. The website is currently down so I can't check. Christina On 04/02/2016 05:20 PM, patrick raspante wrote: > Hello, > > I'm interested in creating a custom profile input class. 
More > specifically, I'd like to be able to specify the validity period in > days in the certificate request. > > Are there any generic guides for creating custom input classes? > > I have an idea of what the high level process would be: > 1. Create a new profile input class that extends EnrollInput and > implements IProfileInput > 2. ? Other modifications ? > 3. Add custom profile input class to registry.cfg > 4. Modify Profile to add the input class to the input class list > > Any suggestions would be much appreciated. > > Thanks > > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From hatlam at gmail.com Mon Apr 25 04:29:07 2016 From: hatlam at gmail.com (Ha T. Lam) Date: Sun, 24 Apr 2016 21:29:07 -0700 Subject: [Pki-users] How to renew the admin certificate Message-ID: Hi all, We have a Dog Tag system hosted on Fedora inside a VirtualBox, our admin certificate has unfortunately expired, so the web interface complains that the cert is invalid. I've managed to rewind the clock and authorized myself a PKI Administrator certificate following this thread: https://www.redhat.com/archives/pki-users/2013-October/msg00008.html I'm now trying to import the new certificate into the system. The thread mentioned doing it through the pkiconsole, but I have not been able to get it to work, when I typed: pkiconsole https://ca02.mycompany.com:8433/ca I don't get any error message, but I don't see any console either. I suspect this is because I'm ssh-ing into a virtualbox and the display is not set correctly. My questions are: 1. Does the process I mentioned above make sense? I'm new to dogtag and still learning about it. 2. If I'm on the right track, is there a command line option for pkiconsole? 
Thank you for your help, Ha -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmagne at redhat.com Mon Apr 25 18:10:06 2016 From: jmagne at redhat.com (John Magne) Date: Mon, 25 Apr 2016 14:10:06 -0400 (EDT) Subject: [Pki-users] How to renew the admin certificate In-Reply-To: References: Message-ID: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> Hello: Your approach seems reasonable: Perhaps you might want to start a vncserver on there and come in that way. There has been issues with using the console over ssh. ----- Original Message ----- > From: "Ha T. Lam" > To: pki-users at redhat.com > Sent: Sunday, April 24, 2016 9:29:07 PM > Subject: [Pki-users] How to renew the admin certificate > > Hi all, > > We have a Dog Tag system hosted on Fedora inside a VirtualBox, our admin > certificate has unfortunately expired, so the web interface complains that > the cert is invalid. I've managed to rewind the clock and authorized myself > a PKI Administrator certificate following this thread: > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html > > I'm now trying to import the new certificate into the system. The thread > mentioned doing it through the pkiconsole, but I have not been able to get > it to work, when I typed: > > pkiconsole https://ca02.mycompany.com:8433/ca > > I don't get any error message, but I don't see any console either. I suspect > this is because I'm ssh-ing into a virtualbox and the display is not set > correctly. > > My questions are: > 1. Does the process I mentioned above make sense? I'm new to dogtag and still > learning about it. > 2. If I'm on the right track, is there a command line option for pkiconsole? > > Thank you for your help, > Ha > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From hatlam at gmail.com Mon Apr 25 22:12:35 2016 From: hatlam at gmail.com (Ha T. 
Lam) Date: Mon, 25 Apr 2016 15:12:35 -0700 Subject: [Pki-users] How to renew the admin certificate In-Reply-To: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> References: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> Message-ID: Hi John, Thank you very much for your quick reply. I've managed to get ssh -X sorted out because when I typed pkiconsole https://ca02.mycompany.com:8433/ca I get a dialog box asking for User ID and Password. From our conf file, I put in the pki_admin_uid and pki_admin_password, the dialog box went away, but nothing else happened. I also tried using pki_client_pkcs12_password but with the same result. Looking at the log file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see "POST /ca/auths HTTP/1.0" 200 27 At this point, I'm not sure if it's because I put in the wrong authentication or if I'm still having problem with the pkiconsole. I've been trying to setup vncserver as you recommended but haven't had much luck. I stumbled on the pki commands and it looks like I can use them to install client certificate, are they equivalent to the pkiconsole? Thanks, Ha On Mon, Apr 25, 2016 at 11:10 AM, John Magne wrote: > Hello: > > Your approach seems reasonable: > > Perhaps you might want to start a vncserver on there and > come in that way. There has been issues with using the console over ssh. > > > > > > ----- Original Message ----- > > From: "Ha T. Lam" > > To: pki-users at redhat.com > > Sent: Sunday, April 24, 2016 9:29:07 PM > > Subject: [Pki-users] How to renew the admin certificate > > > > Hi all, > > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox, our admin > > certificate has unfortunately expired, so the web interface complains > that > > the cert is invalid. 
I've managed to rewind the clock and authorized > myself > > a PKI Administrator certificate following this thread: > > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html > > > > I'm now trying to import the new certificate into the system. The thread > > mentioned doing it through the pkiconsole, but I have not been able to > get > > it to work, when I typed: > > > > pkiconsole https://ca02.mycompany.com:8433/ca > > > > I don't get any error message, but I don't see any console either. I > suspect > > this is because I'm ssh-ing into a virtualbox and the display is not set > > correctly. > > > > My questions are: > > 1. Does the process I mentioned above make sense? I'm new to dogtag and > still > > learning about it. > > 2. If I'm on the right track, is there a command line option for > pkiconsole? > > > > Thank you for your help, > > Ha > > > > _______________________________________________ > > Pki-users mailing list > > Pki-users at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmagne at redhat.com Mon Apr 25 23:17:16 2016 From: jmagne at redhat.com (John Magne) Date: Mon, 25 Apr 2016 19:17:16 -0400 (EDT) Subject: [Pki-users] How to renew the admin certificate In-Reply-To: References: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> Message-ID: <322377241.64609525.1461626236034.JavaMail.zimbra@redhat.com> I suspect the uid is probably caadmin, which is the default, if you left it that way. ----- Original Message ----- From: "Ha T. Lam" To: "John Magne" Cc: pki-users at redhat.com Sent: Monday, April 25, 2016 3:12:35 PM Subject: Re: [Pki-users] How to renew the admin certificate Hi John, Thank you very much for your quick reply. I've managed to get ssh -X sorted out because when I typed pkiconsole https://ca02.mycompany.com:8433/ca I get a dialog box asking for User ID and Password. 
From our conf file, I put in the pki_admin_uid and pki_admin_password, the dialog box went away, but nothing else happened. I also tried using pki_client_pkcs12_password but with the same result. Looking at the log file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see "POST /ca/auths HTTP/1.0" 200 27 At this point, I'm not sure if it's because I put in the wrong authentication or if I'm still having problem with the pkiconsole. I've been trying to setup vncserver as you recommended but haven't had much luck. I stumbled on the pki commands and it looks like I can use them to install client certificate, are they equivalent to the pkiconsole? Thanks, Ha On Mon, Apr 25, 2016 at 11:10 AM, John Magne wrote: > Hello: > > Your approach seems reasonable: > > Perhaps you might want to start a vncserver on there and > come in that way. There has been issues with using the console over ssh. > > > > > > ----- Original Message ----- > > From: "Ha T. Lam" > > To: pki-users at redhat.com > > Sent: Sunday, April 24, 2016 9:29:07 PM > > Subject: [Pki-users] How to renew the admin certificate > > > > Hi all, > > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox, our admin > > certificate has unfortunately expired, so the web interface complains > that > > the cert is invalid. I've managed to rewind the clock and authorized > myself > > a PKI Administrator certificate following this thread: > > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html > > > > I'm now trying to import the new certificate into the system. The thread > > mentioned doing it through the pkiconsole, but I have not been able to > get > > it to work, when I typed: > > > > pkiconsole https://ca02.mycompany.com:8433/ca > > > > I don't get any error message, but I don't see any console either. I > suspect > > this is because I'm ssh-ing into a virtualbox and the display is not set > > correctly. > > > > My questions are: > > 1. 
Does the process I mentioned above make sense? I'm new to dogtag and
> still
> > learning about it.
> > 2. If I'm on the right track, is there a command line option for
> pkiconsole?
> >
> > Thank you for your help,
> > Ha
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>

From hatlam at gmail.com Tue Apr 26 00:18:59 2016
From: hatlam at gmail.com (Ha T. Lam)
Date: Mon, 25 Apr 2016 17:18:59 -0700
Subject: [Pki-users] How to renew the admin certificate
In-Reply-To: <322377241.64609525.1461626236034.JavaMail.zimbra@redhat.com>
References: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> <322377241.64609525.1461626236034.JavaMail.zimbra@redhat.com>
Message-ID:

Yes, I think the uid is caadmin too. I didn't do the installation, but I inherit the config file used during installation, which lists among other things, the values of pki_admin_uid, pki_admin_password, and pki_client_pkcs12_password.

After digging around some more, I found this page about how to setup a new CA admin:

http://pki.fedoraproject.org/wiki/CA_Admin_Setup

But when I execute the following command (replacing CA Admin password and nickname appropriately from the values in config file):

pki -c -n ca-user-add newcaadmin --fullName "CA Admin"

I got: ResteasyIOException: IOException

I think it is because the default CA Admin certificate was not installed into a database. I tried to do that following:

http://pki.fedoraproject.org/wiki/Default_CA_Admin

but at the following command (replacing Secret123 with our secret)

pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

I got:

Error: Unrecognized option: --pkcs12
usage: client-cert-import [OPTIONS]
    --ca-cert      Import CA certificate file
    --ca-server    Import CA certificate from CA server
    --cert         Import certificate file

I switched to

pki -c Secret123 -n caadmin client-cert-import --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12

to get "Import failed"

I seem to get stuck at installing either the old cert or the new one. Do you know what the commands are to install cert?

On Mon, Apr 25, 2016 at 4:17 PM, John Magne wrote:
> I suspect the uid is probably caadmin, which is the default, if you left
> it that way.
>
> ----- Original Message -----
> From: "Ha T. Lam"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Monday, April 25, 2016 3:12:35 PM
> Subject: Re: [Pki-users] How to renew the admin certificate
>
> Hi John,
>
> Thank you very much for your quick reply. I've managed to get ssh -X sorted
> out because when I typed
>
> pkiconsole https://ca02.mycompany.com:8433/ca
>
> I get a dialog box asking for User ID and Password. From our conf file, I
> put in the pki_admin_uid and pki_admin_password, the dialog box went away,
> but nothing else happened. I also tried using pki_client_pkcs12_password
> but with the same result. Looking at the log
> file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see
>
> "POST /ca/auths HTTP/1.0" 200 27
>
> At this point, I'm not sure if it's because I put in the wrong
> authentication or if I'm still having problem with the pkiconsole. I've
> been trying to setup vncserver as you recommended but haven't had much
> luck.
> > I stumbled on the pki commands and it looks like I can use them to install > client certificate, are they equivalent to the pkiconsole? > > Thanks, > Ha > > > On Mon, Apr 25, 2016 at 11:10 AM, John Magne wrote: > > > Hello: > > > > Your approach seems reasonable: > > > > Perhaps you might want to start a vncserver on there and > > come in that way. There has been issues with using the console over ssh. > > > > > > > > > > > > ----- Original Message ----- > > > From: "Ha T. Lam" > > > To: pki-users at redhat.com > > > Sent: Sunday, April 24, 2016 9:29:07 PM > > > Subject: [Pki-users] How to renew the admin certificate > > > > > > Hi all, > > > > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox, our > admin > > > certificate has unfortunately expired, so the web interface complains > > that > > > the cert is invalid. I've managed to rewind the clock and authorized > > myself > > > a PKI Administrator certificate following this thread: > > > > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html > > > > > > I'm now trying to import the new certificate into the system. The > thread > > > mentioned doing it through the pkiconsole, but I have not been able to > > get > > > it to work, when I typed: > > > > > > pkiconsole https://ca02.mycompany.com:8433/ca > > > > > > I don't get any error message, but I don't see any console either. I > > suspect > > > this is because I'm ssh-ing into a virtualbox and the display is not > set > > > correctly. > > > > > > My questions are: > > > 1. Does the process I mentioned above make sense? I'm new to dogtag and > > still > > > learning about it. > > > 2. If I'm on the right track, is there a command line option for > > pkiconsole? 
> > >
> > > Thank you for your help,
> > > Ha
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jmagne at redhat.com Tue Apr 26 01:45:18 2016
From: jmagne at redhat.com (John Magne)
Date: Mon, 25 Apr 2016 21:45:18 -0400 (EDT)
Subject: [Pki-users] How to renew the admin certificate
In-Reply-To:
References: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> <322377241.64609525.1461626236034.JavaMail.zimbra@redhat.com>
Message-ID: <380266676.64624449.1461635118139.JavaMail.zimbra@redhat.com>

Hi:

If you have access to the nss db and the pin, you can try the following command, preferably with the server shut down:

pk12util
Usage: pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
                 [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
                 [-v]
Usage: pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
                 [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
                 [-v]
Usage: pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
                 [-c key_cipher] [-C cert_cipher]
                 [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]
                 [-k slotpwfile | -K slotpw]
                 [-w p12filepwfile | -W p12filepw]

----- Original Message -----
From: "Ha T. Lam"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Monday, 25 April, 2016 5:18:59 PM
Subject: Re: [Pki-users] How to renew the admin certificate

Yes, I think the uid is caadmin too. I didn't do the installation, but I inherit the config file used during installation, which lists among other things, the values of pki_admin_uid, pki_admin_password, and pki_client_pkcs12_password.
After digging around some more, I found this page about how to setup a new CA admin: http://pki.fedoraproject.org/wiki/CA_Admin_Setup But when I execute the following command (replacing CA Admin password and nickname appropriately from the values in config file): pki -c -n ca-user-add newcaadmin --fullName "CA Admin" I got: ResteasyIOException: IOException I think it is because the default CA Admin certificate was not installed into a database. I tried to do that following: http://pki.fedoraproject.org/wiki/Default_CA_Admin but at the following command (replacing Secret123 with our secret) pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf I got: Error: Unrecognized option: --pkcs12 usage: client-cert-import [OPTIONS] --ca-cert Import CA certificate file --ca-server Import CA certificate from CA server --cert Import certificate file I switched to pki -c Secret123 -n caadmin client-cert-import --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12 to get "Import failed" I seem to get stuck at installing either the old cert or the new one. Do you know what the commands are to install cert? On Mon, Apr 25, 2016 at 4:17 PM, John Magne wrote: > I suspect the uid is probably caadmin, which is the default, if you left > it that way. > > ----- Original Message ----- > From: "Ha T. Lam" > To: "John Magne" > Cc: pki-users at redhat.com > Sent: Monday, April 25, 2016 3:12:35 PM > Subject: Re: [Pki-users] How to renew the admin certificate > > Hi John, > > Thank you very much for your quick reply. I've managed to get ssh -X sorted > out because when I typed > > pkiconsole https://ca02.mycompany.com:8433/ca > > I get a dialog box asking for User ID and Password. From our conf file, I > put in the pki_admin_uid and pki_admin_password, the dialog box went away, > but nothing else happened. I also tried using pki_client_pkcs12_password > but with the same result. 
Looking at the log > file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see > > "POST /ca/auths HTTP/1.0" 200 27 > > At this point, I'm not sure if it's because I put in the wrong > authentication or if I'm still having problem with the pkiconsole. I've > been trying to setup vncserver as you recommended but haven't had much > luck. > > I stumbled on the pki commands and it looks like I can use them to install > client certificate, are they equivalent to the pkiconsole? > > Thanks, > Ha > > > On Mon, Apr 25, 2016 at 11:10 AM, John Magne wrote: > > > Hello: > > > > Your approach seems reasonable: > > > > Perhaps you might want to start a vncserver on there and > > come in that way. There has been issues with using the console over ssh. > > > > > > > > > > > > ----- Original Message ----- > > > From: "Ha T. Lam" > > > To: pki-users at redhat.com > > > Sent: Sunday, April 24, 2016 9:29:07 PM > > > Subject: [Pki-users] How to renew the admin certificate > > > > > > Hi all, > > > > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox, our > admin > > > certificate has unfortunately expired, so the web interface complains > > that > > > the cert is invalid. I've managed to rewind the clock and authorized > > myself > > > a PKI Administrator certificate following this thread: > > > > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html > > > > > > I'm now trying to import the new certificate into the system. The > thread > > > mentioned doing it through the pkiconsole, but I have not been able to > > get > > > it to work, when I typed: > > > > > > pkiconsole https://ca02.mycompany.com:8433/ca > > > > > > I don't get any error message, but I don't see any console either. I > > suspect > > > this is because I'm ssh-ing into a virtualbox and the display is not > set > > > correctly. > > > > > > My questions are: > > > 1. Does the process I mentioned above make sense? I'm new to dogtag and > > still > > > learning about it. 
> > > 2. If I'm on the right track, is there a command line option for
> > pkiconsole?
> > >
> > > Thank you for your help,
> > > Ha
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> >
>

From hatlam at gmail.com Tue Apr 26 17:58:52 2016
From: hatlam at gmail.com (Ha T. Lam)
Date: Tue, 26 Apr 2016 10:58:52 -0700
Subject: [Pki-users] How to renew the admin certificate
In-Reply-To: <380266676.64624449.1461635118139.JavaMail.zimbra@redhat.com>
References: <1648950510.64255671.1461607806321.JavaMail.zimbra@redhat.com> <322377241.64609525.1461626236034.JavaMail.zimbra@redhat.com> <380266676.64624449.1461635118139.JavaMail.zimbra@redhat.com>
Message-ID:

Hi John,

Thank you for your continuous help. I've tried the commands that you showed me, here are the results:

pk12util -i importfile ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /etc/pki/nssdb/
pk12util: File Open failed: importfile: PR_FILE_NOT_FOUND_ERROR: File not found

pk12util -l listfile -d /etc/pki/nssdb
pk12util: File Open failed: listfile: PR_FILE_NOT_FOUND_ERROR: File not found
pk12util: PKCS12 decode not verified: PR_FILE_NOT_FOUND_ERROR: File not found

I looked to see if there are any other nssdb directory out there, I have one in /root/.pki/nssdb but it's empty and another one /root/.dogtag/nssdb but this is the result of me running pki -c Secret123 client-init earlier.

Any other idea?
On Mon, Apr 25, 2016 at 6:45 PM, John Magne wrote:
> Hi:
>
> If you have access to the nss db and the pin, you can try the
> following command, preferably with the server shut down:
>
> pk12util
> Usage: pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
>                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
>                  [-v]
> Usage: pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
>                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
>                  [-v]
> Usage: pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
>                  [-c key_cipher] [-C cert_cipher]
>                  [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]
>                  [-k slotpwfile | -K slotpw]
>                  [-w p12filepwfile | -W p12filepw]
>
>
> ----- Original Message -----
> From: "Ha T. Lam"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Monday, 25 April, 2016 5:18:59 PM
> Subject: Re: [Pki-users] How to renew the admin certificate
>
> Yes, I think the uid is caadmin too. I didn't do the installation, but I
> inherit the config file used during installation, which lists among other
> things, the values of pki_admin_uid, pki_admin_password,
> and pki_client_pkcs12_password.
>
> After digging around some more, I found this page about how to setup a new
> CA admin:
>
> http://pki.fedoraproject.org/wiki/CA_Admin_Setup
>
> But when I execute the following command (replacing CA Admin password and
> nickname appropriately from the values in config file):
>
> pki -c -n ca-user-add newcaadmin
> --fullName "CA Admin"
>
> I got: ResteasyIOException: IOException
>
> I think it is because the default CA Admin certificate was not installed
> into a database.
> I tried to do that following:
>
> http://pki.fedoraproject.org/wiki/Default_CA_Admin
>
> but at the following command (replacing Secret123 with our secret)
>
> pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> I got:
>
> Error: Unrecognized option: --pkcs12
> usage: client-cert-import [OPTIONS]
>     --ca-cert      Import CA certificate file
>     --ca-server    Import CA certificate from CA server
>     --cert         Import certificate file
>
> I switched to
>
> pki -c Secret123 -n caadmin client-cert-import --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12
>
> to get "Import failed"
>
> I seem to get stuck at installing either the old cert or the new one. Do
> you know what the commands are to install a cert?
>
> On Mon, Apr 25, 2016 at 4:17 PM, John Magne wrote:
>
> > I suspect the uid is probably caadmin, which is the default, if you left
> > it that way.
> >
> > ----- Original Message -----
> > From: "Ha T. Lam"
> > To: "John Magne"
> > Cc: pki-users at redhat.com
> > Sent: Monday, April 25, 2016 3:12:35 PM
> > Subject: Re: [Pki-users] How to renew the admin certificate
> >
> > Hi John,
> >
> > Thank you very much for your quick reply. I've managed to get ssh -X sorted
> > out because when I typed
> >
> > pkiconsole https://ca02.mycompany.com:8433/ca
> >
> > I get a dialog box asking for User ID and Password. From our conf file, I
> > put in the pki_admin_uid and pki_admin_password; the dialog box went away,
> > but nothing else happened. I also tried using pki_client_pkcs12_password
> > but with the same result. Looking at the log
> > file /var/log/pki/pki-tomcat/localhost_access_log.2016-04-25.txt, I see
> >
> > "POST /ca/auths HTTP/1.0" 200 27
> >
> > At this point, I'm not sure if it's because I put in the wrong
> > authentication or if I'm still having problems with the pkiconsole. I've
> > been trying to set up vncserver as you recommended but haven't had much
> > luck.
> >
> > I stumbled on the pki commands and it looks like I can use them to install
> > client certificates; are they equivalent to the pkiconsole?
> >
> > Thanks,
> > Ha
> >
> >
> > On Mon, Apr 25, 2016 at 11:10 AM, John Magne wrote:
> >
> > > Hello:
> > >
> > > Your approach seems reasonable:
> > >
> > > Perhaps you might want to start a vncserver on there and
> > > come in that way. There have been issues with using the console over ssh.
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Ha T. Lam"
> > > > To: pki-users at redhat.com
> > > > Sent: Sunday, April 24, 2016 9:29:07 PM
> > > > Subject: [Pki-users] How to renew the admin certificate
> > > >
> > > > Hi all,
> > > >
> > > > We have a Dog Tag system hosted on Fedora inside a VirtualBox; our admin
> > > > certificate has unfortunately expired, so the web interface complains that
> > > > the cert is invalid. I've managed to rewind the clock and authorized myself
> > > > a PKI Administrator certificate following this thread:
> > > >
> > > > https://www.redhat.com/archives/pki-users/2013-October/msg00008.html
> > > >
> > > > I'm now trying to import the new certificate into the system. The thread
> > > > mentioned doing it through the pkiconsole, but I have not been able to get
> > > > it to work; when I typed:
> > > >
> > > > pkiconsole https://ca02.mycompany.com:8433/ca
> > > >
> > > > I don't get any error message, but I don't see any console either. I suspect
> > > > this is because I'm ssh-ing into a virtualbox and the display is not set
> > > > correctly.
> > > >
> > > > My questions are:
> > > > 1. Does the process I mentioned above make sense? I'm new to dogtag and still
> > > > learning about it.
> > > > 2. If I'm on the right track, is there a command line option for pkiconsole?
> > > >
> > > > Thank you for your help,
> > > > Ha
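The two pk12util runs at the top of this message fail before anything is decoded: in the usage text John quoted, `importfile` and `listfile` are placeholders for the path of the .p12 file, so `-i importfile <path>` makes pk12util open a file literally named importfile. The script below is an added example, not from the thread and not part of Dogtag's tooling. It checks every path pk12util will open, prints the exact command it is about to run, imports the PKCS#12 file and then lists the database so the nickname that `pki -n` expects is visible. It assumes POSIX sh with the nss-tools binaries (pk12util, certutil) installed, and that the file given to `-w` contains only the PKCS#12 password; the paths in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not Dogtag tooling): import a CA admin
# PKCS#12 file into an NSS database with pk12util, checking the inputs first.
# In the pk12util usage text, "importfile" and "listfile" stand for the path of
# the .p12 file; pk12util -i <file> ... opens <file> directly.

# Build the exact command line that import_p12 will run, so it can be reviewed
# or logged before anything touches the database.
#   $1 = .p12 file, $2 = NSS db directory, $3 = file holding the .p12 password
p12_import_cmd() {
    printf 'pk12util -i %s -d %s -w %s\n' "$1" "$2" "$3"
}

# Check every path pk12util will open, then import and list the database.
# Each condition that produced PR_FILE_NOT_FOUND_ERROR in the thread is
# reported by name instead of leaving pk12util to say "File not found".
import_p12() {
    p12="$1"
    dbdir="$2"
    pwfile="$3"
    [ -r "$p12" ]    || { echo "PKCS#12 file not readable: $p12" >&2; return 1; }
    [ -d "$dbdir" ]  || { echo "NSS database directory missing: $dbdir" >&2; return 1; }
    [ -r "$pwfile" ] || { echo "PKCS#12 password file not readable: $pwfile" >&2; return 1; }
    command -v pk12util >/dev/null 2>&1 \
        || { echo "pk12util not found (install the nss-tools package)" >&2; return 1; }

    echo "Running: $(p12_import_cmd "$p12" "$dbdir" "$pwfile")"
    pk12util -i "$p12" -d "$dbdir" -w "$pwfile" || return 1

    # The nickname printed here is the value 'pki -n <nickname>' expects.
    certutil -L -d "$dbdir"
}

# Example invocation (constructed paths; the .p12 path is the one used in the
# thread, the password file is an assumption and must contain only the password):
# import_p12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 /etc/pki/nssdb /path/to/p12-password.txt
```

If the NSS database itself is protected by a PIN, pk12util additionally needs `-k slotpwfile` (or `-K slotpw`) from the same usage text; the checks above are the same, with one more readable-file test for that file.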