From tjaalton at ubuntu.com Wed Jun 1 20:52:12 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Wed, 1 Jun 2016 23:52:12 +0300
Subject: [Pki-users] Announcing the Release of Dogtag 10.3.1
In-Reply-To: <7b706232-14e4-4953-47f1-32a428d4c594@redhat.com>
References: <7b706232-14e4-4953-47f1-32a428d4c594@redhat.com>
Message-ID: <574F4AFC.7010405@ubuntu.com>

On 24.05.2016 19:23, Matthew Harmsen wrote:
> The Dogtag team is proud to announce the release of Dogtag 10.3.1.
>
> Builds are available for Fedora 24.
>
> == Build Versions ==
>
> * dogtag-pki-10.3.1-1
> * dogtag-pki-theme-10.3.1-1
> * pki-console-10.3.1-1
> * pki-core-10.3.1-1
>
> == Upgrade Notes ==
>
> Simply use dnf to update existing packages.

Hi,

Are there any release notes for 10.3.x?

--
t

From anater78 at gmail.com Thu Jun 9 17:06:53 2016
From: anater78 at gmail.com (anater dembelov)
Date: Thu, 9 Jun 2016 20:06:53 +0300
Subject: [Pki-users] install dogtag with exist private key
Message-ID:

Good afternoon!

Help me please.
I have a private key, packages generate openssl.

I have dogtag 10.3 installation to introduce my private key, as the root signing certificate.
What need to do?

Thank you so much.

From sergio.pereira at gps-pamcary.com.br Mon Jun 13 12:27:28 2016
From: sergio.pereira at gps-pamcary.com.br (Sergio Pereira)
Date: Mon, 13 Jun 2016 09:27:28 -0300
Subject: [Pki-users] pki-ocsp dependency conflict
Message-ID: <000a01d1c56e$f367de00$da379a00$@gps-pamcary.com.br>

Hi guys,

I am trying to install all dogtag subsystems on rhel 7.2. So far so good until try to install pki-ocsp subsystem. It asks for pki-server-10.1.2-7.el7 but all others use pki-server-10.2.5-10.el7.

How do I resolve this dependency conflict?

Thx,

sp
From cfu at redhat.com Mon Jun 13 16:46:46 2016
From: cfu at redhat.com (Christina Fu)
Date: Mon, 13 Jun 2016 09:46:46 -0700
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To:
References:
Message-ID: <575EE376.6080806@redhat.com>

Hi Anater,

Not sure if anyone responded. We have something called "Existing CA" for new installations with 10.3.2 (or 1?). It's an option to allow reusing cert/keys of an existing CA.
I'm not very certain of the info link, but here is one that might have some info (Endi please clarify... ):
pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate

Christina

On 06/09/2016 10:06 AM, anater dembelov wrote:
> Good afternoon!
>
> Help me please.
> I have a private key, packages generate openssl.
>
> I have dogtag 10.3 installation to introduce my private key, as the
> root signing certificate.
> What need to do?
>
> Thank you so much.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From anater78 at gmail.com Mon Jun 13 17:43:15 2016
From: anater78 at gmail.com (anater dembelov)
Date: Mon, 13 Jun 2016 20:43:15 +0300
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To: <575EE376.6080806@redhat.com>
References: <575EE376.6080806@redhat.com>
Message-ID:

Hi Christina!

I only have the private key. I would like to generate with it ca_signing.csr and ca_signing.pem. Next, import the installation of the new CA. How can I do it?

Thank you.

2016-06-13 19:46 GMT+03:00 Christina Fu:
> Hi Anater,
>
> Not sure if anyone responded. We have something called "Existing CA" for
> new installations with 10.3.2 (or 1?). It's an option to allow reusing
> cert/keys of an existing CA.
> I'm not very certain of the info link, but here is one that might have
> some info (Endi please clarify... ):
>
> pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate
>
> Christina
>
>
> On 06/09/2016 10:06 AM, anater dembelov wrote:
>
> Good afternoon!
>
> Help me please.
> I have a private key, packages generate openssl.
>
> I have dogtag 10.3 installation to introduce my private key, as the root
> signing certificate.
> What need to do?
>
> Thank you so much.

From cfu at redhat.com Mon Jun 13 17:53:10 2016
From: cfu at redhat.com (Christina Fu)
Date: Mon, 13 Jun 2016 10:53:10 -0700
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To:
References: <575EE376.6080806@redhat.com>
Message-ID: <575EF306.8030503@redhat.com>

hi Anater,

Not at the moment, but the feature did cross my mind at some point, and I don't think it's that hard to implement. What we need though is a business case. Could you provide reasoning for a useful scenario so maybe we can build a business case to introduce such feature in the future release?

thanks,
Christina

On 06/13/2016 10:43 AM, anater dembelov wrote:
> Hi Christina!
>
> I only have the private key. I would like to generate with it
> ca_signing.csr and ca_signing.pem. Next, import the installation of
> the new CA. How can I do it?
>
> Thank you.
>
> 2016-06-13 19:46 GMT+03:00 Christina Fu:
>
> Hi Anater,
>
> Not sure if anyone responded. We have something called "Existing
> CA" for new installations with 10.3.2 (or 1?). It's an option to
> allow reusing cert/keys of an existing CA.
> I'm not very certain of the info link, but here is one that might
> have some info (Endi please clarify... ):
>
> pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate
>
>
> Christina
>
>
> On 06/09/2016 10:06 AM, anater dembelov wrote:
>> Good afternoon!
>>
>> Help me please.
>> I have a private key, packages generate openssl.
>>
>> I have dogtag 10.3 installation to introduce my private key, as
>> the root signing certificate.
>> What need to do?
>>
>> Thank you so much.

From edewata at redhat.com Tue Jun 14 00:29:14 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 13 Jun 2016 19:29:14 -0500
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To: <575EF306.8030503@redhat.com>
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com>
Message-ID:

Hi,

I managed to install CA with an existing CA certificate generated by OpenSSL:
http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate

The only thing is it depends on a tool that has not been added yet (see patch #768 in pki-devel list). Hopefully the tool will make it into Dogtag 10.3.3, but in the meantime feel free to create a custom build with the patch.

--
Endi S. Dewata

On 6/13/2016 12:53 PM, Christina Fu wrote:
> hi Anater,
>
> Not at the moment, but the feature did cross my mind at some point, and
> I don't think it's that hard to implement. What we need though is a
> business case. Could you provide reasoning for a useful scenario so
> maybe we can build a business case to introduce such feature in the
> future release?
>
> thanks,
> Christina
>
> On 06/13/2016 10:43 AM, anater dembelov wrote:
>> Hi Christina!
>>
>> I only have the private key. I would like to generate with it
>> ca_signing.csr and ca_signing.pem. Next, import the installation of
>> the new CA. How can I do it?
>>
>> Thank you.
>>
>> 2016-06-13 19:46 GMT+03:00 Christina Fu:
>>
>> Hi Anater,
>>
>> Not sure if anyone responded. We have something called "Existing
>> CA" for new installations with 10.3.2 (or 1?). It's an option to
>> allow reusing cert/keys of an existing CA.
>> I'm not very certain of the info link, but here is one that might
>> have some info (Endi please clarify... ):
>>
>> pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate
>>
>>
>> Christina
>>
>>
>> On 06/09/2016 10:06 AM, anater dembelov wrote:
>>> Good afternoon!
>>>
>>> Help me please.
>>> I have a private key, packages generate openssl.
>>>
>>> I have dogtag 10.3 installation to introduce my private key, as
>>> the root signing certificate.
>>> What need to do?
>>>
>>> Thank you so much.

From anater78 at gmail.com Tue Jun 14 13:34:26 2016
From: anater78 at gmail.com (anater dembelov)
Date: Tue, 14 Jun 2016 16:34:26 +0300
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To:
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com>
Message-ID:

Excellent!
Just right.
I have tried to create a certificate request and through OpenSSL. With similar attributes. As in Dogtag.
I fedora OS 23. pki-server-10.2.6-19.fc23.noarh
What do I need to download to install the patch # 768.
Thank you!

2016-06-14 3:29 GMT+03:00 Endi Sukma Dewata:
> Hi,
>
> I managed to install CA with an existing CA certificate generated by
> OpenSSL:
>
> http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate
>
> The only thing is it depends on a tool that has not been added yet (see
> patch #768 in pki-devel list). Hopefully the tool will make it into Dogtag
> 10.3.3, but in the meantime feel free to create a custom build with the
> patch.
>
> --
> Endi S. Dewata
>
>
> On 6/13/2016 12:53 PM, Christina Fu wrote:
>
>> hi Anater,
>>
>> Not at the moment, but the feature did cross my mind at some point, and
>> I don't think it's that hard to implement. What we need though is a
>> business case. Could you provide reasoning for a useful scenario so
>> maybe we can build a business case to introduce such feature in the
>> future release?
>>
>> thanks,
>> Christina
>>
>> On 06/13/2016 10:43 AM, anater dembelov wrote:
>>
>>> Hi Christina!
>>>
>>> I only have the private key. I would like to generate with it
>>> ca_signing.csr and ca_signing.pem. Next, import the installation of
>>> the new CA. How can I do it?
>>>
>>> Thank you.
>>>
>>> 2016-06-13 19:46 GMT+03:00 Christina Fu:
>>>
>>> Hi Anater,
>>>
>>> Not sure if anyone responded. We have something called "Existing
>>> CA" for new installations with 10.3.2 (or 1?). It's an option to
>>> allow reusing cert/keys of an existing CA.
>>> I'm not very certain of the info link, but here is one that might
>>> have some info (Endi please clarify... ):
>>>
>>>
>>> pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate
>>> <http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate>
>>>
>>> Christina
>>>
>>>
>>> On 06/09/2016 10:06 AM, anater dembelov wrote:
>>>
>>>> Good afternoon!
>>>>
>>>> Help me please.
>>>> I have a private key, packages generate openssl.
>>>>
>>>> I have dogtag 10.3 installation to introduce my private key, as
>>>> the root signing certificate.
>>>> What need to do?
>>>>
>>>> Thank you so much.
From edewata at redhat.com Tue Jun 14 20:20:03 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 14 Jun 2016 15:20:03 -0500
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To:
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com>
Message-ID: <7a0486df-3fe9-b431-e654-935c08680bae@redhat.com>

On 6/14/2016 8:34 AM, anater dembelov wrote:
> Excellent!
> Just right.
> I have tried to create a certificate request and through OpenSSL. With
> similar attributes. As in Dogtag.
> I fedora OS 23. pki-server-10.2.6-19.fc23.noarh
> What do I need to download to install the patch # 768.
> Thank you!

Hi,

I have an unofficial build for Fedora 23 that contains the new tool:
https://copr.fedorainfracloud.org/coprs/edewata/pki-fedora/

Please give it a try. Thanks!

Please also note that the official build will only be available on Fedora 24 or later.

--
Endi S. Dewata

From anater78 at gmail.com Thu Jun 16 14:47:35 2016
From: anater78 at gmail.com (anater dembelov)
Date: Thu, 16 Jun 2016 17:47:35 +0300
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To: <7a0486df-3fe9-b431-e654-935c08680bae@redhat.com>
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com> <7a0486df-3fe9-b431-e654-935c08680bae@redhat.com>
Message-ID:

Good evening!

Install Fedora 23.
I set pki:

# rpm - qa | grep pki
pki-symkey-10.3.3-0.1.fc23.x86_64
pki-base-10.3.3-0.1.fc23.noarch
pki-tools-10.3.3-0.1.fc23.x86_64
pki-ocsp-10.3.3-0.1.fc23.noarch
pki-core-debuginfo-10.3.3-0.1.fc23.x86_64
dogtag-pki-console-theme-10.2.6-1.fc23.noarch
pki-base-java-10.3.3-0.1.fc23.noarch
pki-server-10.3.3-0.1.fc23.noarch
pki-tks-10.3.3-0.1.fc23.noarch
pki-kra-10.3.3-0.1.fc23.noarch
pki-console-10.2.6-1.fc23.noarch
pki-javadoc-10.3.3-0.1.fc23.noarch
pki-tps-10.3.3-0.1.fc23.x86_64
pki-ca-10.3.3-0.1.fc23.noarch
pki-usgov-dod-cacerts-0.0.6-4.fc23.noarch

from a repository from
https://copr.fedorainfracloud.org/coprs/edewata/pki-fedora/repo/fedora-23/edewata-pki-fedora-fedora-23.repo

By an example from
http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate
I created keys, request and the certificate.
But!

[root at f23-zero ~] # pki pkcs12-cert-mod - pkcs12-file ca.p12 "CA Certificate" - pkcs12-password-file password.txt - trust-flags CTu, Cu, Cu
NotInitializedException: null

Not work!?

Help!

2016-06-14 23:20 GMT+03:00 Endi Sukma Dewata:
> On 6/14/2016 8:34 AM, anater dembelov wrote:
>
>> Excellent!
>> Just right.
>> I have tried to create a certificate request and through OpenSSL. With
>> similar attributes. As in Dogtag.
>> I fedora OS 23. pki-server-10.2.6-19.fc23.noarh
>> What do I need to download to install the patch # 768.
>> Thank you!
>>
>
> Hi,
>
> I have an unofficial build for Fedora 23 that contains the new tool:
> https://copr.fedorainfracloud.org/coprs/edewata/pki-fedora/
>
> Please give it a try. Thanks!
>
> Please also note that the official build will only be available on Fedora
> 24 or later.
>
> --
> Endi S. Dewata
From edewata at redhat.com Thu Jun 16 15:13:36 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 16 Jun 2016 10:13:36 -0500
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To:
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com> <7a0486df-3fe9-b431-e654-935c08680bae@redhat.com>
Message-ID: <50b8b1e4-334d-6bdf-87ac-17f8aee1db27@redhat.com>

On 06/16/2016 09:47 AM, anater dembelov wrote:
> By an example from
> http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate
> I created keys, request and the certificate.
> But!
> [root at f23-zero ~] # pki pkcs12-cert-mod - pkcs12-file ca.p12 "CA
> Certificate" - pkcs12-password-file password.txt - trust-flags CTu, Cu, Cu
> NotInitializedException: null
>
> Not work!?
>
> Help!

Hi, it looks like you need to create an NSS database for the pki tool first:

$ pki -c Secret123 client-init

For the --trust-flags option there should not be any space between the flags. And make sure the double-dashes are written exactly as in the example.

I've updated the wiki page based on your feedback. Thanks!
Just let me know if there are other problems.

--
Endi S. Dewata

From anater78 at gmail.com Sun Jun 26 08:47:13 2016
From: anater78 at gmail.com (anater dembelov)
Date: Sun, 26 Jun 2016 11:47:13 +0300
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To: <50b8b1e4-334d-6bdf-87ac-17f8aee1db27@redhat.com>
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com> <7a0486df-3fe9-b431-e654-935c08680bae@redhat.com> <50b8b1e4-334d-6bdf-87ac-17f8aee1db27@redhat.com>
Message-ID:

Good afternoon!
Many thanks! It works!
But I would recommend to add an option when signing OpenSSL -set_serial 1.
Then the imported root certificate will have the correct serial number 1.

Anatoly.
2016-06-16 18:13 GMT+03:00 Endi Sukma Dewata:
> On 06/16/2016 09:47 AM, anater dembelov wrote:
>
>> By an example from
>>
>> http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate
>> I created keys, request and the certificate.
>> But!
>> [root at f23-zero ~] # pki pkcs12-cert-mod - pkcs12-file ca.p12 "CA
>> Certificate" - pkcs12-password-file password.txt - trust-flags CTu, Cu, Cu
>> NotInitializedException: null
>>
>> Not work!?
>>
>> Help!
>>
>
> Hi, it looks like you need to create an NSS database for the pki tool
> first:
>
> $ pki -c Secret123 client-init
>
> For the --trust-flags option there should not be any space between the
> flags. And make sure the double-dashes are written exactly as in the
> example.
>
> I've updated the wiki page based on your feedback. Thanks!
> Just let me know if there are other problems.
>
> --
> Endi S. Dewata

From edewata at redhat.com Mon Jun 27 16:35:56 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 27 Jun 2016 11:35:56 -0500
Subject: [Pki-users] install dogtag with exist private key
In-Reply-To:
References: <575EE376.6080806@redhat.com> <575EF306.8030503@redhat.com> <7a0486df-3fe9-b431-e654-935c08680bae@redhat.com> <50b8b1e4-334d-6bdf-87ac-17f8aee1db27@redhat.com>
Message-ID: <3a029e59-eb4c-3266-e611-f336df3711bd@redhat.com>

On 6/26/2016 3:47 AM, anater dembelov wrote:
> Good afternoon!
> Many thanks! It works!
> But I would recommend to add an option when signing OpenSSL -set_serial 1.
> Then the imported root certificate will have the correct serial number 1.

Thanks! I've added some notes in the wiki page about the serial number.

FYI, you can also configure Dogtag CA to start from a different serial number:
http://pki.fedoraproject.org/wiki/Deployment_Parameters#Serial_Number_Ranges

--
Endi S. Dewata

From cbarrabes at systemonenoc.com Wed Jun 29 10:10:21 2016
From: cbarrabes at systemonenoc.com (Carlos Barrabes)
Date: Wed, 29 Jun 2016 12:10:21 +0200
Subject: [Pki-users] Intermediate CA
Message-ID: <3ddc100e-3636-313d-cb00-ec3923ccf40d@systemonenoc.com>

Hello,

I'm trying to create an intermediate CA so I can issue certificates with a trust path pointing to our RootCA but I'm facing some issues while following the documentation in the project's site.

Once I'm done with step two, you import the external and ca-signing certificates into a user's NSS db and then the wiki says you have to import the CA admin certificate and key but the problem is there is no such thing after starting the instance via custom config file or I simply cannot find them.

Any suggestions? Thanks for your time!

I am running Dogtag 10.2.6-12 on a Fedora 22 server machine and the procedure I'm following is this one:
http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate