From frolvlad at gmail.com Wed Nov 2 22:35:52 2016
From: frolvlad at gmail.com (Vladyslav Frolov)
Date: Thu, 3 Nov 2016 00:35:52 +0200
Subject: [Pki-users] How to update old/incorrect certificates on Dirsrv so Dogtag can connect to it?

Hi,

I have a problem with FreeIPA state. At some point, PKI certificates were regenerated from scratch, but Dirsrv and HTTPD are still using old certificates, and Dogtag cannot connect to them because of this. Here is `/var/log/pki/pki-tomcat/ca/debug`:

```
[02/Nov/2016:22:18:53][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[02/Nov/2016:22:18:53][localhost-startStop-1]: ============================================
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=false
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory: init
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init()
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init begins
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init ends
[02/Nov/2016:22:18:53][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[02/Nov/2016:22:18:53][localhost-startStop-1]: makeConnection: errorIfDown true
[02/Nov/2016:22:18:53][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
Internal Database Error encountered: Could not connect to LDAP server host freeipa.sparky.salford-systems.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8179) Peer's Certificate issuer is not recognized. (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5337)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine.shutdown()
```

I am running FreeIPA in a Docker container with Fedora 24:

pki-base-10.3.5-6.fc24.noarch
pki-base-java-10.3.5-6.fc24.noarch
pki-kra-10.3.5-6.fc24.noarch
pki-tools-10.3.5-6.fc24.x86_64
pki-ca-10.3.5-6.fc24.noarch
pki-server-10.3.5-6.fc24.noarch

How can I regenerate and push the certificates for Dirsrv and HTTPD?

Thank you in advance,
Vlad

From iguy at ionsphere.org Mon Nov 14 18:17:35 2016
From: iguy at ionsphere.org (Ian Koenig)
Date: Mon, 14 Nov 2016 18:17:35 +0000
Subject: [Pki-users] SubjectAltName - how?

Hi all,

I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2 (build 1511) system. I can request and approve various different certs through the system successfully and have it working properly with SSL client certificates in Chrome.

What I haven't been able to figure out is how to generate a server SSL cert that has SubjectAltName entries in it. An example cnf file I have tried is:

```
[...]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com
[...]
```

This generates a valid CSR with the SubjectAltNames in it. However, when I send it through to be approved on Dogtag, the SAN gets removed. How do I set up a profile in Dogtag to allow this CSR with a SAN to get approved?

Thanks
ian

From Florian.Supper at s-itsolutions.at Tue Nov 15 09:22:41 2016
From: Florian.Supper at s-itsolutions.at (Supper Florian 6342 sIT)
Date: Tue, 15 Nov 2016 09:22:41 +0000
Subject: [Pki-users] SubjectAltName - how?

Hi,

You have to add the following lines into your certificate profile:
```
policyset.ServerProfile.10.constraint.class_id=noConstraintImpl
policyset.ServerProfile.10.constraint.name=No Constraint
policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false
policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl
policyset.ServerProfile.10.default.name=User Supplied Extension Default
policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17
```

Then the SANs will be added to the certificate.

BR
Florian

From iguy at ionsphere.org Tue Nov 15 18:57:04 2016
From: iguy at ionsphere.org (Ian Koenig)
Date: Tue, 15 Nov 2016 18:57:04 +0000
Subject: [Pki-users] SubjectAltName - how?

Thanks Supper. Is there clear documentation on how to create a new certificate profile that is visible via the WebUI?

I tried this process:

1) pki -C client_password.txt -n caadmin ca-server-show --output caServerSANCert.cfg --raw caServerCert
   a) Add in the lines you specified above to caServerSANCert.cfg
   b) Update the line profileID to be caServerSANCert
4) pki -C client_password.txt -n caadmin ca-profile-add --raw caServerSANCert.cfg
5) Approve this new profile.

What happens when I attempt to issue a cert request via the WebUI is that there are no inputs for me to fill in like the default caServerCert profile has: just some text about cert profile and description, then "Inputs" in bold and a Submit button.

Thanks
ian

From iguy at ionsphere.org Wed Nov 16 20:40:17 2016
From: iguy at ionsphere.org (Ian Koenig)
Date: Wed, 16 Nov 2016 20:40:17 +0000
Subject: [Pki-users] SubjectAltName - how?

I've tried a variety of ways to get this to go into the system, and either I'm missing something obvious or there's something buggy going on. I figured out the test system that wasn't giving me inputs to fill in on the request was an older version, 10.2.5. I've updated that system to 10.3.3.

* pki ca-profile-show --output caServerCert.cfg --raw caServerCert
* pki ca-profile-disable caServerCert

Edit the file and add in the following lines to the bottom of the profile:
```
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.name=User Supplied Extension Default
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
```

NOTE: I changed the policyset to match what the rest of the profile said in the default caServerCert profile from the 10.3.3 install: from ServerProfile to serverCertSet.

* pki ca-profile-add caServerCert.cfg --raw

Then go to the WebUI and submit a request that has SAN entries in it. After I approve it, there are no SANs in the cert.

What am I missing?

Thanks
ian

From Florian.Supper at s-itsolutions.at Thu Nov 17 14:08:13 2016
From: Florian.Supper at s-itsolutions.at (Supper Florian 6342 sIT)
Date: Thu, 17 Nov 2016 14:08:13 +0000
Subject: [Pki-users] SubjectAltName - how?

Hi Ian,

There is Red Hat documentation available for Dogtag versions 8 and 9. It might help you.

In my case, I mostly copy an existing profile and make the changes I need in the copied one.

BR
Florian

From iguy at ionsphere.org Fri Nov 18 05:28:15 2016
From: iguy at ionsphere.org (Ian Koenig)
Date: Fri, 18 Nov 2016 05:28:15 +0000
Subject: [Pki-users] SubjectAltName - how?

How do you modify your profile? I've followed the Red Hat documentation and stuff doesn't work. As such, I feel like I'm missing something, based on how you are talking.

How do you submit new requests? Through the Web UI or the command line with the pki command? If via the WebUI, does the agents page change when you change the profile configurations?

Thanks
From Florian.Supper at s-itsolutions.at Fri Nov 18 05:35:11 2016
From: Florian.Supper at s-itsolutions.at (Supper Florian 6342 sIT)
Date: Fri, 18 Nov 2016 05:35:11 +0000
Subject: [Pki-users] SubjectAltName - how?

Hi,

I used the profile in /var/lib/pki-myca/ca/profiles/. I've used the profile through the WebUI, CMC and SCEP.

Where are your profile files located? Can you send me an example?

BR
Florian

From Florian.Supper at s-itsolutions.at Tue Nov 22 10:20:00 2016
From: Florian.Supper at s-itsolutions.at (Supper Florian 6342 sIT)
Date: Tue, 22 Nov 2016 10:20:00 +0000
Subject: [Pki-users] SubjectAltName - how?

Hi Ian,

I've lost your last mail, but I could remember what the question was.

You've copied the part I've sent to you into your profile and tried to enroll a cert, but when you sign the cert the SANs are not included.

Please have a look at this line in your profile:

```
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
```

In this line the number of the SAN extension part, which I've sent to you, has to be included. So add a "10" at the end of that line. Restart your CA service and try again.

If this does not work either, please send me your whole profile, and I will test it in my testing environment.

Br
Florian
How do you submit new requests? Through the Web UI or command line with the pki command? If via the WebUI does the agents page change when you change the profile configurations? Thanks On Thu, 17 Nov 2016 at 08:08 Supper Florian 6342 sIT > wrote: Hi Ian, There is an redhat documentation available for dogtag version 8 and 9. They might help you. In my case, I mostly copy an existing profile and made the changes I?ve need in the copied one. BR Florian Von: Ian Koenig [mailto:iguy at ionsphere.org] Gesendet: Dienstag, 15. November 2016 19:57 An: Supper Florian 6342 sIT; Ian Koenig; pki-users at redhat.com Betreff: Re: [Pki-users] SubjectAltName - how? Thanks Supper. Is there a clear documentation on how to create a new certificate profile that is visible via the WebUI? I tried this process: 1) pki -C client_password.txt -n caadmin ca-server-show --output caServerSANCert.cfg --raw caServerCert a) Add in the lines you specified above to caServerSANCert.cfg b) Update the line profileID to be caServerSANCert 4) pki -C client_password.txt -n caadmin ca-profile-add --raw caServerSANCert.cfg 5) Approve this new profile. What happens when I attempt to issue a cert request via the WebUI, there are no inputs for me to fill in like the default caServerCert profile. Just some text about Cert profile and description, then Inputs in bold and a Submit button. Thanks ian On Tue, 15 Nov 2016 at 03:22 Supper Florian 6342 sIT > wrote: Hi, You have to add the following lines into your certificate profile.. policyset.ServerProfile.10.constraint.class_id=noConstraintImpl policyset.ServerProfile.10.constraint.name=No Constraint policyset.ServerProfile.10.constraint.subjAltNameExtCritical=false policyset.ServerProfile.10.default.class_id=userExtensionDefaultImpl policyset.ServerProfile.10.default.name=User Supplied Extension Default policyset.ServerProfile.10.default.params.userExtOID=2.5.29.17 Then the SAN's will be added to the certificate. 
BR Florian -----Urspr?ngliche Nachricht----- Von: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] Im Auftrag von Ian Koenig Gesendet: Montag, 14. November 2016 19:18 An: pki-users at redhat.com Betreff: [Pki-users] SubjectAltName - how? [bayes][heur][html-removed] Hi all, I have Dogtag 10 . 3 . 3 installed from COPR (at)pki effort onto a CentOS 7 . 2 (build 1511) system. I can request and approve various different certs through the system successfully and have it working properly with SSL client certificates in Chrome. What I haven't been able to figure out is how to generate a server SSL Cert that has SubjectAltName entries in it. An example cnf file I have tried is [ . . . ] [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA : FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = (at)alt_names [ alt_names ] DNS . 1 = demo . myhome . com DNS . 2 = demo DNS . 3 = demo . prod . myhome . com [ . . . ] This generates a valid CSR with the SubjectAltNames in it. However when I send it through to be approved on Dogtag, the SAN gets removed. How do I setup a profile in Dogtag to allow this CSR with SAN get approved? Thanks ian _______________________________________________ Pki-users mailing list Pki-users(at)redhat . com https : / / www . redhat . com / mailman / listinfo / pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From iguy at ionsphere.org Tue Nov 22 16:52:29 2016 From: iguy at ionsphere.org (Ian Koenig) Date: Tue, 22 Nov 2016 16:52:29 +0000 Subject: [Pki-users] SubjectAltName - how? In-Reply-To: References: Message-ID: Awesome.. thanks Florian. That was what I was missing. Here are the steps I take now. As secondary question the redhat documentation talks about the subjAltNameExtensionImpl that does more detailed validation of the SAN entries. Do you know how to make that work? 
---
Steps to add SAN now:

1) pki ca-profile-show --output caServerSANCert.cfg --raw caServerCert
2) Edit this and add in the following lines (make sure the # don't conflict)
   policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
   policyset.serverCertSet.10.constraint.name=No Constraint
   policyset.serverCertSet.10.constraint.subjAltNameExtCritical=false
   policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
   policyset.serverCertSet.10.default.name=User Supplied Extension Default
   policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
3) Update the lines
   a. profileId=caServerSANCert
   b. desc=
   c. name=
   d. policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
4) pki ca-profile-add --raw caServerSANCert.cfg
5) pki ca-profile-find --size 60 (see options for more things to look at)
   a. Should see the new profile here now
6) Go to the Admin port of PKI and approve it (Agent Services)
   a. Manage Certificate Profiles
   b. Find the one with caServerSANCert and Approve it.
   OR: pki ca-profile-enable caServerSANCert
7) Go to the SSL End User Services and this is now a profile that can be selected

Thanks again.
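As an added example (not code from the thread or from the Dogtag project), here is a Python check over the raw key=value profile text that `pki ca-profile-show --raw` writes: it flags the two ways the SAN lines above end up inert, the policy index missing from `policyset.serverCertSet.list` (Florian's diagnosis) and the `ServerProfile` versus `serverCertSet` naming mismatch between his snippet and the stock profile, and it notes where `noConstraintImpl` leaves the requested names unchecked. The sample profile is constructed; only the keys seen in the thread are assumed.

```python
import re
from collections import defaultdict

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName, the userExtOID used in the thread
POLICY_KEY = re.compile(r"^policyset\.([^.]+)\.(\d+)\.(.+)$")

def parse_profile(text):
    """Parse the key=value text that `pki ca-profile-show --raw` writes."""
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_san_policy(cfg):
    """Return (level, message) findings; any 'error' means the CA drops the SAN."""
    policies = defaultdict(lambda: defaultdict(dict))  # set name -> index -> keys
    for key, value in cfg.items():
        if m := POLICY_KEY.match(key):
            policies[m[1]][int(m[2])][m[3]] = value
    san = [(s, i, e) for s, entries in policies.items() for i, e in entries.items()
           if e.get("default.class_id") == "userExtensionDefaultImpl"
           and e.get("default.params.userExtOID") == SAN_OID]
    findings = [] if san else [("error", f"no userExtensionDefaultImpl policy for {SAN_OID}")]
    for set_name, idx, entry in san:
        # A policy only runs if its set is active and its index is in the set's list
        if set_name not in cfg.get("policyset.list", "").split(","):
            findings.append(("error", f"policy set {set_name} is not in policyset.list"))
        if str(idx) not in cfg.get(f"policyset.{set_name}.list", "").split(","):
            findings.append(("error", f"index {idx} missing from policyset.{set_name}.list"))
        if entry.get("constraint.class_id") == "noConstraintImpl":
            findings.append(("note", f"policy {idx} copies SAN values from the CSR unchecked"))
    return findings

def san_policy_ok(cfg):
    """True when every SAN policy is wired into an active policy set."""
    return not any(level == "error" for level, _ in check_san_policy(cfg))

# Constructed sample: the index-10 lines are present but the list still ends
# at 8, so the SAN is silently dropped (the bug Florian spotted in the thread).
SAMPLE = """\
profileId=caServerSANCert
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.10.default.params.userExtOID=2.5.29.17
"""
```

The "note" finding is the caveat behind Ian's follow-up question: with `noConstraintImpl` the CA stamps whatever names the CSR carries, so until a SAN constraint is configured, agent review of each request is the only check on the requested names.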