From rperez at osh.com.mx Sat Oct 1 05:59:56 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Sat, 1 Oct 2016 00:59:56 -0500 (CDT)
Subject: [Pki-users] Recoverable Signature Error
Message-ID: <45575048.3233.1475301595977.JavaMail.zimbra@osh.com.mx>

When I sign a Microsoft Word document, I get the message: Recoverable Signature.

Researching, I found this information:
https://support.office.com/en-us/article/How-to-tell-if-a-digital-signature-is-trustworthy-61a46050-9a9f-40ab-a894-3ccd60c44415#bm1

Recoverable-error digital signatures

In Office 2010, there is a new classification category for digital signatures. Other than valid and invalid, in Office 2010 a signature can be a recoverable-error signature, which means that there is something wrong with the signature. But the error may be fixed to make the signature valid again. There are three scenarios for recoverable errors:

* The verifier is offline (disconnected from the Internet), therefore making it impossible to check certificate-revocation data, or to verify time stamps if they are present.
* The certificate used to create the signature has expired and no time stamp is available.
* The root certificate authority who issued the certificate is not trusted.

The following image is an example of the Signatures pane with a recoverable error.

[Image: Signatures pane, recoverable error]

IMPORTANT: If you experience a recoverable error, contact your system administrator, who may be able to change the signature's state to valid.

When I check the details of the signature, I obtain the following information:

Signature recoverable: Unable to verify the signer's certificate. Try again later or check the network connection.
Type of signature: XAdES-EPES

I checked the details of the user certificate and the CA certificate; both certificates are valid and are in the Windows certificate store.

At first I thought the problem was the connection with the OCSP responder, but I also checked the connection to the OCSP responder and it is successful.
I also tried to solve the problem by changing some Microsoft Office security settings in the Windows registry, as shown here:
http://winintro.com/?Category=Office2013&Policy=office15.Office.Microsoft.Policies.Windows::L_CheckTheXAdESPortionsOfADigitalSignature

None of these settings solved the problem.

I have partially solved this error by importing the Certificate Revocation List: download the latest CRL in binary form and install it in the Windows certificate store. After doing this, the signatures in Microsoft Word appear to me as valid; however, after a few minutes, or when you close the document and open it again, the signatures are shown as recoverable again. The drawback of this partial solution is that I would have to download and install the CRL every time I go to sign a document.

After analyzing all the information obtained from these tests, I conclude that the source of the problem is that the OCSP does not get the updated information from the Certificate Revocation List. Or, when Microsoft Word connects to the OCSP responder for validation, the response does not contain the updated Certificate Revocation List information. So even though the certificates are valid, it does not have all the information necessary to consider a signature as valid.

How can I solve this problem?
How can I validate whether the OCSP is getting the CRL updates?
How can I set up automatic OCSP updates with the latest CRL?
Is it necessary to modify or create a new certificate profile that includes all this information?
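As an added example (not from this thread, from Dogtag or from Microsoft), the Python below performs the freshness check that lies behind the "try again later" state: it walks a DER CRL with a minimal stdlib reader, pulls thisUpdate/nextUpdate and reports whether the list is current, stale or not yet valid at a chosen time; the same window test applies to the thisUpdate/nextUpdate of an OCSP SingleResponse. The CRL bytes are constructed inline with a placeholder signature that is never verified, and all function names are the example's own.

```python
"""Check whether a DER-encoded CRL is still within its validity window.

A CRL past its nextUpdate (or an OCSP response past its nextUpdate) is one
reason a verifier reports that it cannot verify the signer's certificate.
Stdlib only; no signature verification is performed.
"""
from datetime import datetime, timezone

# ASN.1 universal tags used below
SEQUENCE, INTEGER, UTCTIME, GENERALIZEDTIME = 0x30, 0x02, 0x17, 0x18


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the payload of a constructed type into its element TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def der_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der_bytes):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList.

    TBSCertList ::= SEQUENCE { version INTEGER OPTIONAL,
        signature AlgorithmIdentifier, issuer Name,
        thisUpdate Time, nextUpdate Time OPTIONAL, ... }
    """
    tag, cert_list, _ = der_read(der_bytes)
    assert tag == SEQUENCE, "not a CertificateList"
    tbs = der_children(cert_list)[0][1]     # tbsCertList is the first element
    fields = der_children(tbs)
    if fields[0][0] == INTEGER:             # optional version
        fields = fields[1:]
    fields = fields[2:]                     # skip signature and issuer
    this_update = der_time(*fields[0])
    next_update = None
    if len(fields) > 1 and fields[1][0] in (UTCTIME, GENERALIZEDTIME):
        next_update = der_time(*fields[1])
    return this_update, next_update


def freshness(this_update, next_update, now):
    """Classify a CRL (or OCSP SingleResponse) validity window at time `now`."""
    if now < this_update:
        return "not yet valid"
    if next_update is not None and now > next_update:
        return "stale"
    return "current"


# --- constructed sample, not a real CA artifact ----------------------------
def der(tag, payload):
    """Encode one TLV (short and two-byte long length forms)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # OID 1.2.840.113549.1.1.11
ALG_ID = der(SEQUENCE, SHA256_RSA + der(0x05, b""))
ISSUER = der(SEQUENCE, der(0x31, der(SEQUENCE,
    der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Test CA"))))  # CN=Test CA
TBS = der(SEQUENCE, der(INTEGER, b"\x01") + ALG_ID + ISSUER
          + der(UTCTIME, b"161001000000Z") + der(UTCTIME, b"161008000000Z"))
# signatureValue is a zero-filled placeholder BIT STRING; never verified here
SAMPLE_CRL = der(SEQUENCE, TBS + ALG_ID + der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    this_u, next_u = crl_validity(SAMPLE_CRL)
    now = datetime(2016, 10, 10, tzinfo=timezone.utc)
    print(f"thisUpdate={this_u:%Y-%m-%d} nextUpdate={next_u:%Y-%m-%d} "
          f"-> {freshness(this_u, next_u, now)}")
```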
From rperez at osh.com.mx Sun Oct 2 05:09:20 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Sun, 2 Oct 2016 00:09:20 -0500 (CDT)
Subject: [Pki-users] Where is the CA Key?
Message-ID: <781987021.356.1475384960253.JavaMail.zimbra@osh.com.mx>

Hello, I am configuring SSL for JBoss WildFly 10 following these steps:

In step 3:

(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.

    $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
    Signature ok
    subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
    Getting CA Private Key
    Enter pass phrase for ca.key:

The -CAkey parameter uses the file ca.key.

How can I get this file from DogTag Certificate System?
How can I generate, export or import it?

Instructions for Generating Repository SSL Keystores
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<password> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore,
${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore.

These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA).
It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository
URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available.
You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key
and certificate are available in svn.

(i) Generate the repository public/private key pair in a keystore:

    $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <password>
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  Alfresco Repository
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:  Alfresco Software Ltd.
    What is the name of your City or Locality?
      [Unknown]:  Maidenhead
    What is the name of your State or Province?
      [Unknown]:  UK
    What is the two-letter country code for this unit?
      [Unknown]:  GB
    Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
      [no]:  yes

    Enter key password for <ssl.repo>
            (RETURN if same as keystore password):

(ii) Generate a certificate request for the repository key

    $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass <password>

(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.
    $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
    Signature ok
    subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
    Getting CA Private Key
    Enter pass phrase for ca.key:

(iv) Import the Alfresco CA key into the repository key store

    $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <password>
    Enter keystore password:
    Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
    Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
    Serial number: 805ba6dc8f62f8b8
    Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
    Certificate fingerprints:
             MD5:  4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
             SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
             Signature algorithm name: SHA1withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
    0010: 4E 38 71 D6                                        N8q.
    ]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
    0010: 4E 38 71 D6                                        N8q.
    ]

    [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
    SerialNumber: [    805ba6dc 8f62f8b8]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

(v) Import the CA-signed repository certificate into the repository keystore

    $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <password>
    Enter keystore password:
    Certificate reply was installed in keystore

(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.
    keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco

(vii) Create a repository truststore containing the Alfresco CA certificate

    keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <password>
    keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <password>

(viii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.

(ix) Update the SSL properties, i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.

Instructions for Generating a Certificate Authority (CA) Key and Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(i) Generate the CA private key

    $ openssl genrsa -des3 -out ca.key 1024
    Generating RSA private key, 1024 bit long modulus
    ..........++++++
    ..++++++
    e is 65537 (0x10001)
    Enter pass phrase for ca.key:
    Verifying - Enter pass phrase for ca.key:

(ii) Generate the CA self-signed certificate

    $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    Enter pass phrase for ca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:UK
    Locality Name (eg, city) []:Maidenhead
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:Alfresco CA
    Email Address []:

From rperez at osh.com.mx Sun Oct 2 05:16:37 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Sun, 2 Oct 2016 00:16:37 -0500 (CDT)
Subject: [Pki-users] Update documentation
Message-ID: <289641858.375.1475385397450.JavaMail.zimbra@osh.com.mx>

This is a request or suggestion: would it be possible to include in the DogTag Certificate System documentation website how to install and configure a certificate for a WildFly JBoss server?

We provided the following information:
http://reallifejava.com/configuring-ssl-in-wildfly-8/

From rperez at osh.com.mx Sun Oct 2 16:31:35 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Sun, 2 Oct 2016 11:31:35 -0500 (CDT)
Subject: [Pki-users] Web Cryptography API
Message-ID: <1504794354.183.1475425895782.JavaMail.zimbra@osh.com.mx>

In some sections of the application I get the message:

Warning: This version of Firefox no longer supports the crypto web object used to generate and archive keys from the browser. As a result expect limited functionality in this area.

Doing a little research I found this information:
https://www.redhat.com/archives/pki-users/2015-September/msg00012.html

It means that Firefox's API changed. The old, custom keygen / crypto API was deprecated for a long time, then removed, but the new, standardised Web Crypto API is not supported by Dogtag yet.

Hope that clarifies the situation for you.

-Fraser Tweedale-

It was reported on Mon, Sep 07, 2015 at 03:03:03PM +0300 by Aleksey Chudov, a little more than a year ago, so the following doubts arise:

Do you have plans to migrate to the Web Cryptography API?

You could take a look at the PKI.js project, which has made great strides in this topic:
https://github.com/PeculiarVentures/PKI.js

PKIjs is a pure JavaScript library implementing the formats that are used in PKI applications. It is built on WebCrypto (Web Cryptography API) and aspires to make it possible to build native web applications that utilize X.509 and the related formats on the web without plug-ins.

Features of the library

* First and ONLY (April 2015) open-source JS library with full support for all "Suite B" algorithms in CMS messages;
* First library with support for CMS Enveloped data (encrypt/decrypt) in pure JavaScript + Web Cryptography API;
* Fully object-oriented library.
  Inheritance is used everywhere inside the lib;
* Working with HTML5 data objects (ArrayBuffer, Uint8Array, Promises, Web Cryptography API, etc.);
* Has a complete set of helpers for working with types like:
  * GeneralName;
  * RelativeDistinguishedName;
  * Time;
  * AlgorithmIdentifier;
  * All types of ASN.1 strings, including "international" like UniversalString, UTF8String and BMPString (with help from ASN1js);
  * All extension types of X.509 certificates (BasicConstraints, CertificatePolicies, AuthorityKeyIdentifier etc.);
  * All "support types" for OCSP requests and responses;
  * All "support types" for Time-Stamping Protocol (TSP) requests and responses;
* Has own certification chain verification engine, built in pure JavaScript, with help from Promises and Web Cryptography API latest standard implementation;
* Working with all Web Cryptography API signature algorithms:
  * RSASSA-PKCS1-v1_5;
  * RSA-PSS;
  * ECDSA;
* Working with all "Suite B" (and more) encryption algorithms and schemas:
  * RSASSA-OAEP + AES-KW + AES-CBC/GCM;
  * ECDH + KDF on SHA-1/256/384/512 + AES-KW + AES-CBC/GCM;
  * Pre-defined "key encryption key" + AES-KW + AES-CBC/GCM;
  * Password-based encryption for CMS with PBKDF2 on HMAC on SHA-1/256/384/512 + AES-KW + AES-CBC/GCM;
* Working with all major PKI-related types ("minor" types are not mentioned here but there are a huge number of such "minor types"):
  * X.509 certificates:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new X.509 certificate "from scratch";
    * Internal certificate chain validation engine;
  * X.509 "certificate revocation lists" (CRLs):
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new CRL "from scratch";
    * Validation of CRL signature;
    * Search inside CRL for specific revoked certificate.
  * PKCS#10 certificate request:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new PKCS#10 certificate request "from scratch";
    * Validation of PKCS#10 signature;
  * OCSP request:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new OCSP request "from scratch".
  * OCSP response:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new OCSP response "from scratch";
    * Validation of OCSP response signature.
  * Time-stamping request:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new Time-stamping request "from scratch";
    * Validation of Time-stamping request signature;
  * Time-stamping response:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new Time-stamping response "from scratch";
    * Validation of Time-stamping response signature;
  * CMS Signed Data:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation of a new CMS Signed Data "from scratch";
    * Validation of CMS Signed Data signature;
  * CMS Enveloped Data:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation (encryption) with full support for "Suite B" algorithms and more;
    * Decryption with full support for "Suite B" algorithms and more;
  * CMS Encrypted Data:
    * Parsing internal values;
    * Getting/setting any internal values;
    * Creation (encryption) with password;
    * Decryption with password;
  * PKCS#12:
    * Parsing internal values;
    * Making any kind of internal values (SafeContexts/SafeBags) with any kind of parameters;
From rperez at osh.com.mx Sun Oct 2 17:26:23 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Sun, 2 Oct 2016 12:26:23 -0500 (CDT)
Subject: [Pki-users] Full support to spanish language
Message-ID: <1743958419.247.1475429183410.JavaMail.zimbra@osh.com.mx>

Please include full support for the Spanish language. I believe that in Latin America there is a very large community that would love to be considered by including their native language.
https://es.wikipedia.org/wiki/Am%C3%A9rica_Latina

From rperez at osh.com.mx Sun Oct 2 18:00:26 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Sun, 2 Oct 2016 13:00:26 -0500 (CDT)
Subject: [Pki-users] How to translate Dogtag Certificate System?
Message-ID: <1006046570.253.1475431226859.JavaMail.zimbra@osh.com.mx>

How to translate Dogtag Certificate System?

Hello, I want to translate Dogtag Certificate System, but I cannot find the files to do so. Could you tell me where I can start, or what the procedure is to translate? I am using version 10.2.

From ftweedal at redhat.com Tue Oct 4 08:32:45 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 4 Oct 2016 18:32:45 +1000
Subject: [Pki-users] Where is the CA Key?
In-Reply-To: <781987021.356.1475384960253.JavaMail.zimbra@osh.com.mx>
References: <781987021.356.1475384960253.JavaMail.zimbra@osh.com.mx>
Message-ID: <20161004083245.GJ20504@dhcp-40-8.bne.redhat.com>

On Sun, Oct 02, 2016 at 12:09:20AM -0500, Ricardo Alexander Perez Ricardez wrote:
> Hello, I am configuring SSL for JBoss WildFly 10 following these steps:
>
> In step 3: (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.
> > $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365 > Signature ok > subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository > Getting CA Private Key > Enter pass phrase for ca.key: > > > -CAkey the parameter, use the file ca.key > > How I can get this file DogTag Certificate System? > How I can generate, export or import? > Hi Ricardo, I do not understand what is going on in this documentation. The server certificate is being signed using `openssl', but if you are using Dogtag then you should submit the CSR to Dogtag to be signed. The Dogtag CA's signing key lives in the NSS database at /etc/pki//alias and should not be exported. But if you really do want to export it you can use the `certutil' program. Thanks, Fraser > > Instructions for Generating Repository SSL Keystores > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore, > ${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore. > > These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA). > It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository > URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available. > You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key > and certificate are available in svn. 
> > (i) Generate the repository public/private key pair in a keystore: > > $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass > Enter keystore password: > Re-enter new password: > What is your first and last name? > [Unknown]: Alfresco Repository > What is the name of your organizational unit? > [Unknown]: > What is the name of your organization? > [Unknown]: Alfresco Software Ltd. > What is the name of your City or Locality? > [Unknown]: Maidenhead > What is the name of your State or Province? > [Unknown]: UK > What is the two-letter country code for this unit? > [Unknown]: GB > Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct? > [no]: yes > > Enter key password for > (RETURN if same as keystore password): > > (ii) Generate a certificate request for the repository key > > $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass > > (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days. 
> > $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365 > Signature ok > subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository > Getting CA Private Key > Enter pass phrase for ca.key: > > (iv) Import the Alfresco CA key into the repository key store > > $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass > Enter keystore password: > Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB > Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB > Serial number: 805ba6dc8f62f8b8 > Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021 > Certificate fingerprints: > MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0 > SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3 > Signature algorithm name: SHA1withRSA > Version: 3 > > Extensions: > > #1: ObjectId: 2.5.29.14 Criticality=false > SubjectKeyIdentifier [ > KeyIdentifier [ > 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B at ..JP..+8M.p.Q > 0010: 4E 38 71 D6 N8q. > ] > ] > > #2: ObjectId: 2.5.29.19 Criticality=false > BasicConstraints:[ > CA:true > PathLen:2147483647 > ] > > #3: ObjectId: 2.5.29.35 Criticality=false > AuthorityKeyIdentifier [ > KeyIdentifier [ > 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B at ..JP..+8M.p.Q > 0010: 4E 38 71 D6 N8q. > ] > > [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB] > SerialNumber: [ 805ba6dc 8f62f8b8] > ] > > Trust this certificate? 
[no]: yes > Certificate was added to keystore > > (v) Import the CA-signed repository certificate into the repository keystore > > $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass > Enter keystore password: > Certificate reply was installed in keystore > > (vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'. > > keytool -importkeystore -srckeystore ssl.keystore -srcstorepass -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco > > (vi) Create a repository truststore containing the Alfresco CA certificate > > keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass > keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass > > (vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'. > (viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'. > > Instructions for Generating a Certificate Authority (CA) Key and Certificate > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > (i) Generate the CA private key > > $ openssl genrsa -des3 -out ca.key 1024 > Generating RSA private key, 1024 bit long modulus > ..........++++++ > ..++++++ > e is 65537 (0x10001) > Enter pass phrase for ca.key: > Verifying - Enter pass phrase for ca.key: > > (ii) Generate the CA self-signed certificate > > $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt > Enter pass phrase for ca.key: > You are about to be asked to enter information that will be incorporated > into your certificate request. 
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:GB
> State or Province Name (full name) [Some-State]:UK
> Locality Name (eg, city) []:Maidenhead
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, YOUR name) []:Alfresco CA
> Email Address []:
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ftweedal at redhat.com  Tue Oct  4 08:37:05 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 4 Oct 2016 18:37:05 +1000
Subject: [Pki-users] Update documentation
In-Reply-To: <289641858.375.1475385397450.JavaMail.zimbra@osh.com.mx>
References: <289641858.375.1475385397450.JavaMail.zimbra@osh.com.mx>
Message-ID: <20161004083705.GK20504@dhcp-40-8.bne.redhat.com>

Hi Ricardo,

Dogtag is all about signing and managing certificates. Our documentation
covers how to submit a CSR to Dogtag, how to sign the cert and retrieve
the certificate.
It is not really in scope for our documentation to explain how to
configure TLS/SSL for a particular server program.

Cheers,
Fraser

On Sun, Oct 02, 2016 at 12:16:37AM -0500, Ricardo Alexander Perez Ricardez wrote:
> This is a request or suggestion:
>
> Would it be possible to include in the DogTag Certificate System documentation website how to install and configure a certificate on a WildFly JBoss server?
>
> We provided the following information:
>
> http://reallifejava.com/configuring-ssl-in-wildfly-8/
>
> Instructions for Generating Repository SSL Keystores
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore,
> ${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore.
>
> These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA).
> It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository
> URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available.
> You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key
> and certificate are available in svn.
>
> (i) Generate the repository public/private key pair in a keystore:
>
> $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass
> Enter keystore password:
> Re-enter new password:
> What is your first and last name?
> [Unknown]: Alfresco Repository
> What is the name of your organizational unit?
> [Unknown]:
> What is the name of your organization?
> [Unknown]: Alfresco Software Ltd.
> What is the name of your City or Locality?
> [Unknown]: Maidenhead
> What is the name of your State or Province?
> [Unknown]: UK
> What is the two-letter country code for this unit?
> [Unknown]: GB
> Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
> [no]: yes
>
> Enter key password for
> (RETURN if same as keystore password):
>
> (ii) Generate a certificate request for the repository key
>
> $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass
>
> (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.
>
> $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
> Signature ok
> subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
> Getting CA Private Key
> Enter pass phrase for ca.key:
>
> (iv) Import the Alfresco CA key into the repository key store
>
> $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass
> Enter keystore password:
> Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Serial number: 805ba6dc8f62f8b8
> Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
> Certificate fingerprints:
> MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
> SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
> Signature algorithm name: SHA1withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
> 0010: 4E 38 71 D6                                      N8q.
> ]
> ]
>
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:true
> PathLen:2147483647
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
> 0010: 4E 38 71 D6                                      N8q.
> ]
>
> [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
> SerialNumber: [ 805ba6dc 8f62f8b8]
> ]
>
> Trust this certificate? [no]: yes
> Certificate was added to keystore
>
> (v) Import the CA-signed repository certificate into the repository keystore
>
> $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass
> Enter keystore password:
> Certificate reply was installed in keystore
>
> (vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.
>
> keytool -importkeystore -srckeystore ssl.keystore -srcstorepass -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
>
> (vi) Create a repository truststore containing the Alfresco CA certificate
>
> keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass
> keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass
>
> (vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.
> (viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.
>
> Instructions for Generating a Certificate Authority (CA) Key and Certificate
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> (i) Generate the CA private key
>
> $ openssl genrsa -des3 -out ca.key 1024
> Generating RSA private key, 1024 bit long modulus
> ..........++++++
> ..++++++
> e is 65537 (0x10001)
> Enter pass phrase for ca.key:
> Verifying - Enter pass phrase for ca.key:
>
> (ii) Generate the CA self-signed certificate
>
> $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> Enter pass phrase for ca.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:GB
> State or Province Name (full name) [Some-State]:UK
> Locality Name (eg, city) []:Maidenhead
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, YOUR name) []:Alfresco CA
> Email Address []:

From wojciech.kromer at dgt.com.pl  Fri Oct  7 08:42:32 2016
From: wojciech.kromer at dgt.com.pl (Wojciech Kromer)
Date: Fri, 7 Oct 2016 10:42:32 +0200
Subject: [Pki-users] SCEP enroll with works once
Message-ID: <71ba668f-a78d-ff24-2b9e-f11e919795e9@dgt.com.pl>

Hello.

I'm just trying to make SCEP work on Fedora with dogtag.
On client side I'm using sscep as described in doc.

It works fine on the very first enroll, but after this flatfile.txt
changes from something like:
UID:1.2.3.4
PWD:secret

into this:
#UID:1.2.3.4
#PWD:secret

What's wrong?

WK

From msauton at redhat.com  Tue Oct 11 17:53:07 2016
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 11 Oct 2016 10:53:07 -0700
Subject: [Pki-users] SCEP enroll with works once
In-Reply-To: <71ba668f-a78d-ff24-2b9e-f11e919795e9@dgt.com.pl>
References: <71ba668f-a78d-ff24-2b9e-f11e919795e9@dgt.com.pl>
Message-ID: <7bc613f6-78ed-c94f-c240-1f5f4c4e64a9@redhat.com>

On 10/07/2016 01:42 AM, Wojciech Kromer wrote:
> Hello.
>
> I'm just trying to make SCEP work on Fedora with dogtag.
> On client side I'm using sscep as described in doc.
>
> It works fine on the very first enroll, but after this flatfile.txt
> changes from something like:
> UID:1.2.3.4
> PWD:secret
>
> into this:
> #UID:1.2.3.4
> #PWD:secret
>
>
> What's wrong?

This is working "by design", the credentials should not be left over for
unlimited enrollment use, as this is supposed to be a "one-time pin", so
they are commentified.
In fact they should even be completely removed for somehow better practice.

>
>
> WK

From gchorny at interactivebrokers.com  Tue Oct 11 19:15:07 2016
From: gchorny at interactivebrokers.com (George Chorny)
Date: Tue, 11 Oct 2016 15:15:07 -0400
Subject: [Pki-users] SCEP enroll with works once
In-Reply-To:
References:
Message-ID: <57FD3A3B.6050605@interactivebrokers.com>

Nothing is wrong. This is by design - this prevents you from reusing passwords.

Can you give us more details on what you are trying to set up?
My wild guess would be - VPN clients to get Client Certificates through ASA?

On 10/11/2016 12:00 PM, pki-users-request at redhat.com wrote:
> Message: 1
> Date: Fri, 7 Oct 2016 10:42:32 +0200
> From: Wojciech Kromer
> To: pki-users at redhat.com
> Subject: [Pki-users] SCEP enroll with works once
> Message-ID: <71ba668f-a78d-ff24-2b9e-f11e919795e9 at dgt.com.pl>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hello.
>
> I'm just trying to make SCEP work on Fedora with dogtag.
> On client side I'm using sscep as described in doc.
>
> It works fine on the very first enroll, but after this flatfile.txt
> changes from something like:
> UID:1.2.3.4
> PWD:secret
>
> into this:
> #UID:1.2.3.4
> #PWD:secret
>
>
> What's wrong?
>
>
> WK

From wojciech.kromer at dgt.com.pl  Tue Oct 11 18:02:19 2016
From: wojciech.kromer at dgt.com.pl (Wojciech Kromer)
Date: Tue, 11 Oct 2016 20:02:19 +0200
Subject: [Pki-users] SCEP enroll with works once
In-Reply-To: <7bc613f6-78ed-c94f-c240-1f5f4c4e64a9@redhat.com>
References: <71ba668f-a78d-ff24-2b9e-f11e919795e9@dgt.com.pl> <7bc613f6-78ed-c94f-c240-1f5f4c4e64a9@redhat.com>
Message-ID:

>>
>> I'm just trying to make SCEP work on Fedora with dogtag.
>> On client side I'm using sscep as described in doc.
>>
>> It works fine on the very first enroll, but after this flatfile.txt
>> changes from something like:
>> UID:1.2.3.4
>> PWD:secret
>>
>> into this:
>> #UID:1.2.3.4
>> #PWD:secret
>>
>>
>> What's wrong?
> This is working "by design", the credentials should not be left over
> for unlimited enrollment use, as this is supposed to be a "one-time
> pin", so they are commentified.
> In fact they should even be completely removed for somehow better
> practice.

Thank you for the answer.

Is there another way to use SCEP for automatic certificate "download"
every time the router reboots?
I do not want to save the certificate in its flash...

Best regards.
WK

From WilliamC.Elliott at s-itsolutions.at  Wed Oct 19 11:29:23 2016
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Wed, 19 Oct 2016 11:29:23 +0000
Subject: [Pki-users] Dogtag 10 HSM Support
Message-ID: <85C87A9995875247B2DD471950E0AE4D1BA9DEDC@M0182.s-mxs.net>

Hi,

What is the current status of HSM Support?
We tried to set up Dogtag 10 on RHEL7 with Safenet Luna SA HSM earlier this year, but creating a CA didn't seem to support using a HSM as version 9 did.
Is this working now? Should it work? Will it work in the future? Without it, we must use a different CA.

Thanks in advance!

William Elliott

From edewata at redhat.com  Wed Oct 19 14:46:37 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 19 Oct 2016 09:46:37 -0500
Subject: [Pki-users] Dogtag 10 HSM Support
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1BA9DEDC@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1BA9DEDC@M0182.s-mxs.net>
Message-ID:

On 10/19/2016 6:29 AM, Elliott William C OSS sIT wrote:
> Hi,
>
> What is the current status of HSM Support?
> We tried to set up Dogtag 10 on RHEL7 with Safenet Luna SA HSM earlier this year, but creating a CA didn't seem to support using a HSM as version 9 did.
> Is this working now? Should it work? Will it work in the future? Without it, we must use a different CA.
>
> Thanks in advance!
>
> William Elliott

Hi,

Dogtag 10 does support HSM including Luna SA. Please take a look at this page:
http://pki.fedoraproject.org/wiki/Installing_CA_with_HSM

Just be sure to use the latest available version.

--
Endi S. Dewata

From cfu at redhat.com  Wed Oct 19 17:21:37 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 19 Oct 2016 10:21:37 -0700
Subject: [Pki-users] Dogtag 10 HSM Support
In-Reply-To:
References: <85C87A9995875247B2DD471950E0AE4D1BA9DEDC@M0182.s-mxs.net>
Message-ID: <613a8dfc-1bfc-8fe4-e116-ca0c831206aa@redhat.com>

On 10/19/2016 07:46 AM, Endi Sukma Dewata wrote:
> On 10/19/2016 6:29 AM, Elliott William C OSS sIT wrote:
>> Hi,
>>
>> What is the current status of HSM Support?
>> We tried to set up Dogtag 10 on RHEL7 with Safenet Luna SA HSM earlier
>> this year, but creating a CA didn't seem to support using a HSM as
>> version 9 did.
>> Is this working now? Should it work? Will it work in the future?
>> Without it, we must use a different CA.
>>
>> Thanks in advance!
>>
>> William Elliott
>
> Hi,
>
> Dogtag 10 does support HSM including Luna SA. Please take a look at
> this page:
> http://pki.fedoraproject.org/wiki/Installing_CA_with_HSM
>
> Just be sure to use the latest available version.
>
Right. Just want to stress that older versions of the lunaSA firmware
exhibit issues which were somehow fixed in the latest firmware v6.24.0 I
think.

Christina

From WilliamC.Elliott at s-itsolutions.at  Wed Oct 19 18:29:16 2016
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Wed, 19 Oct 2016 18:29:16 +0000
Subject: [Pki-users] Dogtag 10 HSM Support
Message-ID: <85C87A9995875247B2DD471950E0AE4D1BA9F280@M0182.s-mxs.net>

Great - we'll give it a try.

As a side note: we had issues last year with Dogtag 9 and the latest fw at the time, and were unable to resolve them
with safenet support. We stayed with an older fw version (at startup, dogtag calls to hsm reliably *killed* the
internal connection of the appliance itself to the hsm unit - rendering all partitions dead and requiring
reboot of the appliance - very nasty)

Thanks for the prompt reply.

Cheers,
William

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
Sent: Mittwoch, 19. Oktober 2016 19:22
To: pki-users at redhat.com
Subject: Re: [Pki-users] Dogtag 10 HSM Support [heur]

On 10/19/2016 07:46 AM, Endi Sukma Dewata wrote:
> On 10/19/2016 6:29 AM, Elliott William C OSS sIT wrote:
>> Hi,
>>
>> What is the current status of HSM Support?
>> We tried to set up Dogtag 10 on RHEL7 with Safenet Luna SA HSM earlier
>> this year, but creating a CA didn't seem to support using a HSM as
>> version 9 did.
>> Is this working now? Should it work? Will it work in the future?
>> Without it, we must use a different CA.
>>
>> Thanks in advance!
>>
>> William Elliott
>
> Hi,
>
> Dogtag 10 does support HSM including Luna SA. Please take a look at
> this page:
> http://pki.fedoraproject.org/wiki/Installing_CA_with_HSM
>
> Just be sure to use the latest available version.
>
Right. Just want to stress that older versions of the lunaSA firmware
exhibit issues which were somehow fixed in the latest firmware v6.24.0 I
think.

Christina

From cfu at redhat.com  Wed Oct 19 20:32:24 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 19 Oct 2016 13:32:24 -0700
Subject: [Pki-users] Dogtag 10 HSM Support
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1BA9F280@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1BA9F280@M0182.s-mxs.net>
Message-ID:

Yes, that sounds like exactly what we experienced before getting the
latest update recently.

regards,
Christina

On 10/19/2016 11:29 AM, Elliott William C OSS sIT wrote:
> Great - we'll give it a try.
>
> As a side note: we had issues last year with Dogtag 9 and the latest fw at the time, and were unable to resolve them
> with safenet support. We stayed with an older fw version (at startup, dogtag calls to hsm reliably *killed* the
> internal connection of the appliance itself to the hsm unit - rendering all partitions dead and requiring
> reboot of the appliance - very nasty)
>
> Thanks for the prompt reply.
>
> Cheers,
> William
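The one-time PIN behaviour discussed in the SCEP thread above (a used UID/PWD pair in flatfile.txt is commented out after a successful enrollment, and the reply suggests removing it outright) can be modelled as a small consume-on-success credential store. This is an added example, not Dogtag's own code; it assumes the file holds UID:/PWD: line pairs separated by blank lines and that a leading '#' marks a consumed pair, and its "remove" mode is the stricter variant the reply recommends.

```python
"""Consume-on-success credential store in the style of Dogtag's flatfile.txt.

Added example, not Dogtag's own code. Assumed layout (constructed from the
thread): each record is a "UID:<id>" line followed by a "PWD:<pin>" line,
records are separated by blank lines, and a leading '#' marks a consumed record.
"""
import hmac

COMMENT = "#"

# Constructed sample file: two unused one-time PINs.
SAMPLE_FLATFILE = "UID:1.2.3.4\nPWD:secret\n\nUID:router-2\nPWD:otherpin\n"


def parse_flatfile(text):
    """Return the records in file order.

    Each record is a dict with the uid, the pwd, whether it has already been
    consumed, and the indices of its two lines (so the caller can rewrite them).
    """
    lines = text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        raw = lines[i].strip()
        body = raw.lstrip(COMMENT).strip()
        if body.startswith("UID:") and i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            nxt_body = nxt.lstrip(COMMENT).strip()
            if nxt_body.startswith("PWD:"):
                records.append({
                    "uid": body[len("UID:"):].strip(),
                    "pwd": nxt_body[len("PWD:"):].strip(),
                    "used": raw.startswith(COMMENT) or nxt.startswith(COMMENT),
                    "lines": (i, i + 1),
                })
                i += 2
                continue
        i += 1
    return records


def authenticate(text, uid, pwd, mode="comment"):
    """Validate a one-time UID/PWD pair and retire it on success.

    Returns (ok, new_text). mode="comment" reproduces what the thread reports
    (the two lines get a leading '#'); mode="remove" deletes them, the stricter
    practice the reply recommends. A consumed record never matches again, so a
    second enrollment with the same PIN is refused and the file is left as is.
    """
    if mode not in ("comment", "remove"):
        raise ValueError("mode must be 'comment' or 'remove'")
    lines = text.splitlines(keepends=True)
    for rec in parse_flatfile(text):
        if rec["used"] or rec["uid"] != uid:
            continue
        # Constant-time comparison so response timing does not leak PIN prefixes.
        if not hmac.compare_digest(rec["pwd"].encode(), pwd.encode()):
            continue
        first, second = rec["lines"]
        if mode == "comment":
            lines[first] = COMMENT + lines[first]
            lines[second] = COMMENT + lines[second]
        else:
            del lines[first:second + 1]
            # Also drop the blank separator that followed the record.
            if first < len(lines) and lines[first].strip() == "":
                del lines[first]
        return True, "".join(lines)
    return False, text


def active_uids(text):
    """UIDs that can still enroll: a quick audit of leftover credentials."""
    return [r["uid"] for r in parse_flatfile(text) if not r["used"]]


if __name__ == "__main__":
    ok, after = authenticate(SAMPLE_FLATFILE, "1.2.3.4", "secret")
    print(ok, active_uids(after))   # True ['router-2']
    ok, after = authenticate(after, "1.2.3.4", "secret")
    print(ok)                       # False: the PIN was already consumed
```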