From spawn at rloteck.net Mon Sep 12 05:31:24 2016
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Sun, 11 Sep 2016 22:31:24 -0700
Subject: [Pki-users] Changing default "CN" on Dogtag Root Cert

Hi Everyone,

I was wondering. Before I use the "pkispawn" command to create my CA, how can I change the default "CN" of "CA Signing Certificate" to something else? I found this link: http://pki.fedoraproject.org/wiki/Installing_CA that provides a way to customize the CA, but I don't know what option changes the default "CN".

Thanks,

Rafael


From alee at redhat.com Mon Sep 12 13:43:14 2016
From: alee at redhat.com (Ade Lee)
Date: Mon, 12 Sep 2016 09:43:14 -0400
Subject: [Pki-users] Changing default "CN" on Dogtag Root Cert
Message-ID: <1473687794.14929.2.camel@redhat.com>

pki_ca_signing_subject_dn

On Sun, 2016-09-11 at 22:31 -0700, Rafael Leiva-Ochoa wrote:
> Hi Everyone,
>
> I was wondering. Before I use the "pkispawn" command to create
> my CA, how can I change the default "CN" of "CA Signing Certificate"
> to something else? I found this link:
> http://pki.fedoraproject.org/wiki/Installing_CA that provides a way
> to customize the CA, but I don't know what option changes the default
> "CN".
>
> Thanks,
>
> Rafael
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users


From spawn at rloteck.net Tue Sep 13 04:28:03 2016
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Mon, 12 Sep 2016 21:28:03 -0700
Subject: [Pki-users] Changing default "CN" on Dogtag Root Cert
In-Reply-To: <1473687794.14929.2.camel@redhat.com>

That worked. Thanks.
On Mon, Sep 12, 2016 at 6:43 AM, Ade Lee wrote:
> pki_ca_signing_subject_dn
>
> On Sun, 2016-09-11 at 22:31 -0700, Rafael Leiva-Ochoa wrote:
> > [...]


From rperez at osh.com.mx Thu Sep 15 20:12:21 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Thu, 15 Sep 2016 15:12:21 -0500 (CDT)
Subject: [Pki-users] ocsp doesn't work on the client side - "OCSP response signature invalid"
Message-ID: <132867887.2276.1473970341735.JavaMail.zimbra@osh.com.mx>

Error: "OCSP response signature invalid"

On the server side I have configured an instance of pki working properly; I have two subsystems, a CA and an OCSP.

On the client side I have a valid certificate that I use to sign a PDF document.

In Adobe Reader or Adobe Acrobat I perform the following steps:

1. Sign a PDF document
2. Validate Signature
3. I receive the message: "The validity of the signature is unknown"
4. Click on: Check the properties of signature
5. Click on: Show signer certificate
6. Click: Revocation tab

The following message is displayed:

We attempted to determine whether the certificate is valid by performing a revocation check using the Online Certificate Status Protocol (OCSP). The OCSP response was signed by "OCSP Signing CA Certificate" on 2016/09/15 14:53:06 -05'00'. Click Signer Details for more information on the source of the revocation information.
Click Problems Found to see the problems encountered when performing this revocation check.

7. Click on: Problems Found
8. I get the message: "OCSP response signature invalid"


From rperez at osh.com.mx Thu Sep 15 20:29:07 2016
From: rperez at osh.com.mx (Ricardo Alexander Perez Ricardez)
Date: Thu, 15 Sep 2016 15:29:07 -0500 (CDT)
Subject: [Pki-users] How to install theme - I can't see theme
Message-ID: <1140891714.2476.1473971347527.JavaMail.zimbra@osh.com.mx>

Hi,

I installed Dogtag Certificate System and it works correctly. I only have one detail with the theme: it does not show me any pictures or styles (see attached pictures for details). I found this information:

    Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package:

    * dogtag-pki-theme (Dogtag Certificate System deployments)
      * dogtag-pki-server-theme
    * redhat-pki-server-theme (Red Hat Certificate System deployments)
      * redhat-pki-server-theme
    * customized pki theme (Customized Certificate System deployments)
      * <customized>-pki-server-theme

    NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

Look for these packages:

* Dogtag-pki-theme (Dogtag Certificate System deployments)
  * Dogtag-pki-server-theme
* Redhat-pki-server-theme (Red Hat Certificate System deployments)
  * Redhat-pki-server-theme
* Customized pki theme

But for the Dogtag version I use there are no rpms. I found the dogtag-pki-theme-10.2.5.tar.gz file that corresponds to the version I have installed; however, I don't know how to compile it.
http://pkgs.fedoraproject.org/repo/pkgs/dogtag-pki-theme/dogtag-pki-theme-10.2.5.tar.gz/

The environment in which I am working is as follows:

OS: CentOS 7.2
Dogtag Version: 10.2.5-10.el7_2

[Attachments (scrubbed from the archive): theme_dogtag3.PNG, theme_docgtag2.PNG, theme_dogtag.PNG]


From jmagne at redhat.com Tue Sep 20 18:02:37 2016
From: jmagne at redhat.com (John Magne)
Date: Tue, 20 Sep 2016 14:02:37 -0400 (EDT)
Subject: [Pki-users] ocsp doesn't work on the client side - "OCSP response signature invalid"
In-Reply-To: <132867887.2276.1473970341735.JavaMail.zimbra@osh.com.mx>
Message-ID: <1939478162.975581.1474394557729.JavaMail.zimbra@redhat.com>

Is your CA being trusted by the Adobe application in question?

----- Original Message -----
> From: "Ricardo Alexander Perez Ricardez"
> To: pki-users at redhat.com
> Sent: Thursday, September 15, 2016 1:12:21 PM
> Subject: [Pki-users] ocsp doesn't work on the client side - "OCSP response signature invalid"
>
> Error: "OCSP response signature invalid"
>
> On the server side I have configured an instance of pki working properly; I have two subsystems, a CA and an OCSP.
>
> On the client side I have a valid certificate that I use to sign a PDF document.
>
> In Adobe Reader or Adobe Acrobat I perform the following steps:
>
> 1. Sign a PDF document
> 2. Validate Signature
> 3. I receive the message: "The validity of the signature is unknown"
> 4. Click on: Check the properties of signature
> 5. Click on: Show signer certificate
> 6. Click: Revocation tab
>
> The following message is displayed:
>
> We attempted to determine whether the certificate is valid by performing a revocation check using the Online Certificate Status Protocol (OCSP). The OCSP response was signed by "OCSP Signing CA Certificate" on 2016/09/15 14:53:06 -05'00'. Click Signer Details for more information on the source of the revocation information. Click Problems Found to see the problems encountered when performing this revocation check.
>
> 7. Click on: Problems Found
> 8. I get the message: "OCSP response signature invalid"


From ricardoalx.perez at gmail.com Wed Sep 21 17:04:34 2016
From: ricardoalx.perez at gmail.com (Alexander)
Date: Wed, 21 Sep 2016 12:04:34 -0500
Subject: [Pki-users] Pki-users Digest, Vol 101, Issue 4

Hi John, thanks for answering...

Yes it is, my CA is trusted by the Adobe application. I solved it partially, but I think the problem is with the certificate of the OCSP.

Solution:

1. Enable logging for Adobe Acrobat or Adobe Reader to see more details of the error. Check this info:
   http://www.adobe.com/content/dam/Adobe/en/devnet/reader/pdfs/acrobat_reader_security_9x.pdf
   Page 127, 5.3.4.4 Validation Certificate Data Logging, Example 5.7: Chain building log file settings

       [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]
       "ILogLevel" = dword: 00000008
       "SLogFilePath" = 

   The folder path has to exist, but Acrobat will create the file if it's missing. For example, if you want to save the file to C:\LogFile\digSigLog.txt the folder LogFile would have to exist on the C drive, but the log file itself will get created if it's not there already.
   When you type in the file path and name in the Edit Binary Value dialog in regedit, make sure you null terminate the string by typing a zero at the end of the hex data on the left side of the dialog. It will look like a dot on the right side, but it's not really a dot (a dot is 2E in hex).

2. Signature Validation RevCheck
   http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Security.html#SignatureValidationRevCheck%28OCSP%29

       [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_OCSPRevChecker]
       "iReqRevCheck" = dword: 1

   iReqRevCheck: Indicates whether revocation checks are required to succeed on the OCSP response. Set this value to 1 (1: Do a check IF certificate has AIA extension or responder info is in registry; don't fail if the check fails.)

After setting these values in the registry, it indicated that the signatures are valid. If I leave the default value of 2 (2: Do a check IF certificate has AIA extension or responder info is in registry; all checks must succeed if there is data and the check occurs), I continued to receive the same error message.

So I think the key to solve the problem completely is: the OCSP certificate or certificates used to sign must have the Authority Information Access (AIA) certificate extension, or the responder info must be in the registry. I really do not know how to do this or how to verify that the certificates comply with this requirement.

2016-09-21 11:00 GMT-05:00 <pki-users-request at redhat.com>:
> Today's Topics:
>
>    1. Re: ocsp doesn't work on the client side - "OCSP response
>       signature invalid" (John Magne)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 20 Sep 2016 14:02:37 -0400 (EDT)
> From: John Magne
> To: Ricardo Alexander Perez Ricardez
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] ocsp doesn't work on the client side - "OCSP response signature invalid"
> Message-ID: <1939478162.975581.1474394557729.JavaMail.zimbra at redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> Is your CA being trusted by the Adobe application in question?
>
> ----- Original Message -----
> [...]
>
> End of Pki-users Digest, Vol 101, Issue 4


From jmagne at redhat.com Wed Sep 21 17:35:16 2016
From: jmagne at redhat.com (John Magne)
Date: Wed, 21 Sep 2016 13:35:16 -0400 (EDT)
Subject: [Pki-users] Pki-users Digest, Vol 101, Issue 4
Message-ID: <867727863.2637860.1474479316071.JavaMail.zimbra@redhat.com>

Hi:

I guess I'm not sure what is going on here. The setting you describe sounds like it determines that we do a check if the certificate you are checking has an AIA extension. This appears to be the case in your scenario. The setting you chose to work around the problem merely ignores bad checks.

There still appears to be some issue when you have it set to "2", where Adobe doesn't like the OCSP cert itself. I assume this is Windows, so you might go into the "Internet" config options and look at the certs to see if the OCSP cert chain is fully trusted. This is just a guess of course.

----- Original Message -----
> From: "Alexander"
> To: pki-users at redhat.com
> Sent: Wednesday, September 21, 2016 10:04:34 AM
> Subject: Re: [Pki-users] Pki-users Digest, Vol 101, Issue 4
>
> Hi John, thanks for answering...
>
> Yes it is, my CA is trusted by the Adobe application. I solved it partially, but I think the problem is with the certificate of the OCSP.
>
> Solution:
>
> 1. Enable logging for Adobe Acrobat or Adobe Reader to see more details of the error.
>    Check this info:
>    http://www.adobe.com/content/dam/Adobe/en/devnet/reader/pdfs/acrobat_reader_security_9x.pdf
>    Page 127, 5.3.4.4 Validation Certificate Data Logging, Example 5.7: Chain building log file settings
>
>        [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]
>        "ILogLevel" = dword: 00000008
>        "SLogFilePath" = 
>
>    The folder path has to exist, but Acrobat will create the file if it's missing. For example, if you want to save the file to C:\LogFile\digSigLog.txt the folder LogFile would have to exist on the C drive, but the log file itself will get created if it's not there already.
>
>    When you type in the file path and name in the Edit Binary Value dialog in regedit, make sure you null terminate the string by typing a zero at the end of the hex data on the left side of the dialog. It will look like a dot on the right side, but it's not really a dot (a dot is 2E in hex).
>
> 2. Signature Validation RevCheck
>    http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Security.html#SignatureValidationRevCheck%28OCSP%29
>
>        [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_OCSPRevChecker]
>        "iReqRevCheck" = dword: 1
>
>    iReqRevCheck: Indicates whether revocation checks are required to succeed on the OCSP response. Set this value to 1 (1: Do a check IF certificate has AIA extension or responder info is in registry; don't fail if the check fails.)
>
> After setting these values in the registry, it indicated that the signatures are valid. If I leave the default value of 2 (2: Do a check IF certificate has AIA extension or responder info is in registry; all checks must succeed if there is data and the check occurs), I continued to receive the same error message.
>
> So I think the key to solve the problem completely is: the OCSP certificate or certificates used to sign must have the Authority Information Access (AIA) certificate extension, or the responder info must be in the registry.
> I really do not know how to do this or how to verify that the certificates comply with this requirement.
>
> 2016-09-21 11:00 GMT-05:00 < pki-users-request at redhat.com > :
> > [...]


From gchorny at interactivebrokers.com Thu Sep 22 17:27:41 2016
From: gchorny at interactivebrokers.com (George Chorny)
Date: Thu, 22 Sep 2016 13:27:41 -0400
Subject: [Pki-users] Which version to install
Message-ID: <57E4148D.5030600@interactivebrokers.com>

Two questions:

1. Which is the last stable version of DogTag CA? The wiki page on the project site is a bit confusing in that sense.
2. Fedora repos show two versions of dogtag packages - rpms/dogtag-pki and rpms/pki-core. Which one is the right bundle to get the latest stable version?
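For the "OCSP response signature invalid" thread above: Alexander asks how to verify that the certificates carry the AIA extension, and John suggests the OCSP certificate chain itself may not be trusted by Adobe. The script below is an added example, not from the thread or from Dogtag; it builds a constructed, throwaway PKI with openssl (the CA, subject names and the responder URL are placeholders) and then applies the three checks a relying party makes before it accepts a delegated responder's signature on an OCSP response: an OCSP URI in the signing cert's AIA, the OCSP Signing extended key usage on the responder cert (RFC 6960 section 4.2.2.2), and a chain from the responder cert to a trusted CA.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): a constructed, throwaway
# PKI built with openssl, used to check the properties an OCSP client needs
# before it accepts a response signature: the signing cert's AIA/OCSP URI, the
# id-kp-OCSPSigning EKU on the responder cert, and a chain to a trusted CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OCSP_URL="http://ocsp.example.test/ocsp"   # placeholder responder URL

# Self-signed root CA (the stock openssl.cnf marks req -x509 certs CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/O=Example/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Extension profiles for the certificates the CA will issue.
printf 'keyUsage = digitalSignature\nextendedKeyUsage = OCSPSigning\n' > "$WORK/ocsp.ext"
printf 'keyUsage = digitalSignature\nauthorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URL" > "$WORK/ee.ext"
printf 'keyUsage = digitalSignature\n' > "$WORK/plain.ext"

# issue NAME SUBJECT EXTFILE: key, CSR and CA-signed cert written as $WORK/NAME.pem
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}
issue ocsp    "/O=Example/CN=Example OCSP Responder"     "$WORK/ocsp.ext"
issue badocsp "/O=Example/CN=Responder without OCSP EKU" "$WORK/plain.ext"
issue signer  "/O=Example/CN=PDF Signer"                 "$WORK/ee.ext"

# has_ocsp_aia CERT: true if the cert advertises an OCSP responder in its AIA
has_ocsp_aia() {
  openssl x509 -in "$1" -noout -text | grep -q 'OCSP - URI:'
}
# has_ocsp_signing_eku CERT: true if Extended Key Usage contains OCSP Signing
has_ocsp_signing_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q 'OCSP Signing'
}
# chains_to CAFILE CERT: true if CERT validates against the trusted CA bundle
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# responder_ok CAFILE CERT: what a client requires of a delegated responder
# cert before accepting its OCSP response signature: trusted chain AND the EKU
responder_ok() {
  chains_to "$1" "$2" && has_ocsp_signing_eku "$2"
}

yn() { "$@" && echo yes || echo no; }
report() {
  for c in signer ocsp badocsp; do
    f="$WORK/$c.pem"
    printf '%-8s aia=%-3s eku=%-3s chain=%-3s responder_ok=%s\n' "$c" \
      "$(yn has_ocsp_aia "$f")" "$(yn has_ocsp_signing_eku "$f")" \
      "$(yn chains_to "$WORK/ca.pem" "$f")" "$(yn responder_ok "$WORK/ca.pem" "$f")"
  done
}
report
```

To apply the same checks to a real deployment, point has_ocsp_aia at the PDF signing certificate and responder_ok at the certificate that signed the OCSP response (exported from the Adobe signature properties dialog) together with the CA chain the client trusts.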
From mharmsen at redhat.com Thu Sep 22 21:07:24 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 22 Sep 2016 15:07:24 -0600
Subject: [Pki-users] Announcing: External COPR Builds of CentOS 7 PKI EPEL Packages

Everyone,

The Dogtag PKI team is proud to announce the availability of new external COPR builds of PKI EPEL packages for the following two platforms:

* CentOS 7.2:
  o https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.2/repo/epel-7/group_pki-epel-7.2-epel-7.repo
* CentOS 7.3:
  o https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.3/repo/epel-7/group_pki-epel-7.3-epel-7.repo

The CentOS 7.2 builds are based upon the Dogtag 10.2.6 release, while the CentOS 7.3 builds are based upon the Dogtag 10.3.3 release.

Details on obtaining and using these new builds are available on the following Dogtag Wiki page:

* External COPR Builds of CentOS PKI EPEL Packages

Enjoy,
Dogtag Team