From dmoluguw at redhat.com Sat Dec 1 02:35:28 2018
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Fri, 30 Nov 2018 21:35:28 -0500
Subject: [Pki-users] New release: PKI 10.6.8
Message-ID: <64f3b1651857a53dfceb90c10de3dfb4946be6d5.camel@redhat.com>

Hi everyone!

I'm happy to announce a new release of PKI and its dependencies.

PKI 10.6.8 is now available upstream:
https://github.com/dogtagpki/pki/releases/tag/v10.6.8

Fedora 29 builds are available via the following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-3241dd6a7f

Fedora 28 builds are available via the following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-115068f60e

Fedora Rawhide builds are available in Koji.

Please feel free to try it out. We would love to hear feedback from you!

Regards,
Dinesh

From zarko at etcfstab.com Sun Dec 2 02:09:32 2018
From: zarko at etcfstab.com (Z D)
Date: Sun, 2 Dec 2018 02:09:32 +0000
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To: <4dfe02080e9efa9a8aad6f91047a07e45040d8fe.camel@redhat.com>
References: <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> <5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com> <80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com> <4dfe02080e9efa9a8aad6f91047a07e45040d8fe.camel@redhat.com>
Message-ID:

Thanks Dinesh,

I misread that argument for ca-cert-request-review as a serial number, but as you said it has to be the request ID. Indeed, I made progress, and can retrieve the renewed cert:

[root at ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output ipacert.crt
------------------------
Certificate "0x8fff0090"
------------------------
  Serial Number: 0x8fff0090
  Issuer: CN=Certificate Authority,O=DOMAIN.COM
  Subject: CN=IPA RA,O=DOMIAN.COM
  Status: VALID
  Not Before: Fri Aug 10 01:08:19 PDT 2018
  Not After: Thu Jul 30 01:08:19 PDT 2020

I also stopped the PKI server, removed the old cert from the NSS database, and installed the new one. This is all for ipaCert.
But before I start renewing the other ones (audit, ocsp, subsystem), I have to ask next:

[1] how to properly convert a cert (.crt file) into one line?

I believe I need this in order to update the lines below in the CS.cfg file.

ca.audit_signing.cert=...
ca.ocsp_signing.cert=...
ca.subsystem.cert=...

Thanks a lot for your support.
Zarko

________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy
Sent: Tuesday, November 27, 2018 9:56 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

ZD,

From [6], your request ID is 89990160. But, you are passing request ID as 7

Regards,
Dinesh

On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:

[6] Submit cert request, it's pending

# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 89990160
  Type: renewal
  Request Status: pending
  Operation Result: success

[7] This fails with message "BadRequestException: Request Not In Pending State", as per [6] it should be in pending state

# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve

From dmoluguw at redhat.com Tue Dec 4 20:25:00 2018
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Tue, 04 Dec 2018 12:25:00 -0800
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To:
References: <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> <5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com> <80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com> <4dfe02080e9efa9a8aad6f91047a07e45040d8fe.camel@redhat.com>
Message-ID: <1de56a71bbfac19e890d734d0117f4734a393148.camel@redhat.com>

ZD,

Open the .crt file and delete the newlines, header and footer. Now, update CS.cfg with this value.
Reference: https://www.dogtagpki.org/wiki/System_Certificate_Renewal#PKI_10.3_or_earlier_2

Regards,
Dinesh

On Sun, 2018-12-02 at 02:09 +0000, Z D wrote:
> Thanks Dinesh,
>
> I misread that argument for ca-cert-request-review as a serial number,
> but as you said it has to be the request ID. Indeed, I made progress, and
> can retrieve the renewed cert:
>
> [root at ca-ldap04 tmp]# pki ca-cert-show 0x8fff0090 --output ipacert.crt
> ------------------------
> Certificate "0x8fff0090"
> ------------------------
>   Serial Number: 0x8fff0090
>   Issuer: CN=Certificate Authority,O=DOMAIN.COM
>   Subject: CN=IPA RA,O=DOMIAN.COM
>   Status: VALID
>   Not Before: Fri Aug 10 01:08:19 PDT 2018
>   Not After: Thu Jul 30 01:08:19 PDT 2020
>
> I also stopped the PKI server, removed the old cert from the NSS database,
> and installed the new one. This is all for ipaCert. But before I start
> renewing the other ones (audit, ocsp, subsystem), I have to ask next:
>
> [1] how to properly convert a cert (.crt file) into one line?
>
> I believe I need this in order to update the lines below in the CS.cfg file.
>
> ca.audit_signing.cert=...
> ca.ocsp_signing.cert=...
> ca.subsystem.cert=...
>
> Thanks a lot for your support. Zarko
>
> From: Dinesh Prasanth Moluguwan Krishnamoorthy
> Sent: Tuesday, November 27, 2018 9:56 AM
> To: Z D; John Magne; pki-users at redhat.com
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> ZD,
>
> From [6], your request ID is 89990160.
> But, you are passing request ID as 7
>
> Regards,
> Dinesh
>
> On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:
> > [6] Submit cert request, it's pending
> >
> > # pki ca-cert-request-submit caManualRenewal.xml
> > -----------------------------
> > Submitted certificate request
> > -----------------------------
> >   Request ID: 89990160
> >   Type: renewal
> >   Request Status: pending
> >   Operation Result: success
> >
> > [7] This fails with message "BadRequestException: Request Not In
> > Pending State", as per [6] it should be in pending state
> >
> > # pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve

From jared at techsmix.net Wed Dec 5 04:43:44 2018
From: jared at techsmix.net (Jared Ledvina)
Date: Tue, 04 Dec 2018 23:43:44 -0500
Subject: [Pki-users] Configuring pagesize/max request for LDAP certificate searches
Message-ID: <1543985024.3303850.1599281480.40FC9CA7@webmail.messagingengine.com>

Hi!

I've been looking into why, on our production FreeIPA v4.5.4 installation, 'ipa host-del --updatedns FQDN' operations take 2-5 minutes per host. While looking into this I've discovered a variety of issues that I've fixed along the way. This appears to be the last significant one that I'm unable to sort out.

During an IPA host deletion, it looks like FreeIPA has pki-tomcat revoke all issued certificates for the host being deleted. In our setup, this results in ~10 seconds of paginated LDAP searches to a VLV index per certificate. Typically, a host will have around 5-7 certificates issued and active for it.
From the 389-ds access logs, we see entries like this:
https://paste.fedoraproject.org/paste/60eEuw1ldZh7SZyoIEqUCw

and then in the pki-tomcat debug logs, there are corresponding (by timestamp) entries like this:

[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: getEntries: exception java.lang.ClassCastException
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList: entries: 2000
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getPage(11995)
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getEntries()

Since the search result etimes according to LDAP are really quick (sub 0.0## seconds), I think the easiest way to speed these up would be to increase the page size / max request limit pki-tomcat is using when it queries LDAP.

From my tracing through the code, I think that would involve setting this:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_1_FEDORA_27/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java#L90

which might be used in:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_1_FEDORA_27/base/server/cmscore/src/com/netscape/cmscore/dbs/DBVirtualList.java#L563-L586

Has anyone looked at this code path before? 2000 seems like a sane default, but we have 133,934+ entries and counting in our ou=certificateRepository,ou=ca,o=ipaca, so paging through those results for each issued certificate takes a noticeable amount of time.

Of course, if any other information would help, let me know, more than happy to provide it!

Thanks,
Jared

--
Jared Ledvina
jared at techsmix.net

From ftweedal at redhat.com Fri Dec 21 09:17:13 2018
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 21 Dec 2018 19:17:13 +1000
Subject: [Pki-users] Inquiry: Can Dog Tag issue a certificate for Windows users and computers?
In-Reply-To:
References:
Message-ID: <20181221091713.GQ20482@T470s>

On Fri, Dec 21, 2018 at 03:27:59PM +0800, fu-hong-quan at pacific-textiles.com wrote:
> Hi,
>
> I came across your blog and know that you're working on FreeIPA and Dog
> Tag PKI. As we know, MS CA is a pretty good PKI and it's powered by Group
> Policy of Active Directory; a user can easily request, issue and renew a
> certificate. So my question is: does Dog Tag have the same function,
> issuing and renewing certs for Windows users? e.g. sending a request when
> the user's computer is and the user is logging on?
>
> -Thanks,
>

Hi,

(Cc pki-users at redhat.com mailing list for visibility)

I don't know enough about exactly what Windows does to request certs against AD. Ultimately it will depend on the enrolment protocol, what authentication mechanism is used, and so on. If you can find out more about that, or point me to documentation, I'll be better able to explain how Dogtag could meet the need (or not).

Cheers,
Fraser
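A worked version of the one-line conversion Dinesh describes in the "expired pki-server 10.3.3 certificates" thread above (strip the PEM header and footer, join the base64 lines, paste the result into the ca.*.cert= keys of CS.cfg). This is an added example, not code from the list thread or from the Dogtag project. It assumes POSIX sh with awk; the certificate body and the CS.cfg contents below are constructed stand-ins (the body is not a real certificate, only base64 shaped like one), and all file names are placeholders.

```shell
#!/bin/sh
# Added example: PEM certificate -> single base64 line for CS.cfg.
# Assumes POSIX sh + awk. File contents are constructed, not real.

# Print the base64 body of the first certificate in a PEM file as one
# line: drop the BEGIN/END header and footer, join the lines, and strip
# a trailing CR so a CRLF file (e.g. edited on Windows) still works.
pem_to_oneline() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        inside                        { sub(/\r$/, ""); printf "%s", $0 }
    ' "$1"
}

# Cheap plausibility check on the value before it goes into CS.cfg.
# A DER certificate starts with the bytes 30 82 (SEQUENCE, long form),
# which base64-encodes to "MII"; base64 length is a multiple of 4; and
# no whitespace or header text may survive. Echoes "ok" or "bad".
check_oneline_cert() {
    case $1 in
        *[!A-Za-z0-9+/=]*) echo bad ;;   # whitespace or leftover header/footer
        MII*) if [ $(( ${#1} % 4 )) -eq 0 ]; then echo ok; else echo bad; fi ;;
        *) echo bad ;;                    # does not look like a DER certificate
    esac
}

# Replace (or append) key=value in a CS.cfg-style file, writing to stdout.
# Only the exact key is touched; every other line passes through unchanged.
set_cs_cfg_key() {
    awk -v k="$1" -v v="$2" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$3"
}

# Read the value of a key from a CS.cfg-style file (first match only).
cs_cfg_value() {
    awk -v k="$1" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$2"
}

tmp=$(mktemp -d)

# Constructed stand-in for the file `pki ca-cert-show <serial> --output`
# writes. The second body line carries a CRLF on purpose.
{
    printf '%s\n'   '-----BEGIN CERTIFICATE-----'
    printf '%s\n'   'MIIBAAAAQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIz'
    printf '%s\r\n' 'NDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIz'
    printf '%s\n'   '-----END CERTIFICATE-----'
} > "$tmp/ipacert.crt"

# Constructed CS.cfg fragment with the three keys from the thread.
cat > "$tmp/CS.cfg" <<'EOF'
ca.audit_signing.cert=OLDAUDIT
ca.ocsp_signing.cert=OLDOCSP
ca.subsystem.cert=OLDSUBSYSTEM
EOF

oneline=$(pem_to_oneline "$tmp/ipacert.crt")
echo "one-line value (${#oneline} chars), check: $(check_oneline_cert "$oneline")"

# Write a new copy rather than editing in place; swap it in only after review.
set_cs_cfg_key ca.subsystem.cert "$oneline" "$tmp/CS.cfg" > "$tmp/CS.cfg.new"
echo "ca.subsystem.cert now: $(cs_cfg_value ca.subsystem.cert "$tmp/CS.cfg.new" | cut -c1-16)..."
```

Two practitioner notes. Each ca.*.cert= value must be the same certificate that sits in the server's NSS database under that key's nickname, so run the conversion once per renewed cert (audit, OCSP, subsystem) against the file you exported for that cert, not against a copy of another one. Do the CS.cfg edit with pki-tomcat stopped and a backup of CS.cfg kept, as Zarko did for the NSS side, so a half-edited file is never read by a running server.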