From hadmut at danisch.de Tue Mar 13 10:53:50 2018
From: hadmut at danisch.de (Hadmut Danisch)
Date: Tue, 13 Mar 2018 11:53:50 +0100
Subject: [Pki-users] compatibility with other LDAP servers?
Message-ID: <20180313105349.GA16322@danisch.de>

Hi,

just a question I found no answer for in the docs and faqs:

The dogtag-pki is always described together with the 389 directory server.

Is there a particular reason for that, does it require that for some special feature, or does it work with standard LDAP servers as well?

regards
Hadmut


From msauton at redhat.com Tue Mar 13 17:56:03 2018
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 13 Mar 2018 10:56:03 -0700
Subject: [Pki-users] compatibility with other LDAP servers?
In-Reply-To: <20180313105349.GA16322@danisch.de>
References: <20180313105349.GA16322@danisch.de>

389-ds is a general purpose / "standard" LDAP server.

Dogtag has been developed and tested with 389-ds for many years, both were designed together back in version 1.0 ( http://pki.fedoraproject.org/wiki/PKI_History ), it is also related to software certifications, that is the long legacy.

The LDAP schema is extended/customized for this PKI application, but could technically be ported to a different configuration format in other general LDAP servers.

Features like subsystem cloning rely on LDAP replication, and the Dogtag installer/configuration tools do set up all the necessary configurations for the replication agreements, for 389-ds, this could also be technically adapted to other general purpose LDAP servers that can do replication.

So it could work, but it would take significant resources to test several LDAP servers and maintain access to features and configurations changing over time, it does not seem to be worth doing so in comparison with all the work already required.

So 389-ds/RHDS is currently the only supported and fully tested LDAP server on Fedora, CentOS and RHEL, for the "internal db"/backend storage of configuration, requests and certificates.

Note it is possible to publish certificates to other "external" LDAP servers.

Thanks,
M.

On Tue, Mar 13, 2018 at 3:53 AM, Hadmut Danisch wrote:
> Hi,
>
> just a question I found no answer for in the docs and faqs:
>
> The dogtag-pki is always described together with the 389 directory
> server.
>
>
> Is there a particular reason for that, does it require that for some
> special feature, or does it work with standard LDAP servers as well?
>
>
> regards
> Hadmut
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>


From edewata at redhat.com Tue Mar 27 15:16:01 2018
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 27 Mar 2018 11:16:01 -0400 (EDT)
Subject: [Pki-users] Dogtag PKI Website URL
In-Reply-To: <1236301624.16050356.1522161815530.JavaMail.zimbra@redhat.com>
Message-ID: <831564631.16059417.1522163761667.JavaMail.zimbra@redhat.com>

Hi,

The Dogtag PKI Website URL has changed as follows:

* Old URL: http://pki.fedoraproject.org
* New URL: http://www.dogtagpki.org

Please use the new URL whenever possible. The old URL should automatically be redirected to the new URL, so all existing links should continue to work.

Unfortunately, there was a glitch during the transition yesterday causing it to be redirected to redhat.com. If you are experiencing this, you may need to clear the browser cache/history. Please refer to your browser's documentation since the steps are browser-specific.

Sorry for the inconvenience. Thanks!

--
Endi S. Dewata


From ftweedal at redhat.com Wed Mar 28 01:26:07 2018
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 28 Mar 2018 11:26:07 +1000
Subject: [Pki-users] [Pki-devel] Dogtag PKI Website URL
In-Reply-To: <831564631.16059417.1522163761667.JavaMail.zimbra@redhat.com>
References: <1236301624.16050356.1522161815530.JavaMail.zimbra@redhat.com>
 <831564631.16059417.1522163761667.JavaMail.zimbra@redhat.com>
Message-ID: <20180328012607.GU3703@T470s>

On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote:
> Hi,
>
> The Dogtag PKI Website URL has changed as follows:
>
> * Old URL: http://pki.fedoraproject.org
> * New URL: http://www.dogtagpki.org
>
> Please use the new URL whenever possible. The old URL should
> automatically be redirected to the new URL, so all existing links
> should continue to work.
>
> Unfortunately, there was a glitch during the transition yesterday
> causing it to be redirected to redhat.com. If you are experiencing
> this, you may need to clear the browser cache/history. Please refer
> to your browser's documentation since the steps are browser-specific.
>
> Sorry for the inconvenience. Thanks!
>
Thanks for the update, Endi.

Now that the domain change is done, what needs to be done to enable TLS?

Thanks,
Fraser


From edewata at redhat.com Wed Mar 28 01:52:22 2018
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 27 Mar 2018 21:52:22 -0400 (EDT)
Subject: [Pki-users] [Pki-devel] Dogtag PKI Website URL
In-Reply-To: <20180328012607.GU3703@T470s>
References: <1236301624.16050356.1522161815530.JavaMail.zimbra@redhat.com>
 <831564631.16059417.1522163761667.JavaMail.zimbra@redhat.com>
 <20180328012607.GU3703@T470s>
Message-ID: <1082971584.16162292.1522201942154.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote:
> > Hi,
> >
> > The Dogtag PKI Website URL has changed as follows:
> >
> > * Old URL: http://pki.fedoraproject.org
> > * New URL: http://www.dogtagpki.org
> >
> > Please use the new URL whenever possible. The old URL should
> > automatically be redirected to the new URL, so all existing links
> > should continue to work.
> >
> > Unfortunately, there was a glitch during the transition yesterday
> > causing it to be redirected to redhat.com. If you are experiencing
> > this, you may need to clear the browser cache/history. Please refer
> > to your browser's documentation since the steps are browser-specific.
> >
> > Sorry for the inconvenience. Thanks!
> >
> Thanks for the update, Endi.
>
> Now that the domain change is done, what needs to be done to enable
> TLS?
>
> Thanks,
> Fraser

I think Matt/Nathan is in the process of getting an SSL cert, unless there's an easy way to use Let's Encrypt?

--
Endi S. Dewata


From ftweedal at redhat.com Wed Mar 28 03:04:36 2018
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 28 Mar 2018 13:04:36 +1000
Subject: [Pki-users] [Pki-devel] Dogtag PKI Website URL
In-Reply-To: <1082971584.16162292.1522201942154.JavaMail.zimbra@redhat.com>
References: <1236301624.16050356.1522161815530.JavaMail.zimbra@redhat.com>
 <831564631.16059417.1522163761667.JavaMail.zimbra@redhat.com>
 <20180328012607.GU3703@T470s>
 <1082971584.16162292.1522201942154.JavaMail.zimbra@redhat.com>
Message-ID: <20180328030436.GV3703@T470s>

On Tue, Mar 27, 2018 at 09:52:22PM -0400, Endi Sukma Dewata wrote:
> ----- Original Message -----
> > On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote:
> > > Hi,
> > >
> > > The Dogtag PKI Website URL has changed as follows:
> > >
> > > * Old URL: http://pki.fedoraproject.org
> > > * New URL: http://www.dogtagpki.org
> > >
> > > Please use the new URL whenever possible. The old URL should
> > > automatically be redirected to the new URL, so all existing links
> > > should continue to work.
> > >
> > > Unfortunately, there was a glitch during the transition yesterday
> > > causing it to be redirected to redhat.com. If you are experiencing
> > > this, you may need to clear the browser cache/history. Please refer
> > > to your browser's documentation since the steps are browser-specific.
> > >
> > > Sorry for the inconvenience. Thanks!
> > >
> > Thanks for the update, Endi.
> >
> > Now that the domain change is done, what needs to be done to enable
> > TLS?
> >
> > Thanks,
> > Fraser
>
> I think Matt/Nathan is in the process of getting an SSL cert, unless
> there's an easy way to use Let's Encrypt?
>
We should be able to use the ACME HTTP or DNS challenges to get a certificate from Let's Encrypt. Not sure which would be easiest to get going (and automate) on OpenShift. Here's a recently published article on the official OpenShift blog about it:

https://blog.openshift.com/lets-encrypt-acme-v2-api/

It's a shame OpenShift Online hasn't got automatic OOTB TLS support via ACME/LE yet. I gave them a heads-up years ago. We are behind the competition.

Cheers,
Fraser


From edewata at redhat.com Wed Mar 28 03:30:25 2018
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 27 Mar 2018 23:30:25 -0400 (EDT)
Subject: [Pki-users] [Pki-devel] Dogtag PKI Website URL
In-Reply-To: <20180328030436.GV3703@T470s>
References: <1236301624.16050356.1522161815530.JavaMail.zimbra@redhat.com>
 <831564631.16059417.1522163761667.JavaMail.zimbra@redhat.com>
 <20180328012607.GU3703@T470s>
 <1082971584.16162292.1522201942154.JavaMail.zimbra@redhat.com>
 <20180328030436.GV3703@T470s>
Message-ID: <1970010245.16173592.1522207825878.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On Tue, Mar 27, 2018 at 09:52:22PM -0400, Endi Sukma Dewata wrote:
> > ----- Original Message -----
> > > On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote:
> > > > Hi,
> > > >
> > > > The Dogtag PKI Website URL has changed as follows:
> > > >
> > > > * Old URL: http://pki.fedoraproject.org
> > > > * New URL: http://www.dogtagpki.org
> > > >
> > > > Please use the new URL whenever possible. The old URL should
> > > > automatically be redirected to the new URL, so all existing links
> > > > should continue to work.
> > > >
> > > > Unfortunately, there was a glitch during the transition yesterday
> > > > causing it to be redirected to redhat.com. If you are experiencing
> > > > this, you may need to clear the browser cache/history. Please refer
> > > > to your browser's documentation since the steps are browser-specific.
> > > >
> > > > Sorry for the inconvenience. Thanks!
> > > >
> > > Thanks for the update, Endi.
> > >
> > > Now that the domain change is done, what needs to be done to enable
> > > TLS?
> > >
> > > Thanks,
> > > Fraser
> >
> > I think Matt/Nathan is in the process of getting an SSL cert, unless
> > there's an easy way to use Let's Encrypt?
> >
> We should be able to use the ACME HTTP or DNS challenges to get a
> certificate from Let's Encrypt. Not sure which would be easiest to
> get going (and automate) on OpenShift. Here's a recently published
> article on the official OpenShift blog about it:
>
> https://blog.openshift.com/lets-encrypt-acme-v2-api/
>
> It's a shame OpenShift Online hasn't got automatic OOTB TLS support
> via ACME/LE yet. I gave them a heads-up years ago. We are behind
> the competition.
>
> Cheers,
> Fraser

Thanks for the info. There's also an older article about that:
https://blog.openshift.com/create-https-based-encrypted-urls-using-routes/
but I haven't been able to get it working. Maybe I'll be able to revisit this in a few weeks. HTTP challenge should be easier since we have access to the server.

--
Endi S. Dewata


From spawn at rloteck.net Thu Mar 29 18:42:14 2018
From: spawn at rloteck.net (Rafael Leiva-Ochoa)
Date: Thu, 29 Mar 2018 11:42:14 -0700
Subject: [Pki-users] SAN for Launch page.

Hi Everyone,

I am trying to build a new CA, and I am using the ca.cfg file to create the CA, but when I create the CA, the SAN is missing from the website cert (:8443). I am trying to look for the right value to put on the ca.cfg file for the SAN, so the launch page does not give me SAN errors. Here is what I found, but nothing relating to the SAN:

[CA]
pki_admin_email=caadmin at example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE

Any ideas?

Rafael


From msauton at redhat.com Thu Mar 29 19:57:11 2018
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 29 Mar 2018 12:57:11 -0700
Subject: [Pki-users] SAN for Launch page.

Try to add to the pkispawn config file, for example:

pki_san_inject=True
pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com

Note for the "non-internal" certificates, there is a way to modify enrollment profiles to add a SAN, but a recent updated feature is described in the page at
http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN

Thanks,
M.

On Thu, Mar 29, 2018 at 11:42 AM, Rafael Leiva-Ochoa wrote:
> Hi Everyone,
>
> I am trying to build a new CA, and I am using the ca.cfg file to
> create the CA, but when I create the CA, the SAN is missing from the
> website cert (:8443). I am trying to look for the right value to put on the
> ca.cfg file for the SAN, so the launch page does not give me SAN
> errors. Here is what I found, but nothing relating to the SAN:
>
> [CA]
> pki_admin_email=caadmin at example.com
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=Secret.123
> pki_admin_uid=caadmin
>
> pki_client_database_password=Secret.123
> pki_client_database_purge=False
> pki_client_pkcs12_password=Secret.123
>
> pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
> pki_ds_database=ca
> pki_ds_password=Secret.123
>
> pki_security_domain_name=EXAMPLE
>
> Any ideas?
>
> Rafael
>


From msauton at redhat.com Fri Mar 30 16:48:23 2018
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 30 Mar 2018 09:48:23 -0700
Subject: [Pki-users] SAN for Launch page.

opened ticket
https://pagure.io/dogtagpki/issue/2979
SAN in internal SSL server certificate in pkispawn configuration step
community comments welcome.

On Fri, Mar 30, 2018 at 8:24 AM, Rafael Leiva-Ochoa wrote:
> Yes, making this a default will make it much easier.
>
> On Fri, Mar 30, 2018 at 8:14 AM Marc Sauton wrote:
>
>> Yes, sorry, I forgot to mention the profile used for the internal SSL
>> server certificate at configuration needed to be copied
>> from /usr/share/pki/ca/conf/serverCert.profile.exampleWithSAN
>> Should we make this a default setting?
>> Thanks,
>> M.
>>
>> On Thu, Mar 29, 2018 at 10:05 PM, Rafael Leiva-Ochoa wrote:
>>
>>> Found the solution here... Thanks again!
>>>
>>> https://www.redhat.com/archives/pki-devel/2015-April/msg00077.html
>>>
>>> On Thu, Mar 29, 2018 at 8:06 PM, Rafael Leiva-Ochoa wrote:
>>>
>>>> sending to alias also...
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Rafael Leiva-Ochoa
>>>> Date: Thu, Mar 29, 2018 at 3:35 PM
>>>> Subject: Re: [Pki-users] SAN for Launch page.
>>>> To: Marc Sauton
>>>>
>>>>
>>>> It did not work. I am still getting SAN errors when using the Launch
>>>> page. I viewed the Cert that was issued to the launch page, and it is still
>>>> missing the SAN. Here is my ca.cfg:
>>>>
>>>> [CA]
>>>> pki_admin_email=caadmin at test.com
>>>> pki_admin_name=caadmin
>>>> pki_admin_nickname=caadmin
>>>> pki_admin_password=xxxxxxxx
>>>> pki_admin_uid=caadmin
>>>>
>>>> pki_san_inject=True
>>>> pki_san_for_server_cert=dogtag-ca-root.test.com
>>>>
>>>> pki_client_database_password=xxxxxxxx
>>>> pki_client_database_purge=False
>>>> pki_client_pkcs12_password=xxxxxxxxxx
>>>>
>>>> pki_ds_base_dn=dc=test,dc=com
>>>> pki_ds_database=pki-tomcat
>>>> pki_ds_password=xxxxxxx
>>>>
>>>> pki_ca_signing_subject_dn=cn=TEST Root CA,ou=TEST Certification Authority,c=US
>>>>
>>>> Thanks,
>>>>
>>>> Rafael
>>>>
>>>> On Thu, Mar 29, 2018 at 2:50 PM, Rafael Leiva-Ochoa wrote:
>>>>
>>>>> Thanks, I will give that a try.
>>>>>
>>>>> On Thu, Mar 29, 2018 at 12:57 PM, Marc Sauton wrote:
>>>>>
>>>>>> Try to add to the pkispawn config file, for example:
>>>>>> pki_san_inject=True
>>>>>> pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com
>>>>>>
>>>>>> Note for the "non-internal" certificates, there is a way to modify
>>>>>> enrollment profiles to add a SAN, but a recent updated feature is described
>>>>>> in the page at
>>>>>> http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN
>>>>>>
>>>>>> Thanks,
>>>>>> M.
>>>>>>
>>>>>> On Thu, Mar 29, 2018 at 11:42 AM, Rafael Leiva-Ochoa <spawn at rloteck.net> wrote:
>>>>>>
>>>>>>> Hi Everyone,
>>>>>>>
>>>>>>> I am trying to build a new CA, and I am using the ca.cfg file to
>>>>>>> create the CA, but when I create the CA, the SAN is missing from the
>>>>>>> website cert (:8443). I am trying to look for the right value to put on the
>>>>>>> ca.cfg file for the SAN, so the launch page does not give me SAN
>>>>>>> errors. Here is what I found, but nothing relating to the SAN:
>>>>>>>
>>>>>>> [CA]
>>>>>>> pki_admin_email=caadmin at example.com
>>>>>>> pki_admin_name=caadmin
>>>>>>> pki_admin_nickname=caadmin
>>>>>>> pki_admin_password=Secret.123
>>>>>>> pki_admin_uid=caadmin
>>>>>>>
>>>>>>> pki_client_database_password=Secret.123
>>>>>>> pki_client_database_purge=False
>>>>>>> pki_client_pkcs12_password=Secret.123
>>>>>>>
>>>>>>> pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
>>>>>>> pki_ds_database=ca
>>>>>>> pki_ds_password=Secret.123
>>>>>>>
>>>>>>> pki_security_domain_name=EXAMPLE
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Rafael
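An added pre-flight check for the two pkispawn settings Marc recommends in his Mar 29 reply (example code written for this archive, not part of Dogtag or pkispawn): it parses a pkispawn-style config with configparser and reports when pki_san_inject is off or when a hostname that clients will use to reach the launch page on :8443 is missing from pki_san_for_server_cert. The sample config text and hostnames are constructed for the example.

```python
"""Pre-flight check for the SAN settings in a pkispawn config file.

Not Dogtag code: an added example for this thread. The config text
below is constructed; hostnames are illustrative.
"""
import configparser
from typing import List

# Constructed sample: a [CA] section in the shape shown in the thread,
# with the two SAN settings from Marc's reply. Secrets are placeholders.
SAMPLE_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat

[CA]
pki_admin_uid=caadmin
pki_ds_base_dn=dc=test,dc=com
pki_san_inject=True
pki_san_for_server_cert=dogtag-ca-root.test.com,ca.test.com
"""


def load_cfg(text: str) -> configparser.ConfigParser:
    # pkispawn configs are INI-style; values such as DNs contain '=' and
    # '%', so disable interpolation and let configparser split on the first '='.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def san_names(cfg: configparser.ConfigParser, section: str = "CA") -> List[str]:
    # pki_san_for_server_cert is a comma-separated list of DNS names.
    raw = cfg.get(section, "pki_san_for_server_cert", fallback="")
    return [n.strip().lower() for n in raw.split(",") if n.strip()]


def check_san_config(text: str, expected_hosts: List[str], section: str = "CA") -> List[str]:
    """Return a list of problems; an empty list means the SAN settings look right."""
    cfg = load_cfg(text)
    problems: List[str] = []
    if not cfg.getboolean(section, "pki_san_inject", fallback=False):
        problems.append("pki_san_inject is not True: no SAN will be injected "
                        "into the internal SSL server certificate")
    names = san_names(cfg, section)
    if not names:
        problems.append("pki_san_for_server_cert is empty")
    for host in expected_hosts:  # DNS names compare case-insensitively
        if host.lower() not in names:
            problems.append(f"{host} is missing from pki_san_for_server_cert")
    return problems


if __name__ == "__main__":
    for line in check_san_config(SAMPLE_CFG, ["dogtag-ca-root.test.com"]) or ["SAN config OK"]:
        print(line)
```

The profile copy Marc mentions in his Mar 30 follow-up (serverCert.profile.exampleWithSAN) is a separate step that this check does not cover.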