From joris.dedieu at gmail.com Fri Feb 8 13:12:59 2019
From: joris.dedieu at gmail.com (joris dedieu)
Date: Fri, 8 Feb 2019 14:12:59 +0100
Subject: [Pki-users] exporting sub CA to pem format
Message-ID:

Hello Pki users,

I found how to issue a sub certificate with pki ca-authority-create and export certificate with ca-authority-show, but I don't understand how to export Sub CA key. I need it to sign some certificates with puppet or openssl. Is there a way to do so ?

Best Regards
Joris

From msauton at redhat.com Fri Feb 8 18:53:08 2019
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 8 Feb 2019 10:53:08 -0800
Subject: [Pki-users] exporting sub CA to pem format
In-Reply-To:
References:
Message-ID:

I always use the pkispawn command to create instances, not "pki ca-authority-create", so I have a doubt.
But try to check for a related PKCS #12 file with extension .p12 in ~/ , or use certutil in /etc/pki/*/alias/ , the default being /etc/pki/pki-tomcat/alias/
If there is a p12 file, the key material is wrapped, if not, use pk12util to create a p12 file from the NSS db directory.
If this is using an HSM, do not export, or only use the vendor's tools.
Thanks,
M.

On Fri, Feb 8, 2019 at 5:13 AM joris dedieu wrote:
> Hello Pki users,
> I found how to issue a sub certificate with pki ca-authority-create
> and export certificate with ca-authority-show, but I don't understand
> how to export Sub CA key. I need it to sign some certificates with
> puppet or openssl. Is there a way to do so ?
>
> Best Regards
> Joris
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
From ftweedal at redhat.com Mon Feb 11 00:41:55 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Feb 2019 10:41:55 +1000
Subject: [Pki-users] exporting sub CA to pem format
In-Reply-To:
References:
Message-ID: <20190211004155.GL4404@T470s>

On Fri, Feb 08, 2019 at 02:12:59PM +0100, joris dedieu wrote:
> Hello Pki users,
> I found how to issue a sub certificate with pki ca-authority-create
> and export certificate with ca-authority-show, but I don't understand
> how to export Sub CA key. I need it to sign some certificates with
> puppet or openssl. Is there a way to do so ?
>
You really shouldn't export the sub-CA key. There are two alternatives:

1. Use Dogtag to sign the required certificates using the lightweight
   sub-CA. For example:

   pki ca-cert-request-submit --csr-file PATH --issuer-id UUID

2. Generate a keypair and CSR for the Puppet/OpenSSL CA, and create the
   certificate in Dogtag using a CA profile. Dogtag never sees the
   sub-CA's private key.

Hope that helps,
Fraser

From ftweedal at redhat.com Mon Feb 11 00:45:50 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Feb 2019 10:45:50 +1000
Subject: [Pki-users] exporting sub CA to pem format
In-Reply-To:
References:
Message-ID: <20190211004550.GM4404@T470s>

On Fri, Feb 08, 2019 at 10:53:08AM -0800, Marc Sauton wrote:
> I always use the pkispawn command to create instances, not "pki
> ca-authority-create", so I have a doubt.
>
To clarify, ca-authority-create creates a lightweight sub-CA within an
existing Dogtag CA instance. For more info see
https://www.dogtagpki.org/wiki/Lightweight_sub-CAs.

> But try to check for a related PKCS #12 file with extension .p12 in ~/ , or
> use certutil in /etc/pki/*/alias/ , the default
> being /etc/pki/pki-tomcat/alias/
>
> If there is a p12 file, the key material is wrapped, if not, use pk12util
> to create a p12 file from the NSS db directory.
>
The lightweight CA keys indeed live in /etc/pki/pki-tomcat/alias NSSDB.
No PKCS #12 file is created. You could export them yourself, but you
probably shouldn't (unless for backup). I suggest alternatives in my
other reply.

Cheers,
Fraser

> If this is using an HSM, do not export, or only use the vendor's tools.
> Thanks,
> M.

From Brian.Wolf at risd.org Fri Feb 15 19:27:11 2019
From: Brian.Wolf at risd.org (Wolf, Brian)
Date: Fri, 15 Feb 2019 19:27:11 +0000
Subject: [Pki-users] Problem Renewing Server Certificates
Message-ID:

I installed PKI-CA two years ago on a Redhat 7 server. I used it to create certificates for an application and have not needed it since. Now the PKI server certificates are about to expire, I'm trying to renew them using the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal . I am getting an error when I try to submit the renewal request. The error seems to be that it can't find /pki/rest/info.
Installed packages:

pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
nuxwdog-1.0.3-8.el7.x86_64

java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
javapackages-tools-3.4.1-11.el7.noarch
javassist-3.16.1-10.el7.noarch
nuxwdog-client-java-1.0.3-8.el7.x86_64

rest-0.8.1-2.el7.x86_64
resteasy-base-atom-provider-3.0.6-4.el7.noarch
resteasy-base-client-3.0.6-4.el7.noarch
resteasy-base-jackson-provider-3.0.6-4.el7.noarch
resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
resteasy-base-jaxrs-3.0.6-4.el7.noarch
resteasy-base-jaxrs-api-3.0.6-4.el7.noarch

Listing the certificates works. We do not use the default instance of pki-tomcat.

# pki-server cert-find -i ca
-----------------
5 entries matched
-----------------
  Cert ID: ca_signing
  Nickname: caSigningCert ... CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,...
  Issuer DN: CN=CA Signing Certificate,...
  Not Valid Before: Fri Mar 10 16:38:21 2017
  Not Valid After: Tue Mar 10 16:38:21 2037

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert ... CA
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,...
  Issuer DN: CN=CA Signing Certificate,OU=...
  Not Valid Before: Fri Mar 10 16:38:23 2017
  Not Valid After: Thu Feb 28 16:38:23 2019

[snip]

But the renewal request gives a Not Found error:

# pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKIException: Not Found

Adding -v shows an error on the HTTP GET of /pki/rest/info. I don't see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that?
# pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKI options: -v
PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Server URI: http://my-server:8370
Client security database: /root/.dogtag/nssdb
Message format: null
Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Initializing security database
Module: ca
Module: cert
Module: request-submit
Retrieving caManualRenewal profile.
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: my-server:8370
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 977
  Date: Fri, 15 Feb 2019 18:53:25 GMT
com.netscape.certsrv.base.PKIException: Not Found
        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
        at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
        at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
        at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
        at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255

From msauton at redhat.com Sat Feb 16 01:00:36 2019
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 15 Feb 2019 17:00:36 -0800
Subject: [Pki-users] Problem Renewing Server Certificates
In-Reply-To:
References:
Message-ID:

Try adding a -U option with the CA URL, like for example:

pki -v -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal

I added a -d option to point to an NSS db that already trusts the issuer of the SSL certificate presented in the HTTPS connection.
A request should be created and in pending state, until an agent approves it.
( use a profile with agent authentication for automatic issuance, user with SSL client auth should have automatic renewal/cert issuance)
Thanks,
M.

On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian wrote:
> I installed PKI-CA two years ago on a Redhat 7 server. I used it to create
> certificates for an application and have not needed it since. Now the PKI
> server certificates are about to expire, I'm trying to renew them using the
> directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal
> . I am getting an error when I try to submit the renewal request. The
> error seems to be that it can't find /pki/rest/info.
From Brian.Wolf at risd.org Tue Feb 19 22:39:04 2019
From: Brian.Wolf at risd.org (Wolf, Brian)
Date: Tue, 19 Feb 2019 22:39:04 +0000
Subject: [Pki-users] Problem Renewing Server Certificates
In-Reply-To:
References:
Message-ID:

Thanks. That got me a little farther:

# pki -U https://mydomain.example.xyz:8373 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
WARNING: UNTRUSTED ISSUER encountered on 'CN=mydomain.example.xyz,OU=my-instance,O=example.xyz' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=my-instance,O=example.xyz'
Import CA certificate (Y/n)?

'CA Signing Certificate' is the base signing certificate (serial number 0x1). Should the WARNING and prompt about importing it (to where?) be expected? I'm running the commands locally on the CA server, FWIW.

Your command example includes '-d ~/.dogtag/subca1'. The man page says -d is for the client security database location. I just have the default nssdb and my instance directory under ~/.dogtag, so I'm guessing the default nssdb is what I need?

# ls -l ~/.dogtag
total 4
drwxr-xr-x. 2 root root   51 Mar 22  2017 nssdb
drwxrwxr-x. 3 root root 4096 Oct  6  2017 my-instance

- Brian

From: Marc Sauton [mailto:msauton at redhat.com]
Sent: Friday, February 15, 2019 7:01 PM
To: Wolf, Brian
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Problem Renewing Server Certificates

Try adding a -U option with the CA URL, like for example:
pki -v -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal
I added a -d option to point to an NSS db that already trusts the issuer of the SSL certificate presented in the HTTPS connection.
A request should be created and in pending state, until an agent approves it.
From msauton at redhat.com Wed Feb 20 00:08:36 2019
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 19 Feb 2019 16:08:36 -0800
Subject: [Pki-users] Problem Renewing Server Certificates
In-Reply-To:
References:
Message-ID:

yes, the CA cert could be trusted in ~/.dogtag/nssdb/
my test was using a different path.
it is just a warning, so the renewal should have been processed, check in the transactions log file.
Thanks,
M.

On Tue, Feb 19, 2019 at 2:39 PM Wolf, Brian wrote:
> Thanks. That got me a little farther:
>
> # pki -U https://mydomain.example.xyz:8373 ca-cert-request-submit
> --profile caManualRenewal --serial 0x2 --renewal
> WARNING: UNTRUSTED ISSUER encountered on 'CN=mydomain.example.xyz
> ,OU=my-instance,O=example.xyz' indicates a non-trusted CA cert 'CN=CA
> Signing Certificate,OU=my-instance,O=example.xyz'
> Import CA certificate (Y/n)?
>
> 'CA Signing Certificate' is the base signing certificate (serial number
> 0x1). Should the WARNING and prompt about importing it (to where?) be
> expected? I'm running the commands locally on the CA server, FWIW.
>
> Your command example includes '-d ~/.dogtag/subca1'. The man page says -d
> is for the client security database location. I just have the default nssdb
> and my instance directory under ~/.dogtag, so I'm guessing the default
> nssdb is what I need?
>
> # ls -l ~/.dogtag
> total 4
> drwxr-xr-x. 2 root root   51 Mar 22  2017 nssdb
> drwxrwxr-x. 3 root root 4096 Oct  6  2017 my-instance
>
> - Brian
From uncommonkat at gmail.com Mon Feb 25 14:33:33 2019
From: uncommonkat at gmail.com (Kat)
Date: Mon, 25 Feb 2019 08:33:33 -0600
Subject: [Pki-users] DogTag ca denied (inside IPA)
Message-ID:

Hi all - new to list. I can't find the answer on the IPA mailing list and I really think this is directly related to DogTag anyway.

Trying to debug a key being denied. Here is a little snippet of log. Where can I find WHY it is getting denied - or is there some additional debug I can turn on to find it? See the last one? This is driving me crazy - if anyone can point me to debug settings or anything to help me diagnose?

2019-02-09 16:12:56 - SimpleCredsAuth-[auth:simple]    - PASS: '30015' authenticated as '48, 48'
2019-02-09 16:12:56 - SimpleHeaderAuth-[auth:header]   - PASS: '30015' authenticated as '(null)'
2019-02-09 16:12:56 - IPAKEMKeys-[authz:kemkeys]       - PASS: '30015' authorized for '/keys'
2019-02-09 16:12:57 - Secrets-[/keys]                  - ALLOWED: '(null)' requested key 'ca/subsystemCert cert-pki-ca'
2019-02-09 16:14:53 - SimpleCredsAuth-[auth:simple]    - PASS: '30015' authenticated as '48, 48'
2019-02-09 16:14:53 - SimpleHeaderAuth-[auth:header]   - PASS: '30015' authenticated as '(null)'
2019-02-09 16:14:53 - IPAKEMKeys-[authz:kemkeys]       - PASS: '30015' authorized for '/keys'
2019-02-09 16:14:53 - Secrets-[/keys]                  - ALLOWED: '(null)' requested key 'ra/ipaCert'
2019-02-09 16:17:34 - SimpleCredsAuth-[auth:simple]    - PASS: '24826' authenticated as '48, 48'
2019-02-09 16:17:34 - SimpleHeaderAuth-[auth:header]   - PASS: '24826' authenticated as '(null)'
2019-02-09 16:17:34 - IPAKEMKeys-[authz:kemkeys]       - PASS: '24826' authorized for '/keys'
2019-02-09 16:17:34 - Secrets-[/keys]                  - ALLOWED: '(null)' requested key 'dm/DMHash'
2019-02-25 09:21:47 - SimpleCredsAuth-[auth:simple]    - PASS: '5570' authenticated as '48, 48'
2019-02-25 09:21:47 - SimpleHeaderAuth-[auth:header]   - PASS: '5570' authenticated as '(null)'
2019-02-25 09:21:47 - IPAKEMKeys-[authz:kemkeys]       - PASS: '5570' authorized for '/keys'
2019-02-25 09:21:47 - Secrets-[/keys]                  - DENIED: '(null)' requested key 'ca/caSigningCert cert-pki-ca'

-K

From msauton at redhat.com Mon Feb 25 22:06:10 2019
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 25 Feb 2019 14:06:10 -0800
Subject: [Pki-users] DogTag ca denied (inside IPA)
In-Reply-To:
References:
Message-ID:

This is from IPA custodia.
Are there any Dogtag related logs to those events in /var/log/pki/pki-tomcatd/*/debug or /var/log/httpd/* ?
Maybe the CA signing key access requires more privilege.
Thanks,
M.

On Mon, Feb 25, 2019 at 6:34 AM Kat wrote:
> Hi all - new to list. I can't find the answer on the IPA mailing list and
> I really think this is directly related to DogTag anyway.
>
> Trying to debug a key being denied. Here is a little snippet of log. Where
> can I find WHY it is getting denied - or is there some additional debug I
> can turn on to find it? See the last one? This is driving me crazy - if
> anyone can point me to debug settings or anything to help me diagnose?
> > 2019-02-09 16:12:56 - SimpleCredsAuth-[auth:simple] - PASS: '30015' > authenticated as '48, 48' > 2019-02-09 16:12:56 - SimpleHeaderAuth-[auth:header] - PASS: '30015' > authenticated as '(null)' > 2019-02-09 16:12:56 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015' > authorized for '/keys' > 2019-02-09 16:12:57 - Secrets-[/keys] - ALLOWED: '(null)' > requested key 'ca/subsystemCert cert-pki-ca' > 2019-02-09 16:14:53 - SimpleCredsAuth-[auth:simple] - PASS: '30015' > authenticated as '48, 48' > 2019-02-09 16:14:53 - SimpleHeaderAuth-[auth:header] - PASS: '30015' > authenticated as '(null)' > 2019-02-09 16:14:53 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015' > authorized for '/keys' > 2019-02-09 16:14:53 - Secrets-[/keys] - ALLOWED: '(null)' > requested key 'ra/ipaCert' > 2019-02-09 16:17:34 - SimpleCredsAuth-[auth:simple] - PASS: '24826' > authenticated as '48, 48' > 2019-02-09 16:17:34 - SimpleHeaderAuth-[auth:header] - PASS: '24826' > authenticated as '(null)' > 2019-02-09 16:17:34 - IPAKEMKeys-[authz:kemkeys] - PASS: '24826' > authorized for '/keys' > 2019-02-09 16:17:34 - Secrets-[/keys] - ALLOWED: '(null)' > requested key 'dm/DMHash' > *2019-02-25 09:21:47 - SimpleCredsAuth-[auth:simple] - PASS: '5570' > authenticated as '48, 48'* > *2019-02-25 09:21:47 - SimpleHeaderAuth-[auth:header] - PASS: '5570' > authenticated as '(null)'* > *2019-02-25 09:21:47 - IPAKEMKeys-[authz:kemkeys] - PASS: '5570' > authorized for '/keys'* > *2019-02-25 09:21:47 - Secrets-[/keys] - DENIED: '(null)' > requested key 'ca/caSigningCert cert-pki-ca'* > > -K > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL:
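To pick the refused requests out of a Custodia audit log like the one Kat posted, and to see which client made each one, here is an added Python example (not code from the thread, nor from FreeIPA or Custodia). The sample lines are constructed in the format shown above, and attributing a Secrets-[/keys] line to the client id of the most recent auth:simple PASS line is an assumption of this example.

```python
import re

# Constructed sample in the Custodia audit-log format quoted in Kat's
# message above; not copied from a live system.
SAMPLE_LOG = """\
2019-02-09 16:12:56 - SimpleCredsAuth-[auth:simple] - PASS: '30015' authenticated as '48, 48'
2019-02-09 16:12:56 - SimpleHeaderAuth-[auth:header] - PASS: '30015' authenticated as '(null)'
2019-02-09 16:12:56 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015' authorized for '/keys'
2019-02-09 16:12:57 - Secrets-[/keys] - ALLOWED: '(null)' requested key 'ca/subsystemCert cert-pki-ca'
2019-02-25 09:21:47 - SimpleCredsAuth-[auth:simple] - PASS: '5570' authenticated as '48, 48'
2019-02-25 09:21:47 - SimpleHeaderAuth-[auth:header] - PASS: '5570' authenticated as '(null)'
2019-02-25 09:21:47 - IPAKEMKeys-[authz:kemkeys] - PASS: '5570' authorized for '/keys'
2019-02-25 09:21:47 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert cert-pki-ca'
"""

# One audit line: "<timestamp> - <Plugin>-[<tag>] - <RESULT>: '<who>' <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<plugin>[^\s\[]+)-\[(?P<tag>[^\]]+)\] - "
    r"(?P<result>[A-Z]+): '(?P<who>[^']*)' (?P<detail>.*)$"
)
KEY_RE = re.compile(r"requested key '(?P<key>[^']+)'")


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def key_requests(text):
    """Every Secrets-[/keys] request, attributed to the client that made it.

    The Secrets line only shows '(null)', so the client id is taken from the
    most recent auth:simple PASS line. Assumption: requests are not
    interleaved in the log; with concurrent clients this can misattribute.
    """
    client, out = None, []
    for ev in parse_log(text):
        if ev["tag"] == "auth:simple" and ev["result"] == "PASS":
            client = ev["who"]
        elif ev["tag"] == "/keys":
            km = KEY_RE.search(ev["detail"])
            out.append({"ts": ev["ts"], "result": ev["result"], "client": client,
                        "key": km.group("key") if km else ev["detail"]})
    return out


def denied_requests(text):
    """Only the refused requests: the ones to chase in the Dogtag/httpd logs."""
    return [r for r in key_requests(text) if r["result"] == "DENIED"]
```

Running it over a real /var/log/custodia log (or the IPA journal lines) gives a short list of timestamp, client id and key name to line up against the Dogtag debug log Marc points to.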
