From sharathkumar.gundu at tecra.com Fri Nov 1 11:59:40 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Fri, 1 Nov 2019 17:29:40 +0530
Subject: [Pki-users] How to generate the certificate in pkcs #12 format using Dogtag PKI
Message-ID: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>

HI Team,

1. Can you please help, how to generate the certificate using pkcs #12 format??

2. Is there any to validate the certificate with password using Dogtag PKI ??

Thanks,

Sharath

From alex at junghalter.de Fri Nov 1 12:32:09 2019
From: alex at junghalter.de (Alexander Jung)
Date: Fri, 1 Nov 2019 13:32:09 +0100
Subject: [Pki-users] How to generate the certificate in pkcs #12 format using Dogtag PKI
In-Reply-To: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>
References: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>
Message-ID:

Hello,

you cannot generate a PKCS12 using a CA alone - the CA handles only the public key of your certificate, while a PKCS12 contains the private key too.
I usually use openssl to combine those, or custom java code for bulk issued certificates.

On Fri, 1 Nov 2019 at 13:00, Sharath <sharathkumar.gundu at tecra.com> wrote:

> HI Team,
>
> 1. Can you please help, how to generate the certificate using pkcs #12
> format??
>
> 2. Is there any to validate the certificate with password using Dogtag
> PKI ??
>
> Thanks,
>
> Sharath
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From alex at junghalter.de Fri Nov 1 12:36:19 2019
From: alex at junghalter.de (Alexander Jung)
Date: Fri, 1 Nov 2019 13:36:19 +0100
Subject: [Pki-users] How to generate the certificate in pkcs #12 format using Dogtag PKI
In-Reply-To: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>
References: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>
Message-ID:

Certificate validation does not involve passwords. You (or your client, e.g. Windows) check the following:
- is this certificate signed by a trusted CA (you need to add your CA to the trusted roots beforehand)
- is the validity period still in range with the current date (= if your clock is off, this can get a problem)
- if the certificate or the CA's certificate reference a CRL or an OCSP URI, then that is used for validity checking too.

No password anywhere...

On Fri, 1 Nov 2019 at 13:00, Sharath <sharathkumar.gundu at tecra.com> wrote:

> HI Team,
>
> 1. Can you please help, how to generate the certificate using pkcs #12
> format??
>
> 2. Is there any to validate the certificate with password using Dogtag
> PKI ??
>
> Thanks,
>
> Sharath

From ftweedal at redhat.com Mon Nov 4 04:29:41 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 4 Nov 2019 14:29:41 +1000
Subject: [Pki-users] [Pki-devel] How to generate the certificate in pkcs #12 format using Dogtag PKI
In-Reply-To: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>
References: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com>
Message-ID: <20191104042941.GD8128@T470s>

On Fri, Nov 01, 2019 at 05:29:40PM +0530, Sharath wrote:
> HI Team,
>
> 1. Can you please help, how to generate the certificate using pkcs #12
> format??
>

Hi Sharath,

PKCS #12 is a key and certificate archival format.
The main use of PKCS #12 in Dogtag is retrieving archived keys from the KRA (key recovery authority).

If you have a certificate and the corresponding private key you can create a PKCS #12 file using 'openssl pkcs12', or for keys in NSS databases 'pk12util'.

If you provide more context about your use case, we may be able to provide more assistance :)

> 2. Is there any to validate the certificate with password using Dogtag PKI
> ??
>

Again, it's not clear what you're trying to do. But with PKI you never need a passphrase or private key to validate certificate signatures.

Cheers,
Fraser

> Thanks,
>
> Sharath
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From sharathkumar.gundu at tecra.com Mon Nov 4 07:09:54 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Mon, 4 Nov 2019 12:39:54 +0530
Subject: [Pki-users] [Pki-devel] How to generate the certificate in pkcs #12 format using Dogtag PKI
In-Reply-To: <20191104042941.GD8128@T470s>
References: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com> <20191104042941.GD8128@T470s>
Message-ID: <03e5fce4-4f18-653b-a6e7-8adceb79b73b@tecra.com>

HI Fraser,

I have use case like need to certify the PDF document with "handwritten user signature with associated certificate and it should be validate with the password" ??

How can we achieve this using Dogtag PKI??

Thanks,

Sharath

On 04/11/19 9:59 AM, Fraser Tweedale wrote:
> On Fri, Nov 01, 2019 at 05:29:40PM +0530, Sharath wrote:
>> HI Team,
>>
>> 1. Can you please help, how to generate the certificate using pkcs #12
>> format??
>>
> Hi Sharath,
>
> PKCS #12 is a key and certificate archival format. The main use of
> PKCS #12 in Dogtag is retrieving archived keys from the KRA (key
> recovery authority).
>
> If you have a certificate and the corresponding private key you can
> create a PKCS #12 file using 'openssl pkcs12', or for keys in NSS
> databases 'pk12util'.
>
> If you provide more context about your use case, we may be able to
> provide more assistance :)
>
>> 2. Is there any to validate the certificate with password using Dogtag PKI
>> ??
>>
> Again, it's not clear what you're trying to do. But with PKI you
> never need a passphrase or private key to validate certificate
> signatures.
>
> Cheers,
> Fraser
>
>> Thanks,
>>
>> Sharath

From sharathkumar.gundu at tecra.com Mon Nov 4 11:41:51 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Mon, 4 Nov 2019 17:11:51 +0530
Subject: [Pki-users] Generate the certificate with key length 2048
Message-ID: <6531b94b-dce9-1394-d6d5-f0b1ca2fd869@tecra.com>

HI Team,

How to generate the certificate with key length of 2048 bits using dogtag PKI??

How to retrieve the associated public/private key from certificate??

Thanks,

Sharath

From sharathkumar.gundu at tecra.com Wed Nov 6 12:20:32 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Wed, 6 Nov 2019 17:50:32 +0530
Subject: [Pki-users] How generate the pkcs12 certificate Dogtag
Message-ID:

Hello Team,

Can you please help? "How to generate the private key and associated certificate(matching to the Private Key) using Dogtag" ??

Thanks,

Sharath

From sharathkumar.gundu at tecra.com Wed Nov 6 14:00:12 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Wed, 6 Nov 2019 19:30:12 +0530
Subject: [Pki-users] How to find the private key Dogtag
Message-ID:

Hello Team,

I have certificate and the public key but where i can find the private key ??

pki ca-cert-show 0x30 --output myCert.cer

  Key ID: 0x1a
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: CN=test_sharath01,O=tecra
  Public Key:

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZNLvZQ+WVnBBHM3nw3UldIdVi
    droNReev+/iMyaLlvuof4io2V1Yv8oT5Yhfxuoblt+nqdWpAwgFeTHKxTpVmyNpZ
    UiyEdhLssIJ5cPGZ0BjRKjehsapPCMZzslvFbVG8Rb8E0md0av9ncJBcM9caicRz
    7qeRqqunXFtvfViZ2QIDAQAB

pki -d ~/.dogtag/nssdb -c Secret at 123 -n "PKI Administrator for tecra-db02" kra-key-show 0x1a

  Key ID: 0x1a
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: CN=test_sharath01,O=tecra
  Public Key:

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZNLvZQ+WVnBBHM3nw3UldIdVi
    droNReev+/iMyaLlvuof4io2V1Yv8oT5Yhfxuoblt+nqdWpAwgFeTHKxTpVmyNpZ
    UiyEdhLssIJ5cPGZ0BjRKjehsapPCMZzslvFbVG8Rb8E0md0av9ncJBcM9caicRz
    7qeRqqunXFtvfViZ2QIDAQAB

Thanks,

Sharath

From sharathkumar.gundu at tecra.com Wed Nov 6 15:54:25 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Wed, 6 Nov 2019 21:24:25 +0530
Subject: [Pki-users] To retrieve private key
Message-ID: <3eb4c310-fd38-a348-5a12-282f4be5ced0@tecra.com>

Hello Team,

While retrieving getting Null pointer Exception ??

pki -d ~/.dogtag/nssdb -c Secret at 123 -n "PKI Administrator for tecra-db02" kra-key-retrieve --keyID 0x1a --output-data private.key

WARNING: BAD_CERT_DOMAIN encountered on 'CN=tecra-db02,OU=pki-tomcat,O=tecra-db02 Security Domain' indicates a common-name mismatch
------------------------
Retrieve Key Information
------------------------
NullPointerException: null

Thanks,

Sharath

From dmoluguw at redhat.com Thu Nov 7 18:35:17 2019
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Thu, 07 Nov 2019 13:35:17 -0500
Subject: [Pki-users] [Pki-devel] How generate the pkcs12 certificate Dogtag
In-Reply-To:
References:
Message-ID: <0aa4c4686ec675fc31693527f12ac836b890fb52.camel@redhat.com>

Hello Sharath,

There are different types of certificates that can be generated using Dogtag.
You can learn more here:
https://www.dogtagpki.org/wiki/Certificate_Management

This document should help you get started with generic certificates:
https://www.dogtagpki.org/wiki/PKI_CA_Certificate_CLI

Regards,
--Dinesh

On Wed, 2019-11-06 at 17:50 +0530, Sharath wrote:
> Hello Team,
>
> Can you please help "How to generate the private key and associated
> certificate(matching to the Private Key) using Dogtag" ??
>
> Thanks,
>
> Sharath

From dmoluguw at redhat.com Thu Nov 7 19:34:44 2019
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Thu, 07 Nov 2019 14:34:44 -0500
Subject: [Pki-users] [Pki-devel] How to find the private key Dogtag
In-Reply-To:
References:
Message-ID: <7081b46301754dd3460396f4a74fb557ac10a605.camel@redhat.com>

Hello Sharath,

(responding to your "To retrieve private key" email as well)

You can start by looking at:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/key_recovery_authority

For CLI instructions, refer:
https://www.dogtagpki.org/wiki/Certificate_Key_Archival
https://www.dogtagpki.org/wiki/PKI_KRA_Key_CLI

OR

For GUI, you can retrieve the PKCS#12 (.p12) file from the KRA Web UI:
https://:/kra

You can obtain the above URL by running `pkidaemon status` in the server where you have KRA installed

Note that you need to import KRA Admin cert into browser in order to retrieve keys

If you need more assistance, please feel free to reach out! Good luck!

Regards,
--Dinesh

On Wed, 2019-11-06 at 19:30 +0530, Sharath wrote:
> Hello Team,
>
> I have certificate and the public key but where i can find the private
> key ??
>
> pki ca-cert-show 0x30 --output myCert.cer
>
>   Key ID: 0x1a
>   Algorithm: 1.2.840.113549.1.1.1
>   Size: 1024
>   Owner: CN=test_sharath01,O=tecra
>   Public Key:
>
>     MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZNLvZQ+WVnBBHM3nw3UldIdVi
>     droNReev+/iMyaLlvuof4io2V1Yv8oT5Yhfxuoblt+nqdWpAwgFeTHKxTpVmyNpZ
>     UiyEdhLssIJ5cPGZ0BjRKjehsapPCMZzslvFbVG8Rb8E0md0av9ncJBcM9caicRz
>     7qeRqqunXFtvfViZ2QIDAQAB
>
> pki -d ~/.dogtag/nssdb -c Secret at 123 -n "PKI Administrator for
> tecra-db02" kra-key-show 0x1a
>
>   Key ID: 0x1a
>   Algorithm: 1.2.840.113549.1.1.1
>   Size: 1024
>   Owner: CN=test_sharath01,O=tecra
>   Public Key:
>
>     MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZNLvZQ+WVnBBHM3nw3UldIdVi
>     droNReev+/iMyaLlvuof4io2V1Yv8oT5Yhfxuoblt+nqdWpAwgFeTHKxTpVmyNpZ
>     UiyEdhLssIJ5cPGZ0BjRKjehsapPCMZzslvFbVG8Rb8E0md0av9ncJBcM9caicRz
>     7qeRqqunXFtvfViZ2QIDAQAB
>
> Thanks,
>
> Sharath

From ascheel at redhat.com Thu Nov 7 20:21:13 2019
From: ascheel at redhat.com (Alex Scheel)
Date: Thu, 7 Nov 2019 15:21:13 -0500 (EST)
Subject: [Pki-users] [Pki-devel] How to generate the certificate in pkcs #12 format using Dogtag PKI
In-Reply-To: <03e5fce4-4f18-653b-a6e7-8adceb79b73b@tecra.com>
References: <6b9be431-b4a2-b607-e57c-0f29f4f1dbe3@tecra.com> <20191104042941.GD8128@T470s> <03e5fce4-4f18-653b-a6e7-8adceb79b73b@tecra.com>
Message-ID: <325387102.10212570.1573158073709.JavaMail.zimbra@redhat.com>

Hi Sharath,

I think a X509 Certificate with "digital signature" key usage would suffice based on what I can tell:

- https://helpx.adobe.com/acrobat/using/certificate-based-signatures.html
- https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/standard_x.509_v3_certificate_extensions

Per a digicert article on the subject, you might want timestamping as an extended key usage as well:

- https://www.digicert.com/document-signing/how-to-sign-a-pdf.htm
- https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/Standard_X.509_v3_Certificate_Extensions#Discussion-PKIX_Extended_Key_Usage_Extension_Uses

Details are kinda sparse about what else you'd need, or if those are sufficient.
You might try reading Section 12.7.4.5 "Signature Fields", Section 12.8 "Digital Signatures", and in particular, Section 12.8.3.3 "PKCS#7 Signatures as used in ISO 32000" of the PDF 1.7 specification for more information:

- https://www.adobe.com/content/dam/acom/en/devnet/pdf/pdfs/PDF32000_2008.pdf

You'd probably want to create a certificate profile with this information at any rate:

- https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/certificate_profiles

Hope that helps,

- Alex

----- Original Message -----
> From: "Sharath"
> To: "Fraser Tweedale"
> Cc: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Monday, November 4, 2019 2:09:54 AM
> Subject: Re: [Pki-users] [Pki-devel] How to generate the certificate in pkcs #12 format using Dogtag PKI
>
> HI Fraser,
>
> I have use case like need to certify the PDF document with "handwritten
> user signature with associated certificate and it should be validate
> with the password" ??
>
> How can we achieve this using Dogtag PKI??
>
> Thanks,
>
> Sharath
>
> On 04/11/19 9:59 AM, Fraser Tweedale wrote:
> > On Fri, Nov 01, 2019 at 05:29:40PM +0530, Sharath wrote:
> >> HI Team,
> >>
> >> 1. Can you please help, how to generate the certificate using pkcs #12
> >> format??
> >>
> > Hi Sharath,
> >
> > PKCS #12 is a key and certificate archival format. The main use of
> > PKCS #12 in Dogtag is retrieving archived keys from the KRA (key
> > recovery authority).
> >
> > If you have a certificate and the corresponding private key you can
> > create a PKCS #12 file using 'openssl pkcs12', or for keys in NSS
> > databases 'pk12util'.
> >
> > If you provide more context about your use case, we may be able to
> > provide more assistance :)
> >
> >> 2. Is there any to validate the certificate with password using Dogtag PKI
> >> ??
> >>
> > Again, it's not clear what you're trying to do. But with PKI you
> > never need a passphrase or private key to validate certificate
> > signatures.
> >
> > Cheers,
> > Fraser
> >
> >> Thanks,
> >>
> >> Sharath
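
The workflow the replies in this thread describe, as an added example that is not part of the original messages or of Dogtag's own tooling: the key pair is generated on the subscriber side, a CA signs the certificate, 'openssl pkcs12' bundles both, and validation needs no passphrase. A throwaway openssl CA stands in for the Dogtag CA, and every subject name, file name and passphrase is a constructed sample value.

```shell
#!/bin/sh
# Added example. A throwaway openssl CA stands in for the Dogtag CA; all
# subject names, file names and the passphrase are constructed samples.
set -eu

make_p12() {                     # $1 = work dir, $2 = PKCS #12 passphrase
    d=$1
    # Stand-in CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Subscriber: 2048-bit key pair plus CSR. Only the CSR goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=example-signer/O=example" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    # CA issues the certificate with the digitalSignature key usage.
    printf 'keyUsage = critical, digitalSignature\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" \
        -out "$d/user.pem" 2>/dev/null
    # Bundle private key, certificate and CA certificate into PKCS #12.
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
        -certfile "$d/ca.pem" -name example-signer \
        -passout "pass:$2" -out "$d/user.p12"
}

key_matches_cert() {             # $1 = private key, $2 = certificate
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

verify_cert() {                  # $1 = CA cert, $2 = cert; no passphrase used
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

p12_opens() {                    # $1 = PKCS #12 file, $2 = passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_p12 "$work" 'constructed-passphrase'
key_matches_cert "$work/user.key" "$work/user.pem" && echo "key matches cert"
verify_cert "$work/ca.pem" "$work/user.pem" && echo "chain verifies"
p12_opens "$work/user.p12" 'constructed-passphrase' && echo "p12 opens"
p12_opens "$work/user.p12" 'wrong-passphrase' || echo "wrong passphrase rejected"
```

The passphrase only protects the PKCS #12 archive that carries the private key; the certificate check against the CA succeeds without it.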