From sharathkumar.gundu at tecra.com Mon Oct 28 16:10:49 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Mon, 28 Oct 2019 21:40:49 +0530
Subject: [Pki-users] PKI Dogtag Support
Message-ID: <6af772c2-60aa-a056-822e-6ad3fa66d2e7@tecra.com>

Hello Team,

I've just started using pki-tomcat server installed ca/kra.

As default CA Admin I want to approve the certificate request, Please help??

command to create the cert-request

----------------------------------------------------

pki -c tecra at 123 client-cert-request CN=Sharath --profile caSigningUserCert --type crmf

-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 20
  Type: enrollment
  Request Status: pending
  Operation Result: success

to approve the above request

_--------------------------------------------

pki ca-cert-request-review 20 --action approve

pki ca-cert-request-review 20 --action approve
WARNING: BAD_CERT_DOMAIN encountered on 'CN=tecra-db02,OU=pki-tomcat,O=tecra-db02 Security Domain' indicates a common-name mismatch
PKIException: Unauthorized

Thanks,

Sharath

From ftweedal at redhat.com Tue Oct 29 00:45:13 2019
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 29 Oct 2019 10:45:13 +1000
Subject: [Pki-users] Red Hat Certificate System question
In-Reply-To:
References:
Message-ID: <20191029004513.GH8128@T470s>

On Mon, Oct 28, 2019 at 05:27:14PM -0500, Steve Laesch wrote:
> Fraser,
>
> I enjoyed reading the blog article from 8/2015 in which you described how
> to create a custom certificate profile for provisioning S/MIME certificates.
>
> I'm currently struggling to complete a task using Red Hat Certificate
> System that I understand probably needs to involve creating a custom
> certificate profile.
>
> I'm trying to provision a set of CA certificates using dual root, mutually
> cross signed CAs. I did it using openssl first, and that went wonderfully.
>
> For reference, I'm trying to do what is described in this Wikipedia page:
> https://en.wikipedia.org/wiki/X.509#Example_1:_Cross-certification_at_root_Certification_Authority_(CA)_level_between_two_PKIs
>
> I'm working with Red Hat Certificate System PKIs installed on two different
> AWS EC2 instances.
>
> I'm almost a complete newbie when it comes to working with certificate
> profiles, unfortunately. I find it rather daunting. I'm determined to get
> this done and working, though. I can certainly use all the help I can get!
>
> Cheers,
> Steve Laesch
>

Hi Steve,

Adding the pki-users@ mailing list. We need a bit more information.

We have a profile for CA certificates ("caCACert"). The validity period is 20 years which is probably too long, but if you make a custom profile that is a copy of caCACert except with the desired validity period, it should be suitable.

Can you please give more information on exactly what you're having difficulty with, or how the results differ from your goal?

Thanks,
Fraser

From sharathkumar.gundu at tecra.com Tue Oct 29 07:20:46 2019
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Tue, 29 Oct 2019 12:50:46 +0530
Subject: [Pki-users] PKI Dogtag Support
In-Reply-To: <6af772c2-60aa-a056-822e-6ad3fa66d2e7@tecra.com>
References: <6af772c2-60aa-a056-822e-6ad3fa66d2e7@tecra.com>
Message-ID:

Hello Team,

I've just started using pki-tomcat server installed ca/kra.

As default CA Admin I want to approve the certificate request, Please help??

command to create the cert-request

----------------------------------------------------

pki -c tecra at 123 client-cert-request CN=Sharath --profile caSigningUserCert --type crmf

-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 20
  Type: enrollment
  Request Status: pending
  Operation Result: success

to approve the above request

_--------------------------------------------

pki ca-cert-request-review 20 --action approve
WARNING: BAD_CERT_DOMAIN encountered on 'CN=tecra-db02,OU=pki-tomcat,O=tecra-db02 Security Domain' indicates a common-name mismatch
PKIException: Unauthorized

How to resolve this?? Appreciate your help.

Thanks,

Sharath

From edewata at redhat.com Tue Oct 29 17:41:12 2019
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 29 Oct 2019 13:41:12 -0400 (EDT)
Subject: [Pki-users] PKI Dogtag Support
In-Reply-To: <6af772c2-60aa-a056-822e-6ad3fa66d2e7@tecra.com>
References: <6af772c2-60aa-a056-822e-6ad3fa66d2e7@tecra.com>
Message-ID: <1131507845.14846744.1572370872397.JavaMail.zimbra@redhat.com>

Hi Sharath,

It looks like you did not provide the CA admin's cert nickname and password in the pki ca-cert-request-review command. See the following docs:

https://www.dogtagpki.org/wiki/PKI_CLI_Initialization
https://www.dogtagpki.org/wiki/PKI_Client_CLI
https://www.dogtagpki.org/wiki/PKI_CA_Certificate_Request_CLI
https://www.dogtagpki.org/wiki/Handling_Certificate_Request

Hope this helps.

--
Endi S. Dewata

----- Original Message -----
> Hello Team,
>
> I've just started using pki-tomcat server installed ca/kra.
>
> As default CA Admin I want to approve the certificate request, Please
> help??
>
> command to create the cert-request
>
> ----------------------------------------------------
>
> pki -c tecra at 123 client-cert-request CN=Sharath --profile
> caSigningUserCert --type crmf
>
> -----------------------------
> Submitted certificate request
> -----------------------------
>   Request ID: 20
>   Type: enrollment
>   Request Status: pending
>   Operation Result: success
>
> to approve the above request
>
> _--------------------------------------------
>
> pki ca-cert-request-review 20 --action approve
>
> pki ca-cert-request-review 20 --action approve
> WARNING: BAD_CERT_DOMAIN encountered on
> 'CN=tecra-db02,OU=pki-tomcat,O=tecra-db02 Security Domain' indicates a
> common-name mismatch
> PKIException: Unauthorized
>
> Thanks,
>
> Sharath
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
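
The failure discussed in this thread, as an added example that is not part of any poster's message or of Dogtag's own code: a wrapper that refuses to call `ca-cert-request-review` without a client certificate nickname and NSS password file, plus a check that separates the two signals in the quoted output. The nickname, password file path and host passed in are placeholders for your deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Nickname, password file and host are
# placeholders; list the real nickname with `certutil -L -d "$NSS_DB"` after
# importing the admin PKCS#12 with `pk12util -i <file> -d "$NSS_DB"`.
PKI_BIN="${PKI_BIN:-pki}"                 # overridable so the wrapper can be dry-run
NSS_DB="${NSS_DB:-$HOME/.dogtag/nssdb}"   # default client NSS database of the pki CLI

# Output quoted in the thread for the approve attempt without credentials.
THREAD_OUTPUT="WARNING: BAD_CERT_DOMAIN encountered on 'CN=tecra-db02,OU=pki-tomcat,O=tecra-db02 Security Domain' indicates a common-name mismatch
PKIException: Unauthorized"

# Report the two independent problems a pki run can show:
#   hostname-mismatch  server certificate CN differs from the host contacted
#   unauthenticated    no (or an unauthorized) client certificate was presented
diagnose_pki_output() {
    out=$1
    result=""
    case $out in
        *BAD_CERT_DOMAIN*) result="hostname-mismatch" ;;
    esac
    case $out in
        *"PKIException: Unauthorized"*) result="${result:+$result,}unauthenticated" ;;
    esac
    printf '%s\n' "${result:-ok}"
}

# Approve a pending request as a CA agent.
#   -n  nickname of the admin/agent certificate in the NSS database
#   -C  file holding the NSS database password (keeps it out of argv and history)
#   -h  host name; use the name that appears in the server certificate's CN
approve_request() {
    req_id=$1; nickname=$2; pwfile=$3; host=$4
    [ -n "$nickname" ] || { echo "missing client cert nickname (-n)" >&2; return 2; }
    [ -r "$pwfile" ]   || { echo "unreadable NSS password file (-C)" >&2; return 2; }
    "$PKI_BIN" -d "$NSS_DB" -C "$pwfile" -n "$nickname" -h "$host" \
        ca-cert-request-review "$req_id" --action approve
}
```
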