From arhsagar at gmail.com Fri Jan 17 14:50:31 2020
From: arhsagar at gmail.com (Akshath Hegde)
Date: Fri, 17 Jan 2020 20:20:31 +0530
Subject: [Pki-users] enabling key usage extension in caRouterCert

Hi,

I'm trying to enroll my router with dogtag CA through scep. On router I have 2 different rsa keypairs, one of which is to be used only for signing and the other for key encipherment. The router sends scep requests for each of these keys and 2 certificates are expected at the end. I need the key usage extension from the server for this. I need some help in editing the profile for this. I tried editing caRouterCert.cfg file with different values for defaults and constraints, but I couldn't see how to get the final cert to have just what was in the request. If I put default as true for both, then both of them would be in the cert request in both requests sent by router, and when it's false none would be there. Any help regarding how to achieve this would be greatly appreciated.

Thanks
Akshath

From msauton at redhat.com Sat Jan 18 04:20:34 2020
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 17 Jan 2020 20:20:34 -0800
Subject: [Pki-users] enabling key usage extension in caRouterCert

I believe that would be an RFE, because by default, there is only 1 profile out of the box, called caRouterCert.cfg, for 1 set of the "Key Usage Extension Constraint", and we would need 2 profiles.

The workaround is to use a third party tool from EPEL, called sscep, it does exist for Fedora and RHEL-7.
See:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/enrolling_a_certificate_in_a_cisco_router#issuing-ecc-certificates-with-scep
https://github.com/certnanny/sscep

Thanks,
M.

On Fri, Jan 17, 2020 at 6:51 AM Akshath Hegde wrote:

> Hi,
> I'm trying to enroll my router with dogtag CA through scep.
> On router I
> have 2 different rsa keypairs, one of which is to be used only for signing
> and the other for key encipherment. The router sends scep requests for each
> of these keys and 2 certificates are expected at the end. I need the key
> usage extension from the server for this. I need some help in editing the
> profile for this. I tried editing caRouterCert.cfg file with different
> values for defaults and constraints, but I couldn't see how to get the final
> cert to have just what was in the request. If I put default as true for
> both, then both of them would be in the cert request in both requests sent
> by router, and when it's false none would be there. Any help regarding how
> to achieve this would be greatly appreciated.
>
> Thanks
> Akshath

From cfu at redhat.com Wed Jan 22 17:30:38 2020
From: cfu at redhat.com (Christina Fu)
Date: Wed, 22 Jan 2020 09:30:38 -0800
Subject: [Pki-users] enabling key usage extension in caRouterCert

Hi Akshath,

It's very common for Dogtag users to create customized profiles themselves. So creating two profiles with each tailored to what's needed is what you need. The RHCS documentation should cover it, e.g.:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#Modifying_Certificate_Profiles_through_the_Command_Line

Hope this helps,
Christina

On Fri, Jan 17, 2020 at 8:21 PM Marc Sauton wrote:

> I believe that would be an RFE, because by default, there is only 1 profile
> out of the box, called caRouterCert.cfg, for 1 set of the "Key Usage
> Extension Constraint", and we would need 2 profiles.
>
> The workaround is to use a third party tool from EPEL, called sscep, it
> does exist for Fedora and RHEL-7.
> See:
>
> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/enrolling_a_certificate_in_a_cisco_router#issuing-ecc-certificates-with-scep
> https://github.com/certnanny/sscep
>
> Thanks,
> M.
>
>
> On Fri, Jan 17, 2020 at 6:51 AM Akshath Hegde wrote:
>
>> Hi,
>> I'm trying to enroll my router with dogtag CA through scep. On router I
>> have 2 different rsa keypairs, one of which is to be used only for signing
>> and the other for key encipherment. The router sends scep requests for each
>> of these keys and 2 certificates are expected at the end. I need the key
>> usage extension from the server for this. I need some help in editing the
>> profile for this. I tried editing caRouterCert.cfg file with different
>> values for defaults and constraints, but I couldn't see how to get the final
>> cert to have just what was in the request. If I put default as true for
>> both, then both of them would be in the cert request in both requests sent
>> by router, and when it's false none would be there. Any help regarding how
>> to achieve this would be greatly appreciated.
>>
>> Thanks
>> Akshath

From sharathkumar.gundu at tecra.com Tue Jan 28 13:32:36 2020
From: sharathkumar.gundu at tecra.com (Sharath)
Date: Tue, 28 Jan 2020 19:02:36 +0530
Subject: [Pki-users] Dogtag Build

Hello Team,

I have taken the source code git repository, currently pointing origin/DOGTAG_10_6_BRANCH. Can you please text the steps to build Dogtag PKI source?

./build.sh is failed due to dependencies...
Is there any automated script or solution to install the required dependencies?

Currently using below OS:

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Thanks,
Sharath

From ftweedal at redhat.com Wed Jan 29 01:16:41 2020
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 29 Jan 2020 11:16:41 +1000
Subject: [Pki-users] [Pki-devel] Dogtag Build
Message-ID: <20200129011641.GF28885@T470s>

On Tue, Jan 28, 2020 at 07:02:36PM +0530, Sharath wrote:
> Hello Team,
>
> I have taken the source code git repository, currently pointing
> origin/DOGTAG_10_6_BRANCH. Can you please text the steps to build Dogtag PKI
> source?
>
> ./build.sh is failed due to dependencies...
>
> Is there any automated script or solution to install the required
> dependencies?
>
Try yum-builddep(1), from the yum-utils package:

    yum-builddep pki.spec

Cheers,
Fraser

> Currently using below OS:
>
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> Thanks,
>
> Sharath