From ricardoalx.perez at gmail.com Mon May 4 19:48:14 2020
From: ricardoalx.perez at gmail.com (Alexander)
Date: Mon, 4 May 2020 14:48:14 -0500
Subject: [Pki-users] Centos 8 Install error pki-core
Message-ID:

$ sudo dnf module install pki-core: 10.6

There are no default profiles for the pki-core module: 10.6

Error: Problems in the request:

missing modules or groups: pki-core: 10.6

From dmoluguw at redhat.com Mon May 4 19:53:29 2020
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Mon, 4 May 2020 15:53:29 -0400
Subject: [Pki-users] Centos 8 Install error pki-core
In-Reply-To:
References:
Message-ID:

Hi Alexander,

pki-core module does not come with default profiles. Have you tried the following?

````
$ dnf module enable pki-core:10.6
$ dnf install pki-ca pki-kra
````

HTH!

Regards,
--Dinesh

On Mon, May 4, 2020 at 3:49 PM Alexander wrote:

> $ sudo dnf module install pki-core: 10.6
>
> There are no default profiles for the pki-core module: 10.6
>
> Error: Problems in the request:
>
> missing modules or groups: pki-core: 10.6
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From redhat.com at msqr.us Wed May 6 08:35:49 2020
From: redhat.com at msqr.us (Matt Magoffin)
Date: Wed, 6 May 2020 20:35:49 +1200
Subject: [Pki-users] How to renew CA root signing certificate?
Message-ID: <99614B33-7DD0-40B7-A2B0-352EE1629A75@msqr.us>

Hello,

I have a Dogtag 10.0 CA system where the root self-signed certificate is set to expire next year. I plan to upgrade to Dogtag 10.7, but after that it is not clear to me what procedure I should follow to renew the root signing certificate.
I understand the general process for renewing system certificates as outlined here:

https://www.dogtagpki.org/wiki/System_Certificate_Renewal

However the examples there are all for system certificates other than the root certificate, so I wanted to be clear on the steps needed. In my testing, I found that I can renew & approve the root signing certificate as documented:

$ pki ca-cert-request-submit --profile caManualRenewal --serial 0x1 --renewal

If I use the web GUI's "Bypass CA notAfter constraint" option to approve the request I can get the expiration date of the approved certificate set to the distant future. Is there a way to do this with the pki command line tool? When I tried, the expiration date gets capped to the current CA root certificate's expiration date.

Then, assuming that approved root certificate is what I need, do I just run

$ systemctl stop pki-tomcatd@pki-tomcat.service
$ pki-server subsystem-cert-update ca --cert
$ systemctl start pki-tomcatd@pki-tomcat.service

And then will I be able to renew the other system certificates normally later (before they expire)?

Thanks for any advice,
Matt

From nadeeragalagedara at yahoo.com Wed May 13 14:36:09 2020
From: nadeeragalagedara at yahoo.com (Nadeera Galagedara)
Date: Wed, 13 May 2020 14:36:09 +0000 (UTC)
Subject: [Pki-users] OCSP Installation Problem
References: <1609490340.323519.1589380569628.ref@mail.yahoo.com>
Message-ID: <1609490340.323519.1589380569628@mail.yahoo.com>

Dear,

I have Root CA and Issue CA in my network. The issue CA is signed by the Root CA. Both these CAs are installed in CentOS 7 and Dogtag Version 10.5. Now I am going to Install the OCSP for the Issue CA. There is no OCSP for the CentOS 7, so I installed the OCSP (10.8) in fedora. I tried to connect the OCSP to Issue CA with both Interactive and Manual configuration method. I still got an error.

Error comes while tried to install the OCSP

INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg
INFO: Checking existing SSL server cert: Server-Cert cert-pki-tomcat
INFO: Creating temp SSL server cert for ocsp.mycompany.lk
Notice: Trust flag u is set automatically if the private key is present.
INFO: Joining existing domain
INFO: Getting token for installing OCSP on ocsp.mycompany.lk

Installation failed:
com.netscape.certsrv.base.PKIException: error result

Please check the OCSP logs in /var/log/pki/pki-tomcat/ocsp.

There is no error shows in the log file. If I use the pkispawn it also generate the same error.

My OCSP configuration

[DEFAULT]
pki_server_database_password=Secret.123

[OCSP]
pki_admin_cert_file=/home/user/Desktop/ca_admin_cert.p12 [I used the p12 admin file from issue ca server]
pki_admin_email=ocspadmin@example.com
pki_admin_name=ocspadmin
pki_admin_nickname=ocspadmin
pki_admin_password=Secret.123
pki_admin_uid=ocspadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ocsp,dc=mycompany,dc=lk
pki_ds_database=ocsp
pki_ds_password=Secret.123

pki_clone_pkcs12_password=Secret.123

pki_security_domain_name=MYDOMAIN
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123

pki_token_password=Secret.123

pki_security_domain_hostname=issueca.mycompany.lk

My Issue CA configuration.

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=MYDOMAIN
pki_token_password=Secret.123

pki_external=True
pki_external_step_two=True

pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt

From cfu at redhat.com Wed May 27 16:37:54 2020
From: cfu at redhat.com (Christina Fu)
Date: Wed, 27 May 2020 09:37:54 -0700
Subject: [Pki-users] Translate Dogtag Certifícate System
In-Reply-To:
References:
Message-ID:

Hi,

Thank you for your interest in volunteering for contribution! May I ask in which area(s) you are interested in doing translations?

I believe there was some infrastructure for message translations, which entailed in having LogMessages.properties and UserMessages.properties bearing indicator "US" (as United States) in the file names by default. It was probably determined at some point that no one ever got around to help with the translation so now those message file names no longer bear such indicator. The message files, along with a new one which is audit messages separated out from the log messages now reside under
pki/base/server/cmsbundle/src

Is this something you are interested in translating for? And what language is that? We could possibly discuss the plausibility for that.

thanks,
Christina

On Thu, Apr 30, 2020 at 8:00 AM Alexander wrote:

> Hi, it's possible translate Dogtag Certificate System?
>
> How I can contribute to do this?