[Pki-users] Automatically generate certificates without approval

Wahaj K mwahaj3120 at gmail.com
Thu Nov 5 16:42:22 UTC 2020


Thanks for your response. I was more looking for a server-side
configuration to enable it, like Microsoft CA has got. It seems there is no
configuration and one has to trigger approval separately. Probably doing it
via the REST API is quicker, hence I saw this:
https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API

I am able to make calls to get a certificate i.e.
https://192.168.56.103:8443/ca/rest/certs/0xd successfully but when I try
to approve a pending request I get an error.
If I don't set *Content-Type* I get *Unsupported media type* and when I set
it to *application/xml* I get *400 Bad Request* with the following exception:

javax.xml.bind.JAXBException
- with linked exception:
[java.security.PrivilegedActionException: javax.xml.bind.UnmarshalException
- with linked exception:
[org.xml.sax.SAXParseException; Premature end of file.]]

Do I need to login and pass some token to the *approve* call as hinted
here: https://www.dogtagpki.org/wiki/PKI_REST_API? I am using the admin
cert for client auth and testing using Postman which comes as default and
hence should be able to approve. Having said that, I can trigger approve via
the CLI command while authenticated by the same admin cert:

pki -c Secret.123 -n "PKI Administrator for localhost.localdomain" ca-cert-request-review 40 --action approve

In short, I can achieve approval by sending the P10 cert request via the Java
SDK and then approving via the CLI, but I would prefer the RESTful API approach
if possible. Any hint on why the RESTful API could be failing?

Regards,
WK

On Thu, Oct 29, 2020 at 3:21 AM Marc Sauton <msauton at redhat.com> wrote:

> yes, it works by having SSL client authentication for an "agent" user, or
> LDAP basic authentication (without or with a pre-defined pin), or CMC:
>
> example for SSL server cert, look at the profile caAgentServerCert.cfg
>
> example for SSL server cert using CMC, see
>
> https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-CMC
>
> for end user cert, examples with caDirPinUserCert.cfg , caDirUserCert.cfg
>
> from the pki command line with LDAP basic authentication , look for the
> command cert-request-submit with the --username
> either
> pki cert-request-submit --help
> or
> pki ca-cert-request-submit --help
> see
> https://www.dogtagpki.org/wiki/Directory-Authenticated_Profiles
>
>
> On Wed, Oct 28, 2020 at 2:20 AM Wahaj K <mwahaj3120 at gmail.com> wrote:
>
>> Hi Guys,
>>
>> I am new to Dogtag PKI and have installed it on Fedora 33. I am able to
>> send a PKCS#10 certificate, approve and then get the issued certificate. I
>> need to know a way to generate the certificate without manual approval
>> hence when PKCS#10 request is sent, the certificate is generated right
>> away. I have looked at profiles, CA configuration but couldn't see a way. I
>> am using Dogtag 10.9. Is this possible? Any guidance is appreciated.
>>
>> Regards,
>> Wahaj
>
>
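
Added example (not part of the original message and not Dogtag project code): "Premature end of file" is what an XML parser reports for an empty document, so this Python sketch fetches the review document for a pending request and posts it back as the approve body, refusing to send an empty one. The endpoint paths, the `send` transport hook and the `fake_ca` stand-in with its sample XML and status codes are assumptions made for illustration.

```python
# Added example, not Dogtag project code. The endpoint paths and the
# review-then-approve flow are assumptions; check them against the wiki page.
import xml.etree.ElementTree as ET

REVIEW_PATH = "/ca/rest/agent/certrequests/{rid}"           # assumed
APPROVE_PATH = "/ca/rest/agent/certrequests/{rid}/approve"  # assumed
XML = "application/xml"


def require_xml_body(body):
    """Reject an empty or malformed body before it goes on the wire."""
    if not body or not body.strip():
        raise ValueError("empty request body: approve needs the review XML")
    ET.fromstring(body)  # raises ET.ParseError on malformed XML
    return body


def approve_request(send, base_url, rid):
    """Fetch the review document for a pending request and POST it back.

    send(method, url, headers, body) -> (status, body_bytes) is a hypothetical
    transport hook; in real use it wraps an HTTPS client that presents the
    agent certificate.
    """
    status, review = send("GET", base_url + REVIEW_PATH.format(rid=rid),
                          {"Accept": XML}, None)
    if status != 200:
        raise RuntimeError(f"review fetch failed: HTTP {status}")
    body = require_xml_body(review)
    status, _ = send("POST", base_url + APPROVE_PATH.format(rid=rid),
                     {"Content-Type": XML, "Accept": XML}, body)
    return status


def fake_ca(log):
    """Constructed stand-in for the CA: answers 400 to an empty POST body."""
    review = b"<review><requestId>40</requestId></review>"  # constructed, not the real schema
    def send(method, url, headers, body):
        log.append((method, url, headers.get("Content-Type"), body))
        if method == "GET":
            return 200, review
        return (204, b"") if body else (400, b"Premature end of file.")
    return send


if __name__ == "__main__":
    calls = []
    print(approve_request(fake_ca(calls), "https://192.168.56.103:8443", 40))
```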