From dmoluguw at redhat.com Thu Oct 1 21:58:50 2020
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Thu, 1 Oct 2020 17:58:50 -0400
Subject: [Pki-users] Dogtag PKI is migrating issue tracker from Pagure to GitHub

Dear users, developers and maintainers of PKI,

We, the Dogtag PKI team, have decided to use GitHub issues as our primary issue tracker. As a part of the effort to keep things unified, we will be migrating all the issues (open and closed) from Pagure Issues to GitHub Issues.

We see several advantages by this migration:

1. Reported issues and code stay closer
2. Better ways to refer/track issues within PRs and commits
3. Better audience outreach

When?

Migration starts on Friday, Oct 2 (~5PM EST) and we anticipate it to end by Oct 4.

Dry Run Results

https://github.com/pki-bot/pki-issues-final/issues

Process:

We are planning to do the migration in 4 stages.

*Stage 1 (~5 hours):*

Copy all issues from Pagure to GitHub. We have identified and tried to map the users from Pagure to GitHub. If your nickname is listed in [1], you'll be receiving github notifications and/or emails. Unfortunately, there is no way to keep it down.

*Stage 2 (~2 hours):*

This is a check stage where we test if every Pagure issue has been copied to GitHub correctly. There will be no notifications generated.

*Stage 3 (~2 hours):*

Add comments to ALL pagure issues and close ALL OPEN pagure issues as Migrated. The comment will include a link to the corresponding GH issue. We have placed a request [2] to turn off notifications during this stage.

*Stage 4 (~1 hour):*

Update associated bugzilla with link to new GitHub Issues. The "Devel Whiteboard" will be updated in the format `PKI ` and an external tracker to the GH issue will be added. There will be no notifications generated in this stage.

Migration Tool:

The tool is available in GH: https://github.com/SilleBille/pagure2github/

Problems?

In case you find any bugs or problems in the migrated tickets, feel free to reach out to us via pki-users at redhat.com

Dogtag PKI Team

[1] https://github.com/SilleBille/pagure2github/blob/master/lib/pagure2github/__init__.py#L43-L123
[2] https://pagure.io/fedora-infrastructure/issue/9361

From dmoluguw at redhat.com Mon Oct 5 18:55:36 2020
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Mon, 5 Oct 2020 14:55:36 -0400
Subject: [Pki-users] Dogtag PKI is migrating issue tracker from Pagure to GitHub

Dear users, developers, and maintainers of PKI,

We are happy to announce that the migration of issues from Pagure to Github was a success. You can now browse the issues filed against Dogtag PKI on Github: https://github.com/dogtagpki/pki/issues/

The Pagure Issue tracker is now set to "read-only", to prevent any comments/modifications that may no longer be monitored. A link to the associated Github issue has been added as a comment to the associated Pagure issue to make it easy for users to track their issues.

All attachments (patches, logs, etc) have been ported to GitHub as well. So, *none of the information should be lost by this migration.*

All associated Bugzilla bugs have been updated to track the corresponding new GitHub issues.

If you find any issues, feel free to write back to us and we will try to fix it!

Thanks for your understanding and we apologize for any inconvenience caused by this migration.

Dogtag PKI Team

On Thu, Oct 1, 2020 at 5:58 PM Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com> wrote:

> Dear users, developers and maintainers of PKI,
>
> We, the Dogtag PKI team, have decided to use GitHub issues as our primary
> issue tracker. As a part of the effort to keep things unified, we will be
> migrating all the issues (open and closed) from Pagure Issues
> to GitHub Issues.
>
> We see several advantages by this migration:
>
> 1. Reported issues and code stay closer
> 2. Better ways to refer/track issues within PRs and commits
> 3. Better audience outreach
>
> When?
>
> Migration starts on Friday, Oct 2 (~5PM EST) and we anticipate it to end
> by Oct 4.
>
> Dry Run Results
>
> https://github.com/pki-bot/pki-issues-final/issues
>
> Process:
>
> We are planning to do the migration in 4 stages.
>
> *Stage 1 (~5 hours):*
>
> Copy all issues from Pagure to GitHub. We have identified and tried to map
> the users from Pagure to GitHub. If your nickname is listed in [1], you'll
> be receiving github notifications and/or emails. Unfortunately, there is
> no way to keep it down.
>
> *Stage 2 (~2 hours):*
>
> This is a check stage where we test if every Pagure issue has been copied
> to GitHub correctly. There will be no notifications generated.
>
> *Stage 3 (~2 hours):*
>
> Add comments to ALL pagure issues and close ALL OPEN pagure issues as
> Migrated. The comment will include a link to the corresponding GH issue.
> We have placed a request [2] to turn off notifications during this stage.
>
> *Stage 4 (~1 hour):*
>
> Update associated bugzilla with link to new GitHub Issues. The "Devel
> Whiteboard" will be updated in the format `PKI ` and an
> external tracker to the GH issue will be added. There will be no
> notifications generated in this stage.
>
> Migration Tool:
>
> The tool is available in GH: https://github.com/SilleBille/pagure2github/
>
> Problems?
>
> In case you find any bugs or problems in the migrated tickets, feel free
> to reach out to us via pki-users at redhat.com
>
> Dogtag PKI Team
>
> [1] https://github.com/SilleBille/pagure2github/blob/master/lib/pagure2github/__init__.py#L43-L123
>
> [2] https://pagure.io/fedora-infrastructure/issue/9361

From pascal.jakobi at gmail.com Thu Oct 8 20:05:55 2020
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Thu, 8 Oct 2020 22:05:55 +0200
Subject: [Pki-users] Clarification needed

Page : https://www.dogtagpki.org/wiki/Keycloak (This is for setting Keycloak in front of dogtag)

Page says "store the configuration in /WEB-INF/keycloak.json" (referring to the keycloak client configuration).

But what is the "" ? I am very unsure....

More generally, it would greatly help if more explanations were given in the page...

--
*Pascal Jakobi*

From edewata at redhat.com Thu Oct 8 21:43:09 2020
From: edewata at redhat.com (Endi Dewata)
Date: Thu, 8 Oct 2020 16:43:09 -0500
Subject: [Pki-users] Clarification needed

On Thu, Oct 8, 2020 at 3:09 PM Pascal Jakobi wrote:

> Page : https://www.dogtagpki.org/wiki/Keycloak (This is for setting
> Keycloak in front of dogtag)
>
> Page says "store the configuration in application>/WEB-INF/keycloak.json" (referring to the keycloak client
> configuration).
>
> But what is the "" ? I am very unsure....
>
> More generally, it would greatly help if more explanations were given in
> the page...
>

Hi,

That page is meant for setting up Keycloak as an identity provider for Dogtag. Is that what you're looking for? I added some clarification in the page. Thanks!

The is referring to the Dogtag web application folder that will be configured to use Keycloak, e.g. /usr/share/pki/ca/webapps/ca.

This functionality is not officially supported yet, and that page basically documents the investigation that has been done so far. It's not an official document, so it's not guaranteed to be accurate. When the functionality becomes officially supported later, there will be an official documentation in the source repository.

--
Endi S. Dewata

From roa at unixmexico.org Fri Oct 9 03:40:36 2020
From: roa at unixmexico.org (Jose Antonio Mendoza Roa)
Date: Thu, 8 Oct 2020 23:40:36 -0400
Subject: [Pki-users] Some questions about dogtag Replicate

Hi folks
I have some doubts

How is the better step for configure replication of dogtag-pki

I read this manual and it's very confusing for me.

Now I have running dogtag-pki-10.5.1-2.el7pki.noarch in one server1 (RHEL 7.x)

But I need to replicate in the other server2 in case of failure this server1

I read this manual https://www.dogtagpki.org/wiki/DS_Replication_Setup

-First Question in server1 I have modified 3 profiles in dogtag PKI (how to replicate this configuration in the server2)

-Second Question in server1 I have some certs ssl how to replicate this certs to server 2

From edewata at redhat.com Fri Oct 9 18:33:50 2020
From: edewata at redhat.com (Endi Dewata)
Date: Fri, 9 Oct 2020 13:33:50 -0500
Subject: [Pki-users] Some questions about dogtag Replicate

Hi,

The PKI version that you have is rather old. The latest stable version is PKI 10.9 and we are working on PKI 10.10. Is it possible for you to upgrade to the latest version?

If PKI is used as part of IPA, the profiles and certs will be replicated automatically. However, if it's used outside of IPA, the profiles and the certs will need to be copied manually to the new replica.

Here's the upstream doc that we have on CA cloning for PKI 10.5:
https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_Clone

However, the PKI 10.5 code and doc is no longer maintained upstream. If you need to use this particular version on RHEL I'd suggest to check RHEL documentation or contact RH support. Thanks.

--
Endi S. Dewata

On Thu, Oct 8, 2020 at 10:41 PM Jose Antonio Mendoza Roa wrote:

> Hi folks
> I have some doubts
>
> How is the better step for configure replication of dogtag-pki
>
> I read this manual and it's very confusing for me.
>
> Now I have running dogtag-pki-10.5.1-2.el7pki.noarch in one server1
> (RHEL 7.x)
>
> But I need to replicate in the other server2 in case of failure this
> server1
>
> I read this manual https://www.dogtagpki.org/wiki/DS_Replication_Setup
>
> -First Question in server1 I have modified 3 profiles in dogtag PKI (how
> to replicate this configuration in the server2)
>
> -Second Question in server1 I have some certs ssl how to replicate this
> certs to server 2
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From mwahaj3120 at gmail.com Wed Oct 28 09:15:04 2020
From: mwahaj3120 at gmail.com (Wahaj K)
Date: Wed, 28 Oct 2020 14:15:04 +0500
Subject: [Pki-users] Automatically generate certificates without approval

Hi Guys,

I am new to Dogtag PKI and have installed it on Fedora 33. I am able to send a PKCS#10 certificate, approve and then get the issued certificate. I need to know a way to generate the certificate without manual approval hence when PKCS#10 request is sent, the certificate is generated right away. I have looked at profiles, CA configuration but couldn't see a way. I am using Dogtag 10.9. Is this possible? Any guidance is appreciated.

Regards,
Wahaj

From msauton at redhat.com Wed Oct 28 22:21:21 2020
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 28 Oct 2020 15:21:21 -0700
Subject: [Pki-users] Automatically generate certificates without approval

yes, it works by having SSL client authentication for an "agent" user, or LDAP basic authentication (without or with a pre-defined pin), or CMC:

example for SSL server cert, look at the profile caAgentServerCert.cfg

example for SSL server cert using CMC, see
https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-CMC

for end user cert, examples with caDirPinUserCert.cfg, caDirUserCert.cfg

from the pki command line with LDAP basic authentication, look for the command cert-request-submit with the --username
either
pki cert-request-submit --help
or
pki ca-cert-request-submit --help

see
https://www.dogtagpki.org/wiki/Directory-Authenticated_Profiles

On Wed, Oct 28, 2020 at 2:20 AM Wahaj K wrote:

> Hi Guys,
>
> I am new to Dogtag PKI and have installed it on Fedora 33. I am able to
> send a PKCS#10 certificate, approve and then get the issued certificate. I
> need to know a way to generate the certificate without manual approval
> hence when PKCS#10 request is sent, the certificate is generated right
> away. I have looked at profiles, CA configuration but couldn't see a way. I
> am using Dogtag 10.9. Is this possible? Any guidance is appreciated.
>
> Regards,
> Wahaj

From ftweedal at redhat.com Wed Oct 28 22:43:32 2020
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 29 Oct 2020 08:43:32 +1000
Subject: [Pki-users] Automatically generate certificates without approval
Message-ID: <20201028224332.GI1100811@T470s>

On Wed, Oct 28, 2020 at 02:15:04PM +0500, Wahaj K wrote:
> Hi Guys,
>
> I am new to Dogtag PKI and have installed it on Fedora 33. I am able to
> send a PKCS#10 certificate, approve and then get the issued certificate. I
> need to know a way to generate the certificate without manual approval
> hence when PKCS#10 request is sent, the certificate is generated right
> away. I have looked at profiles, CA configuration but couldn't see a way. I
> am using Dogtag 10.9. Is this possible? Any guidance is appreciated.
>
> Regards,
> Wahaj

Hi Wahaj,

What is your use case? For service certificates, ACME could be a good solution.

Cheers,
Fraser