From pseite35 at gmail.com Thu Feb 4 09:42:41 2021
From: pseite35 at gmail.com (Perig Bouenou)
Date: Thu, 4 Feb 2021 10:42:41 +0100
Subject: [Pki-users] Approve Certificate Request with curl

Hello

I'm trying to approve certificate requests by using curl as in
https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API

I manage to submit certificate requests by posting an xml request template, I can retrieve the list of requests, the curl command for a review works fine, but I'm stuck with approval by using curl (I can approve CSR with pki tool but I still don't know how to do the same with curl).

BTW, here is my command for reviewing request:

curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12: \
  https://dogtag.server:8443/ca/rest/agent/certrequests/08 \
  --header "Content-Type:application/xml" | xmllint --format -

Can someone tell me what's the correct curl command to approve cr? or is there any example of request approval (with curl) somewhere? or even something more detailed than
https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API ?

PS: I had a look at the JAVA API (https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certificate-request) but it didn't help me so much.

Regards,
Pier

From msauton at redhat.com Thu Feb 4 22:38:04 2021
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 4 Feb 2021 14:38:04 -0800
Subject: [Pki-users] Approve Certificate Request with curl

or use the pki command line tool with the option ca-cert-request-review :
https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request
for example:

pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 \
  -C ~/.dogtag/subca1/pwdfile.txt -n caadmin \
  ca-cert-request-review 1011 --action approve

and after successful authentication, the URI is in the form of
/ca/rest/agent/certrequests/xx/approve
where xx is the request id
it is a HTTPS POST operation

Thanks,
M.

From pseite35 at gmail.com Mon Feb 8 15:51:22 2021
From: pseite35 at gmail.com (Perig Bouenou)
Date: Mon, 8 Feb 2021 16:51:22 +0100
Subject: [Pki-users] Approve Certificate Request with curl

Hi,

Thanks for the hint. Now, I make with curl the same queries as a "pki -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review 8 --action approve" (I'm using unsecure port to be able to capture unencrypted queries to the API):

I start with a login and a review to get a nonce:

curl -s --cert-type P12 --cert ca_admin_cert.p12: \
  https://dogtag.org:8443/ca/rest/account/login
curl -s -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12: \
  https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint --format - > 08.xml

The nonce is well generated:

$ grep nonce 08.xml
-8605088983470492766

Then, I do a curl/POST to /ca/rest/agent/certrequests/8/approve, but the request returns the error "Nonce for cert-request 8 does not exist"

curl -X POST --cert-type P12 --cert ca_admin_cert.p12: \
  https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve \
  --header "Content-Type:application/xml" -H "Accept: application/json"
{
  "Attributes": {
    "Attribute": []
  },
  "ClassName": "com.netscape.certsrv.base.BadRequestException",
  "Code": 400,
  "Message": "Nonce for cert-request 8 does not exist"
}

Something is missing... any ideas?

BR

From pseite35 at gmail.com Mon Feb 8 15:57:08 2021
From: pseite35 at gmail.com (Perig Bouenou)
Date: Mon, 8 Feb 2021 16:57:08 +0100
Subject: [Pki-users] Approve Certificate Request with curl

BTW, it is a similar issue to the one raised in
https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ...

From pseite35 at gmail.com Mon Feb 8 17:40:59 2021
From: pseite35 at gmail.com (Perig Bouenou)
Date: Mon, 8 Feb 2021 18:40:59 +0100
Subject: [Pki-users] Approve Certificate Request with curl

According to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems that login permission for certServer.ca.account is not set and the session is not created.

2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertUserDBAuthentication: UID caadmin authenticated.
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User ID: caadmin
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User DN: uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles:
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Certificate Manager Agents
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Security Domain Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise CA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise KRA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise OCSP Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TKS Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise RA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TPS Administrators

Here, Granting login permission for certServer.ca.account and Creating session are missing...

2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting execute permission for certServer.ca.certrequests
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertRequestService: Validating certificate request 12
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession: reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting approve permission for certServer.ca.request.profile
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor: Nonce: 2691022150130176365
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor: Nonce for cert-request 12 does not exist

From pseite35 at gmail.com Mon Feb 8 21:17:04 2021
From: pseite35 at gmail.com (Perig Bouenou)
Date: Mon, 8 Feb 2021 22:17:04 +0100
Subject: [Pki-users] Approve Certificate Request with curl

Actually, I forgot to include the session cookie in the requests... Here is a script that works:

curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD \
  https://dogtag.org:8443/ca/rest/account/login

curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:$PWD \
  https://dogtag.org:8443/ca/rest/agent/certrequests/$ID | xmllint --format - > review.xml

curl -X POST -s -b /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD \
  https://dogtag.org:8443/ca/rest/agent/certrequests/$ID/approve \
  --header "Content-Type:application/xml" -H "Accept: application/json" -d @review.xml | jq

Hopefully it can be useful for someone else...

From msauton at redhat.com Mon Feb 8 21:58:56 2021
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 8 Feb 2021 13:58:56 -0800
Subject: [Pki-users] Approve Certificate Request with curl

Yes, good catch for the cookie header.
Thanks for the feedback to the list.
M.

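The working sequence from the thread above (login, review, approve, all sharing one session cookie), as an added shell example that is not part of the original posts: the cookie jar and the P12 password are kept in a private temporary directory rather than in /tmp/cookie and on the command line, and the approval is not sent unless the review actually returned a nonce. Assumptions: the review XML carries the nonce as a `<nonce>` element, request ids are decimal, and the names P12_FILE, P12_PASSWORD, valid_request_id, extract_nonce, write_curl_config, sample_review and approve_request are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): approve a Dogtag CA certificate request
# over REST inside one session. Assumptions are marked where they appear.

# Request ids on the page are decimal (8, 12, 1011); anything else is rejected
# so the id cannot alter the URL path. (Assumption: decimal ids only.)
valid_request_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the nonce from a review document, or fail if there is none.
# Assumption: the nonce is serialized as <nonce>NUMBER</nonce>.
extract_nonce() {
    nonce_value=$(sed -n 's:.*<nonce>\(-\{0,1\}[0-9][0-9]*\)</nonce>.*:\1:p' "$1" | head -n 1)
    [ -n "$nonce_value" ] || return 1
    printf '%s\n' "$nonce_value"
}

# Write a curl config file (mode 0600) with the client certificate options,
# so the P12 password never shows up in the process list.
# $1 = config path, $2 = P12 file, $3 = P12 password
write_curl_config() {
    (
        umask 077
        escaped=$(printf '%s' "$2:$3" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf 'cert-type = "P12"\ncert = "%s"\n' "$escaped" > "$1"
    )
}

# Constructed sample of a review response (real ones carry many more elements;
# the element names other than nonce are stand-ins).
sample_review() {
    printf '%s\n' '<reviewDocument>' \
        '  <nonce>-8605088983470492766</nonce>' \
        '  <requestId>8</requestId>' \
        '</reviewDocument>'
}

# $1 = base URL (for example https://dogtag.org:8443), $2 = request id.
# P12_FILE and P12_PASSWORD (hypothetical names) come from the environment.
approve_request() {
    (
        set -eu
        valid_request_id "$2" || { echo "invalid request id: $2" >&2; exit 2; }
        workdir=$(mktemp -d) || exit 1
        trap 'rm -rf "$workdir"' EXIT
        write_curl_config "$workdir/curl.cfg" "$P12_FILE" "$P12_PASSWORD"

        # 1. Log in; the server answers with the session cookie.
        curl -sS -f -o /dev/null -K "$workdir/curl.cfg" -c "$workdir/cookies" \
            "$1/ca/rest/account/login"

        # 2. Review the request inside that session; the response holds the
        #    nonce the server expects back on approval.
        curl -sS -f -K "$workdir/curl.cfg" -b "$workdir/cookies" \
            -H "Accept: application/xml" -o "$workdir/review.xml" \
            "$1/ca/rest/agent/certrequests/$2"
        extract_nonce "$workdir/review.xml" >/dev/null || {
            echo "review of request $2 returned no nonce; not approving" >&2
            exit 1
        }

        # 3. Post the review document back with the same cookie. No -f here,
        #    so a JSON error body is printed. --data-binary implies POST.
        curl -sS -K "$workdir/curl.cfg" -b "$workdir/cookies" \
            -H "Content-Type: application/xml" -H "Accept: application/json" \
            --data-binary "@$workdir/review.xml" \
            "$1/ca/rest/agent/certrequests/$2/approve"
    )
}

# Usage: P12_FILE=ca_admin_cert.p12 P12_PASSWORD=... sh approve.sh https://dogtag.org:8443 8
if [ "$#" -eq 2 ]; then
    approve_request "$1" "$2"
fi
```
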
From brian.mcalister at navy.mil Wed Feb 24 15:21:54 2021
From: brian.mcalister at navy.mil (McAlister, Brian William (53501) CTR USN NIWC PACIFIC CA (USA))
Date: Wed, 24 Feb 2021 15:21:54 +0000
Subject: [Pki-users] PKI Warning
Message-ID: <59a9973ed41147689567008c0c15dfad@NAWESPSCXE01V.nadsuswe.nads.navy.mil>

Hello,

Every time I run the cli pki command I am shown the following warning:

WARNING: BAD_CERT_DOMAIN encountered on 'CN=dogtag..mil,OU=,O=dogtag..mil Security Domain' indicates a common-name mismatch.

I am not sure how to troubleshoot or resolve this warning.

Regards,
Brian

Brian McAlister
Senior System Administrator (BAH)
(619) 553-9577
brian.mcalister.ctr at navy.mil

From ricardoalx.perez at gmail.com Thu Feb 25 04:41:41 2021
From: ricardoalx.perez at gmail.com (Alexander)
Date: Wed, 24 Feb 2021 22:41:41 -0600
Subject: [Pki-users] Manual User Dual-Use Certificate Enrollment

I'm trying to generate a certificate from the web console, but I receive this message:

Warning: Please verify that this version of Chrome has not disabled functionality. For example, to enable on Chrome, create a new tab, type in "chrome://settings/content", find the section entitled "Key generation", select the radio button labeled "Allow all sites to use key generation in forms.", press the "Done" button, return to the previous tab, and reload this webpage.

Warning: Currently, this profile is unable to successfully construct an ECC certificate request on Chrome. At this time, please use Firefox to generate ECC certificate requests.

[image: dogtag.png]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtag.png
Type: image/png
Size: 46125 bytes
Desc: not available

From ricardoalx.perez at gmail.com Thu Feb 25 04:49:07 2021
From: ricardoalx.perez at gmail.com (Alexander)
Date: Wed, 24 Feb 2021 22:49:07 -0600
Subject: [Pki-users] Certificate request from Cert Manager Windows

I'm trying to generate a CSR from the Certificate Management Console in Windows 10, but I'm not sure about the process to generate the CSR.

[image: certmgr1.png]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: certmgr1.png
Type: image/png
Size: 79581 bytes
Desc: not available