[Pki-users] Approve Certificate Request with curl

Perig Bouenou pseite35 at gmail.com
Mon Feb 8 21:17:04 UTC 2021


Actually, I forgot to include the session cookie in the requests... Here is
a script that works:

# Log in once and store the session cookie: the nonce returned by the review
# below is bound to this session, so all three calls must share the cookie jar.
# PWD is used here as the PKCS#12 password variable (the shell also uses PWD
# for the working directory, so it must be set deliberately before running).
curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD \
  https://dogtag.org:8443/ca/rest/account/login

# Review the request with the same cookie; the XML response carries the nonce.
curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 --cert \
  ca_admin_cert.p12:$PWD \
  https://dogtag.org:8443/ca/rest/agent/certrequests/$ID | xmllint --format - \
  > review.xml

# Approve by posting the reviewed XML (nonce included) back, still with the cookie.
curl -X POST -s -b /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD \
  https://dogtag.org:8443/ca/rest/agent/certrequests/$ID/approve \
  --header "Content-Type:application/xml" -H "Accept: application/json" \
  -d @review.xml | jq

Hopefully it can be useful for someone else...

On Mon, Feb 8, 2021 at 18:40, Perig Bouenou <pseite35 at gmail.com> wrote:

> According to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems that
> the login permission for certServer.ca.account is not set and the session is
> not created.
>
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO:
> CertUserDBAuthentication: UID caadmin authenticated.
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User ID:
> caadmin
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem:
> retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User DN:
> uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles:
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Certificate Manager Agents
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Security Domain Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Enterprise CA Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Enterprise KRA Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Enterprise OCSP Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Enterprise TKS Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Enterprise RA Administrators
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: -
> Enterprise TPS Administrators
>
> Here, "Granting login permission for certServer.ca.account" and "Creating
> session" are missing...
>
>
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem:
> retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz:
> Granting execute permission for certServer.ca.certrequests
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO:
> CertRequestService: Validating certificate request 12
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession:
> reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem:
> retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz:
> Granting approve permission for certServer.ca.request.profile
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor:
> Nonce: 2691022150130176365
> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor:
> Nonce for cert-request 12 does not exist
>
> On Mon, Feb 8, 2021 at 16:57, Perig Bouenou <pseite35 at gmail.com> wrote:
>
>> BTW, it is a similar issue to the one raised in
>> https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ...
>>
>> On Mon, Feb 8, 2021 at 16:51, Perig Bouenou <pseite35 at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Thanks for the hint. Now I make with curl the same queries as "pki
>>> -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review
>>> 8 --action approve" (I'm using the unsecure port to be able to capture
>>> unencrypted queries to the API):
>>>
>>> I start with a login and a review to get a nonce:
>>>
>>> curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> \
>>>   https://dogtag.org:8443/ca/rest/account/login
>>> curl -s -H "Accept: application/xml" --cert-type P12 --cert \
>>>   ca_admin_cert.p12:<pkc12pwd> \
>>>   https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint \
>>>   --format - > 08.xml
>>>
>>> The nonce is well generated:
>>>
>>> $ grep nonce 08.xml
>>>   <nonce>-8605088983470492766</nonce>
>>>
>>> Then, I do a curl POST to /ca/rest/agent/certrequests/8/approve, but the
>>> request returns the error "Nonce for cert-request 8 does not exist":
>>>
>>> curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> \
>>>   https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve --header \
>>>   "Content-Type:application/xml" -H "Accept: application/json"
>>> {
>>>   "Attributes": {
>>>     "Attribute": []
>>>   },
>>>   "ClassName": "com.netscape.certsrv.base.BadRequestException",
>>>   "Code": 400,
>>>   "Message": "Nonce for cert-request 8 does not exist"
>>> }
>>>
>>> Something is missing... any ideas?
>>>
>>> BR
>>>
>>> On Thu, Feb 4, 2021 at 23:38, Marc Sauton <msauton at redhat.com> wrote:
>>>
>>>> or use the pki command line tool with the option ca-cert-request-review:
>>>> https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request
>>>> for example:
>>>> pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C \
>>>>   ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 \
>>>>   --action approve
>>>>
>>>> and after successful authentication, the URI is in the form
>>>> of /ca/rest/agent/certrequests/xx/approve
>>>> where xx is the request id
>>>> it is an HTTPS POST operation
>>>>
>>>> Thanks,
>>>> M.
>>>>
>>>>
>>>> On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hello
>>>>>
>>>>>
>>>>> I'm trying to approve certificate requests by using curl as in
>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API
>>>>>
>>>>> I manage to submit certificate requests by posting an XML request
>>>>> template, I can retrieve the list of requests, and the curl command for a
>>>>> review works fine, but I'm stuck with approval using curl (I can approve
>>>>> CSRs with the pki tool but I still don't know how to do the same with curl).
>>>>>
>>>>> BTW, here is my command for reviewing request:
>>>>>
>>>>> curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> \
>>>>>   https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header \
>>>>>   "Content-Type:application/xml" | xmllint --format -
>>>>>
>>>>>
>>>>> Can someone tell me what the correct curl command to approve a CR is? Or
>>>>> is there any example of request approval (with curl) somewhere? Or even
>>>>> something more detailed than
>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API
>>>>> ?
>>>>>
>>>>> PS: I had a look at the JAVA API (
>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certificate-request)
>>>>> but it didn't help me so much.
>>>>>
>>>>> Regards,
>>>>> Pier
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
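The same login, review, approve sequence as a small Python client, added here as an example (it is not code from the thread or from Dogtag): the transport is injected so the flow can be exercised without a CA, and make_urllib_fetch builds a real one, assuming PEM client certificate and key files rather than the P12 used above; base URL and request id are whatever the caller passes, and the review XML in the test is constructed.

```python
# Added example: approve a Dogtag CA request over the REST API while keeping
# the session cookie across login -> review -> approve, so the approve POST
# carries the nonce the server bound to that session.
import http.cookiejar
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def make_urllib_fetch(cert_pem, key_pem, cafile=None):
    """Build a real transport: one cookie jar (the CA session) plus the agent's
    client certificate. Assumes PEM files; urllib cannot load the P12 used above."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(cert_pem, key_pem)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def fetch(method, url, headers=None, body=None):
        req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
        with opener.open(req) as resp:
            return resp.status, resp.read()
    return fetch


def extract_nonce(review_xml):
    """Return the <nonce> the CA issued for this request in this session."""
    node = ET.fromstring(review_xml).find(".//nonce")
    if node is None or not node.text:
        raise ValueError("review response carries no nonce")
    return node.text.strip()


def approve_request(fetch, base_url, request_id):
    """login -> review -> approve over one transport (one cookie jar).
    fetch(method, url, headers, body) must return (status, body_bytes)."""
    accept_xml = {"Accept": "application/xml"}
    fetch("GET", f"{base_url}/ca/rest/account/login", accept_xml)
    status, review = fetch("GET", f"{base_url}/ca/rest/agent/certrequests/{request_id}", accept_xml)
    if status != 200:
        raise RuntimeError(f"review of request {request_id} failed with HTTP {status}")
    nonce = extract_nonce(review)  # fail early instead of a "Nonce ... does not exist" 400
    status, body = fetch(
        "POST", f"{base_url}/ca/rest/agent/certrequests/{request_id}/approve",
        {"Content-Type": "application/xml", "Accept": "application/json"},
        review)  # the reviewed XML, nonce included, is posted back unchanged
    return status, nonce, body
```

Running it against a CA means calling approve_request(make_urllib_fetch("agent.pem", "agent.key"), "https://dogtag.org:8443", "12"); a transport without the cookie jar reproduces the nonce error from the thread.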