November 2012 - Pki-devel - Dogtag Pki List Archives

[PATCH] 82 - Remove-unused-respawn-code

by Ade Lee

Removing almost all respawn code. Please review. Ade

11 years, 5 months

2
2
0 / 0

[PATCH] fix issue with pki_external being referenced when not a CA

by Ade Lee

Please review. Ade

11 years, 5 months

2
2
0 / 0

[PATCH] 182 Removed CA, KRA, OCSP, TKS theme packages.

by Endi Sukma Dewata

The build scripts and spec files have been updated to no longer create the theme packages for CA, KRA, OCSP, and TKS. Ticket #407 -- Endi S. Dewata

11 years, 5 months

1
1
0 / 0

[PATCH] Move default location for client certificate database

by Matthew Harmsen

The attached patch addresses the following PKI issues: * TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to 'pki-server' * TRAC Ticket #398 - Move default location for client certificate database Note that this implementation of ticket #398 chose a slightly different default for the client directory path, "~/.pki/<pki_instance_id>_<pki_subsystem>" rather than the suggested "~/.pki/certs/<instance>", so that the existing option to purge the client directory could still be used as is to completely remove this entire directory structure.

11 years, 5 months

1
0
0 / 0

[PATCH] 146 Added ACLInterceptor.

by Endi Sukma Dewata

Previously ACL checking was done in PKIRealm by matching the URL. This code has been replaced by ACLInterceptor which will intercept RESTEasy method invocations. This allows more precise mapping of REST methods to ACL entries in acl.ldif. Ticket #287 -- Endi S. Dewata

11 years, 5 months

2
3
0 / 0

[PATCH] Enable Subordinate CA

by Matthew Harmsen

The attached patch addresses the following PKI issue: * TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle subordinate CA The following tests were performed on this code where: * *cadeployment.cfg --> pki-tomcat (standard CA deployment configuration file with passwords)* * *subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA deployment configuration file with passwords)* * *sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex" Subordinate Subordinate CA deployment configuration file with passwords)*** # diff cadeployment.cfg subcadeployment.cfg 109c109 < pki_ajp_port=8009 --- > pki_ajp_port=18009 119,121c119,121 < pki_http_port=8080 < pki_https_port=8443 < pki_instance_name=pki-tomcat --- > pki_http_port=18080 > pki_https_port=18443 > pki_instance_name=pki-sub-tomcat 125c125 < pki_tomcat_server_port=8005 --- > pki_tomcat_server_port=18005 162c162 < pki_subordinate=False --- > pki_subordinate=True # diff subcadeployment.cfg sub-subcadeployment.cfg 60c60 < pki_issuing_ca= --- > pki_issuing_ca=https://server.example.com:18443 109c109 < pki_ajp_port=18009 --- > pki_ajp_port=28009 119,121c119,121 < pki_http_port=18080 < pki_https_port=18443 < pki_instance_name=pki-sub-tomcat --- > pki_http_port=28080 > pki_https_port=28443 > pki_instance_name=pki-sub-sub-tomcat 125c125 < pki_tomcat_server_port=18005 --- > pki_tomcat_server_port=28005 148c148 < pki_ca_signing_subject_dn= --- > pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain *pki-tomcat: *# cd /var/lib/pki/pki-tomcat/alias # certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-tomcat CA CTu,Cu,Cu Server-Cert cert-pki-tomcat u,u,u auditSigningCert cert-pki-tomcat CA u,u,Pu ocspSigningCert cert-pki-tomcat CA u,u,u subsystemCert cert-pki-tomcat CA u,u,u # certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA Signing Certificate,O=example.com Security Domain" . . . # certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA Subsystem Certificate,O=example.com Security Domain" . . . # certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=server.example.com,O=example.com Security Domain" . . . # certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA OCSP Signing Certificate,O=example.com Security Domain" . . . # certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA Audit Signing Certificate,O=example.com Security Domain" . . . Serial number Status Subject name 0x1 valid CN=CA Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x2 valid CN=CA OCSP Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x3 valid CN=server.example.com,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x4 valid CN=CA Subsystem Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x5 valid CN=CA Audit Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x6 valid CN=CA Administrator of Instance pki-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x7 valid CN=SubCA Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x8 valid CN=SubCA Subsystem Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0x9 valid CN=SubCA Subsystem Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> 0xa valid UID=test CA <https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...> *pki-sub-tomcat:** * # cd /var/lib/pki/pki-sub-tomcat/alias # certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA Signing Certificate - example.com Security Domain CT,c, caSigningCert cert-pki-sub-tomcat CA CTu,Cu,Cu ocspSigningCert cert-pki-sub-tomcat CA u,u,u auditSigningCert cert-pki-sub-tomcat CA u,u,Pu Server-Cert cert-pki-sub-tomcat u,u,u subsystemCert cert-pki-sub-tomcat CA u,u,u # certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . # certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain" . . . # certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=server.example.com,O=example.com Security Domain" . . . # certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain" . . . # certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain" . . . Serial number Status Subject name 0x1 valid CN=SubCA OCSP Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...> 0x2 valid CN=server.example.com,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...> 0x3 valid CN=SubCA Audit Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...> 0x4 valid CN=CA Administrator of Instance pki-sub-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...> 0x5 valid CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...> 0x6 valid UID=test SUBCA <https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...> *pki-sub-sub-tomcat:** * # cd /var/lib/pki/pki-sub-sub-tomcat/alias # certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA Signing Certificate - example.com Security Domain CT,c, SubCA Signing Certificate - example.com Security Domain c,c, caSigningCert cert-pki-sub-sub-tomcat CA CTu,Cu,Cu Server-Cert cert-pki-sub-sub-tomcat u,u,u subsystemCert cert-pki-sub-sub-tomcat CA u,u,u ocspSigningCert cert-pki-sub-sub-tomcat CA u,u,u auditSigningCert cert-pki-sub-sub-tomcat CA u,u,Pu # certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . # certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain" . . . # certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" | more . . . Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . Subject: "CN=server.example.com,O=example.com Security Domain" . . . # certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain" . . . # certutil -d . -L -n "auditSigningCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain" . . . Serial number Status Subject name 0x1 valid CN=SubCA OCSP Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...> 0x2 valid CN=server.example.com,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...> 0x3 valid CN=SubCA Audit Signing Certificate,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...> 0x4 valid CN=CA Administrator of Instance pki-sub-sub-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security Domain <https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...> 0x5 valid UID=test SUB-SUBCA <https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...>

11 years, 5 months

2
1
0 / 0

[PATCH] 150-168 Updating theme images and CSS paths

by Endi Sukma Dewata

These patches update the paths of the theme images and CSS files to use the merged location under /pki. Ticket #328 -- Endi S. Dewata

11 years, 5 months

1
1
0 / 0

[PATCH] 149 Merged theme files.

by Endi Sukma Dewata

Currently the theme files are copied into each subsystem during deployment creating duplicates. To reduce the problem the files should be combined into a common folder /pki. The process will be done over several patches. Initially this patch will copy the images and CSS files into /pki/images and /pki/css. Subsequent patches will update references to these files to the new location. When it's done, the files no longer need to be copied into each subsystem. Ticket #328 -- Endi S. Dewata

11 years, 5 months

2
3
0 / 0

Fwd: Re: [Freeipa-users] Updating the CA certificate

by Rob Crittenden

Here is the same question I asked last week, this time by someone planning ahead. They have an externally-signed IPA dogtag CA whose external CA expires soon. How do they go about renewing things? I assume they need to renew the external CA first. Does it make a difference if the external CA is rekeyed? rob

11 years, 5 months

2
1
0 / 0

[PATCH] 80 default instances

by Ade Lee

Set paths for default instance With this patch, it will be possible to install a default instance simply by adding the passwords in the pkideployment.cfg. This file can then be used without additional alteration to add subsystems to the same instance, by re-running pkispawn against the config file. The patch makes sure that cert nicknames, database and baseDN , admin users and client db are unique per subsystem. An option is added to reuse the existing server cert generated by the first subsystem and copy the required data to all subsystems. Ticket 379, 385 Please review. Ade

11 years, 5 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel November 2012