[PATCH] Move default location for client certificate database
by Matthew Harmsen
The attached patch addresses the following PKI issues:
* TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to
'pki-server'
* TRAC Ticket #398 - Move default location for client certificate database
Note that this implementation of ticket #398 chose a slightly different
default for the client directory path,
"~/.pki/<pki_instance_id>_<pki_subsystem>" rather than the suggested
"~/.pki/certs/<instance>", so that the existing option to purge the
client directory could still be used as is to completely remove this
entire directory structure.
12 years, 3 months
[PATCH] 146 Added ACLInterceptor.
by Endi Sukma Dewata
Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.
Ticket #287
--
Endi S. Dewata
12 years, 3 months
[PATCH] Enable Subordinate CA
by Matthew Harmsen
The attached patch addresses the following PKI issue:
* TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle
subordinate CA
The following tests were performed on this code where:
* cadeployment.cfg --> pki-tomcat (standard CA deployment configuration file with passwords)
* subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA deployment configuration file with passwords)
* sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex" Subordinate Subordinate CA deployment configuration file with passwords)
# diff cadeployment.cfg subcadeployment.cfg
109c109
< pki_ajp_port=8009
---
> pki_ajp_port=18009
119,121c119,121
< pki_http_port=8080
< pki_https_port=8443
< pki_instance_name=pki-tomcat
---
> pki_http_port=18080
> pki_https_port=18443
> pki_instance_name=pki-sub-tomcat
125c125
< pki_tomcat_server_port=8005
---
> pki_tomcat_server_port=18005
162c162
< pki_subordinate=False
---
> pki_subordinate=True
# diff subcadeployment.cfg sub-subcadeployment.cfg
60c60
< pki_issuing_ca=
---
> pki_issuing_ca=https://server.example.com:18443
109c109
< pki_ajp_port=18009
---
> pki_ajp_port=28009
119,121c119,121
< pki_http_port=18080
< pki_https_port=18443
< pki_instance_name=pki-sub-tomcat
---
> pki_http_port=28080
> pki_https_port=28443
> pki_instance_name=pki-sub-sub-tomcat
125c125
< pki_tomcat_server_port=18005
---
> pki_tomcat_server_port=28005
148c148
< pki_ca_signing_subject_dn=
---
> pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain
pki-tomcat:
# cd /var/lib/pki/pki-tomcat/alias
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
Server-Cert cert-pki-tomcat                                  u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
ocspSigningCert cert-pki-tomcat CA                           u,u,u
subsystemCert cert-pki-tomcat CA                             u,u,u

# certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA OCSP Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Audit Signing Certificate,O=example.com Security Domain"
. . .
Serial number Status Subject name
0x1 valid
CN=CA Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x2 valid
CN=CA OCSP Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x3 valid
CN=server.example.com,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x4 valid
CN=CA Subsystem Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x5 valid
CN=CA Audit Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x6 valid
CN=CA Administrator of Instance pki-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x7 valid
CN=SubCA Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x8 valid
CN=SubCA Subsystem Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0x9 valid
CN=SubCA Subsystem Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
0xa valid
UID=test CA
<https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...>
pki-sub-tomcat:
# cd /var/lib/pki/pki-sub-tomcat/alias
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain         CT,c,
caSigningCert cert-pki-sub-tomcat CA                         CTu,Cu,Cu
ocspSigningCert cert-pki-sub-tomcat CA                       u,u,u
auditSigningCert cert-pki-sub-tomcat CA                      u,u,Pu
Server-Cert cert-pki-sub-tomcat                              u,u,u
subsystemCert cert-pki-sub-tomcat CA                         u,u,u

# certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain"
. . .
Serial number Status Subject name
0x1 valid
CN=SubCA OCSP Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...>
0x2 valid
CN=server.example.com,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...>
0x3 valid
CN=SubCA Audit Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...>
0x4 valid
CN=CA Administrator of Instance pki-sub-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...>
0x5 valid
CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...>
0x6 valid
UID=test SUBCA
<https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...>
pki-sub-sub-tomcat:
# cd /var/lib/pki/pki-sub-sub-tomcat/alias
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain         CT,c,
SubCA Signing Certificate - example.com Security Domain      c,c,
caSigningCert cert-pki-sub-sub-tomcat CA                     CTu,Cu,Cu
Server-Cert cert-pki-sub-sub-tomcat                          u,u,u
subsystemCert cert-pki-sub-sub-tomcat CA                     u,u,u
ocspSigningCert cert-pki-sub-sub-tomcat CA                   u,u,u
auditSigningCert cert-pki-sub-sub-tomcat CA                  u,u,Pu

# certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain"
. . .
Serial number Status Subject name
0x1 valid
CN=SubCA OCSP Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...>
0x2 valid
CN=server.example.com,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...>
0x3 valid
CN=SubCA Audit Signing Certificate,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...>
0x4 valid
CN=CA Administrator of Instance pki-sub-sub-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
<https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...>
0x5 valid
UID=test SUB-SUBCA
<https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...>
12 years, 3 months
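Added example, not code from the patch or from the Dogtag project: it derives the subordinate and sub-subordinate deployment configs from a base config by applying the same edits the diffs above show (new instance name, pki_subordinate=True, ports shifted by a fixed offset, pki_issuing_ca set), then checks that instances sharing one host do not reuse ports and that an issuing-CA URL points at the HTTPS port of a configured instance. The config text is constructed; the 10000 port offset and the function names are this example's own choices.

```python
import re

BASE_CFG = """\
pki_ajp_port=8009
pki_http_port=8080
pki_https_port=8443
pki_instance_name=pki-tomcat
pki_tomcat_server_port=8005
pki_subordinate=False
pki_issuing_ca=
"""  # constructed sample; keys mirror those in the diffs above
PORT_KEYS = ("pki_ajp_port", "pki_http_port", "pki_https_port", "pki_tomcat_server_port")

def parse_cfg(text):
    """Parse a flat key=value deployment config, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def derive_subordinate(parent, instance_name, port_offset, issuing_ca=""):
    """Copy the parent config and apply the edits shown in the diffs above."""
    sub = dict(parent)
    sub["pki_instance_name"] = instance_name
    sub["pki_subordinate"] = "True"
    sub["pki_issuing_ca"] = issuing_ca
    for key in PORT_KEYS:
        sub[key] = str(int(parent[key]) + port_offset)
    return sub

def check_instances(cfgs):
    """Report ports reused across instances on one host, and an issuing-CA
    URL whose port is not the HTTPS port of any configured instance."""
    problems, owner = [], {}
    https_ports = {c["pki_https_port"] for c in cfgs}
    for cfg in cfgs:
        name = cfg["pki_instance_name"]
        for key in PORT_KEYS:
            port = cfg[key]
            if owner.get(port, name) != name:
                problems.append(f"{name}: {key}={port} already used by {owner[port]}")
            owner.setdefault(port, name)
        issuer = cfg.get("pki_issuing_ca", "")
        match = re.search(r":(\d+)/?$", issuer)
        if issuer and (not match or match.group(1) not in https_ports):
            problems.append(f"{name}: pki_issuing_ca {issuer!r} points at no local instance")
    return problems
```

An empty pki_issuing_ca is accepted, matching the first-level subordinate config in the diffs above, which leaves that key blank.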
[PATCH] 149 Merged theme files.
by Endi Sukma Dewata
Currently the theme files are copied into each subsystem during
deployment creating duplicates. To reduce the problem the files
should be combined into a common folder /pki.
The process will be done over several patches. Initially this patch
will copy the images and CSS files into /pki/images and /pki/css.
Subsequent patches will update references to these files to the new
location. When it's done, the files no longer need to be copied
into each subsystem.
Ticket #328
--
Endi S. Dewata
12 years, 3 months
Fwd: Re: [Freeipa-users] Updating the CA certificate
by Rob Crittenden
Here is the same question I asked last week, this time by someone
planning ahead.
They have an externally-signed IPA dogtag CA whose external CA expires
soon. How do they go about renewing things? I assume they need to renew
the external CA first. Does it make a difference if the external CA is
rekeyed?
rob
12 years, 3 months
[PATCH] 80 default instances
by Ade Lee
Set paths for default instance
With this patch, it will be possible to install a default instance
simply by adding the passwords in the pkideployment.cfg. This file
can then be used without additional alteration to add subsystems to the
same instance, by re-running pkispawn against the config file.
The patch makes sure that cert nicknames, database and baseDN, admin users
and client db are unique per subsystem. An option is added to reuse the
existing server cert generated by the first subsystem and copy the
required data to all subsystems.
Ticket 379, 385
Please review.
Ade
12 years, 3 months