Modify Certificate Profiles
by Chris
Sorry, hit the send by mistake....
I've successfully installed Dogtag. The documentation was clear and I didn't
have any issues.
My question is in regards to customizing certificate profiles. In the
current CA environment I manage, I deal with customizing profiles. Is there
a way to create customized certificate profiles?
The fields which apply are:
CertificatePolicies
- Policy Identifier
- User Notice with custom text
ExtendedKeyUsage
- New Key Usage OID
Also, in one profile, we've created a new field that programmatically ties to
the EKU.
On our current CA software, a config file is modified to customize profiles.
Also there is some DER encoding required to convert the appropriate text.
Is this feature available?
16 years, 7 months
pkiconsole?
by Chris
Will there be an similar 'pkiconsole' application for dogtag as there is in
the Red Hat version?
16 years, 7 months
CMC enrolment
by Sam Morrison
I have an application that generates certificates using CMC to talk to
a CA server. I read that Dogtag supports CMC so I have downloaded and
installed it.
Problem I have is that I have no idea how to get my application and
Dogtag CA to talk. (and that I am just learning what CMC actually is!)
My application has an RFC2797 compliant CMC client and to configure it
I need to enter the url of the CA and some java keystore files.
Help would be greatly appreciated.
Thanks,
Sam Morrison
Systems Administrator
Victorian Partnership for Advanced Computing
110 Victoria St.
Carlton South, VIC, 3053
Australia
Phone: +61 3 9925 8372
16 years, 8 months
Invalid Credential / User not found
by Ebbe Hansen
After using the DogTag WEB Agent client once (based upon the "preop.pin"
value) the WEB Agent fails to continue to operate with the error message
"Invalid Credential".
The "/var/lib/<instance>/logs/system" file reports a "User not found"
error.
NOTE: During the CA configuration setup the following Alert is displayed
when the administrator certificate is installed:
"This certificate can't be verified and will not be imported. The
certificate issuer might be unknown or untrusted, the certificate might
have expired or been revoked, or the certificate might not have been
approved."
Suggestions on what to try next will be appreciated.
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
16 years, 8 months
Unable to complete setup
by caverett@corecodec.net
I am trying to get the pki-ca setup completed; however, I can't get the
"Administrator" section to complete.
I enter a UID, name, email, and password, and hit next. Depending on the
browser, I get different things.
IE6: Spinning circle, javascript error.
Line 267: Object doesn't support this property or method: TheForm.uid.Value
Firefox: Just hangs
Safari: Spins forever
Anyone had something like this happen?
16 years, 8 months
CMC enrollment using CMS
by Sam Morrison
Hi,
I am currently testing out the Dogtag CA.
I want to get a certificate automatically using CMC.
Is there an HTTPS interface where I can get a certificate from another
machine with a CMC client?
Does dogtag support CMS to be able to do this?
Thanks,
Sam Morrison
Systems Administrator
Victorian Partnership for Advanced Computing
110 Victoria St. Carlton South, VIC, 3053
Phone: (03) 9925 8372
16 years, 8 months
No CDP by default?
by Chris
Unable to get the CDP in the issuing certificates. Taking the caUserCert
profile, it looks like CDP isn't in the profiles by default, which appears
to be the default for all certificates.
Using the PKI Console, I added the CRL Distribution Points Extension Default
with No Constraints
* The information below was entered based on examples in the Red Hat
documentation (
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...).
[Default] tab
crlDistPointsCritical = false
crlDistPointsPointType_0 = URIName
crlDistPointsPointName_0 = http://crl.company.com:80
crlDistPointsReasons_0 = unused,superseded
crlDistPointsIssuerType_0 = http://pkica.corp.company.com
crlDistPointsIssueName_0 = URIName
crlDistPointsEnable_0 = true
When generating the certificate the CDP field is still not visible. I've
attached a summary of the profile below with the new CDP field added.
Any ideas?
Thanks.
Chris
--
------------------------------------
*Certificate Profile Information:*
Certificate Profile Id: caUserCert
Certificate Profile Name: Manual User Dual-Use Certificate Enrollment
Description: This certificate profile is for enrolling user certificates.
Approved: false
Approved By:
*Policy Information:*
Policy Set: userCertSet
*#* *Extensions / Fields* *Constraints*
1. This default populates a User-Supplied Certificate Subject Name to the request.
   Constraint: This constraint accepts the subject name that matches CN=.*
2. This default populates a Certificate Validity to the request. The default values are Range=180 in days.
   Constraint: This constraint rejects the validity that is not between 365 days.
3. This default populates a User-Supplied Certificate Key to the request.
   Constraint: This constraint accepts the key only if Key Type=-, Key Min Length=256, Key Max Length=4096.
4. This default populates an Authority Key Identifier Extension (2.5.29.35) to the request.
   Constraint: No Constraint
5. This default populates an Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true}
   Constraint: No Constraint
6. This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false
   Constraint: This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false
7. This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
   Constraint: No Constraint
9. This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA1withRSA
   Constraint: This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
12. This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. The default values are Criticality=false,
    Record #0{Point Type:http://crl.company.com:80,Point Name:URIName,Reasons:unused,superseded,Issuer Type:http://pkica.company.com,Issuer Name:URIName,Enable:true}
    Record #1{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
    Record #2{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
    Record #3{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
    Record #4{Point Type:,Point Name:,Reasons:,Issuer Type:,Issuer Name:,Enable:false}
    Constraint: No Constraint
16 years, 8 months
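Two of Chris's posts above touch the same underlying problem: the first asks how to get CertificatePolicies (policy identifier plus a User Notice) and a custom ExtendedKeyUsage OID into a profile, noting that "some DER encoding" is involved; the second shows crlDistPoints* profile parameters that never appear as a CDP in the issued certificate. The example below is added here and is not Dogtag, JSS or OpenSSL code. It does two things: it produces the exact DER bytes the CA has to place in each of those three extensions, and it runs a sanity check over the crlDistPoints* lines as they were typed in the second post. Everything named here is constructed for the example: the policy OID 1.3.6.1.4.1.99999.1.1 and the notice text are placeholders, the set of accepted name types (URIName, DirectoryName) is an assumption, and the parameter names are taken verbatim from the post rather than from any Dogtag documentation.

```python
"""DER encoders for CertificatePolicies, ExtendedKeyUsage and
CRLDistributionPoints, plus a sanity check for crlDistPoints* profile
parameters. Pure stdlib; added example, not Dogtag code."""
import re

# ---- minimal DER primitives --------------------------------------------------

def der_len(n):
    """Definite-length DER length octets (short form below 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

# ---- the three extensions from the thread ------------------------------------

ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"   # id-qt-unotice, RFC 5280

def encode_certificate_policies(policy_oid, notice_text):
    """CertificatePolicies (2.5.29.32): one PolicyInformation whose single
    qualifier is a UserNotice with explicitText as UTF8String."""
    user_notice = der_seq(der_tlv(0x0C, notice_text.encode("utf-8")))
    qualifier = der_seq(der_oid(ID_QT_UNOTICE), user_notice)
    policy_info = der_seq(der_oid(policy_oid), der_seq(qualifier))
    return der_seq(policy_info)

def encode_extended_key_usage(oids):
    """ExtKeyUsageSyntax (2.5.29.37): SEQUENCE OF KeyPurposeId; a private
    OID goes in exactly like the well-known ones."""
    return der_seq(*(der_oid(o) for o in oids))

def encode_crl_distribution_points(uris):
    """CRLDistributionPoints (2.5.29.31), one DistributionPoint per URI:
    distributionPoint [0] EXPLICIT (it tags a CHOICE), fullName [0] IMPLICIT
    GeneralNames, uniformResourceIdentifier [6] IMPLICIT IA5String."""
    points = []
    for uri in uris:
        general_name = der_tlv(0x86, uri.encode("ascii"))
        full_name = der_tlv(0xA0, general_name)
        points.append(der_seq(der_tlv(0xA0, full_name)))
    return der_seq(*points)

# ---- sanity check for crlDistPoints* profile parameters ----------------------

NAME_TYPES = {"URIName", "DirectoryName"}   # assumed set of accepted types

def check_crl_dist_point_params(config_text):
    """Parse 'crlDistPoints<Field>_<n> = value' lines and, for every enabled
    record, flag a *Type field that is not a name type and a *Name field
    that holds a type keyword instead of an actual name."""
    records = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*crlDistPoints(\w+?)_(\d+)\s*=\s*(.*?)\s*$", line)
        if m:
            field, idx, value = m.group(1), int(m.group(2)), m.group(3)
            records.setdefault(idx, {})[field] = value
    problems = []
    for idx, fields in sorted(records.items()):
        if fields.get("Enable", "true").lower() != "true":
            continue
        for field, value in fields.items():
            if field.endswith("Type") and value not in NAME_TYPES:
                problems.append(f"record {idx}: {field} = {value!r} is not a name type")
            elif field.endswith("Name") and value in NAME_TYPES:
                problems.append(f"record {idx}: {field} = {value!r} is a type keyword, not a name")
    return problems

# Constructed from the parameters as typed in the post above.
POSTED_PROFILE_PARAMS = """\
crlDistPointsCritical = false
crlDistPointsPointType_0 = URIName
crlDistPointsPointName_0 = http://crl.company.com:80
crlDistPointsReasons_0 = unused,superseded
crlDistPointsIssuerType_0 = http://pkica.corp.company.com
crlDistPointsIssueName_0 = URIName
crlDistPointsEnable_0 = true
"""

if __name__ == "__main__":
    print(encode_certificate_policies("1.3.6.1.4.1.99999.1.1", "Test").hex())
    print(encode_extended_key_usage(["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.99999.2"]).hex())
    print(encode_crl_distribution_points(["http://crl.company.com:80"]).hex())
    for p in check_crl_dist_point_params(POSTED_PROFILE_PARAMS):
        print("WARN", p)
```

Run against the parameters as posted, the checker is silent about the point (PointType_0 is URIName and PointName_0 is the URL) but reports record 0's issuer pair, where the URL sits in the *Type field and "URIName" in the *Name field; that inversion is visible in the profile summary further up as well. The encoder output is what an ASN.1 dumper (for example `openssl asn1parse -inform DER`) should show for each extension value once the CA emits it, which is a quick way to confirm a profile is actually populating the extension rather than just listing it.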
Importing existing CA chain into new dogtag instance
by Jonathan Barber
Hi, I've been playing with Dogtag for the last couple of days, and want
to test it with our existing CA cert that we use locally. So I've been
setting them up as subordinate CAs.
I hit a minor glitch in setup when connecting to a remote FDS instance,
it won't connect via SSL and I just get the error "Failed to connect to
the internal database", presumably because the SSL cert doesn't pass
validation.
After configuring the CA as a subordinate, I sign the CA cert CSR with
our local CA, then provide our CA cert in PKCS7 form - generated with
the command:
openssl crl2pkcs7 -nocrl -certfile cacert.pem
Upon restarting the CA instance, everything works, but I can't find any
trace of the issuer certificate in the certutil DB so I presume it
failed. Where should it go?
After setup, when I try and use the pkiconsole to load the CA cert (in
PEM format) into the DB (as a CA or Local Certificate) I get the error
"Certificate Error: Failed to decode", and PrettyPrintCert gives me:
PrettyPrintCert: Error encountered on parsing certificate : java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
null
I can load it into the instance certutil DB, but can't then see it in
the pkiconsole.
Any ideas? The certificate in question is:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
16 years, 8 months
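The PrettyPrintCert failure in the post above is a GeneralNamesException ("No data available in passed DER encoded value") raised while decoding the IssuerAlternativeName extension, and the same certificate loads fine with certutil. One input shape that leaves a GeneralNames decoder with nothing to read is an extension whose extnValue is an empty SEQUENCE (the two bytes 30 00); the certificate body is not in this archive, so whether that is the cause here is an assumption. The example below is added here and is not Dogtag, JSS, NSS or OpenSSL code: it walks a DER blob without a full X.509 parser and reports every extension whose value is exactly an empty SEQUENCE, so a certificate can be screened before it is handed to a stricter importer. The sample extension list, the name ca.example.test and all function names are constructed for the example.

```python
"""Report X.509 extensions whose extnValue is an empty SEQUENCE.
Pure stdlib; added example, not part of any CA product."""
import base64
import re

ISSUER_ALT_NAME = "2.5.29.18"
SUBJECT_ALT_NAME = "2.5.29.17"

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end, next_pos) for the TLV at pos.
    Handles short and long definite lengths; indefinite length is not DER."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length, pos + length

def children(buf, start, end):
    """Yield (tag, content_start, content_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, cs, ce, pos = read_tlv(buf, pos)
        yield tag, cs, ce

def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def find_empty_extensions(der):
    """Return the extnID of every Extension whose extnValue is SEQUENCE {}.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }, so a SEQUENCE whose first child is an OID and
    whose last child is an OCTET STRING is treated as an Extension. The
    walker descends into every other constructed node (TBSCertificate, the
    [3] Extensions wrapper, ...) but never into OCTET STRING contents."""
    found = []

    def walk(start, end):
        for tag, cs, ce in children(der, start, end):
            if tag == 0x30:
                parts = list(children(der, cs, ce))
                if len(parts) >= 2 and parts[0][0] == 0x06 and parts[-1][0] == 0x04:
                    oid = decode_oid(der[parts[0][1]:parts[0][2]])
                    if der[parts[-1][1]:parts[-1][2]] == b"\x30\x00":
                        found.append(oid)
                    continue
                walk(cs, ce)
            elif tag & 0x20:        # any other constructed tag, e.g. [3]
                walk(cs, ce)

    walk(0, len(der))
    return found

def pem_to_der(pem):
    """Strip PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def scan_pem(pem):
    return find_empty_extensions(pem_to_der(pem))

# ---- constructed sample: a [3] Extensions block with a populated SAN and an
# ---- IssuerAltName whose value is an empty GeneralNames ----------------------

def _tlv(tag, content):                # builder for the sample only
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

SAN_OID = bytes.fromhex("0603551d11")    # 2.5.29.17
IAN_OID = bytes.fromhex("0603551d12")    # 2.5.29.18
SAMPLE_EXTENSIONS = _tlv(0xA3, _tlv(0x30,
    _tlv(0x30, SAN_OID + _tlv(0x04, _tlv(0x30, _tlv(0x82, b"ca.example.test"))))
    + _tlv(0x30, IAN_OID + _tlv(0x04, b"\x30\x00"))))

if __name__ == "__main__":
    for oid in find_empty_extensions(SAMPLE_EXTENSIONS):
        print("empty extension value:", oid)
```

Feed `scan_pem` the PEM of a certificate that a strict importer rejects; an empty list means the extension values at least contain something, and an `["2.5.29.18"]` result is the IssuerAltName case discussed above. The walker is deliberately shallow: it does not validate the certificate, it only finds the one malformation it is looking for, so a clean result from it is not evidence that the certificate is otherwise well-formed.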