September 2014 - Pki-users - Dogtag Pki List Archives

by Elliott William C OSS sIT

Hi all, Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming? We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded. Thanks and best regards, William Elliott s IT Solutions Open System Services

9 years, 2 months

4
6
0 / 0

SCEP Enrollment fails with Certificate not found .

by Elliott William C OSS sIT

Hello, We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs setup for SCEP enrollment. But, no matter whether we try the older HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a successful SCEP request. The following exception occurs in the debug log: [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation [29/Sep/2014:13:41:17][http-9180-1]: message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61 JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0 QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+ [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest' [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1' [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1 com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1 at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026) at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803) at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:701) [29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1 What stands out is the line with mNickname. After restarting the service, with the first request, the HSM token name appears to be listed twice in the mNickname string. Interestingly, with each new request, the number of token names increases by one in the string. i.e. with the 2nd attempt, the same exception occurs but the token name appears three times: [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest' [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1' [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1 com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1 at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026) at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803) at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:701) [29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1 As mentioned, the exception occurs with both versions 4 and 5 of LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating with SCEP enrollment.) With local tokens, (no HSMs) the error does not occur. Any Ideas, how we can track this down? We definitely need to get this running. Best regards! William Elliott s IT Solutions Open System Services s IT Solutions AT Spardat GmbH A-1110 Wien, Geiselbergstraße 21 - 25 Phone: +43 (0)5 0100 - 39376 Fax: +43 (0)5 0100 9 - 39376 Mobile: +43 (0) 5 0100 6 - 39376 mailto:william.elliott at s-itsolutions.at<mailto:william.elliott%20at%20s-itsolutions.at> www.s-itsolutions.com<http://www.s-itsolutions.com/> Head Office: Vienna Commercial Register No.: 152289f Commercial Court of Vienna This message and any attached files are confidential and intended solely for the addressee(s). Any publication, transmission or other use of the information by a person or entity other than the intended addressee is prohibited. If you receive this in error please contact the sender and delete the material. The sender does not accept liability for any errors or omissions as a result of the transmission.

10 years, 10 months

2
5
0 / 0

Re: [Pki-users] Advance Biometric Signature using Digital Signature

by 'Fraser Tweedale'

On Mon, Sep 29, 2014 at 11:10:05AM -0500, Ricardo Alexander Perez Ricardez wrote: > Hi Fraser, > > Here more information about this: > > http://www.andxor.com/supported-signatures.html > > https://www.softpro.de/en/academy/electronic-signatures-security.aspx > Thanks Ricardo, So to clarify, your use case is production and/or verification of digitally signed PDF documents that include a biometric signature? Are you use any specific software that you hope to integrate with Dogtag to provide the digital signing capabilities? If the biometric signature is simply part of the data that gets digitally signed, then Dogtag fundamentally supports the required operations. The standards in play are paywalled so I cannot confirm this or comment on how the integration might work. I will try and get copies of the relevant standards to further the investigation. These include: - ISO/IEC 19794-7:2007 -- Biometric data interchange formats -- Part 7: Signature/sign time series data - ISO 19005-2:2011 -- Electronic document file format for long-term preservation -- Part 2: Use of ISO 32000-1 (PDF/A-2) Regards, Fraser > > -----Mensaje original----- > De: Fraser Tweedale [mailto:ftweedal@redhat.com] > Enviado el: domingo, 28 de septiembre de 2014 20:54 > Para: Ricardo Alexander Alexander Perez Ricardez > CC: pki-users(a)redhat.com > Asunto: Re: [Pki-users] Advance Biometric Signature using Digital Signature > > On Sat, Sep 27, 2014 at 02:06:40PM -0500, Ricardo Alexander Alexander Perez > Ricardez wrote: > > Advance Biometric Signature using Digital Signature > > > > Is possible use DogTag Certificate System with " Advance Biometric > Signature using Digital Signature" ? > > > > > Hi Ricardo, > > It would be helpful to know more about your use case (e.g., signed PDF > documents, S/MIME, something else?) and the particular standards involved (I > did a quick search but was unable to find any standards concerning the > graphometric/biometric signature information). > > Regards, > > Fraser > > > _______________________________________________ > > Pki-users mailing list > > Pki-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/pki-users >

11 years

1
0
0 / 0

Re: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)

by Philip Shuman

Just wanted to update this thread: we just got off the phone with our Gemalto rep and they say the Gemalto TOP IM FIPS CY2 is not End-Of-Life and is still available in quantity. > ----- Original Message ----- > From: "Fabian Bertholm" <fabeisageek googlemail com> > To: "pki-users" <pki-users redhat com> > Sent: Monday, May 6, 2013 12:33:53 AM > Subject: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2) > > Hi, > > I got a message from my smartard dealer that the Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2) ist now EOL. > > Which other smartcard is officially supported? I need something with at least 64k. Anyone with an idea? > > best regards > Fabian

11 years

1
0
0 / 0

Advance Biometric Signature using Digital Signature

by Ricardo Alexander Alexander Perez Ricardez

Advance Biometric Signature using Digital Signature Is possible use DogTag Certificate System with " Advance Biometric Signature using Digital Signature" ?

11 years

2
1
0 / 0

Graphometric Dynamic Signature (Advanced Electronic Signature)

by Ricardo Alexander Alexander Perez Ricardez

Hi, Is possible use this characteristic with DogTag Certificate System? Graphometric Dynamic Signature (Advanced Electronic Signature) Including in the document graphometric information captured during the signature execution and embedding everything with digital signature. More info here: http://www.andxor.com/supported-signatures.html How Graphometric Signature and Verification is performed When the user perform a Graphometric Signature the following information are captured: * the image of the signature, * the position and direction * the pressure (1024 levels) * the time * the curvature * the acceleration During a Graphometric Signature the important element is not the graphical mage (like during 2D normal ink signature) but the biometric characteristics of the image. Including the time and the pressure, the x,y position the velocity and direction we can have spatial dynamic information not available during a normal ink signature. In the next picture you can see a normal ink signature in a 2Dimensional space and the same signature in a 3Dimensional space including the time. In fact " ONLY the the biometric information without the image of the signature " are stored and are useful for matching a future signature. This allow more security and dynamic verification This is the typical verification process. All these information will be included in the digital signature creating and Advanced Electronic Signature. Once the Advanced Electronic Signature using Biometrical information is bonded with the document via a Digital Signature the final final receive the Persistent Security to allow legal verification of authenticity, presence in time and Integrity as well as non repudiation.

11 years

1
0
0 / 0

Use of graphometric data by digitizing handwritten signature.

by Ricardo Alexander Alexander Perez Ricardez

Hi ... I am using a wacom tablet to sign documents by digitizing handwritten signature. ¿DogTag Certificate System supports the use of graphometric data? As in the image attached to the email ...

11 years

1
0
0 / 0

profiles for generating server and client certificates

by Jindrich Dolezal

hi, can anyone advice me how to configure dogtag (having 9.0.3) to have 2 profiles for generating server and client certificate. for cert generating im currently using /var/lib/pki-ca/profiles/ca/caRouterCert.cfg where there is line: policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 OID 1.3.6.1.5.5.7.3.2 is for client, 1.3.6.1.5.5.7.3.1 is for server so for generating the server certificate, i have to reconfigure and restart ca which is very annoying for test env and unthinkable in production env. i have configured clients to be able to get their own certificates via scep. and for server i generate certs manually with the use of jscep-cli tool. is there a way/is it possible to configure dogtag so that i can get me server certificate without reconfiguring? thanks a lot jd *****************************************This email and any files transmitted with are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error then please delete it and notify the sender. Do not make a copy or forward it to anyone. This footnote also confirms that this email message has been swept for the presence of computer viruses. Adaptive Mobile Security Ltd, Ferry House, 48 Lower Mount Street, Dublin 2, Ireland Directors: B. Collins, G. Maclachlan (UK), N. Grierson (UK), J. Ennis (UK), D. Summers (UK). Registered in Ireland, Company No. 370343, VAT Reg.No.IE6390343O*****************************************

11 years

1
0
0 / 0

Generating certificates with DSA signatures

by Fraser Tweedale

Hi all, Is there some documentation somewhere about how to set up / configure a CA subsystem such that it can sign requests with DSA rather than RSA? I guess that you need to spawn an instance with a DSA signing key or somehow configure one after the spawning, but I'm not sure how to do this. Cheers, Fraser

11 years

2
2
0 / 0

ERROR: Package pki-ocsp is NOT installed!

by Ricardo Alexander Alexander Perez Ricardez

I get: ERROR: Package pki-ocsp is NOT installed! When I try create an OCSP instance with pkispawn

11 years, 1 month

2
1
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users September 2014