Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
the existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
that I followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
Unable to format smart card
by Javier Gallart
Hello all
first question in the list. I recently installed Dogtag version 10.2.1.
Testing is going fine so far, with the exception of the smart card format
stage.
Let me give you the specs of the system:
-Dogtag runs on a Fedora20 x86_64
-ESC (version esc-1.1.0-14.el5.centos1) runs on a Centos 5.11 x86_64
-Smart Card Model:SmartCafe Expert 3.2 72K from G&D with 72K on-board EEPROM
When I push the format button, the authentication looks good; however the
operation fails throwing this message: "The Smart Card Server cannot
establish a secure channel with the smart card".
Looking at the logs:
----TPS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSEngine.computeSessionKey:
Non zero status result: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message
processing failed: TPSProcessor.setupSecureChannel: Can't set up secure
channel: TPSEngine.computeSessionKey: invalid returned status: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing:
s=43&msg_type=13&operation=5&result=1&message=17
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: leaving:
result: 1 status: STATUS_ERROR_SECURE_CHANNEL
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process()
exiting ...
----TKS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >=
0x0
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try
ComputeSessionKey selectedToken=Internal Key Storage Token
keyNickName=#01#02
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried
ComputeSessionKey, got NULL
java.lang.Exception: Can't compute session key!
(...)
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing
Session Key: java.lang.Exception: Can't compute session key!
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]:
TokenServlet:outputString.encode status=1
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]:
TokenServlet:outputString.length 8
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory:
create()
message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal
Key Storage
Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem
generating session key info.] TKS Compute session key request failed
Any idea about where the problem might be?
Thanks in advance
Regards
Javi
9 years, 10 months
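An added example, not part of the original post and not Dogtag code: the TKS audit record above is the most structured line in the log, and this sketch reassembles it across the mail client's line wraps and pulls out the key-derivation inputs TKS recorded for the failed request. The field names come from the log itself; the function names are hypothetical, and the KDF comparison follows the log's own "will be used for key versions >=" line.

```python
import re

# TKS audit line copied from the post above, mail-client line wraps left in place.
RAW = """\
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory:
create()
message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal
Key Storage
Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem
generating session key info.] TKS Compute session key request failed
"""

FIELD = re.compile(r"\[([A-Za-z0-9_]+)=([^\[\]]*)\]")


def parse_audit_event(raw):
    """Return the [Key=Value] fields of one wrapped audit message as a dict."""
    # Assumption: every wrap fell on a space, so each newline becomes one space.
    joined = " ".join(raw.split())
    start = joined.find("message=")
    if start < 0:
        return {}
    return {key: value.strip() for key, value in FIELD.findall(joined[start:])}


def summarize_failure(fields):
    """Pull out the key-derivation inputs TKS logged for a failed request."""
    if fields.get("Outcome") != "Failure":
        return None
    key_version = int(fields["KeyInfo_KeyVersion"], 16)
    kdf_from = int(fields["NistSP800_108KdfOnKeyVersion"], 16)
    return {
        "event": fields["AuditEvent"],
        "token": fields["SelectedToken"],
        "keyset": fields["TKSKeyset"],
        "key_nickname": fields["KeyNickName"],
        "key_version": key_version,
        # The TKS log says the KDF is used "for key versions >=" this value.
        "kdf_applies": key_version >= kdf_from,
        "kdd_is_cuid": fields["KDD_decoded"] == fields["CUID_decoded"],
        "error": fields["Error"],
    }


if __name__ == "__main__":
    for name, value in summarize_failure(parse_audit_event(RAW)).items():
        print(f"{name}: {value}")
```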
initial setup difficulties with dogtag ca instance
by marcin kowalski
Hi, I am testing out dogtag and I wanted to set up a simple local CA to take
it for a spin.
Following the docs, I created a directory server, pkispawn'ed the ca and
kra instances, and after importing the certificate into my browser for
administrative access the difficulties started.
Most guides I found apparently refer to different versions of dogtag,
because they show output of the pkicreate command, which seems to no longer
exist, and then they lead the user to a "CA Setup Wizard" page where all CA
configuration happens. I somehow do not get any access to such a page, so
probably the procedure is different now.
I cannot find any such option in the web interface, and I am not exactly
sure what I am missing here. It must be something obvious.
Everything was done on a current Fedora installation, with no extra
repositories configured.
9 years, 11 months
Fwd: Unable to format smart card
by Javier Gallart
Forgot to copy the list....
Javi
---------- Forwarded message ----------
From: Javier Gallart <jgallartm(a)gmail.com>
Date: Mon, Jan 26, 2015 at 12:21 PM
Subject: Re: [Pki-users] Unable to format smart card
To: John Magne <jmagne(a)redhat.com>
Thanks Jack
my replies:
On Fri, Jan 23, 2015 at 6:24 PM, John Magne <jmagne(a)redhat.com> wrote:
> Hi:
>
> Interesting..
>
> Couple of questions.
>
>
> Are you using the developer key set to start out or have you already
> attempted
> symmetric key changeover?
>
I am using the developer key set
>
>
>
> Have you tried to at least establish a secure channel with "gpshell"?
>
Yes, I've been able to establish a secure channel with gpshell.
>
> Is this a gp2.1.1 card per chance or 2.0.1, which is what we support right
> this minute?
>
-I am using a gps2.1.1 card, I guess this is the problem?
>
> My quick advice would be to try first to get a secure channel with gpshell.
>
> If you fail in this fashion 3 times or more, your card is toast.
>
> Also, your CS.cfg might be helpful.
>
Attaching CS.cfg for tps and tks
Regards
Javi
>
> thanks,
> jack
>
>
>
>
> ----- Original Message -----
> > From: "Javier Gallart" <jgallartm(a)gmail.com>
> > To: pki-users(a)redhat.com
> > Sent: Friday, January 23, 2015 8:14:42 AM
> > Subject: [Pki-users] Unable to format smart card
> >
> > Hello all
> >
> > first question in the list. I recently installed Dogtag version 10.2.1.
> > Testing is going fine so far, with the exception of the smart card format
> > stage.
> > Let me give you the specs of the system:
> > -Dogtag runs on a Fedora20 x86_64
> > -ESC (version esc-1.1.0-14.el5.centos1) runs on a Centos 5.11 x86_64
> > -Smart Card Model:SmartCafe Expert 3.2 72K from G&D with 72K on-board
> EEPROM
> >
> > When I push the format button, the authentication looks good; however the
> > operation fails throwing this message: "The Smart Card Server cannot
> > establish a secure channel with the smart card".
> >
> > Looking at the logs:
> > ----TPS----
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-11]:
> TPSEngine.computeSessionKey:
> > Non zero status result: 1
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process:
> Message
> > processing failed: TPSProcessor.setupSecureChannel: Can't set up secure
> > channel: TPSEngine.computeSessionKey: invalid returned status: 1
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing:
> > s=43&msg_type=13&operation=5&result=1&message=17
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process:
> leaving:
> > result: 1 status: STATUS_ERROR_SECURE_CHANNEL
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process()
> > exiting ...
> >
> >
> > ----TKS----
> >
> >
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
> > ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
> > ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >=
> 0x0
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
> > ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try
> > ComputeSessionKey selectedToken=Internal Key Storage Token
> > keyNickName=#01#02
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried
> > ComputeSessionKey, got NULL
> > java.lang.Exception: Can't compute session key!
> >
> > (...)
> >
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing
> Session
> > Key: java.lang.Exception: Can't compute session key!
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]:
> > TokenServlet:outputString.encode status=1
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]:
> > TokenServlet:outputString.length 8
> > [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory:
> > create()
> >
> message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal
> > Key Storage
> >
> Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem
> > generating session key info.] TKS Compute session key request failed
> >
> > Any idea about the where the problem might be?
> >
> > Thanks in advance
> >
> > Regards
> >
> > Javi
> >
> >
9 years, 11 months
error 207 (net::err_cert_invalid)
by Ricardo Alexander Alexander Perez Ricardez
When I try to import a certificate I get this message:
error 207 (net::err_cert_invalid)
I use the Google Chrome browser on Linux.
9 years, 11 months
Setup Issue - Admin user creation
by Kobus Bensch
Hi
I installed dogtag 4 times today and every time I get to a certain point
and the same issue.
When I get to creating the admin user, the system just sits there not
finishing the action. Has anybody come across this issue and if so, how
did you fix it?
I installed the system on Centos 6.6
Thanks
Kobus
9 years, 11 months