Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and get them
signed by the CA. But it didn't work as expected. I believe the procedure
that I have followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
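Whether or not the server itself can be told to accept base64, the mismatch can be absorbed by a small shim in front of it. The following is an added example, not Dogtag code and not from the post: it detects whether a request body is raw DER, bare base64 or PEM-armoured base64, returns canonical DER for the server, and base64-encodes a DER response for the return path. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE standing in for a real CMC PKIData; the function names are mine.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed stand-in for a CMC request body: DER SEQUENCE { INTEGER 5 }.
# A real CMC PKIData (RFC 5272) is also an outer SEQUENCE, which is all the
# detection below depends on.
SAMPLE_DER = bytes.fromhex("3003020105")

# PEM armour as emitted by some card-management systems (header text varies).
PEM_RE = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END [A-Z0-9 ]+-----", re.S)


def der_total_length(buf: bytes) -> Optional[int]:
    """Total encoded size of the DER SEQUENCE starting at buf[0], or None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:       # indefinite length is not DER
        return None
    if buf[2] == 0x00:                            # DER requires minimal length octets
        return None
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80:                             # long form where short form fits
        return None
    return 2 + n + length


def looks_like_der(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE with a consistent length."""
    total = der_total_length(buf)
    return total is not None and total == len(buf)


def normalize_cmc_request(body: bytes) -> bytes:
    """Accept raw DER, bare base64 or PEM-armoured base64 and return DER."""
    if looks_like_der(body):
        return body
    m = PEM_RE.search(body)
    text = m.group(1) if m else body
    text = re.sub(rb"\s+", b"", text)
    try:
        der = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("request is neither DER nor valid base64") from exc
    if not looks_like_der(der):
        raise ValueError("base64 payload does not decode to one DER SEQUENCE")
    return der


def encode_cmc_response(der: bytes, line_length: int = 64) -> bytes:
    """Base64-encode a DER response for a client that expects text."""
    if not looks_like_der(der):
        raise ValueError("response is not a DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + line_length] for i in range(0, len(b64), line_length)]
    return b"\n".join(lines) + b"\n"
```

The DER test is deliberately strict (tag 0x30, minimal length octets, length equal to the body) so that base64 text that happens to start with the character "0" (0x30) is not mistaken for DER; in a deployment the Content-Type header should still be the primary signal and this detection the fallback.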
X.509 preauth
by Pascal Jakobi
Hi there
I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I
have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and
the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin : "modprinc +requires_preauth
toto".
I run kinit for the "toto" principal with KRB5_TRACE set. I can see that
the KDC sends the following to the client :
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.
I guess something is therefore wrong on my KDC configuration, but I
cannot see what.
Can someone enlighten me?
Thanks in advance
--
Pascal Jakobi <mailto:pascal.jakobi@gmail.com>
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19
9 years, 1 month
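The trace line already says which preauthentication mechanisms the KDC offered, so a check that decodes it is the first thing worth automating. Added example, not from the post or from MIT Kerberos: it parses the KRB5_TRACE line quoted above, names the PA-DATA types using the numbers from RFC 4120, RFC 4556 and RFC 6113, and reports whether PKINIT (PA-PK-AS-REQ, 16) is on offer. A second helper scans kdc.conf text for the two KDC-side settings PKINIT needs, pkinit_identity and pkinit_anchors; the sample kdc.conf fragment is constructed and the function names are mine.

```python
import re
from typing import Dict, List

# PA-DATA type numbers from RFC 4120, RFC 4556 (PKINIT) and RFC 6113 (FAST).
PA_TYPES: Dict[int, str] = {
    2: "PA-ENC-TIMESTAMP",
    11: "PA-ETYPE-INFO",
    15: "PA-PK-AS-REQ-OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
}
PA_PK_AS_REQ = 16

TRACE_RE = re.compile(r"Processing preauth types:\s*([\d,\s]+)")

# KDC-side kdc.conf settings PKINIT needs (MIT Kerberos parameter names).
KDC_PKINIT_KEYS = ("pkinit_identity", "pkinit_anchors")

# Constructed inputs: the trace line from the post, and a kdc.conf fragment
# that configures the KDC's own certificate but leaves the anchor commented out.
SAMPLE_TRACE = "[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133"
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
    }
"""


def parse_preauth_types(trace_line: str) -> List[int]:
    """Extract the PA-DATA type numbers from a 'Processing preauth types' trace line."""
    m = TRACE_RE.search(trace_line)
    if not m:
        raise ValueError("not a 'Processing preauth types' trace line")
    return [int(tok) for tok in m.group(1).split(",") if tok.strip()]


def name_preauth_types(types: List[int]) -> List[str]:
    return [PA_TYPES.get(t, f"unknown({t})") for t in types]


def pkinit_offered(trace_line: str) -> bool:
    """True when the KDC advertised PA-PK-AS-REQ (16) to the client."""
    return PA_PK_AS_REQ in parse_preauth_types(trace_line)


def missing_kdc_pkinit_settings(kdc_conf: str) -> List[str]:
    """PKINIT settings not set anywhere in the kdc.conf text (comments ignored)."""
    present = set()
    for raw in kdc_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=", line)
        if m:
            present.add(m.group(1))
    return [key for key in KDC_PKINIT_KEYS if key not in present]


def diagnose(trace_line: str, kdc_conf: str) -> str:
    """One-line verdict combining the client trace and the KDC configuration."""
    offered = name_preauth_types(parse_preauth_types(trace_line))
    if pkinit_offered(trace_line):
        return "PKINIT offered: " + ", ".join(offered)
    missing = missing_kdc_pkinit_settings(kdc_conf)
    hint = f"; kdc.conf lacks {', '.join(missing)}" if missing else ""
    return "PKINIT not offered (" + ", ".join(offered) + ")" + hint
```

The configuration check only covers the two settings the KDC cannot do PKINIT without; a KDC whose pkinit module failed to load for another reason (unreadable key file, wrong certificate usage) produces the same trace line, so pair this with the KDC's own log.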
CRMF aka CMP format reader, or how to get the private key from CRMF with proof of possession
by Marcin Mierzejewski
I'm trying to generate a new .p12 file for a renewed certificate, because the old
version of the p12 file, after that renewal, has the private key linked to a
certificate which is not the latest one (however the keypair and all subject
data are the same).
What is my idea?
- create "caManualRenewal" enrollment
- read crmf from enrollment
- get private key from crmf
- approve renewal request
- return new p12 file with new cert and this privkey to user
Is it even possible to do something like this? Does it make sense to recreate
that file, or can the user use the old p12 file even after renewal?
9 years, 1 month
Dogtag is changing my renewal request after enrollment
by Marcin Mierzejewski
I have a method which creates a renewal request for a given certificate:

    private CertEnrollmentRequest createUserEncryptionArchivedCertRenewalEnrollment(int oldCertificateId) {

        CertEnrollmentRequest data = new CertEnrollmentRequest();
        data.setProfileId("caManualRenewal");
        data.setRenewal(true);

        ProfileInput certReq = data.createInput("Serial Number of Certificate to Renew");
        certReq.addAttribute(new ProfileAttribute("serial_num", Integer.toString(oldCertificateId), null));

        return data;
    }

but after enrolling this request I get a request for renewal of "PKI
Administrator for localdomain". If I choose not to log in as PKI Admin,
there is an error telling me that I don't have any certificates to renew
or that the certificate is corrupted. That's weird because it works via the Dogtag end-user
entity, even without logging in.
9 years, 1 month
Is secret sharing used in DRM to store keys?
by janina777kg
I am wondering what the usage of secret sharing in dogtag is. I found that key restore operations may be approved by a few admins/agents (found that option in pki-console for /kra). Is it a secret which algorithm is used to share this secret to encode keys in the DRM? Is secret sharing used in the DRM to store keys?
9 years, 1 month
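The post asks which secret-sharing algorithm is behind the multi-agent approval, and the page does not say what the KRA actually implements. What follows is therefore an added illustration of the scheme the term usually refers to, Shamir's k-of-n threshold sharing, written by the editor and not taken from Dogtag. Shares are points on a random polynomial over a prime field; any k of them recover the constant term by Lagrange interpolation at x = 0, and fewer than k give no information about it. The prime, the function names and the sample key are my choices.

```python
import secrets
from typing import List, Tuple

# Field for the arithmetic: the Mersenne prime 2^521 - 1, large enough to
# hold any secret of up to 64 bytes as a single field element.
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 64

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Split an integer secret into n shares, any k of which recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Degree k-1 polynomial: the secret is f(0), the other coefficients are
    # random, and the shares are f(1) .. f(n).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0; needs at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Modular inverse of den by Fermat's little theorem: den^(p-2) mod p.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key: bytes, k: int, n: int) -> List[Share]:
    """Convenience wrapper for a symmetric key or similar byte string."""
    if len(key) > MAX_SECRET_BYTES:
        raise ValueError("key too long for one field element; split it in chunks")
    return split_secret(int.from_bytes(key, "big"), k, n)


def recover_key(shares: List[Share], length: int) -> bytes:
    return recover_secret(shares).to_bytes(length, "big")


# Constructed sample: a 256-bit key that would be escrowed 3-of-5 among agents.
SAMPLE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
```

Recovering from fewer than k shares does not fail loudly; it returns a field element unrelated to the secret, which is the property that makes the scheme safe against a minority of agents. Any real deployment would also authenticate each share (for example with a MAC under a key derived from the share itself) so that a corrupted share is detected rather than silently producing garbage.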
Automatic enrollment of certificate with different profiles on Dogtag 9
by Supper Florian OSS sIT
Hi,
1)
I'm searching for a better solution to automate our enrollment process.
We're using dogtag 9. We would like to use 10, but some features we need are not implemented at the moment.
At the moment we're using CMC requests for enrollment. Works pretty well, but the problem is that you can only use one profile for this type of enrollment.
So I tried to find a better solution, but I can't find one.
At the moment I'm playing around with browser automation, but no luck till now....
Does anyone have a better solution (for dogtag 9) to enroll certificates with different profiles?
2) Does anyone have a valid link for downloading the Windows auto-enrollment proxy exe file?
Br
Florian
9 years, 1 month
Export keyPair and certificate to .p12 (private key with certificate) and .der (public key and certificate)
by Marcin Mierzejewski
After creating a certificate in the application I have to return a certificate
with the private key. That file could be in .p12 format, am I right? Can I
find an example of creating that file in the existing code?
There is a PKCS12Export command-line tool, but it probably works with
existing credentials in the NSS database. Eventually I can get the code from
PKCS12Export and make addKeyBag() and a few other methods public. OK, so I
have the first part.
And the second part: is the .der file the same as certificate.getEncoded()? If yes,
that's already done ^^
9 years, 1 month
Cannot revoke user certificate because of nonce
by Marcin Mierzejewski
When I try to revoke a certificate from code I get an exception with info about the nonce.

    public void revokeAndApprove(int certificateId) {
        CertId certId = new CertId(certificateId);
        long nonce = new Random().nextLong();
        CertRevokeRequest revokeRequest = new CertRevokeRequest();
        revokeRequest.setReason(RevocationReason.KEY_COMPROMISE);
        revokeRequest.setComments("user request revoke");
        revokeRequest.setNonce(nonce);
        CertRequestInfo revokeInfo = certClient.revokeCert(certId, revokeRequest); // here comes an exception
        CertReviewResponse reviewData = certClient.reviewRequest(revokeInfo.getRequestId());
        reviewData.setNonce("" + nonce);
        log(reviewData.toString());
        reviewData.setRequestNotes("revoke approved");
        certClient.approveRequest(reviewData.getRequestId(), reviewData);
    }
When I use this I get an exception on the line certClient.revokeCert(...):

    com.netscape.certsrv.base.BadRequestException: Nonce for cert-revoke 64 does not exist.
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
        at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
        at com.company.CAManager.revokeAndApprove(CAManager.java:186)
And a few other options I've tried:

    1. Long nonce = transportCert.getNonce(); // null

    2. Long nonce = certClient.getCert(certId).getNonce(); // also a null

Putting null into setNonce, or not setting it at all, gives me:

    com.netscape.certsrv.base.BadRequestException: Missing nonce.
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
        at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75)
        at com.company.CAManager.revokeAndApprove(CAManager.java:187)
        at com.company.Main.main(Main.java:21)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)

I checked the browser form from the end-user entity and the nonce value looks like
this: "certId:someLongRandomNumber"
Am I not understanding the usage of the nonce, or is something in my code wrong?
9 years, 1 month
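The two error messages and the hidden form value the poster observed ("certId:someLongRandomNumber") fit a server-issued, per-certificate nonce that the client has to obtain and echo back, rather than one it invents locally. The following is an added model of that pattern, the editor's own code and not Dogtag's implementation, written to show why a client-side Random().nextLong() is rejected: the registry only accepts nonces it issued, binds each to a certificate id and a lifetime, and retires it after one use. Class and function names are mine; the two error strings are copied from the exceptions above.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple


class BadRequestException(Exception):
    """Stands in for com.netscape.certsrv.base.BadRequestException."""


class RevocationNonceRegistry:
    """Server-side record of nonces issued for cert-revoke operations.

    A nonce is valid only if this registry issued it, for this certificate,
    within the TTL, and it has not been used before.
    """

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._ttl = ttl_seconds
        self._issued: Dict[int, Tuple[int, float]] = {}  # nonce -> (cert_id, expiry)

    def issue(self, cert_id: int) -> int:
        """Mint a fresh random nonce bound to cert_id (what the UI or API hands out)."""
        nonce = secrets.randbits(63)
        self._issued[nonce] = (cert_id, self._clock() + self._ttl)
        return nonce

    def form_field(self, cert_id: int) -> str:
        """The hidden-field shape the poster saw: 'certId:nonce'."""
        return f"{cert_id}:{self.issue(cert_id)}"

    def consume(self, cert_id: int, nonce: Optional[int]) -> None:
        """Validate and retire a nonce; raises with the server's wording."""
        if nonce is None:
            raise BadRequestException("Missing nonce.")
        entry = self._issued.get(nonce)
        if entry is not None and entry[1] < self._clock():
            del self._issued[nonce]               # expired: forget it
            entry = None
        if entry is None or entry[0] != cert_id:
            raise BadRequestException(f"Nonce for cert-revoke {cert_id} does not exist.")
        del self._issued[nonce]                   # single use


def revoke_cert(registry: RevocationNonceRegistry, cert_id: int,
                nonce: Optional[int], revoked: Set[int]) -> str:
    """Server handler: the nonce check runs before any state changes."""
    registry.consume(cert_id, nonce)
    revoked.add(cert_id)
    return f"revoke request for cert {cert_id} accepted"


def client_revoke(registry: RevocationNonceRegistry, cert_id: int,
                  revoked: Set[int]) -> str:
    """Correct client flow: obtain the server's nonce first, then echo it back."""
    field = registry.form_field(cert_id)          # shaped like "64:<random number>"
    cid, nonce = field.split(":", 1)
    return revoke_cert(registry, int(cid), int(nonce), revoked)


def client_revoke_with_own_nonce(registry: RevocationNonceRegistry, cert_id: int,
                                 revoked: Set[int]) -> str:
    """What the posted Java does: invent a nonce locally. Always rejected."""
    return revoke_cert(registry, cert_id, secrets.randbits(63), revoked)
```

The practical consequence for the posted code is that the nonce has to come from the server's issuing step (the form field is one place it surfaces) and must be submitted for the same certificate, once, before it expires. How Dogtag generates and stores its nonce is not stated on this page; the model above only reproduces the observable behaviour.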