Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
that I followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere, or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
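Whether Dogtag 9 itself can be switched to base64 CMC is the question for the list; the code below is an added example, not part of the post and not Dogtag code, showing the small encoding adapter one can put between a base64-only card management system and a CA that speaks DER. It decides the incoming encoding from the bytes themselves (binary means DER, printable text means base64 with or without PEM armour), validates the DER length strictly so truncated or trailing data is refused rather than forwarded, and re-encodes the CA's DER response as base64 for the client. The request bytes are a constructed stand-in that only wraps the id-cct-PKIData OID; they are not a real CMC request.

```python
"""Encoding adapter for CMC traffic between a base64-only client and a
DER-speaking CA. Added example for the thread above; this is not Dogtag
code. The request bytes below are a constructed stand-in, not a real
CMC request."""
import base64
import re

# DER SEQUENCE wrapping the OID id-cct-PKIData (1.3.6.1.5.5.7.12.2), the
# content type of a CMC full PKI request (RFC 5272). Constructed sample:
# a real request carries a signed PKIData body; this is only the shape.
CONSTRUCTED_DER_REQUEST = bytes.fromhex("300a06082b06010505070c02")

_PEM_ARMOUR = re.compile(r"-----(BEGIN|END)[^-]*-----")


def der_length(buf: bytes) -> int:
    """Total length (header plus content) of the outermost DER SEQUENCE in
    buf. Raises ValueError for anything that is not a definite-length,
    minimally encoded SEQUENCE header, which is what DER requires."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                           # short form
        return 2 + first
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    n = first & 0x7F
    if n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated long-form length")
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal length encoding is not DER")
    return 2 + n + length


def looks_textual(data: bytes) -> bool:
    """Base64/PEM text is printable ASCII plus tab/CR/LF; any other byte
    means the blob is binary DER (a real request always has some, e.g. the
    0x82 of a long-form length)."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def normalize_request(data: bytes) -> bytes:
    """Return the request as DER whether it arrived as raw DER or as
    base64 text (with or without PEM armour). Stray base64 characters,
    truncation and trailing bytes are rejected instead of being passed on."""
    if looks_textual(data):
        text = _PEM_ARMOUR.sub("", data.decode("ascii"))
        der = base64.b64decode("".join(text.split()), validate=True)
    else:
        der = data
    if der_length(der) != len(der):
        raise ValueError("request is truncated or has trailing data")
    return der


def is_valid_request(data: bytes) -> bool:
    """True if normalize_request accepts data. binascii.Error and
    UnicodeDecodeError are ValueError subclasses, so one except suffices."""
    try:
        normalize_request(data)
        return True
    except ValueError:
        return False


def encode_response(der: bytes, label: str = "CMC") -> str:
    """Base64-encode a DER response for a base64-only client, wrapped to
    64 columns with PEM armour so it survives line-oriented transport."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]) + "\n"


if __name__ == "__main__":
    wire = encode_response(CONSTRUCTED_DER_REQUEST)   # what the client would send
    assert normalize_request(wire.encode()) == CONSTRUCTED_DER_REQUEST
    assert not is_valid_request(CONSTRUCTED_DER_REQUEST + b"\x00")
    print(wire)
```

The one ambiguity in this sniffing approach is a DER blob whose every byte happens to be printable ASCII; that does not occur for a real CMC request, but if the transport gives you a Content-Type, key on that instead of the bytes.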
SAN Field in the MSCE profile
by Rafael Leiva-Ochoa
Hi Pki-Users,
I am trying to create a cert using a CSR that has more than one CN
using the Manual Server Certificate Enrollment (MSCE) profile, but it seems
that it does not support a SAN field by default. Can I create a custom
profile that duplicates the MSCE profile but adds the SAN field? If so,
what is the process for doing that?
Thanks,
Rafael
9 years, 1 month
Re: [Pki-users] SAN Field in the MSCE profile
by John Magne
Hi:
I'm a bit swamped right now, but look at this if you haven't seen it already:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
This has more specific info on how to set up subjectName and subjectAltName. There is a link in that piece of documentation that points to the subjectAltName defaults specifically.
----- Original Message -----
From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
To: "John Magne" <jmagne(a)redhat.com>
Sent: Friday, November 6, 2015 11:01:02 PM
Subject: Re: SAN Field in the MSCE profile
Here you go.
On Fri, Nov 6, 2015 at 5:47 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
wrote:
> ok. I will run one tonight.
>
> Thanks
>
> On Fri, Nov 6, 2015 at 5:41 PM, John Magne <jmagne(a)redhat.com> wrote:
>
>> If you could possibly give us the "debug" log, the failure could possibly
>> be isolated more easily.
>>
>> ----- Original Message -----
>> From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
>> To: "John Magne" <jmagne(a)redhat.com>
>> Cc: pki-users(a)redhat.com
>> Sent: Friday, November 6, 2015 5:29:40 PM
>> Subject: Re: SAN Field in the MSCE profile
>>
>> Still not working:
>>
>> This is what I put in the new profile:
>>
>> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
>> policyset.serverCertSet.9.constraint.name=No Constraint
>> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
>> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
>> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
>> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
>> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
>> policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
>> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>>
>> The CSR looks like this:
>>
>> Common Name: node1.example.com
>> Subject Alternative Names: test.example.com, test1.example.com, test2.example.com
>> Organization: Test Corp
>> Organization Unit: IT Department
>> Locality: LA
>> State: OR
>> Country: US
>>
>> On Thu, Nov 5, 2015 at 4:40 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>> wrote:
>>
>> > Thx, I will give that a try.
>> >
>> >
>> > On Thursday, November 5, 2015, John Magne <jmagne(a)redhat.com> wrote:
>> >
>> >> You should be able to do this:
>> >>
>> >> First for info on profiles and how to make new ones start here:
>> >>
>> >>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
>> >>
>> >>
>> >>
>> >> If you look in this directory:
>> >>
>> >> /var/lib/pki/pki-tomcat/ca/profiles/ca
>> >>
>> >> This is where the raw profile files are. Looking through these should
>> >> provide an example of somebody using the subject alt name extension.
>> >> Whatever happening there can be created in a new profile.
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: "Rafael Leiva-Ochoa" <spawn(a)rloteck.net>
>> >> To: pki-users(a)redhat.com
>> >> Sent: Thursday, November 5, 2015 12:52:38 PM
>> >> Subject: [Pki-users] SAN Field in the MSCE profile
>> >>
>> >> Hi Pki-Users,
>> >>
>> >> I am trying to create a cert using a CSR that has more than one CN
>> >> using the Manual Server Certificate Enrollment (MSCE) profile, but it
>> >> seems that it does not support a SAN field by default. Can I create a
>> >> custom profile that duplicates the MSCE profile but adds the SAN field?
>> >> If so, what is the process for doing that?
>> >>
>> >> Thanks,
>> >>
>> >> Rafael
>> >>
>> >> _______________________________________________
>> >> Pki-users mailing list
>> >> Pki-users(a)redhat.com
>> >> https://www.redhat.com/mailman/listinfo/pki-users
9 years, 1 month
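The thread ends without a resolution, so here is an added example (mine, not Rafael's or John's, and not Dogtag code) that does mechanically what John suggests doing by eye: it reads `policyset.<set>.<n>.*` lines from a profile fragment, finds every `subjectAltNameExtDefaultImpl` default and reports the defects such a default can have, a `subjAltNameNumGNs` that does not match the `subjAltExtGNEnable_N` entries present, an unrecognised GeneralName type, and an enabled GN whose `subjAltExtPattern_N` is empty, which is the case in the fragment posted above (the pattern is what names the request attribute the SAN value is taken from, so with it empty there is nothing to put in the extension). The "fixed" variant's `$request.req_san_pattern_0$` macro is an assumption for illustration only; take the real macro from a shipped profile in the directory John pointed to.

```python
"""Lint the Subject Alternative Name default in a Dogtag profile
fragment. Added example for the thread above, not Dogtag code: it
reads policyset.<set>.<n>.* lines and reports the mechanical defects
a SAN default can have."""
import re
from collections import defaultdict

# The fragment posted in the thread, re-typed with the blank lines removed.
POSTED_FRAGMENT = """\
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

# The same fragment with the pattern filled in. The macro used here is an
# ASSUMPTION for illustration only; copy the real one from a shipped profile
# under /var/lib/pki/pki-tomcat/ca/profiles/ca that sets a SAN.
FIXED_FRAGMENT = POSTED_FRAGMENT.replace(
    "subjAltExtPattern_0=\n", "subjAltExtPattern_0=$request.req_san_pattern_0$\n")

# GeneralName types commonly used with the SAN default.
KNOWN_GN_TYPES = {"DNSName", "RFC822Name", "IPAddress", "URIName", "DirectoryName"}

_POLICY_KEY = re.compile(r"^policyset\.(?P<pset>[^.]+)\.(?P<idx>\d+)\.(?P<rest>.+)$")
_GN_ENABLE = re.compile(r"^default\.params\.subjAltExtGNEnable_(\d+)$")


def parse_policies(text):
    """Group policyset.<set>.<n>.<rest>=<value> lines by (set, n); every
    other profile setting is left alone."""
    policies = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        m = _POLICY_KEY.match(key)
        if sep and m:
            policies[(m["pset"], int(m["idx"]))][m["rest"]] = value
    return policies


def lint_san_defaults(text):
    """Return a list of human-readable findings; an empty list means no
    defect was found in any SAN default of the fragment."""
    findings = []
    for (pset, idx), entry in sorted(parse_policies(text).items()):
        where = f"policyset.{pset}.{idx}"
        if "constraint.class_id" not in entry or "default.class_id" not in entry:
            findings.append(f"{where}: a policy needs both a constraint and a default")
        if entry.get("default.class_id") != "subjectAltNameExtDefaultImpl":
            continue
        p = "default.params."
        declared = int(entry.get(p + "subjAltNameNumGNs", "0"))
        configured = sorted(int(m.group(1)) for k in entry
                            for m in [_GN_ENABLE.match(k)] if m)
        if len(configured) != declared:
            findings.append(f"{where}: subjAltNameNumGNs={declared} but "
                            f"{len(configured)} subjAltExtGNEnable_N entries are present")
        for n in configured:
            if entry.get(f"{p}subjAltExtGNEnable_{n}", "").lower() != "true":
                continue                                   # disabled slot, ignore
            gtype = entry.get(f"{p}subjAltExtType_{n}", "")
            if gtype not in KNOWN_GN_TYPES:
                findings.append(f"{where}: GN {n} has unrecognised type {gtype!r}")
            if not entry.get(f"{p}subjAltExtPattern_{n}", "").strip():
                findings.append(f"{where}: GN {n} is enabled but subjAltExtPattern_{n} "
                                "is empty, so there is no value to put in the SAN")
    return findings


if __name__ == "__main__":
    for name, frag in (("posted", POSTED_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(name, lint_san_defaults(frag) or ["ok"])
```

Run it over a copy of the whole profile file, not just the SAN policy: the first check (constraint and default both present) applies to every policyset entry. One thing the linter cannot decide for you is intent: a `subjectAltNameExtDefaultImpl` builds the extension from request attributes named in its patterns, whereas in the shipped profiles I have seen, passing a SAN through unchanged from the CSR is done with a `userExtensionDefaultImpl` whose `userExtOID` is 2.5.29.17; confirm which one the profiles in that directory use before copying either.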
How to find private key by owner certificate?
by Marcin Mierzejewski
Hello Dogtag users.
Maybe you know how to find a private key by its owner certificate?
On the user side it can be done in the data recovery manager -> search for keys ->
show the key that corresponds to the following certificate. I downloaded the
dogtag sources, but all I found is some query building and resending it to this
same page; I can't find where exactly these arguments are parsed and used
for filtering results.
KeyClient has only a method called listKeys(type,state,max,size,time) (not
sure about the order), but I can't find a method which takes more specific
arguments. When I list all keys in the DRM, none of them have a publicKey (so my
idea to get the public key from the cert and look for the same key in the full key
list is not possible). Any ideas? Can it be done within the console interface? I
tried with pki key-find but that doesn't work.
9 years, 1 month
X.509 preauth
by Pascal Jakobi
Hi there,
I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I
have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and
the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth
toto".
I run kinit for the "toto" principal with KRB5_TRACE set. I can see that
the KDC sends the following to the client:
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.
I guess something is therefore wrong in my KDC configuration, but I
cannot see what.
Can someone enlighten me?
Thanks in advance
--
Pascal Jakobi <mailto:pascal.jakobi@gmail.com>
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19
9 years, 1 month
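Pascal's reading of the trace is the right one: a KDC that will do PKINIT lists PA-PK-AS-REQ (16, RFC 4556) among the preauth types it sends back, and 136/19/2/133 are PA-FX-FAST, PA-ETYPE-INFO2, PA-ENC-TIMESTAMP and PA-FX-COOKIE (RFC 6113, RFC 4120). The script below is an added example, not part of the post and not MIT Kerberos code, that turns that check into something you can run over a saved KRB5_TRACE log: it collects every "Processing preauth types" line, names the types, and reports whether PKINIT was offered. The sample trace is the line Pascal quoted plus one constructed neighbouring line.

```python
"""Read the 'Processing preauth types' line(s) from a KRB5_TRACE run and
say whether the KDC offered PKINIT. Added example for the post above,
not MIT Kerberos code; the quoted trace line is the one from the post."""
import re

# Preauth type numbers: RFC 4120 (2, 19), RFC 4556 (16, 17),
# RFC 6113 (133, 136, 138).
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    138: "PA-ENCRYPTED-CHALLENGE",
}
PA_PK_AS_REQ = 16

# Constructed sample: the line quoted in the post, preceded by one line of
# the kind kinit prints just before it (the first line is made up here).
SAMPLE_TRACE = """\
[6832] 1446241709.214000: Sending request (195 bytes) to EXAMPLE.COM
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
"""

_PREAUTH_LINE = re.compile(r"Processing preauth types:\s*([0-9][0-9, ]*)")


def offered_preauth_types(trace_text):
    """Union of the preauth type numbers over every 'Processing preauth
    types' line in the trace (kinit may print more than one per run)."""
    offered = set()
    for m in _PREAUTH_LINE.finditer(trace_text):
        offered.update(int(x) for x in m.group(1).replace(",", " ").split())
    return offered


def describe(types):
    """'PA-FX-FAST (136), ...' for a set of type numbers, in numeric order."""
    return ", ".join(f"{PA_NAMES.get(t, 'PA-?')} ({t})" for t in sorted(types))


def diagnose_pkinit(trace_text):
    """Return (pkinit_offered, explanation). PKINIT is offered when the KDC
    lists PA-PK-AS-REQ (16) among the preauth types it will accept."""
    offered = offered_preauth_types(trace_text)
    if not offered:
        return False, "no 'Processing preauth types' line in the trace"
    if PA_PK_AS_REQ in offered:
        return True, f"KDC offered PKINIT: {describe(offered)}"
    return False, (f"KDC offered {describe(offered)} but not PA-PK-AS-REQ (16): "
                   "the KDC is not advertising its pkinit module for this realm, "
                   "so check the realm's pkinit_identity/pkinit_anchors in kdc.conf "
                   "and the KDC log before looking at the client certificate")


if __name__ == "__main__":
    ok, why = diagnose_pkinit(SAMPLE_TRACE)
    print("PKINIT offered:", ok)
    print(why)
```

Feed it the full trace (`KRB5_TRACE=/tmp/kinit.trace kinit toto`, then read the file): the absence of 16 in what the KDC sends is a server-side symptom, so with this result the client certificate and the `+requires_preauth` flag are not yet in play.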
How to retrieve private key in DRM
by Marcin Mierzejewski
Hi all, I have had lots of problems with dogtag (ekhmmm... almost 20 threads in
October :) in case somebody hasn't noticed) but this is probably the last one :D
It happens if recovery needs more than one agent approval.
I get the request accepted by admins, and the problem is that I can retrieve the
private key from the browser, but if I try to do this in code it throws a PKI
Exception and creates a new recovery request:
//creates new recovery request "recover"; throws: PKIException
//"Unauthorized request."
Key recoveredX509Key = keyClient.retrieveKeyByPKCS12(keyid,cert,password);
//creates new recovery request "securityDataRecovery" and throws:
//"RuntimeException com.netscape.certsrv.base.PKIException: Unauthorized
//request. Recovery request not approved."
Key recoveredX509Key = keyClient.retrieveKey(keyid);
But for this same key, when I open it in the browser I get a form to retrieve the
key to a pk12 and it works perfectly. I checked the logs and they show where
this form data goes:
[01/lis/2015:13:29:04][http-bio-8443-exec-2]:
CMSServlet:service() uri = /kra/agent/kra/getAsyncPk12
[01/lis/2015:13:29:04][http-bio-8443-exec-2]:
CMSServlet::service() param name='seqNum' value='339'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]:
CMSServlet::service() param name='p12Password' value='(sensitive)'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]:
CMSServlet::service() param name='p12PasswordAgain'
value='(sensitive)'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]:
CMSServlet::service() param name='op' value='getAsyncPk12'
[01/lis/2015:13:29:04][http-bio-8443-exec-2]:
CMSServlet::service() param name='reqID' value='339'
Does anyone have an idea what I'm doing wrong? Is there any way to execute the
getAsyncPk12 service from code? If you need more code or context, give
me a note.
9 years, 1 month
CRMF aka CMP format reader, or how to get the private key from a CRMF with proof of possession
by Marcin Mierzejewski
I'm trying to generate a new .p12 file for a renewed certificate, because the old
version of the p12 file, after that renewal, has the private key linked to a
certificate which is not the latest one (however the keypair and all subject
data are the same).
What is my idea?
- create a "caManualRenewal" enrollment
- read the CRMF from the enrollment
- get the private key from the CRMF
- approve the renewal request
- return a new p12 file with the new cert and this privkey to the user
Is it even possible to do something like this? Does it make sense to recreate
that file, or can the user use the old p12 file even after renewal?
9 years, 1 month
Dogtag is changing my renewal request after enrollment
by Marcin Mierzejewski
I have a method which creates a renewal request for a given certificate:
> private CertEnrollmentRequest createUserEncryptionArchivedCertRenewalEnrollment(int oldCertificateId) {
>
> CertEnrollmentRequest data = new CertEnrollmentRequest();
> data.setProfileId("caManualRenewal");
> data.setRenewal(true);
>
> ProfileInput certReq = data.createInput("Serial Number of Certificate to Renew");
> certReq.addAttribute(new ProfileAttribute("serial_num", Integer.toString(oldCertificateId), null));
>
> return data;
> }
>
> but after enrolling this request I get a request for renewal of PKI
Administrator for localdomain. If I choose not to log in as PKI Admin,
there is an error telling me that I don't have any certificates to renew
or the certificate is corrupted. That's weird because it works via the dogtag end-user
entity, even without logging in.
9 years, 1 month