Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and had them
signed by the CA, but it didn't work as expected. I believe the procedure
that I followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
How to setup PKI Administrator user
by Jain, Mahendra
Hello All,
When I install the Dogtag Certificate System, the installation creates a default PKI Administrator user (caadmin).
What is the procedure to set up additional PKI Administrator users so that they can also access the agent interface?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately.”
9 years, 8 months
Fedora 21 + Quickstart guide = non functional dogtag server
by Steve Neuharth
Hello,
I'm trying to test DogTag server and I'm unable to get the web UI to
function. I've installed a fresh Fedora server and I'm following the
instructions here <http://pki.fedoraproject.org/wiki/Quick_Start>. When I
hit the URL https://dogtag.test.org/ca, it redirects me back to root '/'
and I get the error:
Mar 29, 2015 1:17:20 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.NullPointerException] with root cause
java.lang.NullPointerException
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:208)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Can anyone tell me what I did wrong? I doubt that the rpm is bad or the
install guide is wrong so I suspect that it's user error. I get no errors
at install time and I've attempted this about 4 times, always with the same
result.
WTF?
--steve
9 years, 8 months
Renew PKI Administrator (caadmin) certificate
by Jain, Mahendra
Hello All,
When I install the Dogtag Certificate System, the installation creates a default PKI Administrator user (caadmin) and its certificate expires in 2 years.
How do I renew the certificate for the PKI Administrator user?
Thanks,
Mahendra
9 years, 8 months
Re: [Pki-users] Issues Installing an externally signed CA configuration
by Jain, Mahendra
After providing the valid certificate chain to the ‘pki_external_ca_cert_chain_path’ parameter, the installation was successful and I’m also able to launch pkiconsole successfully.
From: "Jain, Mahendra" <majain(a)verisign.com>
Date: Thursday, March 26, 2015 at 12:10 PM
To: "pki-users(a)redhat.com" <pki-users(a)redhat.com>
Subject: [Pki-users] Issues Installing an externally signed CA configuration
Hello All,
I’ve been able to successfully install and test the Dogtag Certificate Enrollment and Approval APIs using the self-signed CA available with the standard Dogtag installation.
Also, the Java-based pkiconsole works perfectly fine without any issues.
However, I’m unable to do so when installing an externally signed CA configuration.
I have Dogtag version 10.1 installed.
I followed the exact instructions outlined in the section ‘Installing an externally signed CA’ at the link below:
http://man.sourcentral.org/f18/8+pkispawn
While the installation seems to succeed, I’m seeing the following errors in the logs (/var/lib/pki/pki-tomcat/logs/ca/debug) when I launch pkiconsole (the Java-based console) and provide the username/password (caadmin/password123):
---------------------------------------------------------------------------------
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_SCOPE' value='authType'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
---------------------------------------------------------------------------------
Any help is greatly appreciated.
Thanks,
Mahendra
9 years, 8 months
Best, stable release of Dogtag?
by Steve Neuharth
Hello,
My company is in need of an internal PKI and we're considering using
Dogtag. I have tried installing version 10.2.0-5 on Fedora 21, following
the quick start guide, accepting the defaults and receive only
NullPointerException when attempting to use the web UI.
I understand that 10.x is alpha so should I be using version 9.x? We do
have Red Hat licenses so I'd really prefer RHEL over Fedora. So, what is the
best production ready configuration for Dogtag? I just need a PKI that
works, preferably with a REST API that can auto-sign certificates.
Thanks for your help
--steve
9 years, 9 months
Issues Installing an externally signed CA configuration
by Jain, Mahendra
Hello All,
I’ve been able to successfully install and test the Dogtag Certificate Enrollment and Approval APIs using the self-signed CA available with the standard Dogtag installation.
Also, the Java-based pkiconsole works perfectly fine without any issues.
However, I’m unable to do so when installing an externally signed CA configuration.
I have Dogtag version 10.1 installed.
I followed the exact instructions outlined in the section ‘Installing an externally signed CA’ at the link below:
http://man.sourcentral.org/f18/8+pkispawn
While the installation seems to succeed, I’m seeing the following errors in the logs (/var/lib/pki/pki-tomcat/logs/ca/debug) when I launch pkiconsole (the Java-based console) and provide the username/password (caadmin/password123):
---------------------------------------------------------------------------------
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_SCOPE' value='authType'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
---------------------------------------------------------------------------------
Any help is greatly appreciated.
Thanks,
Mahendra
9 years, 9 months
Install Dogtag CS on JBoss
by Ricardo Alexander Perez Ricardez
Is it possible to install Dogtag Certificate System on JBoss instead of the Tomcat
application server?
9 years, 9 months