SubjectAltName - how?
by Ian Koenig
Hi all,
I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2
(build 1511) system.
I can request and approve various different certs through the system
successfully and have it working properly with SSL client certificates in
Chrome.
What I haven't been able to figure out is how to generate a server SSL Cert
that has SubjectAltName entries in it. An example cnf file I have tried
is
```
[...]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com
[...]
```
This generates a valid CSR with the SubjectAltNames in it. However, when I
send it through to be approved on Dogtag, the SAN gets removed. How do I
set up a profile in Dogtag to allow this CSR with SAN to get approved?
Thanks
ian
8 years, 1 month
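A check for the symptom described in the post above, added here as an example; it is not code from the post or from the Dogtag project. It assumes only the openssl command-line tool. The request config is constructed from the post's v3_req and alt_names sections with a hypothetical subject added so the request can be generated non-interactively. Signing the CSR with a plain `openssl x509 -req`, which does not copy requested extensions, stands in for a CA profile that ignores the requested SAN; signing with the v3_req section applied stands in for a profile that carries it through. In Dogtag the profile policy that copies a requested extension into the issued certificate is the User Supplied Extension Default (`userExtensionDefaultImpl` with `userExtOID=2.5.29.17` for subjectAltName); the `san_preserved` check below, run against a certificate the CA actually issued, tells you whether the profile in use has it.

```shell
#!/bin/sh
# Added example, not from the original post: does the SAN requested in a CSR
# survive into the issued certificate? Assumes only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config: the post's v3_req/alt_names sections plus a
# hypothetical subject (CN) so the request can be generated non-interactively.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req

[ dn ]
CN = demo.myhome.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.myhome.com
DNS.2 = demo
DNS.3 = demo.prod.myhome.com
EOF

# Print the DNS names in the SAN extension, one per line.
# $1 is "req" (for a CSR) or "x509" (for a certificate), $2 the PEM file.
san_names() {
  openssl "$1" -in "$2" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 when every DNS SAN in the CSR ($1) is present in the cert ($2),
# 1 when the CSR has no SAN or the cert lost any of them.
san_preserved() {
  csr_names=$(san_names req "$1")
  cert_names=$(san_names x509 "$2")
  [ -n "$csr_names" ] || return 1
  for n in $csr_names; do
    echo "$cert_names" | grep -qx "$n" || return 1
  done
  return 0
}

# CSR carrying the requested extensions, and a throwaway CA to sign it with.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
  -keyout "$WORK/demo.key" -out "$WORK/demo.csr" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# A plain "x509 -req" does not copy requested extensions: this mimics a CA
# profile that ignores the SAN in the CSR (the behaviour the post reports).
openssl x509 -req -in "$WORK/demo.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/stripped.pem" 2>/dev/null
# Issuing with the v3_req section applied keeps the SAN.
openssl x509 -req -in "$WORK/demo.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -extensions v3_req \
  -out "$WORK/kept.pem" 2>/dev/null

for cert in stripped kept; do
  if san_preserved "$WORK/demo.csr" "$WORK/$cert.pem"; then
    echo "$cert.pem: SAN from CSR preserved"
  else
    echo "$cert.pem: SAN from CSR missing -> check the CA profile"
  fi
done
```

Run as a script, it prints one line per test certificate. To audit a real issuance, save the CSR you submitted and the certificate the CA returned as PEM files and call `san_preserved` on that pair; a missing name means the profile dropped the requested extension rather than the CSR lacking it.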
How to update old/incorrect certificates on Dirsrv so Dogtag can connect to it?
by Vladyslav Frolov
Hi,
I have a problem with FreeIPA state. At some point, PKI certificates were
regenerated from scratch, but Dirsrv and HTTPD are still using old
certificates, and Dogtag cannot connect to them because of this. Here is
`/var/log/pki/pki-tomcat/ca/debug`:
```
[02/Nov/2016:22:18:53][localhost-startStop-1]: ===== DEBUG SUBSYSTEM
INITIALIZED =======
[02/Nov/2016:22:18:53][localhost-startStop-1]:
============================================
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at
autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for
cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found
cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem
id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init
id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating
RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating
RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating
RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at
autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for
cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found
cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem
id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init
id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at
autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for
cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found
cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem
id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init
id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: DBSubsystem: init()
mEnableSerialMgmt=false
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating
LdapBoundConnFactor(DBSubsystem)
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory: init
[02/Nov/2016:22:18:53][localhost-startStop-1]:
LdapBoundConnFactory:doCloning true
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init()
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init begins
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init ends
[02/Nov/2016:22:18:53][localhost-startStop-1]: init: before makeConnection
errorIfDown is true
[02/Nov/2016:22:18:53][localhost-startStop-1]: makeConnection: errorIfDown
true
[02/Nov/2016:22:18:53][localhost-startStop-1]:
SSLClientCertificateSelectionCB: Setting desired cert nickname to:
subsystemCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapJssSSLSocket: set client
auth cert nickname subsystemCert cert-pki-ca
Internal Database Error encountered: Could not connect to LDAP server host
freeipa.sparky.salford-systems.com port 636 Error
netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org
.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8179)
Peer's Certificate issuer is not recognized. (-1)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5337)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine.shutdown()
```
I am running FreeIPA in a Docker container with Fedora 24:
```
pki-base-10.3.5-6.fc24.noarch
pki-base-java-10.3.5-6.fc24.noarch
pki-kra-10.3.5-6.fc24.noarch
pki-tools-10.3.5-6.fc24.x86_64
pki-ca-10.3.5-6.fc24.noarch
pki-server-10.3.5-6.fc24.noarch
```
How can I regenerate and push the certificates for Dirsrv and HTTPD?
Thank you in advance,
Vlad
8 years, 1 month
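The failure in the debug log above (`SSL_ForceHandshake failed: (-8179) Peer's Certificate issuer is not recognized`) is a trust-chain mismatch: the certificate the LDAP server presents was issued by a CA that the connecting client no longer trusts. The script below reproduces that condition offline and prints which side is out of date. It is an added example, not code from the post or from the FreeIPA or Dogtag projects; it assumes only the openssl command-line tool, and every name in it (old-ca, new-ca, ldap.example.test) is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "Peer's Certificate
# issuer is not recognized" condition offline and report what mismatched.
# Assumes only the openssl CLI; all names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA config so the self-signed CA certs carry explicit CA
# extensions regardless of the local openssl.cnf. -subj overrides the CN.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA named $1 (stands in for the old and the regenerated PKI CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -config "$WORK/ca.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Sign the directory server's CSR with CA $1, writing the certificate to $2.
sign_with() {
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# Return 0 if certificate $1 chains to CA $2, 1 otherwise. A TLS client that
# trusts only $2 refuses the handshake in the second case.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# One-line diagnosis, prefixed "ok:" or "mismatch:": the issuer named in the
# server certificate ($1) against the subject of the CA the client trusts ($2).
diagnose() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  trusted=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  if chains_to "$1" "$2"; then
    echo "ok: server cert issued by '$issuer'; client trusts '$trusted'"
  else
    echo "mismatch: server cert issued by '$issuer'; client trusts '$trusted'"
  fi
}

make_ca old-ca
make_ca new-ca
# The directory server's key and request (hostname is constructed).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
  -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
sign_with old-ca "$WORK/ldap-old.pem"   # what Dirsrv still presents
sign_with new-ca "$WORK/ldap-new.pem"   # what it should present after reissue

diagnose "$WORK/ldap-old.pem" "$WORK/new-ca.pem"
diagnose "$WORK/ldap-new.pem" "$WORK/new-ca.pem"
```

Against a live server, the certificate Dirsrv presents can be captured with `openssl s_client -connect host:636 -showcerts` and passed to `diagnose` together with the CA certificate the client trusts; the output names the issuer the server still claims and the CA the client actually holds, which is the pair that has to agree before the handshake succeeds.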