Dogtag behind load balancer?
by Turbo Fredriksson
I'm looking into setting up DogTag in my infrastructure, and I was wondering if it’s
possible to scale it (for redundancy) behind a load balancer?
I’m looking at implementing the CA and the RA. Possibly the OCSP and DRM
as well, but I’m not sure I need them - lose the private key, create a new one is
the base I’m working from at the moment.
About the OCSP it says “which takes the load of CAs”, which seems roughly what
I need, although the “load” part isn’t really what I’m after. There will be very little
load, but redundancy is a huge issue…
I’m trying to understand the architecture of Dogtag, but I haven’t seen any architecture
drawings or design document as of yet.
Padding Scheme used in Fedora Dogtag
by Kaamel Periora
Dear All,
It is required to identify the padding scheme used by the Fedora Dogtag
system. Appreciate it if someone could shed some light on this requirement.
Thanks
Kaamel
SubjectAltNameExt limited to 4 SANS?
by George Wash
Using CS 9.1
I'm sending SAN nametypes and values in my HTTP requests to the CA inspired
by Section A.1.14 below
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
In general this is working, but I seem to be limited to 4 SANs maximum. The
CA seems to only process $request.req_san_pattern_<0-3>$.
Here's my setup and some logs
#### SAN Profile Configuration - 10 SANs ####
...
policyset.MySet.SAN.constraint.class_id=noConstraintImpl
policyset.MySet.SAN.constraint.name=No Constraint
policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl
policyset.MySet.SAN.default.name=Subject Alt Name Extension Default
policyset.MySet.SAN.default.params.subjAltNameExtCritical=false
policyset.MySet.SAN.default.params.subjAltNameNumGNs=10
policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true
policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true
policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true
policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true
policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true
policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true
policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$
policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true
policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$
policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true
policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$
policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true
policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$
policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$
policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true
policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$
policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$
#### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from client #####
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_0' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_0' value='myserver0.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_1' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_1' value='myserver1.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_2' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_2' value='myserver2.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_3' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_3' value='myserver3.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_type_4' value='DNSName'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_4' value='myserver4.example.com'
### CAProcessor Has Dropped SAN4 ####
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters:
....
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0: DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3: DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1: DNSName
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2: DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_3: myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_1: myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_2: myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_0: myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - cert_request_type: pkcs10
...
### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated previously in processing ####
...
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=0
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_0$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver0.example.com with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=1
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_1$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver1.example.com with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=2
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_2$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver2.example.com with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=3
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_3$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:492:createExtension() SubjectAltNameExtDefault: createExtension got gname=myserver3.example.com with type=DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:496:createExtension() adding gname: myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:498:createExtension() SubjectAlternativeNameExtension: n not null
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=4
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_4$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=5
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_5$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=6
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_6$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=7
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_7$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=8
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_8$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:443:createExtension() SubjectAltNameExtDefault: createExtension i=9
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:451:createExtension() SubjectAltNameExtDefault: createExtension() pattern=$request.req_san_pattern_9$
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: SubjectAltNameExtDefault.java:489:createExtension() SubjectAltNameExtDefault: gname is empty,not added.
What's interesting is the SubjectAltNameExtDefault can take several extra
hardcoded nametypes and values from the profile and populate them in the
enrolled certificate.
Any thoughts?
Thanks
GW
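As an added example (not from the thread and not Dogtag code), the following Python check correlates the CMSServlet parameter dump with the CAProcessor input parameters and with the profile's subjAltExtGNEnable_N slots, so that a SAN received by the servlet but never forwarded, as req_san_pattern_4 is above, surfaces as a finding instead of as a certificate that silently does not cover the host. The log lines and profile fragment are constructed from the ones quoted in the post; the regexes assume the message formats shown there.

```python
import re
from typing import Dict, Set

# Constructed sample log entries in the format quoted in the thread (one entry per line).
SERVLET_LOG = """\
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_0' value='myserver0.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_1' value='myserver1.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_2' value='myserver2.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_3' value='myserver3.example.com'
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param name='req_san_pattern_4' value='myserver4.example.com'
"""
CAPROCESSOR_LOG = """\
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0: DNSName
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_3: myserver3.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_1: myserver1.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_2: myserver2.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_pattern_0: myserver0.example.com
[14/Mar/2017:16:49:21][http-bio-8443-exec-1]: CAProcessor.java:286:printParameterValues() CAProcessor: - cert_request_type: pkcs10
"""
# The profile's ten enabled SAN slots, rebuilt from the thread's policyset lines (constructed).
PROFILE = "".join(f"policyset.MySet.SAN.default.params.subjAltExtGNEnable_{i}=true\n" for i in range(10))

SERVLET_RE = re.compile(r"CMSServlet::service\(\) param name='req_san_pattern_(\d+)' value='([^']*)'")
CAPROC_RE = re.compile(r"CAProcessor: - req_san_pattern_(\d+): (\S+)")
ENABLE_RE = re.compile(r"subjAltExtGNEnable_(\d+)=true")

def parse_sans(log: str, pattern: re.Pattern) -> Dict[int, str]:
    """Map SAN slot index -> requested name for every log entry the pattern matches."""
    return {int(m.group(1)): m.group(2) for m in pattern.finditer(log)}

def enabled_slots(profile: str) -> Set[int]:
    """Slot indices the profile enables via subjAltExtGNEnable_N=true."""
    return {int(m.group(1)) for m in ENABLE_RE.finditer(profile)}

def audit_sans(profile: str, servlet_log: str, caproc_log: str) -> Dict[str, list]:
    """'dropped' = SANs the client sent that CAProcessor did not forward, so the issued cert will lack them."""
    received = parse_sans(servlet_log, SERVLET_RE)
    forwarded = parse_sans(caproc_log, CAPROC_RE)
    slots = enabled_slots(profile)
    return {
        "dropped": sorted((i, v) for i, v in received.items() if i not in forwarded),
        "unused_slots": sorted(slots - set(received)),          # enabled in the profile, nothing requested
        "outside_profile": sorted((i, v) for i, v in received.items() if i not in slots),
    }

if __name__ == "__main__":
    print(audit_sans(PROFILE, SERVLET_LOG, CAPROCESSOR_LOG))
```

Run against a real enrollment, the same three inputs are the CA debug log filtered on the request's thread id plus the profile's .cfg file; a non-empty "dropped" list is the condition to alert on before the certificate is handed out.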