Dogtag Cert Launch Page Renewal
by Rafael Leiva-Ochoa
Hi Everyone,
I was looking through the Dogtag CA documentation, and I was not
able to find the process for renewing the Dogtag web page certificate. I
wanted to update the cert since all browsers now require a SAN on the cert.
Any help would be great.
Thanks,
Rafael
7 years, 6 months
Use Dogtag with external Root CA - CS.cfg is missing
by Moritz Wirth
Hello,
I installed Dogtag and tried to create a new PKI Instance for the intermediate CA. I used this tutorial (http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_...)
with the same configuration file (I changed the passwords and the ldap/ds configuration). The Root CA is stored offline and not managed through Dogtag.
I ran pkispawn which failed with the following error:
[root@ca ~]# pkispawn -f flanga-ssl-g1.conf
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: CA
Begin installation (Yes/No/Quit)? yes
Log file: /var/log/pki/pki-ca-spawn.20170507183908.log
Loading deployment configuration from flanga-ssl-g1.conf.
pkispawn : ERROR ....... File '/etc/pki/pki-tomcat/ca/CS.cfg' is either missing or is NOT a regular file!
Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 817, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 501, in main
    create_master_dictionary(parser)
  File "/usr/sbin/pkispawn", line 641, in create_master_dictionary
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 690, in compose_pki_master_dictionary
    raise Exception(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1)
Exception: File '%s' is either missing or is NOT a regular file!
I did not create another Dogtag instance before.
Thank you for the help!
Best regards,
Moritz
7 years, 7 months
Subject Alt names concatenation
by Supper Florian 6342 sIT
Hi,
Related to RFC 6125 (best practice for checking server identities), I have to create a cert profile which adds the Common Name from the subject into a SAN.
So far so good; this works now with this config.
policyset.cmcServerCert.10.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.10.constraint.name=No Constraint
policyset.cmcServerCert.10.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcServerCert.10.default.name=Subject Alt Name Constraint
policyset.cmcServerCert.10.default.params.subjAltNameExtCritical=false
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable=true
policyset.cmcServerCert.10.default.params.subjAltExtGNEnable_0=true
policyset.cmcServerCert.10.default.params.subjAltExtType_0=DNSName
policyset.cmcServerCert.10.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$
policyset.cmcServerCert.10.default.params.subjAltNameNumGNs=1
Now I have to add additional SANs if the user sends them in the request.
CSR part:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:mywebservice.example.com, DNS:mywebservicealias.example.com
With this config, it is possible to take the SANs out of the CSR and bring them into the cert.
policyset.cmcServerCert.9.constraint.class_id=noConstraintImpl
policyset.cmcServerCert.9.constraint.name=No Constraint
policyset.cmcServerCert.9.constraint.subjAltNameExtCritical=false
policyset.cmcServerCert.9.default.class_id=userExtensionDefaultImpl
policyset.cmcServerCert.9.default.name=User Supplied Extension Default
policyset.cmcServerCert.9.default.params.userExtOID=2.5.29.17
The problem I had is that I had to take the SANs out of the request and then ADD the CN from the subject as a SAN too.
I'm not able to get this working.
Please help.
Thanks in advance.
Br
florian
7 years, 7 months
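The profile above wants the issued SAN to be "subject CN plus every DNS name the CSR asked for". As an added example (not part of the post and not Dogtag code), this openssl script reproduces that merge outside Dogtag and adds the check a reviewer would run on the result: does the issued cert's SAN actually contain its CN? The test CA, the CSR and the file names are constructed assumptions.

```shell
#!/bin/sh
# Added example: merge "subject CN + CSR SANs" with openssl and verify the result.
# Requires OpenSSL 1.1.1+ (-addext). All keys, names and files are constructed.
set -e
WORK=$(mktemp -d)

# SAN DNS names of a CSR ($1=req) or certificate ($1=x509), one per line.
san_dns_names() {
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Subject CN of a CSR ($1=req) or certificate ($1=x509).
subject_cn() {
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# What the profile is meant to produce: the CN first, then the CSR's DNS
# names, without duplicates (the CN may already be among them).
expected_san() {
  { subject_cn req "$1"; san_dns_names req "$1"; } | awk '!seen[$0]++'
}

# Post-issuance check: the certificate's CN must also appear as a SAN DNS name.
san_covers_cn() {
  san_dns_names x509 "$1" | grep -qxF "$(subject_cn x509 "$1")"
}

# Constructed test CA and a CSR whose CN is NOT among its requested SANs.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Test CA" -days 1 2>/dev/null
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" -subj "/CN=www.example.com" \
  -addext "subjectAltName=DNS:mywebservice.example.com,DNS:mywebservicealias.example.com" 2>/dev/null

# issue CSR OUTCERT "DNS:a,DNS:b": sign with exactly that SAN extension.
issue() {
  printf 'subjectAltName=%s\n' "$3" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
}
to_san_list() { sed 's/^/DNS:/' | tr '\n' ',' | sed 's/,$//'; }

# Cert 1: only the CSR's SANs copied (user-supplied extension alone) -> CN missing.
issue "$WORK/srv.csr" "$WORK/csr_only.crt" "$(san_dns_names req "$WORK/srv.csr" | to_san_list)"
# Cert 2: CN merged in as well -> passes the check.
issue "$WORK/srv.csr" "$WORK/merged.crt" "$(expected_san "$WORK/srv.csr" | to_san_list)"
```

Running it and then calling `san_covers_cn "$WORK/csr_only.crt"` versus `san_covers_cn "$WORK/merged.crt"` shows the difference the profile must achieve.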
Dogtag rootCA or subCA
by Pieter Baele
We will start setting up IDM/FreeIPA for a specific Linux subdomain in our enterprise.
But how can we best integrate Dogtag with the enterprise CA infrastructure (MS Certificate Services)?
Option 1: Dogtag as the rootCA (?)
We can use FreeIPA for all certificates where we need to encrypt end-to-end communication between servers (as an example),
and websites by external CAs or the enterprise CA infrastructure, for which the issuing subCAs are published to all clients...
What about the principle of an offline rootCA in that case? Is that possible with Dogtag?
Option 2: Dogtag (RH IDM) as a subordinate CA of MS CA.
Is there a specific reason that a subordinate CA is a better idea?
Our PKI administrators do not really like an additional subCA, because it is difficult to limit exposure/risks?
We still need to publish the subCA to clients?
What's your opinion: rootCA, or subordinate CA signed by the existing MS Certificate Services PKI?
-- Pieter
7 years, 7 months