Re: [Pki-users] SAN for Launch page.
by Marc Sauton
opened ticket
https://pagure.io/dogtagpki/issue/2979
SAN in internal SSL server certificate in pkispawn configuration step
community comments welcome.
On Fri, Mar 30, 2018 at 8:24 AM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
wrote:
> Yes, making this a default will make it much easier.
>
> On Fri, Mar 30, 2018 at 8:14 AM Marc Sauton <msauton(a)redhat.com> wrote:
>
>> Yes, sorry, I forgot to mention the profile used for the internal SSL
>> server certificate at configuration needed to be copied
>> from /usr/share/pki/ca/conf/serverCert.profile.exampleWithSAN
>> Should we make this a default setting?
>> Thanks,
>> M.
>>
>> On Thu, Mar 29, 2018 at 10:05 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>> wrote:
>>
>>> Found the solution here...Thanks again!
>>>
>>> https://www.redhat.com/archives/pki-devel/2015-April/msg00077.html
>>>
>>> On Thu, Mar 29, 2018 at 8:06 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>>> wrote:
>>>
>>>> sending to alias also...
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>>>> Date: Thu, Mar 29, 2018 at 3:35 PM
>>>> Subject: Re: [Pki-users] SAN for Launch page.
>>>> To: Marc Sauton <msauton(a)redhat.com>
>>>>
>>>>
>>>> It did not work. I am still getting SAN errors when using the Launch
>>>> page. I viewed the Cert that was issued to the launch page, and it is still
>>>> missing the SAN. Here is my ca.cfg:
>>>>
>>>> [CA]
>>>> pki_admin_email=caadmin(a)test.com
>>>> pki_admin_name=caadmin
>>>> pki_admin_nickname=caadmin
>>>> pki_admin_password=xxxxxxxx
>>>> pki_admin_uid=caadmin
>>>>
>>>> pki_san_inject=True
>>>> pki_san_for_server_cert=dogtag-ca-root.test.com
>>>>
>>>> pki_client_database_password=xxxxxxxx
>>>> pki_client_database_purge=False
>>>> pki_client_pkcs12_password=xxxxxxxxxx
>>>>
>>>> pki_ds_base_dn=dc=test,dc=com
>>>> pki_ds_database=pki-tomcat
>>>> pki_ds_password=xxxxxxx
>>>>
>>>> pki_ca_signing_subject_dn=cn=TEST Root CA,ou=TEST Certification Authority,c=US
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Rafael
>>>>
>>>> On Thu, Mar 29, 2018 at 2:50 PM, Rafael Leiva-Ochoa <spawn(a)rloteck.net>
>>>> wrote:
>>>>
>>>>> Thanks, I will give that a try.
>>>>>
>>>>> On Thu, Mar 29, 2018 at 12:57 PM, Marc Sauton <msauton(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Try to add to the pkispawn config file, for example:
>>>>>> pki_san_inject=True
>>>>>> pki_san_for_server_cert=ca01.example.com,ca02.example.com,ca.example.com
>>>>>>
>>>>>> Note for the "non-internal" certificates, there is a way to modify
>>>>>> enrollment profiles to add a SAN, but a recently updated feature is described
>>>>>> in the page at
>>>>>> http://www.dogtagpki.org/wiki/PKI_10.4_Copy_CN_To_SAN
>>>>>>
>>>>>> Thanks,
>>>>>> M.
>>>>>>
>>>>>> On Thu, Mar 29, 2018 at 11:42 AM, Rafael Leiva-Ochoa <
>>>>>> spawn(a)rloteck.net> wrote:
>>>>>>
>>>>>>> Hi Everyone,
>>>>>>>
>>>>>>> I am trying to build a new CA, and I am using the ca.cfg file to
>>>>>>> create the CA, but when I create the CA, the SAN is missing from the
>>>>>>> website cert (:8443). I am trying to look for the right value to put on the
>>>>>>> ca.cfg file for the SAN, so the launch page does not give me SAN
>>>>>>> errors. Here is what I found, but nothing relating to the SAN:
>>>>>>>
>>>>>>> [CA]
>>>>>>> pki_admin_email=caadmin(a)example.com
>>>>>>> pki_admin_name=caadmin
>>>>>>> pki_admin_nickname=caadmin
>>>>>>> pki_admin_password=Secret.123
>>>>>>> pki_admin_uid=caadmin
>>>>>>>
>>>>>>> pki_client_database_password=Secret.123
>>>>>>> pki_client_database_purge=False
>>>>>>> pki_client_pkcs12_password=Secret.123
>>>>>>>
>>>>>>> pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
>>>>>>> pki_ds_database=ca
>>>>>>> pki_ds_password=Secret.123
>>>>>>>
>>>>>>> pki_security_domain_name=EXAMPLE
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Rafael
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Pki-users mailing list
>>>>>>> Pki-users(a)redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
6 years, 8 months
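A pre-flight check for the two SAN keys discussed in the thread above, as an added example that is not part of any post and not Dogtag code. The function name `check_san_settings`, the sample configs and the host names are constructed for illustration, and entries are assumed to be fully qualified DNS names. As the thread notes, these keys alone were not enough; the SAN-enabled server certificate profile was also needed, which this check cannot verify.

```python
import configparser
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _valid_dns_name(name):
    # Assumption: SAN entries are fully qualified DNS names (two or more labels).
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def check_san_settings(cfg_text, expected_host, section="CA"):
    """Return a list of problems with the SAN keys in a pkispawn config."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(cfg_text)
    except configparser.Error as exc:
        # e.g. a value broken across lines by mail wrapping
        return [f"config does not parse: {type(exc).__name__}"]
    if not cp.has_section(section):
        return [f"no [{section}] section"]
    problems = []
    # Assumption: any capitalisation of "true" counts as enabled.
    if cp.get(section, "pki_san_inject", fallback="").strip().lower() != "true":
        problems.append("pki_san_inject is not True")
    raw = cp.get(section, "pki_san_for_server_cert", fallback="")
    names = [n.strip() for n in raw.split(",") if n.strip()]
    if not names:
        problems.append("pki_san_for_server_cert is empty or missing")
    for n in names:
        if not _valid_dns_name(n):
            problems.append(f"not a valid DNS name: {n!r}")
    # The name typed into the browser for :8443 must be one of the SAN entries.
    if names and expected_host.lower() not in [n.lower() for n in names]:
        problems.append(f"{expected_host} is not in the SAN list")
    return problems

# Constructed sample configs (host names are placeholders).
GOOD_CFG = "[CA]\npki_san_inject=True\npki_san_for_server_cert=ca01.example.com,ca.example.com\n"
NO_SAN_CFG = "[CA]\npki_admin_uid=caadmin\npki_ds_database=ca\n"
WRAPPED_CFG = "[CA]\npki_san_inject=True\npki_san_for_server_cert=ca01.example.com,c\na.example.com\n"

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CFG), ("no SAN keys", NO_SAN_CFG), ("wrapped", WRAPPED_CFG)]:
        print(label, "->", check_san_settings(cfg, "ca.example.com") or "ok")
```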
SAN for Launch page.
by Rafael Leiva-Ochoa
Hi Everyone,
I am trying to build a new CA, and I am using the ca.cfg file to create
the CA, but when I create the CA, the SAN is missing from the website cert
(:8443). I am trying to look for the right value to put on the ca.cfg file
for the SAN, so the launch page does not give me SAN errors. Here is
what I found, but nothing relating to the SAN:
[CA]
pki_admin_email=caadmin(a)example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123
pki_security_domain_name=EXAMPLE
Any ideas?
Rafael
6 years, 8 months
Dogtag PKI Website URL
by Endi Sukma Dewata
Hi,
The Dogtag PKI Website URL has changed as follows:
* Old URL: http://pki.fedoraproject.org
* New URL: http://www.dogtagpki.org
Please use the new URL whenever possible. The old URL should
automatically be redirected to the new URL, so all existing links
should continue to work.
Unfortunately, there was a glitch during the transition yesterday
causing it to be redirected to redhat.com. If you are experiencing
this, you may need to clear the browser cache/history. Please refer
to your browser's documentation since the steps are browser-specific.
Sorry for the inconvenience. Thanks!
--
Endi S. Dewata
6 years, 9 months
compatibility with other LDAP servers?
by Hadmut Danisch
Hi,
just a question I found no answer for in the docs and faqs:
The dogtag-pki is always described together with the 389 directory
server.
Is there a particular reason for that, does it require that for some
special feature, or does it work with standard LDAP servers as well?
regards
Hadmut
6 years, 9 months