EST certificate enrollment
by Goeman, Stefan
Hello,
Is there any chance that the dogtag PKI will support the EST (Enrollment over Secure Transport) certificate enrollment protocol?
Much thanks in advance for your feedback!
Greetings,
Stefan Goeman
**************************************************************************************
This e-mail and any attachments thereto may contain confidential information and/or information protected by intellectual property rights for the exclusive attention of the intended addressees named above. If you have received this transmission in error, please immediately notify the sender by return e-mail and delete this message and its attachments. Unauthorized use, copying or further full or partial distribution of this e-mail or its contents is prohibited.
**************************************************************************************
5 years, 6 months
scep certificate enrollment
by Goeman, Stefan
Hello,
I want to use SCEP certificate enrollment with dogtag PKI. I know more or less how to enable this.
However, in the dogtag PKI system there are so many certificate profiles enabled by default.
How do I know which certificate profile will be used with SCEP?
Or, are these two things unrelated?
Much thanks in advance for your feedback!
Greetings,
Stefan
5 years, 6 months
CRL Distribution Points
by Goeman, Stefan
Hello,
Is it possible with the dogtag PKI to issue certificates that contain a CRL Distribution Point certificate extension?
I would like to work with a CRL web server, instead of using OCSP.
Much thanks in advance for your feedback!
Greetings,
Stefan Goeman
5 years, 6 months
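The following is an added example written for this thread; it is not Dogtag code and not part of Stefan's post, and it does not say whether Dogtag supports the extension. It uses Go's standard library to show what a certificate carrying a CRL Distribution Point looks like and how a relying party is expected to use it: a throwaway CA (the names, the serial number and the URL http://crl.example.test/ca.crl are constructed placeholders) issues a leaf whose CRLDistributionPoints extension names a CRL web server, publishes a CRL, and the checker verifies the CRL's signature and validity window before consulting it, so a stale or wrongly signed CRL is an error rather than a silent "not revoked".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder for the CRL web server the post asks about.
const crlURL = "http://crl.example.test/ca.crl"

// must keeps the example short by panicking on errors; real code returns them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI creates a self-signed CA (with the CRL-signing key usage a CRL
// issuer needs) and a leaf whose CRLDistributionPoints extension names crlURL.
func buildPKI() (caCert *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert = must(x509.ParseCertificate(caDER)) // re-parse so SubjectKeyId etc. are populated

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(90), // constructed serial
		Subject:               pkix.Name{CommonName: "rabbitmq.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{crlURL}, // the extension the post asks about
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	leaf = must(x509.ParseCertificate(leafDER))
	return caCert, caKey, leaf
}

// issueCRL signs a CRL that lists the given serials as revoked; this is the
// object the CA would publish at crlURL for clients to download.
func issueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
	return must(x509.ParseRevocationList(der))
}

// checkRevocation is the relying-party side: a CRL fetched from the
// distribution point is trusted only if the leaf's issuer signed it and it is
// inside its validity window; anything else is an error (fail closed).
func checkRevocation(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL outside its validity window")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	caCert, caKey, leaf := buildPKI()
	crl := issueCRL(caCert, caKey, leaf.SerialNumber)
	revoked, err := checkRevocation(leaf, caCert, crl, time.Now())
	fmt.Println("CRL DP:", leaf.CRLDistributionPoints, "revoked:", revoked, "err:", err)
}
```

The point of the checker is the order of operations: signature, then freshness (ThisUpdate/NextUpdate), and only then the serial lookup. A client that skips the freshness check can be fed an old CRL that predates a revocation, which is the main operational weakness of CRLs relative to OCSP and the reason the CRL web server's NextUpdate interval matters.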
Adding a signing certificate to an existing Dogtag instance
by Allyson Bowles
Hey folks,
A while back, I set up an internal CA signing certificate for the purpose
of issuing certificates used for RabbitMQ connections, Sensu, Consul,
etc. I would now like to add that signing certificate to my existing
Dogtag instance (created as part of an IPA server installation), so that
I can configure clients to automatically renew these certificates using
Certmonger. This signing certificate would not be used for anything IPA
related, only the abovementioned third-party utilities requiring an
internally trusted SSL certificate for authentication.
I have managed to perform the pkispawn step using a PKCS12 file
containing the signing certificate and key as well as a pkispawn config
file that looks something like this:
```
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=secret
pki_client_pkcs12_password=secret
pki_ds_password=secret
pki_ds_ldap_port=389
pki_existing=True
[CA]
pki_ca_signing_nickname=MyInternalCA
pki_ca_signing_csr_path=req/ca.csr
pki_pkcs12_path=ca.p12
pki_pkcs12_password=secret
pki_serial_number_range_start=90
pki_request_number_range_start=90
pki_master_crl_enable=False
pki_external_step_one=False
pki_external_step_two=True
```
The output I get is as follows:
```
# pkispawn -s CA -f pkispawn.cfg
Log file: /var/log/pki/pki-ca-spawn.20190611180347.log
Loading deployment configuration from pkispawn.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
---------------
Import complete
---------------
Installation failed:
com.netscape.certsrv.base.BadRequestException: System is already
configured
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
```
The pki-ca-spawn logfile doesn't contain anything interesting, and
neither could I find anything terribly noteworthy in either
/var/log/pki/pki-tomcat/ca/{debug,system}.
The certificate and key do show up in certutil -L and -K, so my plan was
to try carrying on with getting a client to use Certmonger to renew its
certificate against this signing certificate. To do /that/, it looks
like I need to create or modify an existing CA profile per
https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI. However, this doc
expects the operator to have a user certificate with the nickname
'caadmin' and a password. I don't seem to have a certificate with that
nickname and I'm not sure which certificate to look for. Further
documentation
https://www.dogtagpki.org/wiki/CA_Admin_Setup#Retrieving_CA_Admin_Certifi...
suggests that I could create a new CA admin user...but this requires
having access to the existing one.
Which brings us to my actual questions.
1) Am I trying to do a reasonable thing by importing an existing signing
certificate into an existing Dogtag instance? If not, what's a better
way to achieve the ability to autorenew client certificates?
2) How can I either reset the existing CA admin credentials (given that
I have system root) or force creation of a new user without nuking my
current instance? Ideas about where I could look for the existing CA
admin credentials would work as well but I understand this is highly
dependent on how the system was set up initially.
3) Is there something else I should be doing, after the pkispawn partial
failure, to troubleshoot? I figured attempting to carry on with an
autorenew might at least get me more information about what's happening,
but I'm very open to other approaches as well.
Thank you for your time,
Ally
--
Allyson Bowles | Senior Site Reliability Engineer
e: abowles(a)hireology.com | 7C2D 671B 08A2 0D8A AD52 540E 1FB2 B534 ECD5 4608
http://www.hireology.com
5 years, 6 months