OCSP Installation Problem
by Nadeera Galagedara
Dear,
I have a Root CA and an Issue CA in my network. The Issue CA is signed by the Root CA. Both CAs are installed on CentOS 7 with Dogtag version 10.5. Now I am going to install the OCSP for the Issue CA. There is no OCSP for CentOS 7, so I installed the OCSP (10.8) on Fedora. I tried to connect the OCSP to the Issue CA with both the interactive and the manual configuration method. I still got an error.
The error that comes when trying to install the OCSP:
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg
INFO: Checking existing SSL server cert: Server-Cert cert-pki-tomcat
INFO: Creating temp SSL server cert for ocsp.mycompany.lk
Notice: Trust flag u is set automatically if the private key is present.
INFO: Joining existing domain
INFO: Getting token for installing OCSP on ocsp.mycompany.lk
Installation failed: com.netscape.certsrv.base.PKIException: error result
Please check the OCSP logs in /var/log/pki/pki-tomcat/ocsp.
There is no error shown in the log file. If I use pkispawn it also generates the same error.
My OCSP configuration:
[DEFAULT]
pki_server_database_password=Secret.123

[OCSP]
pki_admin_cert_file=/home/user/Desktop/ca_admin_cert.p12
[I used the p12 admin file from the Issue CA server]
pki_admin_email=ocspadmin@example.com
pki_admin_name=ocspadmin
pki_admin_nickname=ocspadmin
pki_admin_password=Secret.123
pki_admin_uid=ocspadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ocsp,dc=mycompany,dc=lk
pki_ds_database=ocsp
pki_ds_password=Secret.123
pki_clone_pkcs12_password=Secret.123
pki_security_domain_name=MYDOMAIN
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123
pki_token_password=Secret.123
pki_security_domain_hostname=issueca.mycompany.lk
My Issue CA configuration:
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=issueca,dc=mycompany,dc=lk
pki_ds_database=ca
pki_ds_password=Secret.123
pki_security_domain_name=MYDOMAIN
pki_token_password=Secret.123
pki_external=True
pki_external_step_two=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
4 years, 7 months
How to renew CA root signing certificate?
by Matt Magoffin
Hello,
I have a Dogtag 10.0 CA system where the root self-signed certificate is set to expire next year. I plan to upgrade to Dogtag 10.7, but after that it is not clear to me what procedure I should follow to renew the root signing certificate.
I understand the general process for renewing system certificates as outlined here:
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
However the examples there are all for system certificates other than the root certificate, so I wanted to be clear on the steps needed.
In my testing, I found that I can renew & approve the root signing certificate as documented:
$ pki ca-cert-request-submit --profile caManualRenewal --serial 0x1 --renewal
If I use the web GUI’s “Bypass CA notAfter constraint” option to approve the request I can get the expiration date of the approved certificate set to the distant future. Is there a way to do this with the pki command line tool? When I tried, the expiration date gets capped to the current CA root certificate’s expiration date.
Then, assuming that approved root certificate is what I need, do I just run
$ systemctl stop pki-tomcatd@pki-tomcat.service
$ pki-server subsystem-cert-update ca <nickname> --cert <renewed-cert-file>
$ systemctl start pki-tomcatd@pki-tomcat.service
And then will I be able to renew the other system certificates normally later (before they expire)?
Thanks for any advice,
Matt
4 years, 7 months
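The post above notes that approving the root renewal from the pki CLI can leave notAfter capped at the current root's expiry, which would make the whole swap pointless. What follows is an added example, not part of the original thread and not Dogtag code: a small Python script that reads the Validity field of both certificates directly from DER (or PEM) and reports whether the renewed certificate really extends the lifetime and is already valid, so you can check the approved cert before running pki-server subsystem-cert-update. The make_skeleton_cert and to_pem helpers only build constructed, unsigned certificate skeletons so the check can be exercised offline; on a real system you would feed check_renewal the current CA signing cert exported from the NSS database and the renewed cert file.

```python
"""Added example: verify that a renewed CA signing certificate really extends
notAfter before swapping it in. Not Dogtag code; X.509 DER is parsed by hand."""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _read_tlv(buf, off=0):
    """Parse one DER TLV at buf[off]; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _read_tlv(value, off)
        out.append((tag, val))
    return out


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280."""
    t = value.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; YY >= 50 means 19YY
        yy = int(t[:2])
        year, t = (1900 + yy if yy >= 50 else 2000 + yy), t[2:]
    elif tag == 0x18:                       # YYYYMMDDHHMMSSZ
        year, t = int(t[:4]), t[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime(year, int(t[0:2]), int(t[2:4]), int(t[4:6]),
                       int(t[6:8]), int(t[8:10]), tzinfo=UTC)


def load_der(data):
    """Accept PEM or DER bytes and return the DER encoding."""
    if b"-----BEGIN" in data:
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def cert_validity(data):
    """Return (notBefore, notAfter) of an X.509 certificate as UTC datetimes."""
    _, cert, _ = _read_tlv(load_der(data))
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def check_renewal(current, renewed, now=None):
    """Compare the renewed cert with the one currently installed."""
    now = now or dt.datetime.now(UTC)
    _, cur_after = cert_validity(current)
    new_before, new_after = cert_validity(renewed)
    return {
        "current_not_after": cur_after,
        "renewed_not_after": new_after,
        "extends": new_after > cur_after,       # False if the approval was capped
        "already_valid": new_before <= now,
    }


# --- constructed fixtures (hypothetical; not real, signed certificates) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def utc(y, m, d):
    return dt.datetime(y, m, d, tzinfo=UTC)


def make_skeleton_cert(not_before, not_after):
    """Unsigned skeleton with empty names/SPKI, enough for cert_validity()."""
    time = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),        # [0] version v3
        _der(0x02, b"\x01"),                    # serialNumber 1
        _der(0x30, b""),                        # signature AlgorithmIdentifier (placeholder)
        _der(0x30, b""),                        # issuer Name (placeholder)
        _der(0x30, time(not_before) + time(not_after)),
        _der(0x30, b""),                        # subject Name (placeholder)
        _der(0x30, b""),                        # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der)
            + b"\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    old = make_skeleton_cert(utc(2015, 1, 1), utc(2025, 1, 1))
    capped = make_skeleton_cert(utc(2024, 1, 1), utc(2025, 1, 1))
    print(check_renewal(old, capped, now=utc(2024, 6, 1)))
```

If "extends" comes back False, the approval inherited the old root's notAfter and the cert is not worth installing; reissue the approval with the notAfter constraint bypassed and check again. The parser deliberately handles both UTCTime and GeneralizedTime, since a root pushed out past 2049 must carry a GeneralizedTime notAfter.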
Centos 8 Install error pki-core
by Alexander
$ sudo dnf module install pki-core:10.6
There are no default profiles for the pki-core module:10.6
Error: Problems in the request:
missing modules or groups: pki-core:10.6
4 years, 7 months