Hi Christina
Thanks for the response. PFA the typescript for pkispawn step1 and pkispawn
step2.
Thanks,
Kritee
On Thu, Nov 6, 2014 at 8:01 AM, Christina Fu <cfu(a)redhat.com> wrote:
Hi Kritee,
I think we could use a bit more info.
Could you try running pkispawn with script... something like the following:
script -c 'pkispawn -s CA -f config-step2.txt -vvv'
the resulting typescript file might give us some more clue.
Christina
On 10/31/2014 09:24 PM, kritee jhawar wrote:
Thanks Christina
I checked out the master branch and built it. Now I can see the added
extensions in the CSR generated, however I am getting the same error as
earlier.
This time again, I tried to supply the certificate chain with and
without the headers. The chain is in a valid PKCS7 format.
Following is how the extensions look in the certificate signed by openssl
for dogtag:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Certificate Sign, CRL
Sign
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
The error I get in step 2 of pkispawn is as follows:
pkispawn : INFO ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... loading external CA signing certificate
from file: '/home/kjhawar/dogtag/dg_ca.cert'
pkispawn : INFO ....... loading external CA signing certificate
chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : INFO ....... AtoB /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert.der
pkispawn : INFO ....... certutil -A -d
/root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u -i
/root/.dogtag/pki-tomcat/ca_admin.cert.der -f
/root/.dogtag/pki-tomcat/ca/password.conf
Notice: Trust flag u is set automatically if the private key is present.
pkispawn : INFO ....... pk12util -d
/root/.dogtag/pki-tomcat/ca/alias -o
/root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator -w
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
/root/.dogtag/pki-tomcat/ca/password.conf
pkispawn : INFO ... finalizing
'pki.server.deployment.scriptlets.finalization'
pkispawn : INFO ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
pkispawn : INFO ....... generating manifest file called
'/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn : INFO ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl restart
pki-tomcatd@pki-tomcat.service'
Job for pki-tomcatd@pki-tomcat.service canceled.
pkispawn : ERROR ....... subprocess.CalledProcessError: Command
'['systemctl', 'restart',
'pki-tomcatd@pki-tomcat.service']' returned
non-zero exit status 1!
Installation failed.
Kindly let me know if any specific configuration has to be done in my
openssl CA. Attaching the config file I am using currently.
Thanks
Kritee
On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu(a)redhat.com> wrote:
> Kritee,
>
> At the minimum, you need the fixes I talked about. They were checked into
> the master but have not been built officially, so yum is not going to get you
> the right rpm. However, you can check it out and build it yourself.
> Here is how you check out the master:
>
> git clone git://git.fedorahosted.org/git/pki.git
>
> You can then use the build scripts to build.
>
> Finally, I apologize that we are not supposed to respond to private
> emails. Dogtag is a community where we share our knowledge. In the future
> please send requests to the mailing list.
> I took the exception this time to look at your CSR and certs and I could
> see that you need the fixes I talked about. I don't know if you have other
> issues though, but AFAIK you need those two fixes.
>
> Hope this helps.
> Christina
>
>
> On 10/29/2014 01:16 AM, kritee jhawar wrote:
>
> Hi Christina
>
> I have done the default configuration for 389ds and haven't
> specifically turned on ssl for it.
>
> Initially I tried using Microsoft and OpenSSL CA as external CAs. This
> was about a month back and I pulled the RPMs using yum (so I assume they are
> the latest ones with the fix you mentioned).
> With this, my pki spawn went fine. In fact the admin cert got generated
> using the externally provided root cert as well. But dogtag couldn't
> connect to the ds. As mentioned earlier it gave me a PKIException error
> listing the certs with error code 500.
> Looking at the ds logs I found that the error was 'bad search filter'.
> However when I tried the same steps with dogtag as external CA the setup
> went through without a glitch. The chain I imported was directly from the
> GUI of dogtag. In fact I included the header and footer as well.
>
> When I tried to reverse engineer the chain, I took the root cert of
> external dogtag ca and used OpenSSL to convert it into pkcs7. This chain
> was not the same as provided from the GUI. Hence I thought that there is
> some particular format for the chain because of which the other CAs aren't
> working.
>
> Also, I updated the RPMs using yum and tried to generate the CSR with
> the extra attributes. My CSR still doesn't reflect those added attributes.
>
> Is yum not the correct way to get the latest code?
>
> I am very new to this, really appreciate your assistance and time.
>
> Regards
> Kritee
>
> On Wednesday, 29 October 2014, Christina Fu <cfu(a)redhat.com> wrote:
>
>> the cert chain you provide in the file specified under
>> pki_external_ca_cert_chain_path
>> should be just pkcs7 without header/footer.
>>
>> I don't know why it would not talk to the DS (did you turn on ssl for
>> the ds?).
>> Not sure if you built your Dogtag from the master; if you do, I'd
>> suggest you get the most updated so you get fixes from the tickets I
>> provided previously which would address at least two issues relating to
>> external CA.
>>
>> Christina
>>
>> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>
>> Hi Christina
>>
>> I was undertaking this activity last month where Microsoft CA didn't
>> work out but Dogtag as external CA did.
>>
>> While using Microsoft CA or OpenSSL CA, pki spawn goes through
>> without any error but dogtag stops communications to 389ds. Upon calling
>> the REST API /ca/rest/certs I get a "PKIException error listing the
>> certs".
>>
>> Is there a particular format for the ca cert chain that we need to
>> provide? I was trying to reverse engineer the chain provided by dogtag.
>>
>> Thanks
>> Kritee
>>
>>
>>
>> On Monday, 27 October 2014, Christina Fu <cfu(a)redhat.com> wrote:
>>
>>> If you meant the following two:
>>>
>>> https://fedorahosted.org/pki/ticket/1190 - CA: issuer DN encoding not
>>> preserved at issuance with signing cert signed by an external CA
>>>
>>> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration)
>>> does not provide CA extensions in subordinate certificate signing requests
>>> (CSR)
>>>
>>> They have just recently been fixed upstream so I imagine you could use
>>> Microsoft CA now. Theoretically any other CA can be used as an external
>>> CA, but if you run into issues, please feel free to report.
>>>
>>> Christina
>>>
>>>
>>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>
>>> Hi
>>>
>>> In my recent thread I read that there is a bug due to which Microsoft
>>> CA can't work as external CA for dogtag.
>>> Can OpenSSL be used ?
>>>
>>> Thanks
>>> Kritee
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>
>
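The thread turns on one format detail: the file named by pki_external_ca_cert_chain_path must be raw PKCS#7 without PEM header/footer, and a chain that was exported armored (or converted with openssl into something other than a PKCS#7 ContentInfo) fails in step 2. The following helper is an added example, not Dogtag code or anything from this thread; it unwraps PEM armor if present and checks that the resulting DER is a PKCS#7 signedData ContentInfo, so the file can be verified before running pkispawn. The sample inputs are constructed, minimal DER structures, not real certificates.

```python
"""Check a CA chain file destined for pki_external_ca_cert_chain_path.

Hypothetical helper (not part of Dogtag): pkispawn wants raw PKCS#7 DER,
so a file carrying -----BEGIN/END----- lines must be unwrapped first, and
a bare certificate (even in DER) is not a PKCS#7 chain at all.
"""
import base64
import re
import sys

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next offset)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def unwrap_pem(data):
    """Return (der_bytes, label) for PEM-armored input, else (data, None)."""
    m = PEM_RE.search(data)
    if not m:
        return data, None
    return base64.b64decode(m.group(2)), m.group(1).decode()


def check_chain(data):
    """Classify file content: 'pkcs7-der' (ready), 'pkcs7-pem' (strip armor), 'not-pkcs7'."""
    der, label = unwrap_pem(data)
    if len(der) < 2 or der[0] != 0x30:          # ContentInfo is a SEQUENCE
        return "not-pkcs7"
    _, body = der_length(der, 1)
    if not der.startswith(SIGNED_DATA_OID, body):  # contentType must be signedData
        return "not-pkcs7"
    return "pkcs7-pem" if label else "pkcs7-der"


# Constructed sample: SEQUENCE { OID signedData, [0] { INTEGER 1 } } - not a real chain
SAMPLE_DER = bytes.fromhex("3010") + SIGNED_DATA_OID + bytes.fromhex("a003020101")
SAMPLE_PEM = (b"-----BEGIN PKCS7-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END PKCS7-----\n")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_chain(open(path, "rb").read()) if path else check_chain(SAMPLE_PEM))
```

A result of 'pkcs7-pem' means the file is the right object but still carries the header/footer; writing out the bytes returned by unwrap_pem gives the form pkispawn expects.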