Re: [Pki-users] Usage Clarification

On 01/19/2012 11:45 AM, Mike Helm wrote: > What is func? > > Is it this? > > https://fedorahosted.org/func/ Yes. >> #1 - given the above, is dog tag able to deal with these >> certificates (I >> am so far under the impression that indeed it can) > > Deal with - what do you mean? Do you mean, process requests and provide > a certificate that these apps can understand? (If so the answer is > probably > yes; we use certs in many services, but we don't happen to use puppet or > func, altho I would like to). Yeah, that's what I was asking. I'm fairly new to the intricacies of certificates, I've used them for https, but when looking at certificates for https based websites, and the certs used for/by puppet there were numerous differences. I presume though that most of the differences are in the certificate creation process, and not the signing. > >> #2 - How does one request a certificate from the installed pki-ca? > > There are a couple possibilities. You can essentially screen scrape& > script the posting of the requests to the request interface. > > You can use the RA and either adapt some of the existing scripts in > the RA or > just focus on the submission portion of the RA and build an appropriate > request. Usually, you have to adjust the profile to do the right > thing - > to expect the right variables from the PUT url. > > You can adapt the XML interface (I think - haven't explored that). >> >> requesting a certificate would submit some form of authentication. > > They could be authenticated or not. The RA would allow you to use > whatever authentication you wanted - eg you could accept any request > from designated IP addresses, or network masks, or you could probably > use OAuth or Kerberos, or something else entirely. > > Or you could leave the requests to queue up unauthenticated& have > an agent verify the requests before manually issuing them. > > Other possibilities exist probably. Great, that's some good information. >> don't expect any device to request a certificate without me knowing it >> needs one an initiating the process somehow, so the added >> authentication >> seems un-needed in my case. > >> At the moment I'm used to puppet or func you have a puppetca function >> that can tell me the certificate signing requests pending approval, is >> this workflow fundamentally different than dogtag? > > I don't know puppet or what sounds like its internal CA (puppetca) so > I couldn't > be sure how it works. You should get a response back from either the > dogtag > CA or RA that something happened to the request > (accepted/approved/rejected/error) > and you can act on that returned value. How flexible the app is would > determine how useful that message will be. > > Usual disclaimers - I could be wrong! So an additional issue, once I configured the CA, it gives me a link to a page that has XXXXXX Certificate System and lists "SSL End Users Services" as well as "Agent Services". All I did was go through the setup of the CA service. If I click on either of those, I get a white blank screen. I have no idea how to debug this, I can't seem to find any error messages in /var/log/pki-ca to even point me anywhere, when I do request those pages, *nothing* shows up in any of the many log files in that directory. Any pointers? The urls are: https://hostname:9445/ca/services which has links to: https://hostname:9444/ca/ee/ca https://hostname:9443/ca/agent/ca Pointers would be much appreciated.