Re: [Pki-users] Looking for a short path to auto signing server certificates.

Thanks again for the information. I have a couple more questions for you. first is that I have added a new 'Dogtag' ca in /var/lib/certmonger/cas/20150331194831-5 *id=Dogtagca_aka=Dogtag PKIca_is_default=0ca_type=EXTERNALca_external_helper=/usr/libexec/certmonger/dogtag-submitca_required_enroll_attributes=template-subjectca_required_renewal_attributes=template-subject* however, when I run getcert list-cas, it does not appear The next question is regarding the dogtag-submit helper itself. I'm trying to execute this: */usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key -E https://dogtag.test.org:8443/ca/ee/ca <https://dogtag.test.org:8443/ca/ee/ca> -A https://dogtag.test.org:8443/ca/agent/ca <https://dogtag.test.org:8443/ca/agent/ca> -T caServerCert -d /etc/httpd/alias -n caadmin -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C /etc/pki/pki-tomcat/alias* and then I paste in my csr and hit 'ctrl-d' and I get: *code = 77code_text = "Problem with the SSL CA cert (path? access rights?)"results = "(null)"Error 77 connecting to https://dogtag.test.org:8443/ca/ee/ca/profileSubmit <https://dogtag.test.org:8443/ca/ee/ca/profileSubmit>;: Problem with the SSL CA cert (path? access rights?).* I guess I'm not sure what CA cert path it's talking about. I've tried the pki-tomcat alias path and I've tried pointing to the CAcert that I downloaded from the WebUI on the 'Import CA Certificate Chain' page but I always get the same error. Thanks for your help, --steve On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin(a)redhat.com&gt; wrote: > On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote: > > Hello everyone, > > > > I have a requirement to provide a service to our internal linux systems > to > > allow them to self-register and receive a certificate representing the > host > > itself and then a cert representing any application on that host. I have > > installed DogTag, it's up and running and seems to be working. > > > > I'd like to be able to use REST to request a certificate and have it > > auto-signed. I know that DogTag has a REST interface and while the > > interface is documented, there are no examples where I can see how it > would > > actually be used to post a CSR, fetch a cert, etc. > > > > Normally, I'd just sniff a request made with getcert but as I'm using > just > > dogtag as a standalone install and not as a part of FreeIPA, getcert > has no > > knowledge of my local DogTag CA: > > > > *[root@dogtag lib]# getcert list-casCA 'SelfSign': is-default: > > no ca-type: INTERNAL:SELF next-serial-number: 01CA > > 'IPA': is-default: no ca-type: EXTERNAL > > helper-location: /usr/libexec/certmonger/ipa-submitCA 'certmaster': > > is-default: no ca-type: EXTERNAL helper-location: > > /usr/libexec/certmonger/certmaster-submitCA > > 'dogtag-ipa-renew-agent': is-default: no ca-type: > > EXTERNAL helper-location: > > /usr/libexec/certmonger/dogtag-ipa-renew-agent-submitCA 'local': > > is-default: no ca-type: EXTERNAL helper-location: > > /usr/libexec/certmonger/local-submit* > > > > so... how do I make it aware? I'm using fedora21 so I'm at > > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It > > looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure > what > > to add. > > If you're after something you can use to poke at the server from the > command line, the 'pki' tool from the 'pki-tools' package may be closer > to what you're looking for. > > If not, well, here's more than you probably want to know. > > The CAs which certmonger knows about by default are the ones that don't > require any additional configuration to be passed to them. For example, > the ipa-submit helper can dig up all of the configuration that it needs > from the IPA configuration files. Along similar lines, the > dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration > for some settings, and have hardwired defaults for the rest. > > The general-purpose dogtag-submit helper doesn't have that expectation, > and it hasn't seen much use yet, so you may find some bugs (well, more > than usual). Anyway, a new file telling certmonger how to invoke it > would look something like this: > > id=Dogtag > ca_type=EXTERNAL > ca_external_helper=/usr/libexec/certmonger/dogtag-submit ... > > The flags that would be passed to the dogtag-submit helper depend on > whether or not it's expected to use agent creds to use Dogtag's agent > services to approve the signing requests that it submits. Briefly: > -T caServerCert > The name of the Dogtag enrollment profile to use. > -E http://server:8080/ca/ee/ca > The location of Dogtag's end-user service. > -A https://server:8443/ca/agent/ca > The location of Dogtag's agent services, if agent creds will be used. > -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt > The location of the agent creds, if agent creds will be used. > > Some words of caution: the helper doesn't use the new REST API, but > rather the old forms-based one, due to a combination of wanting to > remain compatible with older versions of Dogtag and wanting to avoid > adding new dependencies to the server via the REST API. > > If you try to use agent creds to auto-approve things, but the enrollment > profile doesn't provide defaults for every extension value that it > populates, the logic in dogtag-submit that tries to use agent creds to > approve requests won't be able to tell the server to just use the > defaults, and things could go awry. The -O flag may help here. > > You may want to run dogtag-submit interactively to get the flags sorted > out, passing in previous output using the -S flag to mimic the > certmonger daemon running it iteratively. > > > I apologize in advance for the pedestrian questions. I have read the > docs > > and the getting started guide and while they provide examples for > > self-signed certs and for using FreeIPA, I don't see much info on using > > getcert with DogTag as a standalone product. I'd also like to explore > using > > SCEP for requesting certs from our MS PKI. Is there a guide or info > setting > > up certmonger/getcert to hit a SCEP URL? > > That functionality was new in 0.77, and I've just submitted a candidate > update build for F21, so hopefully some will be available in the > updates-testing tree this week. Anyway, the short version of how to use > an SCEP server is: > > * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at > your SCEP server's URL and give the CA a nickname. > * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted > copy of the CA's certificate. If not, use "getcert list" and > "getcert list-cas" to display request and certificate fingerprints > for manual verification. > * Use "getcert -c $NAME" to request a certificate. > * Use the -L or -l flag to supply the enrollment PIN or point to a > file that contains the enrollment PIN. > > A lot of the logic for supporting SCEP is new, so if you run into > problems in that area, please make sure to let us know. > > HTH, > > Nalin >