Dear Marco, dear all,
I run Dogtag v11.5 and have possibly found a race condition error. The GitHub
actions you mentioned seem to be specific to version v11.6. The tests for
v11.5 use this script instead:
I copied the script over, adapted the passwords and gave it a try. I notice
the following:
This line 21 fails for me:
pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
Source:
Error:
Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
Submitting CRMF request to pki-test.riemann.cc:8080
Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
Request Status: pending
Reason:
Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
BadRequestException: Request Sending DRM request failed check KRA log for detail Rejected - {1}
Cert ID:
ERROR: Missing serial number
Workaround:
I add a "sleep 3" between the call to CRMFPopClient and the call to
"ca-cert-request-approve".
Is it possible that a race condition is also responsible for the original
error?
2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: ProfileSubmitServlet: error in processing request: KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't find
any recent entry.
$ ls /var/log/pki/pki-tomcat/kra/
archive debug.2025-04-04.log selftests.log signedAudit
Best,
Robert
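A check that goes one step beyond listing nicknames, as the certutil output quoted further down in this thread does: it compares the certificate the CA connector actually references in CS.cfg (ca.connector.KRA.transportCert) with the certificate stored under the configured nickname in the CA nssdb. This is an added example, not code from the thread or from Dogtag; the CS.cfg keys and paths are the ones quoted in the thread, and CA_CFG / CA_NSSDB are assumed environment overrides.

```shell
#!/bin/sh
# Added check (not from the thread or from Dogtag): confirm that the KRA
# transport certificate the CA connector references in CS.cfg is the same
# certificate stored under the configured nickname in the CA's NSS database.
# Paths and keys are the ones quoted in the thread; CA_CFG and CA_NSSDB are
# assumed overrides so the check can be pointed at another instance.

CA_CFG="${CA_CFG:-/var/lib/pki/pki-tomcat/ca/conf/CS.cfg}"
CA_NSSDB="${CA_NSSDB:-/var/lib/pki/pki-tomcat/ca/alias}"

# Print the value of a key=value line from CS.cfg-style text (first match only).
cfg_value() {                     # $1 = config text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Reduce a PEM certificate to its bare base64 body (drop BEGIN/END lines and all
# whitespace) so it can be compared with the single-line value kept in CS.cfg.
pem_body() {                      # $1 = PEM text
    printf '%s\n' "$1" | sed '/^-----/d' | tr -d ' \t\r\n'
}

# Return 0 when CS.cfg's ca.connector.KRA.transportCert equals the given PEM,
# 1 when they differ or either side is empty.
transport_cert_matches() {        # $1 = CS.cfg text, $2 = PEM of the nssdb cert
    cfg=$(cfg_value "$1" "ca.connector.KRA.transportCert" | tr -d ' \t\r')
    nss=$(pem_body "$2")
    [ -n "$cfg" ] && [ -n "$nss" ] && [ "$cfg" = "$nss" ]
}

# Live check: read CS.cfg, export the configured nickname from the CA nssdb
# with certutil (-a gives PEM), and compare. Exit status is the verdict.
check_live() {
    cfg_text=$(cat "$CA_CFG")
    nick=$(cfg_value "$cfg_text" "ca.connector.KRA.transportCertNickname")
    nick="${nick:-kra_transport}"   # nickname used in the thread when unset
    pem=$(certutil -L -d "$CA_NSSDB" -n "$nick" -a 2>/dev/null)
    if transport_cert_matches "$cfg_text" "$pem"; then
        echo "OK: $nick in $CA_NSSDB matches ca.connector.KRA.transportCert"
    else
        echo "MISMATCH: $nick in $CA_NSSDB differs from ca.connector.KRA.transportCert (or is missing)" >&2
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live on the CA host; a MISMATCH means the CA connector and the nssdb disagree about which transport certificate is in use, which is the situation the ProfileSubmitServlet error points at.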
On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco Fargetta wrote:
Hi Robert,
I have not tested your configuration but it seems correct.
You can find documentation on dogtag KRA configuration in the folder:
https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
There are also several actions performing the operation. Have a look at:
https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
You can compare the installation steps with your case.
Thanks,
Marco
On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> Dears,
>
> I experience the same issue (KRA missing in CA nssdb) when attempting to
> enroll via the browser with the profile:
> Manual User Dual-Use Certificate Enrollment using server-side Key generation
>
> 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO: UserSubjectNameDefault: Subject: UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
> 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: ProfileSubmitServlet: error in processing request: KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
>         at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
>         at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
>         at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
>
>
> The link
> https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
> provided by Chris Zinda in 2021 is unfortunately broken/empty.
>
> What I have done so far:
>
> - I have set up the directory server and CA+KRA in the same pki-tomcat instance.
> - I have checked that the kra_transport certificate is in the CA nssdb:
>
> $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ca_signing                                                   CTu,Cu,Cu
> ca_ocsp_signing                                              u,u,u
> sslserver                                                    u,u,u
> subsystem                                                    u,u,u
> ca_audit_signing                                             u,u,Pu
> kra_transport                                                u,u,u
> kra_storage                                                  u,u,u
> kra_audit_signing                                            u,u,Pu
>
> - I have read
> https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
>
> - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
> "ca.connector.KRA.transportCertNickname=kra_transport"
> (However, ca.connector.KRA.transportCert was already set accurately)
>
> - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
>
> - I've tested with `pki -n caadmin ca-kraconnector-show`:
>
> Host: pki-test.riemann.cc:8443
> Enabled: true
> Local: false
> Timeout: 30
> URI: /kra/agent/kra/connector
> Transport Cert:
>
> MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
> MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
> […]
>
> What else could be wrong? Find my setup script here below.
>
> Best,
> Robert
>
>
> #!/usr/bin/sudo /bin/bash
>
> # Expected to be set before running: HOSTNAME, SUFFIX, DS_PASSWORD,
> # PKI_SERVER_PASSWORD, PKI_CA_PASSWORD, PKI_CA_CLIENT_PASSWORD,
> # PKI_KRA_PASSWORD, PKI_KRA_CLIENT_PASSWORD
>
> # pam_limits only reads files ending in .conf from limits.d
> cat << EOF > /etc/security/limits.d/01-pki.conf
> # Dogtag CA Settings
> root hard nofile 4096
> root soft nofile 4096
> EOF
>
> dnf update -y
> dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
>
> # Create Directory Server Instance:
> # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
> dscreate create-template ds-template.inf
>
> # uncomment and fill the template settings, writing the result to ds.inf
> sed --silent \
>   -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
>   -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
>   -e "s/;suffix = .*/suffix = $SUFFIX/g" \
>   -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
>   -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
>   -e "w ds.inf" \
>   ds-template.inf
>
> dscreate from-file ds.inf
>
> ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
> dn: dc=pki,$SUFFIX
> objectClass: domain
> dc: pki
> EOF
>
> systemctl status dirsrv@localhost.service
>
> # Create PKI CA Server
> # (alternatively: cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg)
> curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
> sed --silent \
>   -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
>   -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
>   -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
>   -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
>   -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
>   -e "w ca.cfg" \
>   ca-template.cfg
>
> pkispawn -f ca.cfg -s CA
>
> pki-server cert-export ca_signing --cert-file ca_signing.crt
> sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
> # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
> sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
> sudo -u fedora pki info # for testing the setup
>
> # Create PKI KRA Server
> #
> cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
> sed --silent \
>   -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
>   -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
>   -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
>   -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
>   -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
>   -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
>   -e "w kra.cfg" \
>   kra-template.cfg
>
> pkispawn -f kra.cfg -s KRA
>
>
> _______________________________________________
> Pki-users mailing list -- users(a)lists.dogtagpki.org
> To unsubscribe send an email to users-leave(a)lists.dogtagpki.org