Those steps come from an older article at https://access.redhat.com/solutions/44042, originally on RHEL-5 for RHCS-8 (and my fault).
I think the perl command in step 4, after the loop on PKCS10Client, is now incorrect. The goal was to remove the header and footer of the CSR, but it seems the resulting file with several CSRs is now incorrect, with mangled headers.
So I would change step 4 from
"
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; cat ${f}.${i} >> ${f}; done
perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f}
wc -l ${f}
"
to this, which creates a request and makes it one line, without header and footer, within the loop:
"
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -n "cn=testms${i}.example.com"; sed -i.orig -rn '/^-----BEGIN CERTIFICATE REQUEST-----$/{:1;n;/^-----END CERTIFICATE REQUEST-----$/b2;H;b1};:2;${x;s/\s//g;p}' ${f}.${i} ; cat ${f}.${i} >> ${f}; done
wc -l ${f}
"
And the sslget command did work OK for me.
And note the CA restart is not needed in step 1 (it is not in the original article).
There are different ways to create and submit CSR, this was one example.
I am going to correct the article and open a doc bug.
Thanks for pointing this out, and your patience.
M.
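As an added example, not code from the thread, from Dogtag or from the Red Hat article: a small POSIX shell script that does what step 4 aims at (one header-less base64 line per request) and then checks the line before it is submitted, which is the check that would have caught the "Sequence tag error -1" in the quoted message below, since a PKCS #10 request is one DER SEQUENCE and anything else (a header left in, CRLF debris, several requests glued onto one line) fails that check. It assumes POSIX sh with GNU coreutils (base64 -d, od, wc); the function names pem_to_line and der_sequence_ok and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dogtag/RHCS: flatten a PEM
# PKCS#10 request into one header-less base64 line (the goal of step 4) and
# sanity-check that line before handing it to the CA.  A line that is not
# exactly one DER SEQUENCE is what the server reports as "Sequence tag error".
# Assumes POSIX sh plus GNU coreutils (base64 -d, od, wc).

# pem_to_line FILE
# Print the base64 between the BEGIN/END CERTIFICATE REQUEST markers as a
# single line with all whitespace, including CR from CRLF files, removed.
# Portable awk equivalent of the sed one-liner in the message above.
pem_to_line() {
    tr -d '\r' < "$1" |
    awk '/^-----BEGIN CERTIFICATE REQUEST-----$/ { inside = 1; next }
         /^-----END CERTIFICATE REQUEST-----$/   { inside = 0 }
         inside' |
    tr -d ' \t\n'
}

# der_sequence_ok LINE
# Return 0 if LINE base64-decodes to exactly one DER SEQUENCE: tag 0x30 and
# an outer length that accounts for every decoded byte.  Leftover headers,
# CRLF debris or several requests glued together all fail here.
der_sequence_ok() {
    line=$1
    tmp=$(mktemp) || return 1
    if ! printf '%s' "$line" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1            # not valid base64 (e.g. '-' from a header)
    fi
    total=$(( $(wc -c < "$tmp") ))
    # First four bytes as unsigned decimal: the tag, then the length octets.
    set -- $(od -An -tu1 -N4 "$tmp")
    rm -f "$tmp"
    [ "${1:-0}" -eq 48 ] || return 1      # 0x30 = SEQUENCE
    b2=${2:-0}
    if [ "$b2" -lt 128 ]; then            # short form: length in this octet
        len=$b2; hdr=2
    elif [ "$b2" -eq 129 ]; then          # 0x81: one length octet follows
        len=${3:-0}; hdr=3
    elif [ "$b2" -eq 130 ]; then          # 0x82: two length octets follow
        len=$(( ${3:-0} * 256 + ${4:-0} )); hdr=4
    else
        return 1                          # 0x80 (indefinite) or > 64 KiB: not a DER CSR
    fi
    [ "$total" -eq $(( len + hdr )) ]
}

# Stand-alone use: ./csrline.sh request.pem -> prints the one-line CSR or fails.
if [ "$#" -eq 1 ]; then
    out=$(pem_to_line "$1")
    der_sequence_ok "$out" || { echo "not a single DER SEQUENCE: $1" >&2; exit 1; }
    printf '%s\n' "$out"
fi
```

Running der_sequence_ok on each line of ${f} after the loop, or on each ${f}.${i} before the cat, tells you locally whether the request is a single well-formed SEQUENCE; only then is a parse failure on the CA side worth investigating in the profile or the submission encoding.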
On Wed, Sep 22, 2021 at 2:25 PM Hank Hotz <Hank_Hotz(a)na.honda.com> wrote:
I’m trying to demonstrate that Dogtag could support issuing certs to a Linux version which I can’t get information on. Using Fedora 34 for initial proof-of-concept.
I’ve managed to work through a lot of the errors in
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/....
(The page doesn’t seem to be maintained. Where can I submit corrections?)
I’m stuck on the last step though. Until I get a working example, I can’t
tell what’s wrong with the format of the request. The error I get follows.
If other info would be useful, like the full traceback, or the request as
actually formatted by the perl command, just let me know.
2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] WARNING: CertProcessor: No authenticator credentials required
2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: DBSSession: reading cn=8,ou=certificateRepository, ou=ca, o=pki-tomcat-CA
2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: AgentCertAuthentication: authenticated uid=newcaagent,ou=people,o=pki-tomcat-CA
2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: EnrollProfile: Parsing PKCS #10 request:
2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: Unable to parse PKCS #10 request: Sequence tag error -1
java.io.IOException: Sequence tag error -1
        at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)
[ . . . traceback with no explicit errors . . . ]
2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: ProfileSubmitServlet: error in processing request: Invalid Request
Invalid Request
        at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:247)
[ . . . traceback including . . . ]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.io.IOException: Sequence tag error -1
        at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:143)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)
        at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:238)
        ... 50 more
Thanks for any help. If I get past proof of concept, I can engage Honda’s
support contract with IBM, but I’m not there yet.
_______________________________________________
Pki-users mailing list -- users(a)lists.dogtagpki.org
To unsubscribe send an email to users-leave(a)lists.dogtagpki.org