Hello everyone,
I have a requirement to provide a service to our internal Linux systems to
allow them to self-register and receive a certificate representing the host
itself and then a cert representing any application on that host. I have
installed DogTag, it's up and running and seems to be working.
I'd like to be able to use REST to request a certificate and have it
auto-signed. I know that DogTag has a REST interface and while the
interface is documented, there are no examples where I can see how it would
actually be used to post a CSR, fetch a cert, etc.
Normally, I'd just sniff a request made with getcert but as I'm using just
dogtag as a standalone install and not as a part of FreeIPA, getcert has no
knowledge of my local DogTag CA:
[root@dogtag lib]# getcert list-cas
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit
So... how do I make it aware? I'm using Fedora 21, so I'm at
certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
looks like I'd edit files in /var/lib/certmonger/cas, but I'm not sure what
to add.
I apologize in advance for the pedestrian questions. I have read the docs
and the getting started guide and while they provide examples for
self-signed certs and for using FreeIPA, I don't see much info on using
getcert with DogTag as a standalone product. I'd also like to explore using
SCEP for requesting certs from our MS PKI. Is there a guide or info on setting
up certmonger/getcert to hit a SCEP URL?
Thanks for your continued work on DogTag and certmonger. They ROCK and will
solve big problems for my client if I can just get them to work the way I
need them to.
--steve