Hi Kritee,
I'm sorry I can't find anything visually. Could you send the debug
log? It should be somewhere in /var/lib/pki/pki-tomcat/ca/logs. While you
are at it, maybe send the system log and selftests.log as well.
Christina
On 11/07/2014 10:48 PM, Kritee Jhawar wrote:
Hi Christina
When using Dogtag as external CA I had provided only the self signed
certificate as pkcs7 (the same way I did for OpenSSL) and it had worked.
The idea behind this was we needed a constant trust anchor to be burnt
into the devices (which will function as clients). Initially I tried to
find a way to provide a static root certificate to dogtag so that even
after the crash it will come up with the same certificate.
Then I moved onto the l
Sent from my iPhone
On 07-Nov-2014, at 22:38, Christina Fu <cfu@redhat.com> wrote:
> Hi Kritee,
>
> I just looked closely. Your ca cert chain contains only one single
> self-signed root cert. I think what you need is a chain down to the
> dogtag CA cert that links up from the root, so in your case, you
> should have both the root and the dogtag CA cert in the pkcs7.
>
> Hope that helps.
> Christina
>
>
> On 11/06/2014 01:25 AM, kritee jhawar wrote:
>> Hi Christina
>>
>> Thanks for the response. PFA the typescript for pkispawn step1 and
>> pkispawn step2.
>>
>> Thanks,
>> Kritee
>>
>> On Thu, Nov 6, 2014 at 8:01 AM, Christina Fu <cfu@redhat.com> wrote:
>>
>> Hi Kritee,
>> I think we could use a bit more info.
>> Could you try running pkispawn with script... something like the
>> following:
>> script -c 'pkispawn -s CA -f config-step2.txt -vvv'
>>
>> the resulting typescript file might give us some more clue.
>> Christina
>>
>>
>> On 10/31/2014 09:24 PM, kritee jhawar wrote:
>>> Thanks Christina
>>>
>>> I checked out the master branch and built it. Now I can see the
>>> added extensions in the CSR generated, however I am getting the
>>> same error as earlier.
>>> This time again, I tried the supply the certificate chain with
>>> and without the headers. The chain is in a valid pkcs7 format.
>>> Following is how the extensions look in the certificate signed
>>> by openssl for dogtag:
>>>
>>> X509v3 extensions:
>>> X509v3 Basic Constraints: critical
>>> CA:TRUE
>>> X509v3 Key Usage: critical
>>> Digital Signature, Non Repudiation, Certificate
>>> Sign, CRL Sign
>>> 1.3.6.1.4.1.311.20.2:
>>> .
>>> .S.u.b.C.A
>>>
>>> The error I get in step 2 of pkispawn is as follows:
>>>
>>> pkispawn : INFO ....... BtoA
>>> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
>>> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
>>> pkispawn : INFO ....... loading external CA signing
>>> certificate from file: '/home/kjhawar/dogtag/dg_ca.cert'
>>> pkispawn : INFO ....... loading external CA signing
>>> certificate chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
>>> pkispawn : INFO ....... configuring PKI configuration data.
>>> pkispawn : INFO ....... AtoB
>>> /root/.dogtag/pki-tomcat/ca_admin.cert
>>> /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>> pkispawn : INFO ....... certutil -A -d
>>> /root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u
>>> -i /root/.dogtag/pki-tomcat/ca_admin.cert.der -f
>>> /root/.dogtag/pki-tomcat/ca/password.conf
>>> Notice: Trust flag u is set automatically if the private key is
>>> present.
>>> pkispawn : INFO ....... pk12util -d
>>> /root/.dogtag/pki-tomcat/ca/alias -o
>>> /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator
>>> -w /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
>>> /root/.dogtag/pki-tomcat/ca/password.conf
>>> pkispawn : INFO ... finalizing
>>> 'pki.server.deployment.scriptlets.finalization'
>>> pkispawn : INFO ....... cp -p
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>>> /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
>>> pkispawn : INFO ....... generating manifest file called
>>> '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
>>> pkispawn : INFO ....... cp -p
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
>>> /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
>>> pkispawn : INFO ....... executing 'systemctl daemon-reload'
>>> pkispawn : INFO ....... executing 'systemctl restart
>>> pki-tomcatd@pki-tomcat.service'
>>> Job for pki-tomcatd@pki-tomcat.service canceled.
>>> pkispawn : ERROR ....... subprocess.CalledProcessError:
>>> Command '['systemctl', 'restart',
>>> 'pki-tomcatd@pki-tomcat.service']' returned non-zero
>>> exit status 1!
>>>
>>> Installation failed.
>>>
>>> Kindly let me know if any specific configuration has to be done
>>> in my openssl CA. Attaching the config file I am using currently.
>>>
>>> Thanks
>>> Kritee
>>>
>>> On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu@redhat.com> wrote:
>>>
>>> Kritee,
>>>
>>> At the minimum, you need the fixes I talked about. They
>>> were checked into the master but have not been built
>>> officially, so yum is not going to get you the right rpm.
>>> However, you can check it out and build it yourself.
>>> Here is how you check out the master:
>>>
>>> git clone git://git.fedorahosted.org/git/pki.git
>>>
>>> You can then use the build scripts to build.
>>>
>>> Finally, I apologize that we are not supposed to respond to
>>> private emails. Dogtag is a community where we share our
>>> knowledge. In the future please send requests to the
>>> mailing list.
>>> I took the exception this time to look at your CSR and
>>> certs and I could see that you need the fixes I talked
>>> about. I don't know if you have other issues though, but
>>> AFAIK you need those two fixes.
>>>
>>> Hope this helps.
>>> Christina
>>>
>>>
>>> On 10/29/2014 01:16 AM, kritee jhawar wrote:
>>>> Hi Christina
>>>>
>>>> I have done the default configuration for 389ds and
>>>> haven't specifically turned on ssl for it.
>>>>
>>>> Initially I tried using Microsoft and OpenSSL CA as
>>>> external CAs. This is about a month back and I pull the
>>>> Rpms using yum (so I assume they are the latest ones with
>>>> the fix you mentioned).
>>>> With this, my pki spawn went fine. In fact the admin cert
>>>> got generated using the externally provided root cert as
>>>> well. But dogtag couldn't connect to the ds. As mentioned
>>>> earlier it gave me a PKIException error listing the certs
>>>> with error code 500.
>>>> Looking at the ds logs I found that the error was 'bad
>>>> search filter'.
>>>> However when I tried the same steps with dogtag as
>>>> external CA the setup went through without a glitch. The
>>>> chain I imported was directly from the GUI of dogtag. In
>>>> fact I included the header and footer as well.
>>>>
>>>> When I tried to reverse engineer the chain, I took the
>>>> root cert of external dogtag ca and used OpenSSL to
>>>> convert it into pkcs7. This chain was not the same as
>>>> provided from the GUI. Hence I thought that there is some
>>>> particular format for the chain because of which the other
>>>> CAs aren't working.
>>>>
>>>> Also, I updated the Rpms using yum and tried to generate
>>>> the CSR with the extra attributes. My csr still doesn't
>>>> reflect those added attributes.
>>>>
>>>> Is yum not the correct way to get the latest code ?
>>>>
>>>> I am very new to this, really appreciate your assistance
>>>> and time.
>>>>
>>>> Regards
>>>> Kritee
>>>>
>>>> On Wednesday, 29 October 2014, Christina Fu <cfu@redhat.com> wrote:
>>>>
>>>> the cert chain you provide in the file specified under
>>>> pki_external_ca_cert_chain_path
>>>> should be just pkcs7 without header/footer.
>>>>
>>>> I don't know why it would not talk to the DS (did you
>>>> turn on ssl for the ds?).
>>>> Not sure if you build your Dogtag from the master, if
>>>> you do, I'd suggest you get the most updated so you
>>>> get fixes from the tickets I provided previously which
>>>> would address at least two issues relating to external CA.
>>>>
>>>> Christina
>>>>
>>>> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>>>> Hi Christina
>>>>>
>>>>> I was undertaking this activity last month where
>>>>> Microsoft CA didn't work out but Dogtag as external
>>>>> CA did.
>>>>>
>>>>> While using Microsoft CA or OpenSSL CA, pki spawn
>>>>> goes through without any error but dogtag stops
>>>>> communications to 389ds. Upon calling the rest Api
>>>>> /ca/rest/certs I get a "PKIException error listing
>>>>> the certs".
>>>>>
>>>>> Is there a particular format for the ca cert chain
>>>>> that we need to provide ? I was trying to reverse
>>>>> engineer the chain provided by dogtag.
>>>>>
>>>>> Thanks
>>>>> Kritee
>>>>>
>>>>>
>>>>>
>>>>> On Monday, 27 October 2014, Christina Fu <cfu@redhat.com> wrote:
>>>>>
>>>>> If you meant the following two:
>>>>>
>>>>> https://fedorahosted.org/pki/ticket/1190 CA:
>>>>> issuer DN encoding not preserved at issuance with
>>>>> signing cert signed by an external CA
>>>>>
>>>>> https://fedorahosted.org/pki/ticket/1110 -
>>>>> pkispawn (configuration) does not provide CA
>>>>> extensions in subordinate certificate signing
>>>>> requests (CSR)
>>>>>
>>>>> They have just recently been fixed upstream so I
>>>>> imagine you could use Microsoft CA now.
>>>>> Theoretically any other CA can be used as an
>>>>> external CA, but if you run into issues, please
>>>>> feel free to report.
>>>>>
>>>>> Christina
>>>>>
>>>>>
>>>>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>>>> Hi
>>>>>>
>>>>>> In my recent thread I read that there is a bug
>>>>>> due to which Microsoft CA can't work as external
>>>>>> CA for dogtag.
>>>>>> Can OpenSSL be used ?
>>>>>>
>>>>>> Thanks
>>>>>> Kritee
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>>>>
>>>
>>>