Dears,
I am experiencing the same issue (KRA missing in CA nssdb) when attempting to
enroll via the browser with the profile "Manual User Dual-Use Certificate
Enrollment using server-side Key generation":
2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO: UserSubjectNameDefault: Subject: UID=rriemann,E=robert.riemann@work.domain,CN=WORK IT
2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: ProfileSubmitServlet: error in processing request: KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
        at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
        at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
        at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
The link https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
provided by Chris Zinda in 2021 is unfortunately broken/empty.
What I have done so far:
- I have set up the directory server and CA+KRA in the same pki-tomcat
instance.
- I have checked whether the kra_transport certificate is in the CA nssdb:
$ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
sslserver                                                    u,u,u
subsystem                                                    u,u,u
ca_audit_signing                                             u,u,Pu
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
kra_audit_signing                                            u,u,Pu
- I have read
https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
- I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
"ca.connector.KRA.transportCertNickname=kra_transport"
(However, ca.connector.KRA.transportCert was already set accurately)
- Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
- I've tested with `pki -n caadmin ca-kraconnector-show`:
Host: pki-test.riemann.cc:8443
Enabled: true
Local: false
Timeout: 30
URI: /kra/agent/kra/connector
Transport Cert:
MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
[…]
What else could be wrong? You can find my setup script below.
Best,
Robert
#!/usr/bin/sudo /bin/bash

# These must be set in the environment before the script runs (note that
# sudo's default env_reset drops most variables unless they are in env_keep).
: "${DS_PASSWORD:?DS_PASSWORD must be set}"
: "${SUFFIX:?SUFFIX must be set (e.g. dc=example,dc=com)}"
: "${PKI_SERVER_PASSWORD:?PKI_SERVER_PASSWORD must be set}"
: "${PKI_CA_PASSWORD:?PKI_CA_PASSWORD must be set}"
: "${PKI_CA_CLIENT_PASSWORD:?PKI_CA_CLIENT_PASSWORD must be set}"
: "${PKI_KRA_PASSWORD:?PKI_KRA_PASSWORD must be set}"
: "${PKI_KRA_CLIENT_PASSWORD:?PKI_KRA_CLIENT_PASSWORD must be set}"

cat << EOF > /etc/security/limits.d/01-pki
# Dogtag CA Settings
root hard nofile 4096
root soft nofile 4096
EOF

dnf update -y
dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme

# Create Directory Server Instance:
#
# https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
#
dscreate create-template ds-template.inf

# Fill in the template; "w ds.inf" writes every (edited) line to ds.inf
sed --silent \
    -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
    -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
    -e "s/;suffix = .*/suffix = $SUFFIX/g" \
    -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
    -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
    -e "w ds.inf" \
    ds-template.inf
dscreate from-file ds.inf

# Create the dc=pki subtree that the CA/KRA will use
ldapadd -H "ldap://$HOSTNAME" -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
dn: dc=pki,$SUFFIX
objectClass: domain
dc: pki
EOF

systemctl status dirsrv@localhost.service

# Create PKI CA Server
#
curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
# cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg

sed --silent \
    -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
    -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
    -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
    -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
    -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
    -e "w ca.cfg" \
    ca-template.cfg
pkispawn -f ca.cfg -s CA

# Export the CA signing cert and import it into the client NSS DB of user "fedora"
pki-server cert-export ca_signing --cert-file ca_signing.crt
sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt

# https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PK...
sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
sudo -u fedora pki info # for testing the setup

# Create PKI KRA Server
#
cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg

sed --silent \
    -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
    -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
    -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
    -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
    -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
    -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
    -e "w kra.cfg" \
    kra-template.cfg
pkispawn -f kra.cfg -s KRA
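The error in the post says the CA cannot find the KRA transport certificate, while the poster has shown that a cert with the nickname kra_transport is present in the CA NSS DB and that CS.cfg carries a base64 transport cert. A useful next check is whether those two are actually the same certificate. The script below is an added example written for this thread, not code from the post or from the Dogtag project. It assumes the paths and nicknames from the post (/var/lib/pki/pki-tomcat/ca/alias, .../ca/conf/CS.cfg, kra_transport) and assumes that CS.cfg stores ca.connector.KRA.transportCert as a single base64 line without PEM armor; the sample CS.cfg and PEM content used for the self-test are constructed.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post): compares the transport
# certificate the CA expects (ca.connector.KRA.transportCert in CS.cfg) with
# the certificate stored under the kra_transport nickname in the CA NSS DB.

# Strip PEM armor lines and all whitespace so two encodings of the same
# certificate compare equal as one base64 string. Reads stdin.
pem_body() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' | tr -d ' \t\r\n'
}

# Print the value of key $2 from the CS.cfg-style file $1 (empty if absent).
cfg_value() {
    sed -n "s/^$2=//p" "$1" | tr -d ' \t\r\n'
}

# $1 = CS.cfg path, $2 = PEM file holding the cert taken from the NSS DB.
# Returns 0 when both carry the same certificate, 1 when they differ,
# 2 when either side is missing (e.g. the CS.cfg key was never written).
transport_cert_matches() {
    cfg=$(cfg_value "$1" 'ca.connector.KRA.transportCert')
    nss=$(pem_body < "$2")
    [ -n "$cfg" ] && [ -n "$nss" ] || return 2
    [ "$cfg" = "$nss" ]
}

# Live check against a CA instance; paths below are assumptions taken from
# the post. Uses certutil -a to export the nicknamed cert as PEM.
check_live_ca() {
    alias_dir=${1:-/var/lib/pki/pki-tomcat/ca/alias}
    cs_cfg=${2:-/var/lib/pki/pki-tomcat/ca/conf/CS.cfg}
    nick=$(cfg_value "$cs_cfg" 'ca.connector.KRA.transportCertNickname')
    tmp=$(mktemp)
    certutil -L -d "$alias_dir" -n "${nick:-kra_transport}" -a > "$tmp"
    transport_cert_matches "$cs_cfg" "$tmp"
    rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo "OK: CS.cfg transport cert matches NSS DB entry ${nick:-kra_transport}" ;;
        1) echo "MISMATCH: CS.cfg transport cert differs from NSS DB entry" >&2 ;;
        *) echo "MISSING: transport cert absent in CS.cfg or NSS DB" >&2 ;;
    esac
    return $rc
}

# Usage: sh check_transport_cert.sh --live [alias_dir] [CS.cfg]
if [ "${1:-}" = "--live" ]; then
    shift
    check_live_ca "$@"
fi
```

Run it on the CA host with `--live`; a MISMATCH result means the KRA was reinstalled (or its transport cert renewed) after the CA connector was configured, and the CS.cfg value or the NSS DB entry needs to be refreshed so that both refer to the current KRA transport certificate.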