Dear John,
thanks for the reply.
Is there a way to use different profiles for enrollment?
I tried to duplicate the default CMC profile and all entries belonging to this profile
(web.xml).
If I start a request with HttpClient I get an authentication error.
Here is my config:
# /var/lib/pki-test/profiles/ca/caFullCMCWebCert.cfg
--------------------------------------------------
desc=Bla bla
enable=true
enableBy=admin
name=Signed CMC-Authenticated Webserver Certificate Enrollment
visible=true
auth.instance_id=CMCAuth
input.list=i1,i2
input.i1.class_id=cmcCertReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=cmcWebserverCertSet
--------------------------------------------------
# /etc/pki-test/CS.conf
--------------------------------------------------
profile.caFullCMCWebCert.class_id=caEnrollImpl
profile.caFullCMCWebCert.config=/var/lib/pki-test/profiles/ca/caFullCMCWebCert.cfg
--------------------------------------------------
# web.xml
--------------------------------------------------
<servlet-mapping>
  <servlet-name> caProfileSubmitCMCWeb </servlet-name>
  <url-pattern> /ee/ca/profileSubmitCMCWeb </url-pattern>
</servlet-mapping>
<servlet>
  <servlet-name> caProfileSubmitCMCWeb </servlet-name>
  <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class>
  <init-param><param-name> GetClientCert </param-name>
    <param-value> false </param-value>
  </init-param>
  <init-param><param-name> cert_request_type </param-name>
    <param-value> cmc </param-value>
  </init-param>
  <init-param><param-name> profileId </param-name>
    <param-value> caFullCMCWebCert </param-value>
  </init-param>
  <init-param><param-name> AuthzMgr </param-name>
    <param-value> BasicAclAuthz </param-value>
  </init-param>
  <init-param><param-name> authorityId </param-name>
    <param-value> ca </param-value>
  </init-param>
  <init-param><param-name> ID </param-name>
    <param-value> caProfileSubmitCMCWeb </param-value>
  </init-param>
  <init-param><param-name> templatePath </param-name>
    <param-value> /ee/ca/ProfileSubmit.template </param-value>
  </init-param>
  <init-param><param-name> resourceID </param-name>
    <param-value> certServer.ee.profile </param-value>
  </init-param>
  <init-param><param-name> interface </param-name>
    <param-value> ee </param-value>
  </init-param>
</servlet>
--------------------------------------------------
Any ideas?
Thanks
Br
Florian
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Friday, 16 October 2015 20:44
To: Supper Florian OSS sIT
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9
I'm assuming you are using HttpClient to send the CMC requests.
Looking around it appears that the caProfileSubmitCMCFull servlet.
The servlet config for this has a profileID field.
So you COULD create a new profile based on mods to the caFullCMCUserCert
profile and set it in the web.xml.
Unless of course if you need to send individual requests to different profiles this would
not help.
----- Original Message -----
From: "Supper Florian OSS sIT" <Florian.Supper(a)s-itsolutions.at>
To: pki-users(a)redhat.com
Sent: Friday, October 16, 2015 1:38:06 AM
Subject: [Pki-users] Automatic enrollment of certificate with different profiles on Dogtag 9
Hi,
1)
I’m searching for a better solution to automate our enrollment process.
We’re using Dogtag 9. We would like to use 10, but some features we need are not
implemented at the moment.
At the moment we’re using CMC requests for enrollment. It works pretty well, but the problem
is that you can use just one profile for this type of enrollment.
So I tried to find a better solution, but I can’t find one.
At the moment I’m playing around with browser automation, but no luck so far.
Does anyone have a better solution (for Dogtag 9) to enroll certificates with different
profiles?
2) Has anyone a valid link for downloading the windows auto enrollment proxy exe file?
Br
Florian