Hi Arshad,
I'm glad I asked the question. I have been reading the Red Hat manuals to understand
dogtag - I knew these were not for the latest dogtag release, i.e. 1.3, but they were
the most detailed documentation available.
I have been trying to determine how to bring up the pkiconsole for the RA, but it eludes
me.
When I start the RA using 'service pki-rad create <instance-name>', I do
not see the pki console listed - it lists the URLs associated with the RA for agent, EE,
etc.
However, when I start the CA in a similar manner, the command for starting the PKI console
is listed. So I am confused.
So the question is, how do I bring up the PKI RA Console?
Thanks!
Shanthi
-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com]
Sent: Mon 3/22/2010 3:33 PM
To: Thomas Shanthi-LST016
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] CErtificate profile validation
Hmmm... unless something has changed in a new version of the PKI software
(it has been a few months since I last looked at DogTag), I've never had
to modify a .vm or .cgi file to change a profile.
The certificate profiles were always accessible through the PKI Console,
regardless of whether it was an RA or CA instance.
Arshad Noor
StrongAuth, Inc.
----- Original Message -----
From: "Thomas Shanthi-LST016" <Shanthi.Thomas(a)motorola.com>
To: "Arshad Noor" <arshad.noor(a)strongauth.com>
Cc: pki-users(a)redhat.com
Sent: Monday, March 22, 2010 12:22:35 PM (GMT-0800) America/Los_Angeles
Subject: RE: [Pki-users] CErtificate profile validation
Thanks again for the prompt reply, Arshad.
I had created the profile at the CA but had not configured it on the RA
(just to check if the CA was validating it). But I will try it out
completely and get back again.
Also, to confirm - when you say profile configuration at the RA and CA,
I'm assuming you mean the modification of the .vm and .cgi files at the
RA, and at the CA the profile configuration is specified via the
PKI-console.
Thanks,
Shanthi
>-----Original Message-----
>From: Arshad Noor [mailto:arshad.noor@strongauth.com]
>Sent: Monday, March 22, 2010 12:36 PM
>To: Thomas Shanthi-LST016
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] CErtificate profile validation
>
>In order to accomplish what you're doing, Shanthi, what you
>need to do is have two profiles - one at the RA that performs
>verification tasks, and one at the CA that performs
>modifications. So, for example, if you were creating a custom
>profile for a "Basic Assurance Signing Profile"
>(the name is just an example), you would use the same profile
>at the RA and the CA instances, but configure the profile at
>the RA to only verify the information you were expecting from
>the end-entity (such as name-form, key-size, key-type, etc.)
>and then send it to the CA where the profile adds the
>required extensions and constraints.
>
>What is confusing for many RHCS/DogTag users is that while
>the same profile can exist on the RA and the CA, they do not
>see each others' profile configurations - they only see their own
>configurations. You likely configured the profile at the RA
>instance, which the CA is logically ignoring. Modify/create
>your profile at the CA instance and you will get the
>certificates you want.
>
>Arshad Noor
>StrongAuth, Inc.
>
>----- Original Message -----
>From: "Thomas Shanthi-LST016" <Shanthi.Thomas(a)motorola.com>
>To: "Arshad Noor" <arshad.noor(a)strongauth.com>
>Cc: pki-users(a)redhat.com
>Sent: Monday, March 22, 2010 9:48:28 AM (GMT-0800) America/Los_Angeles
>Subject: RE: [Pki-users] CErtificate profile validation
>
>Thanks, Arshad. Is there some way to enforce the CA to
>cross-check the CSR against the profile when the RA is also
>present? Or is this automatically enabled?
>
>I must have missed something when I set the cert profile...
>When I tried this, it seemed as if the CA was not verifying
>correctness of the issued certificate against the cert
>profile. It seemed to be just adding its signature. Also it
>added the Authority Key Identifier but not the subject key
>identifier (as per RFC 5280 it looks the CA adds this field)
>- though both were mentioned in the profile.
>
>>>-----Original Message-----
>>>From: Arshad Noor [mailto:arshad.noor@strongauth.com]
>>>Sent: Monday, March 22, 2010 11:43 AM
>>>To: Thomas Shanthi-LST016
>>>Cc: pki-users(a)redhat.com
>>>Subject: Re: [Pki-users] CErtificate profile validation
>>>
>>>Technically, it can occur at either or both locations.
>>>However, from a business and operational point of view, most PKIs do
>>>the verification at the RA. This is because it allows different RAs
>>>to use different policies, procedures and tools to do the
>>>key-generation, verification, etc., before sending the verified CSR to
>>>the CA for signing.
>>>
>>>From an operational point of view, having RAs do the verification
>>>allows you to scale a CA to sign more certificates in a given unit of
>>>time if it only had to sign certificates and CRLs instead of verifying
>>>and signing.
>>>
>>>Yes, the CA can indeed add all the required constraints/extensions as
>>>needed to the certificate based on the profile, before it signs the
>>>CSR.
>>>
>>>Arshad Noor
>>>StrongAuth, Inc.
>>>
>>>----- Original Message -----
>>>From: "Thomas Shanthi-LST016" <Shanthi.Thomas(a)motorola.com>
>>>To: pki-users(a)redhat.com
>>>Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles
>>>Subject: [Pki-users] CErtificate profile validation
>>>
>>>_______________________________________________
>>>Pki-users mailing list
>>>Pki-users(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/pki-users
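The split Arshad describes in the thread above (a profile at the RA that only verifies key-type, key-size and name-form, and the same profile at the CA that adds the mandated extensions, including the Subject Key Identifier Shanthi expected per RFC 5280) as an added example in Go, written for this page; it is not Dogtag code and not code from anyone on this thread. Everything in it is constructed: the RAPolicy struct stands in for the RA side of a profile (it is not Dogtag's profile format), "Example Corp" and "app.example.test" are made-up names, and the throwaway CA is generated in memory. The standard library's crypto/x509 package plays both the RA and the CA; the SKI is computed the way RFC 5280 section 4.2.1.2 method (1) describes, and Go copies the issuer's SKI into the Authority Key Identifier on its own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RAPolicy is a hypothetical stand-in for the verification half of a profile (not Dogtag's format).
type RAPolicy struct {
	MinRSABits int    // smallest RSA modulus the profile accepts
	RequiredO  string // organisation the subject DN must carry (name-form rule)
}

// VerifyCSR does the RA-side checks: proof of possession, key type, key size and name form.
func VerifyCSR(csrDER []byte, pol RAPolicy) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // requester must actually hold the private key
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < pol.MinRSABits {
		return fmt.Errorf("key-type/key-size: profile requires RSA of at least %d bits", pol.MinRSABits)
	}
	if csr.Subject.CommonName == "" || len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != pol.RequiredO {
		return fmt.Errorf("name-form: subject must be CN=<name>, O=%s", pol.RequiredO)
	}
	return nil
}

// IssueFromCSR plays the CA half: only subject and key are taken from the verified CSR, requested extensions
// are ignored, and the CA profile's own are set. SKI = SHA-1 of the subjectPublicKey BIT STRING (RFC 5280 method 1).
func IssueFromCSR(csrDER []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	pub := csr.PublicKey.(*rsa.PublicKey) // safe: VerifyCSR has already enforced RSA
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(pub))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, SubjectKeyId: ski[:],
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey) // AKI is copied from caCert's SKI
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckIssued is the requester's check on the result: it chains to the CA, carries an SKI, and its AKI names the CA's key.
func CheckIssued(cert, caCert *x509.Certificate) error {
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return err
	}
	if len(cert.SubjectKeyId) == 0 || string(cert.AuthorityKeyId) != string(caCert.SubjectKeyId) {
		return fmt.Errorf("SKI missing or AKI does not match the issuer's SKI")
	}
	return nil
}

func must(err error) { // the constructed fixtures below cannot legitimately fail, so panic keeps them short
	if err != nil {
		panic(err)
	}
}

// RunDemo builds a throwaway CA and one CSR (constructed data), runs the CSR through three RA policies, then the CA.
func RunDemo() (tooSmallRejected, wrongOrgRejected, accepted, issuedOK bool) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // Go fills the CA's SKI
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	subj := pkix.Name{CommonName: "app.example.test", Organization: []string{"Example Corp"}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	must(err)
	tooSmallRejected = VerifyCSR(csr, RAPolicy{MinRSABits: 4096, RequiredO: "Example Corp"}) != nil
	wrongOrgRejected = VerifyCSR(csr, RAPolicy{MinRSABits: 2048, RequiredO: "Other Corp"}) != nil
	accepted = VerifyCSR(csr, RAPolicy{MinRSABits: 2048, RequiredO: "Example Corp"}) == nil
	cert, err := IssueFromCSR(csr, caCert, caKey)
	issuedOK = err == nil && CheckIssued(cert, caCert) == nil
	return
}

func main() { fmt.Println(RunDemo()) }
```

Running it with `go run` prints four booleans, all true: the RA policy rejects the same CSR when it demands a larger key or a different organisation, accepts it when it matches, and the certificate the CA side returns chains to the test CA and carries both key identifiers. The point of the split is visible in the code: VerifyCSR never touches extensions, and IssueFromCSR never trusts anything in the CSR beyond the subject and the public key, which is why a profile configured only at the RA cannot change what the CA puts into the certificate.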