Thanks for your response. I was looking more for a server-side
configuration to enable it, like Microsoft CA has. It seems there is no such
configuration and one has to trigger approval separately. Doing it via the
REST API is probably quicker, hence I saw this:
https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-...
I am able to make calls to get a certificate i.e.
https://192.168.56.103:8443/ca/rest/certs/0xd successfully but when I try
to approve a pending request I get an error.
If I don't set *Content-Type* I get *Unsupported media type*, and when I set
it to *application/xml* I get *400 Bad Request* with the following exception:
javax.xml.bind.JAXBException
- with linked exception:
[java.security.PrivilegedActionException: javax.xml.bind.UnmarshalException
- with linked exception:
[org.xml.sax.SAXParseException; Premature end of file.]]
Do I need to log in and pass some token to the *approve* call as hinted
here:
https://www.dogtagpki.org/wiki/PKI_REST_API? I am using the admin
cert for client auth and testing using Postman which comes as default and
hence should be able to approve. Having said that, I can trigger approve via
the CLI command while authenticated by the same admin cert:
pki -c Secret.123 -n "PKI Administrator for localhost.localdomain" ca-cert-request-review 40 --action approve
In short, I can achieve approval by sending the P10 cert request via the Java
SDK and then approving via the CLI, but I would prefer the RESTful API
approach if possible. Any hint on why the RESTful API could be failing?
Regards,
WK
On Thu, Oct 29, 2020 at 3:21 AM Marc Sauton <msauton(a)redhat.com> wrote:
yes, it works by having SSL client authentication for an "agent" user, or
LDAP basic authentication (without or with a pre-defined pin), or CMC:
example for SSL server cert, look at the profile caAgentServerCert.cfg
example for SSL server cert using CMC, see
https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with...
for end user cert, examples with caDirPinUserCert.cfg, caDirUserCert.cfg
from the pki command line with LDAP basic authentication, look for the
command cert-request-submit with the --username
either
pki cert-request-submit --help
or
pki ca-cert-request-submit --help
see
https://www.dogtagpki.org/wiki/Directory-Authenticated_Profiles
On Wed, Oct 28, 2020 at 2:20 AM Wahaj K <mwahaj3120(a)gmail.com> wrote:
> Hi Guys,
>
> I am new to Dogtag PKI and have installed it on Fedora 33. I am able to
> send a PKCS#10 certificate, approve and then get the issued certificate. I
> need to know a way to generate the certificate without manual approval,
> hence when a PKCS#10 request is sent, the certificate is generated right
> away. I have looked at profiles and CA configuration but couldn't see a way. I
> am using Dogtag 10.9. Is this possible? Any guidance is appreciated.
>
> Regards,
> Wahaj