Hi all,
Newbie, I'm testing pki features but end user cannot access
http://server_ip:9180/ca/ee/ca for a certificate request.
A "netstat -anp" shows service is listening on port 9180 but maybe only
on localhost.
An "nmap" shows only ssh port open.
How to give access to the end user for a certificate request?
My configuration is F11 and all features are installed (ca,ra,..). I've
flushed all filters "iptables -F".
Thanks for any help
Philippe
Is this the correct format for the subject directory extension format
with no constraint?
policyset.xxx.11.constraint.class_id=noConstraintImpl
policyset.xxx.11.constraint.name=No Constraint
policyset.xxx.11.default.class_id=subjectDirAttributesExtDefaultImpl
policyset.xxx.11.default.name=Subject Directory Attributes Extension Default
policyset.xxx.11.default.params.subjDirAttrEnable_0=true
policyset.xxx.11.default.params.subjDirAttrName_0=cn
policyset.xxx.11.default.params.subjDirAttrPattern_0=$request.cn$
policyset.xxx.11.default.params.subjDirAttrsCritical=true
I correctly see the subject directory populated but the logs don't
like the name supplied.
[23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate start
[23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: invalid OID syntax: cn
[23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate end
The admin guide implies it can be any LDAP attribute.
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Certificate_and_CRL_Extensions.html#Subject_Directory_Attributes_Extension_Default
Also, I've extended inetorg person to add my own custom attributes.
The data can be correctly found by the certificate, but
subjectDirAttributes is giving another error, as this snippet of logs
shows. Can you use custom attributes or are you limited to what is in
inetorgperson object class? In this case the certificate is not
generated.
[23/Nov/2009:15:01:29][http-9444-Processor25]: nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: edipi=1605353424
...
[23/Nov/2009:15:01:29][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate start
[23/Nov/2009:15:01:29][http-9444-Processor25]: SubjectDirAttributesExtDefault: invalid OID syntax: edipi
[23/Nov/2009:15:01:29][http-9444-Processor25]: ProfileSubmitServlet: populate Invalid attribute edipi
Thanks
Sean
Hello,
I'm trying to enable ssl client authentication with the internal
database for the TPS.
Using the Administrator Guide chapter 13.5.2, I've successfully enabled
ssl client authentication to the internal database for the CA, DRM, and
TKS.
However, the final step 11 of 13.5.2 requires the modification of CS.cfg
parameters:
internaldb.ldapauth.authtype
internaldb.ldapauth.clientCertNickname
internaldb.ldapconn.port
internaldb.ldapconn.secureConn
All of which are missing from TPS CS.cfg, and I can't seem to find any
corresponding parameters.
First off, has this feature been implemented with the TPS?
If so, what are the corresponding CS.cfg parameters? Or what parameters
should I change elsewhere?
Thanks
Sean
Hi,
I am in the process of setting up a CA which requires the use of a FIPS certified HSM.
I plan to use dogtag certificate system. Can anyone recommend an HSM
which will work with dogtag system?
Thanks in advance,
John
I might have messed up when managing pki-users and this did not come
through. Hence the forward.
Christina
Subject: Help needed on dogtag
From: John Dorovski <johndorovski(a)googlemail.com>
Date: Tue, 17 Nov 2009 10:58:18 -0500
To: pki-users(a)redhat.com
Hi,
I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
I used a SafeNet ProtectServer Gold HSM as keystore.
The dogtag system installation and configuration were fine. No error was
reported.
All keys and certificates were generated inside the HSM.
But when I tried to access the secure admin interface at
https://localhost:localdomain:9545
I got error message:
Secure Connection Failed
An error occurred during a connection to localhost.localdomain:8445
SSL peer reports incorrect Message Authentication Code.
(Error code: ssl_error_bad_mac_alert)
I checked the server certificate (viewed it with IE on a Windows box).
It seems fine.
Does anybody know what is wrong and how I can fix it?
Thanks,
John
Can a Redhat CA profile be created for Attributes certificate?
Has anyone tried this or what problems will not allow it to be usable?
From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI
Hi,
Is it possible to configure a CA so the CRLs are generated every X
time (say every 1 day) but Next Update specified for a longer time, say
every 5 days?
If so, how do you do that?
Thanks
Sean