signing a certificate request using CLI
by Fortunato
Hello again.
In advance, I apologize for the basic questions but I'm trying to follow along with the openssl examples.
Signing a CSR is relatively easy using openssl, so I'm wondering if there's a similar CLI command (with options) in DCS.
---
# openssl ca -in /root/CA/cisco1.csr -extensions x509v3_extensions -out /root/CA/cisco1.pem -notext
Using configuration from /root/CA/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'Stargate Command Domain'
commonName :PRINTABLE:'cisco1.stargatecommand.mil'
Certificate is to be certified until Apr 24 17:15:41 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
---
The only thing similar I can find is CMCenroll, but it looks like it can't specify the signing cert as specified in OPENSSL_CONF.
I'm doing reading on the end-entity (EE) versus agent services. Automation is great but I'd like to cover the basics using the CLI. It is Linux BTW. :)
16 years
Re: [Pki-users] certutil: unable to generate key(s)
by Fortunato
SOLVED.
That did the trick, but there were other plain-text items in the file. Additionally there are additional inputs involved when using certutil:
# certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
...
--
The bigger issue is that I wanted to create a Certificate Request using certutil.
-----Original Message-----
>From: Chandrasekar Kannan <ckannan(a)redhat.com>
>Sent: Apr 29, 2009 11:56 AM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: Marc Sauton <msauton(a)redhat.com>, pki-users(a)redhat.com
>Subject: Re: [Pki-users] certutil: unable to generate key(s)
>
>On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>> Thanks!
>>
>> Fixed the -d option.
>>
>> Now I'm getting:
>>
>> Enter Password or Pin for "NSS Certificate DB":
>
> cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
> Look for internal token password.
>
>>
>> I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>>
>> tksTool -N -d .
>>
>> I assume the tksTool is part of pki-tks.
>>
>> -----Original Message-----
>> >From: Marc Sauton <msauton(a)redhat.com>
>> >Sent: Apr 29, 2009 11:42 AM
>> >To: Fortunato <fortunato.montresor(a)earthlink.net>
>> >Cc: pki-users(a)redhat.com
>> >Subject: Re: [Pki-users] certutil: unable to generate key(s)
>> >
>> >Marc Sauton wrote:
>> >> Fortunato wrote:
>> >>> Hello,
>> >>>
>> >>> I haven't found information on the topic but it looks like there's a
>> >>> problem with certutil - using IPv4.
>> >>>
>> >>> [root@localhost alias]# certutil -R -k rsa -g 2048 -s
>> >>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>> >>> /var/lib/pki-sub-ca/ -1 -3 -6
>> >>> certutil: unable to generate key(s)
>> >>> : An I/O error occurred during security authorization.
>> >>>
>> >>> Any ideas would be welcome.
>> >>>
>> >>> _______________________________________________
>> >>> Pki-users mailing list
>> >>> Pki-users(a)redhat.com
>> >>> https://www.redhat.com/mailman/listinfo/pki-users
>> >>>
>> >> May want to tweak the -d option to point to the alias directory
>> >> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>> >> M.
>> >>
>> >> _______________________________________________
>> >> Pki-users mailing list
>> >> Pki-users(a)redhat.com
>> >> https://www.redhat.com/mailman/listinfo/pki-users
>> >Side note: the i/o error happens because of the missing NSS db files,
>> >either wrong alias directory with -d, or need a certutil -N -d <path> to
>> >create them.
>> >M.
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>--
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Chandrasekar Kannan -- ckannan(a)redhat.com
>Quality Engineering -- http://www.redhat.com
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
16 years
Re: [Pki-users] certutil: unable to generate key(s)
by Fortunato
Thanks!
Fixed the -d option.
Now I'm getting:
Enter Password or Pin for "NSS Certificate DB":
I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
tksTool -N -d .
I assume the tksTool is part of pki-tks.
-----Original Message-----
>From: Marc Sauton <msauton(a)redhat.com>
>Sent: Apr 29, 2009 11:42 AM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] certutil: unable to generate key(s)
>
>Marc Sauton wrote:
>> Fortunato wrote:
>>> Hello,
>>>
>>> I haven't found information on the topic but it looks like there's a
>>> problem with certutil - using IPv4.
>>>
>>> [root@localhost alias]# certutil -R -k rsa -g 2048 -s
>>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>>> /var/lib/pki-sub-ca/ -1 -3 -6
>>> certutil: unable to generate key(s)
>>> : An I/O error occurred during security authorization.
>>>
>>> Any ideas would be welcome.
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>> May want to tweak the -d option to point to the alias directory
>> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>> M.
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>Side note: the i/o error happens because of the missing NSS db files,
>either wrong alias directory with -d, or need a certutil -N -d <path> to
>create them.
>M.
16 years
pkicreate and IPv6
by Fortunato
Hello again,
I just used pkicreate to create another CA instance and still don't see how to configure the new CA to use an IPv6 address. Is there a way to configure the new CA to use the IPv6 address?
# service pki-ca2 status
pki-ca2 (pid 7867) is running ...
Unsecure Port = http://fed10.tpn-af.mil:9280/ca/ee/ca
Secure Agent Port = https://fed10.tpn-af.mil:9544/ca/agent/ca
Secure EE Port = https://fed10.tpn-af.mil:9543/ca/ee/ca
Secure Admin Port = https://fed10.tpn-af.mil:9545/ca/services
Secure Admin Port = pkiconsole https://fed10.tpn-af.mil:9545/ca
Tomcat Port = 9801 (for shutdown)
Only the 1) Unsecure Port entry and 2) the Tomcat Port appears to be listening on IPv6.
# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 9061/java
tcp 0 0 0.0.0.0:9444 0.0.0.0:* LISTEN 9061/java
tcp 0 0 0.0.0.0:9445 0.0.0.0:* LISTEN 9061/java
tcp 0 0 0.0.0.0:9543 0.0.0.0:* LISTEN 7867/java
tcp 0 0 0.0.0.0:9544 0.0.0.0:* LISTEN 7867/java
tcp 0 0 0.0.0.0:9545 0.0.0.0:* LISTEN 7867/java
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2121/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2883/sshd
tcp 0 0 0.0.0.0:41495 0.0.0.0:* LISTEN 2134/rpc.statd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2900/sendmail: acce
tcp 0 0 :::9280 :::* LISTEN 7867/java
tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 9061/java
tcp 0 0 :::389 :::* LISTEN 2471/ns-slapd
tcp 0 0 :::9830 :::* LISTEN 2572/httpd.worker
tcp 0 0 ::ffff:127.0.0.1:9801 :::* LISTEN 7867/java
tcp 0 0 :::111 :::* LISTEN 2121/rpcbind
tcp 0 0 :::22 :::* LISTEN 2883/sshd
tcp 0 0 :::9180 :::* LISTEN 9061/java
The file /etc/pki-ca2/CS.cfg appears to have places for localhost or machinename (hostname) but the settings are sprinkled all over the file.
Any ideas?
As an observation, I so far see IPv6 support as somewhat limited and arbitrary considering the way 9180 was selected and the weird 9801 address.
16 years
certutil: unable to generate key(s)
by Fortunato
Hello,
I haven't found information on the topic but it looks like there's a problem with certutil - using IPv4.
[root@localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
certutil: unable to generate key(s)
: An I/O error occurred during security authorization.
Any ideas would be welcome.
16 years
Support for XKMS in Dogtag Certificate System
by Cyril Dangerville
Hello,
does Dogtag support XKMS (W3C XML Key Management Specification)? If not,
is it in the roadmap? What priority?
Thanks for any tip.
regards
--
Cyril Dangerville
16 years
SCEP - FlatFileAuth and NullPointerException
by Fortunato
Hello again...
I just tried this with some an IPv6 address in:
/var/lib/rhpki-ca/conf/flatfile.txt
Explicitly:
--
UID=2001:a::1
PWD=123456
--
Here's the error trail...
---
# tail -f /var/log/pki-ca/debug
[23/Apr/2009:18:30:03][http-9180-Processor24]: operation=PKIOperation
[23/Apr/2009:18:30:03][http-9180-Processor24]: message=MIIHWQYJK
...
hK1frjNF9w+FCAIahXRKFlQmGEVJ8IU5bBRiS1hfjjybPD3XDWb0B4UZjyr/JFYcE/3gwnw==
[23/Apr/2009:18:30:03][http-9180-Processor24]: Processing PKCSReq
[23/Apr/2009:18:30:03][http-9180-Processor24]: getConn: mNumConns now 2
[23/Apr/2009:18:30:03][http-9180-Processor24]: returnConn: mNumConns now 3
[23/Apr/2009:18:30:03][http-9180-Processor24]: decryptedP10bytes:
30 82 01 cf 30 82 01 38 02 01 00 30 3e 31 16 30
...
3f ad 12 05 05 05 05 05
[23/Apr/2009:18:30:03][http-9180-Processor24]: Found profile=caRouterCert
[23/Apr/2009:18:30:03][http-9180-Processor24]: Retrieving authenticator
[23/Apr/2009:18:30:03][http-9180-Processor24]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: authenticating user: finding user from key: 2001:a:0:0:0:0:0:1
[23/Apr/2009:18:30:03][http-9180-Processor24]: handlePKIMessage exception java.lang.NullPointerException
java.lang.NullPointerException
at com.netscape.cms.authentication.FlatFileAuth.authenticate(FlatFileAuth.java:462)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.authenticate(CRSEnrollment.java:276)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.postRequest(CRSEnrollment.java:1378)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1282)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:671)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:231)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:636)
[23/Apr/2009:18:30:03][http-9180-Processor24]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: null
---
I tried with an IPv4 address again.
---
[23/Apr/2009:19:29:40][http-9180-Processor25]: Found profile=caRouterCert
[23/Apr/2009:19:29:40][http-9180-Processor25]: Retrieving authenticator
[23/Apr/2009:19:29:40][http-9180-Processor25]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Apr/2009:19:29:40][http-9180-Processor25]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[23/Apr/2009:19:29:40][http-9180-Processor25]: FlatFileAuth: authenticating user: finding user from key: 200.1.0.1
[23/Apr/2009:19:29:40][http-9180-Processor25]: handlePKIMessage exception java.lang.NullPointerException
java.lang.NullPointerException
at com.netscape.cms.authentication.FlatFileAuth.authenticate(FlatFileAuth.java:462)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.authenticate(CRSEnrollment.java:276)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.postRequest(CRSEnrollment.java:1378)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1282)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:671)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:231)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:636)
[23/Apr/2009:19:29:40][http-9180-Processor25]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: null
--
Same NullPointerException even after restarting pki-ca.
Any ideas?
16 years
Re: [Pki-users] SSCEP enroll using CA
by Fortunato
Solved.
The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section of the manual makes sense now.)
And, mkrequest has to be run before the enroll request with the UID and PWD options, otherwise /var/log/rhpki-ca/debug complains about duplicate requests.
--
All this still begs the question, "How to use the RA to do this?" - but I'll leave that question alone for now.
Thanks all. And now I'm off to try this on IPv6...
-----Original Message-----
>From: Marc Sauton <msauton(a)redhat.com>
>Sent: Apr 23, 2009 8:43 PM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] SSCEP enroll using CA
>
>Marc Sauton wrote:
>> Fortunato wrote:
>>> I'm making lots of progress, but there seems to be a lack (or at
>>> least its unclear to me still) in the way to configure SCEP
>>> enrollment on the CA.
>>>
>>> All the manual references use the RA thru:
>>>
>>> http://<fqdn>:12888/ee/scep/index.cgi
>>> to configure SCEP.
>>>
>>> But in order to get the CA cert and do a SCEP enroll, most examples use:
>>>
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>
>>> Is there something similar to the RA on the CA web gui to create the
>>> SCEP requests?
>>>
>>> Lastly, I'm trying to use sscep as follows:
>>>
>>> # ./sscep getca -c ca.crt -u
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>> ...
>>> ./sscep: CA certificate written as ca.crt
>>>
>>> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>
>>> But all that is returned is:
>>> ./sscep: sending certificate request
>>> ./sscep: valid response from server
>>> ./sscep: pkistatus: FAILURE
>>> ./sscep: reason: Transaction not permitted or supported
>>>
>>> Any helpful logs would be appreciated, but my guess is that I'm
>>> overlooking a web gui somewhere off port 9080. Is there something in
>>> the CA or RA that could help identify a more specific FAILURE reason?
>>>
>>>
>> Try to get a look at your /var/log/rhpki-ca/debug file, and check
>> /var/lib/rhpki-ca/conf/flatfile.txt
>> should be in the form of:
>> UID:x.x.x.x
>> PWD:password
>> See:
>> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
>>
>In some tests, I think I used mkrequest, and then something like below,
>with more verbose output:
>sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l
>/var/tmp/local.crt -t 15 -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
16 years
SSCEP enroll using CA
by Fortunato
I'm making lots of progress, but there seems to be a lack (or at least its unclear to me still) in the way to configure SCEP enrollment on the CA.
All the manual references use the RA thru:
http://<fqdn>:12888/ee/scep/index.cgi
to configure SCEP.
But in order to get the CA cert and do a SCEP enroll, most examples use:
http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
Is there something similar to the RA on the CA web gui to create the SCEP requests?
Lastly, I'm trying to use sscep as follows:
# ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
...
./sscep: CA certificate written as ca.crt
# ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
But all that is returned is:
./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported
Any helpful logs would be appreciated, but my guess is that I'm overlooking a web gui somewhere off port 9080. Is there something in the CA or RA that could help identify a more specific FAILURE reason?
16 years
Re: [Pki-users] SSCEP client requesting CA cert
by Chandrasekar Kannan
On Thu, 2009-04-23 at 13:52 -0700, Fortunato wrote:
> Solved.
cool. thanks.
>
> I pointed sscep to the url:
>
> # ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>
> I know I'll run into issues with the rest... :) but I'll work on those bridges once I cross them.
>
> -----Original Message-----
> >From: Chandrasekar Kannan <ckannan(a)redhat.com>
> >Sent: Apr 23, 2009 1:09 PM
> >To: Fortunato <fortunato.montresor(a)earthlink.net>
> >Cc: pki-users(a)redhat.com
> >Subject: Re: [Pki-users] SSCEP client requesting CA cert
> >
> >On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
> >> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> >> > Thanks to all for your help so far. :)
> >> >
> >> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
> >> >
> >> > http://<fqdn>:12888/ee/scep/pkiclient.cgi
> >> >
> >> > I get the following error message:
> >> >
> >> > ./sscep: cannot find data from http reply
> >> >
> >> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
> >> >
> >> > Additionally all the examples for retrieving the CA are for:
> >> >
> >> > http://<fqdn>:9180/ca/cgi.bin
> >> >
> >> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
> >> >
> >> > ./sscep: wrong (or missing) MIME content type
> >> > ./sscep: error while sending message
> >> >
> >> > which looks even more hopeless.
> >> >
> >> > Any help is appreciated.
> >>
> >> Here's a perl module that we use for simple scep testing.
> >> I'll try to dig out the url and pin soon for a sample ...
> >
> >
> >some sample results from this. might be useful for you.
> >##########################################################################
> >
> >scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l
> >root /bin/rm -f local.csr
> > local.key ca.crt cert.crt
> >scep3 : [2007:5:9 12:44:7] : result =
> >scep3 : [2007:5:9 12:44:7] : ########################################################
> >scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest
> > -ip 10.14.1.89 netscape
> >Generating RSA private key, 1024 bit long modulus
> >..............++++++
> >...........++++++
> >e is 65537 (0x10001)
> >scep3 : [2007:5:9 12:44:7] : result =
> >scep3 : [2007:5:9 12:44:7] : ########################################################
> >scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca
> > -c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
> >scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate
> > /usr/bin/sscep: valid response from server
> > /usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
> > /usr/bin/sscep: CA certificate written as ca.crt
> >scep3 : [2007:5:9 12:44:8] : ########################################################
> >scep3 : [2007:5:9 12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll
> > -c ca.crt -k local.key -r local.csr -l cert.crt -u
> > http://tank:9007/ca/cgi-bin/pkiclient.exe
> >scep3 : [2007:5:9 12:44:9] : result = /usr/bin/sscep: sending certificate request
> > /usr/bin/sscep: valid response from server
> > /usr/bin/sscep: pkistatus: SUCCESS
> > /usr/bin/sscep: certificate written as cert.crt
> >scep3 : [2007:5:9 12:44:9] : ########################################################
> >scep3 : [2007:5:9 12:44:9] : TestCaseResult scep3 PASS
> >##########################################################################
> >
> >
> >>
> >>
> >> ######################################################################
> >> # This perl module serves as a perl interface for the RHCS
> >> # SCEP - Enrollment
> >>
> >> ######################################################################
> >> package scep_enroll;
> >> require Exporter;
> >> @ISA = qw(Exporter);
> >> @EXPORT = qw(scep_do_enroll_with_sscep
> >> );
> >>
> >> ######################################################################
> >> use strict;
> >> use baserc;
> >> use baselib;
> >> use applib;
> >> #use Net::Telnet::Cisco;
> >> ######################################################################
> >> #sub scep_do_enroll
> >> #{
> >> # my ($scep_enroll_pin,$scep_enroll_url) = @_;
> >> #
> >> # # scep_host/password are hardcoded here.
> >> # my $scep_host = "scep.dsdev.sjc.redhat.com";
> >> # my $scep_host_ip = "10.14.1.94";
> >> # my $scep_password = "netscape";
> >> # my $scep_ethernet = "Ethernet0/0";
> >> #
> >> # my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
> >> # $session->login('', "$scep_password");
> >> # $session->ignore_warnings("1");
> >> #
> >> # # Execute a command
> >> # &message_ts;
> >> # my @output = $session->cmd('show version');
> >> # log_entry(@output);
> >> #
> >> # # Enable mode
> >> # if ($session->enable("$scep_password") )
> >> # {
> >> # @output = $session->cmd('show privilege');
> >> # log_entry("My privileges: @output\n");
> >> # }
> >> # else
> >> # {
> >> # log_entry("Can't enable: " . "$session->errmsg");
> >> # }
> >> #
> >> # # enter conf t mode
> >> # log_entry("Executing command = conf t\n");
> >> # @output = $session->cmd("conf t");
> >> # log_entry("result =@output \n");
> >> #
> >> # # perform crypto cleanup first
> >> # log_entry("Executing command = crypto key zeroize rsa \n");
> >> # @output = $session->cmd("crypto key zeroize rsa\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = no crypto ca identity CA\n");
> >> # @output = $session->cmd("no crypto ca identity CA\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # # setup CA identity
> >> # log_entry("Executing command = crypto ca identity CA\n");
> >> # @output = $session->cmd("crypto ca identity CA");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = enrollment url $scep_enroll_url \n");
> >> # @output = $session->cmd("enrollment url $scep_enroll_url ");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = crl optional\n");
> >> # @output = $session->cmd("crl optional");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = exit \n");
> >> # @output = $session->cmd("exit");
> >> # log_entry("result = @output\n");
> >> #
> >> # # authenticate CA
> >> # log_entry("Executing command = crypto ca authenticate CA\n");
> >> # @output = $session->cmd("crypto ca authenticate CA\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = crypto key generate rsa\n");
> >> # @output = $session->cmd("crypto key generate rsa\n512");
> >> # log_entry("result = @output\n");
> >> # sleep(60);
> >> #
> >> # log_entry("Executing command = crypto ca enroll CA \n");
> >> # @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n
> >> $scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = exit \n");
> >> # @output = $session->cmd("exit");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = show crypto CA certificate\nq\n");
> >> # @output = $session->cmd("show crypto CA certificate\nq\n");
> >> # log_entry("result = @output\n");
> >> #
> >> # foreach(@output)
> >> # {
> >> # if( /$scep_host/ || /Key Usage: General Purpose/ )
> >> # {
> >> # return 0;
> >> # }
> >> # }
> >> #
> >> #
> >> ##########################################################################
> >> # # close the session object
> >> # $session->close;
> >> #
> >> # return 1;
> >> #}
> >> ######################################################################
> >> sub scep_do_enroll_with_sscep
> >> {
> >> # This sub-routine uses the Simple SCEP client to do scep enrollments.
> >> # this can be used as an alternative if we don't have the router
> >> # the scep client is installed on tank.dsdev.sjc.redhat.com
> >>
> >> my ($scep_enroll_pin,$scep_enroll_url) = @_;
> >>
> >> # scep_host/password are hardcoded here.
> >> my $scep_host = "tank.dsdev.sjc.redhat.com";
> >> my $uid = "root";
> >> my $ipaddress = os_getip();
> >>
> >> # clean up
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr
> >> local.key ca.crt cert.crt \n");
> >> my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key
> >> ca.crt cert.crt`;
> >> log_entry("result = $result\n");
> >>
> >> # generate a key
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip
> >> $ipaddress $scep_enroll_pin \n");
> >> $result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress
> >> $scep_enroll_pin `;
> >> log_entry("result = $result\n");
> >>
> >> # get ca cert
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c
> >> ca.crt -u $scep_enroll_url\n");
> >> $result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u
> >> $scep_enroll_url`;
> >> log_entry("result = $result\n");
> >>
> >> # submit enrollment request
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep enroll -c
> >> ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url \n");
> >> my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k
> >> local.key -r local.csr -l cert.crt -u $scep_enroll_url `;
> >> log_entry("result = @output \n");
> >>
> >> # parse for success
> >> log_entry("########################################################
> >> \n");
> >> foreach(@output)
> >> {
> >> if(/pkistatus: SUCCESS/ || /certificate written as/ )
> >> {
> >> return 0;
> >> }
> >> }
> >>
> >> # failure
> >> return 1;
> >> }
> >> #########################################################################
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Pki-users mailing list
> >> > Pki-users(a)redhat.com
> >> > https://www.redhat.com/mailman/listinfo/pki-users
> >--
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Chandrasekar Kannan -- ckannan(a)redhat.com
> >Quality Engineering -- http://www.redhat.com
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan(a)redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16 years
