SSCEP client requesting CA cert
by Fortunato
Thanks to all for your help so far. :)
Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
http://<fqdn>:12888/ee/scep/pkiclient.cgi
I get the following error message:
./sscep: cannot find data from http reply
It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
Additionally all the examples for retrieving the CA are for:
http://<fqdn>:9180/ca/cgi.bin
I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
./sscep: wrong (or missing) MIME content type
./sscep: error while sending message
which looks even more hopeless.
Any help is appreciated.
15 years, 9 months
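What a SCEP client has to verify in a GetCACert reply before it can use the payload, as an added example that is not part of this thread and is not sscep's code: the reply is parsed offline from constructed sample responses, the Content-Type is checked against the two MIME types RFC 8894 assigns to GetCACert, the body is checked for a DER SEQUENCE, and a SHA-256 fingerprint is compared with a value the operator obtained out of band, because the GetCACert fetch itself carries no integrity protection. The result labels reuse the two sscep messages quoted above so the cases are recognisable; the order of the checks is this example's, not necessarily sscep's, and the DER body is a placeholder, not a real certificate.

```python
import hashlib

# MIME types RFC 8894 assigns to GetCACert replies.
MIME_GETCA = "application/x-x509-ca-cert"        # one DER-encoded CA certificate
MIME_GETCA_RA = "application/x-x509-ca-ra-cert"  # degenerate PKCS#7 carrying CA + RA certs

# Constructed sample replies (not captured from any server).  The DER body is a
# placeholder SEQUENCE, not a real certificate; it only has to start with tag 0x30.
FAKE_DER_CERT = b"\x30\x03\x02\x01\x01"
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n"
             b"Content-Length: 5\r\n\r\n" + FAKE_DER_CERT)
SAMPLE_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body>SCEP Enrollment</body></html>")
SAMPLE_EMPTY = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n\r\n"
SAMPLE_TRUNCATED = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n"
SAMPLE_NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html/>"


def parse_http_reply(raw):
    """Split a raw HTTP/1.x reply into (status, lower-cased header dict, body).
    Raises ValueError when the blank line ending the headers is missing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify_getcacert_reply(raw):
    """Return 'ca-cert' or 'ca-ra-cert' for a usable reply, else a reason string."""
    try:
        status, headers, body = parse_http_reply(raw)
    except ValueError:
        # Truncated or malformed reply: there is no payload to work with.
        return "cannot find data from http reply"
    if status != 200:
        return "http status %d" % status
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in (MIME_GETCA, MIME_GETCA_RA):
        # A web GUI page (text/html) or a missing header lands here.
        return "wrong (or missing) MIME content type"
    if not body:
        return "cannot find data from http reply"
    if body[0] != 0x30:
        return "payload is not DER (expected SEQUENCE tag 0x30)"
    return "ca-cert" if ctype == MIME_GETCA else "ca-ra-cert"


def der_fingerprint(body):
    """SHA-256 of the DER payload as hex, for comparison with an out-of-band value."""
    return hashlib.sha256(body).hexdigest()


def fingerprint_matches(body, expected):
    """Compare against an operator-supplied fingerprint ('AB:CD:...' or plain hex)."""
    return der_fingerprint(body) == expected.replace(":", "").lower()


if __name__ == "__main__":
    for name, reply in [("ok", SAMPLE_OK), ("html", SAMPLE_HTML),
                        ("empty", SAMPLE_EMPTY), ("truncated", SAMPLE_TRUNCATED),
                        ("404", SAMPLE_NOT_FOUND)]:
        print(name, "->", classify_getcacert_reply(reply))
    print("fingerprint", der_fingerprint(FAKE_DER_CERT))
```

Running the block classifies each constructed reply; a GUI page served with text/html is the MIME case and a correctly typed but empty reply is the "cannot find data" case. With a real reply read from a socket, compare der_fingerprint() of the payload with the fingerprint the CA operator published before installing the certificate: RFC 8894 requires that out-of-band check precisely because GetCACert is fetched over plain HTTP.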
Re: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
by Fortunato
>From: Marc Sauton <msauton(a)redhat.com>
>Sent: Apr 20, 2009 1:31 PM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
>
>Fortunato wrote:
>> Hello list,
>>
>> I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3)
>Dogtag 1.1.0 is the open source development project of the released
>commercial product RHCS 7.3.
>One way to get an idea of the changes, is to go through the archive lists:
>https://www.redhat.com/mailman/private/pki-commits/
I'm not a big coder, so going thru the commits is kind of torturous for me. :(
But I subscribed to pki-commits list and will try. Part of my interest revolves around the IPv6 configuration, on which the documentation is rather scarce. I'd like to get the cert manager to listen on IPv6 addresses. LDAP is listening on localhost6, but how about the other CA services?
# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 3411/java
tcp 0 0 0.0.0.0:9444 0.0.0.0:* LISTEN 3411/java
tcp 0 0 0.0.0.0:9445 0.0.0.0:* LISTEN 3411/java
tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN 2452/httpd.worker
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2017/rpcbind
tcp 0 0 0.0.0.0:11443 0.0.0.0:* LISTEN 4025/java
tcp 0 0 0.0.0.0:11444 0.0.0.0:* LISTEN 4025/java
tcp 0 0 0.0.0.0:11445 0.0.0.0:* LISTEN 4025/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2766/sshd
tcp 0 0 0.0.0.0:33558 0.0.0.0:* LISTEN 2030/rpc.statd
tcp 0 0 0.0.0.0:12888 0.0.0.0:* LISTEN 4445/httpd.worker
tcp 0 0 0.0.0.0:12889 0.0.0.0:* LISTEN 4445/httpd.worker
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2800/sendmail: acce
tcp 0 0 0.0.0.0:12890 0.0.0.0:* LISTEN 4445/httpd.worker
tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 3411/java
tcp 0 0 :::389 :::* LISTEN 2350/ns-slapd
tcp 0 0 :::11180 :::* LISTEN 4025/java
tcp 0 0 :::111 :::* LISTEN 2017/rpcbind
tcp 0 0 ::ffff:127.0.0.1:11701 :::* LISTEN 4025/java
tcp 0 0 :::22 :::* LISTEN 2766/sshd
tcp 0 0 :::9180 :::* LISTEN 3411/java
>> , but under SSL End Users Services there's no SCEP Enrollment option.
>In the RA's "SSL End Users Services" page, there should be a "SCEP
>Enrollment" link, url looks like this:
>https://<fqdn:port>/ee/index.cgi (default port 12899)
>Also by default, a CA EE enrollment pages and "List Certificate
>Profiles" will list the caRouterCert and caRARouterCert profiles.
I was looking at the wrong http[s]://<fqdn:port>
I have the SCEP web gui now under: https://<fqdn>:12889/ee/scep/index.cgi
>> Am I missing an option/config?
>Should not, seem quite strange if you do not see those.
>> pki-ra 1.1.0 is installed.
>>
>ok, so you want to use SCEP with a RA.
Maybe a better description on the CA SCEP versus RA SCEP would be helpful? I'll try to comment on the document soon.
>> There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
>>
>Those are for SSL sub system certificates.
>> Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
>>
>The Request Submission is to get the one time pin for the device.
>The SCEP Enrollment page shows the link to configure on the device.
>Those 2 are listed in the "EE" pages on the RA instance.
>See the profiles like in the directory
>/var/lib/rhpki-<ca-instance-id>/profiles/ca/caRA*
>Specially caRARouterCert profile on the CA instance (caRouterCert s for
>CA mode).
>Some pointers:
>http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
SCEP screenshots would help. The different ports available for all CM services make things confusing.
>http://pki.fedoraproject.org/wiki/PKI_SCEP_Support_In_Certificate_System
>http://pki.fedoraproject.org/wiki/PKI_Cisco_Routers_%28IOS%29
Are there any easily available SCEP clients out there?
>> Regards,
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
15 years, 9 months
No SCEP Enrollment option in the SSL End Users Services page
by Fortunato
Hello list,
I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3), but under SSL End Users Services there's no SCEP Enrollment option. Am I missing an option/config? pki-ra 1.1.0 is installed.
There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
Regards,
15 years, 9 months
pki-ca services on IPv6
by Fortunato
Hello again,
I have Dogtag 1.1.0-1.fc10:
# rpm -qi pki-ca
Name : pki-ca Relocations: (not relocatable)
Version : 1.1.0 Vendor: Red Hat, Inc.
Release : 1.fc10 Build Date: Sat 04 Apr 2009 10:00:35 AM PDT
Install Date: Mon 13 Apr 2009 10:55:06 AM PDT Build Host: localhost.localdomain
Group : System Environment/Daemons Source RPM: pki-ca-1.1.0-1.fc10.src.rpm
Size : 830321 License: GPLv2 with exceptions
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://pki.fedoraproject.org/wiki/PKI_Documentation
Summary : Dogtag Certificate System - Certificate Authority
Is there a 'relatively easy' way to configure the pki-ca webserver to respond to an IPv6 address? (I'll take the hard way too!)
# netstat -tlpn is only listing the default installation listening to IPv4 (but not the IPv6 address):
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 16960/java
From the browser I'd expect something like the following to work.
https://[2001::5]:9443/ca/services
BTW, I have DNS to resolve for both IPv4 and IPv6.
15 years, 10 months
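The question in this post and the `netstat -tlpn` listing in the earlier reply ask the same thing: which of the CA's ports are actually reachable over IPv6. The classifier below is an added example, not code from this thread or from Dogtag. It assumes Linux socket semantics: a socket bound to the IPv6 wildcard `::` (shown by netstat as `:::port`) also accepts IPv4 connections unless the `net.ipv6.bindv6only` sysctl is set, a `::ffff:a.b.c.d` binding is an IPv6 socket that serves only IPv4, and a `0.0.0.0` or `127.0.0.1` binding is IPv4 only. The sample input is a constructed subset of the listing posted in the earlier reply.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `netstat -tlpn` lines posted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 3411/java
tcp 0 0 0.0.0.0:12888 0.0.0.0:* LISTEN 4445/httpd.worker
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2800/sendmail: acce
tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 3411/java
tcp 0 0 :::389 :::* LISTEN 2350/ns-slapd
tcp 0 0 :::9180 :::* LISTEN 3411/java
"""

# One LISTEN line: proto, queues, local address, foreign address, state, pid/program.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>.+)$"
)


def split_host_port(local):
    """'::ffff:127.0.0.1:9701' -> ('::ffff:127.0.0.1', 9701); ':::389' -> ('::', 389)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def reachable_families(host, bindv6only=False):
    """Address families a client can use to reach a socket bound to `host`."""
    if host.startswith("::ffff:"):
        return {"ipv4"}                 # IPv4-mapped: IPv6 socket, IPv4 clients only
    if ":" not in host:
        return {"ipv4"}                 # plain IPv4 bind (0.0.0.0, 127.0.0.1, ...)
    if host == "::" and not bindv6only:
        return {"ipv4", "ipv6"}         # dual-stack wildcard on Linux
    return {"ipv6"}                     # :: with bindv6only, ::1, or a global IPv6 address


def parse_listeners(text):
    """Return (pid, program, host, port) for each LISTEN line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, port = split_host_port(m.group("local"))
        out.append((int(m.group("pid")), m.group("prog").strip(), host, port))
    return out


def ipv6_report(text, bindv6only=False):
    """Map 'pid/program' -> sorted [(port, families)] so IPv4-only ports stand out."""
    report = defaultdict(list)
    for pid, prog, host, port in parse_listeners(text):
        fams = reachable_families(host, bindv6only)
        report["%d/%s" % (pid, prog)].append((port, "+".join(sorted(fams))))
    return {key: sorted(val) for key, val in report.items()}


def ipv4_only_ports(text, bindv6only=False):
    """Ports that a client on an IPv6-only network cannot reach at all."""
    return sorted(port for _pid, _prog, host, port in parse_listeners(text)
                  if "ipv6" not in reachable_families(host, bindv6only))


if __name__ == "__main__":
    for prog, ports in sorted(ipv6_report(SAMPLE_NETSTAT).items()):
        print(prog, ports)
    print("IPv4-only ports:", ipv4_only_ports(SAMPLE_NETSTAT))
```

On the sample, the same java process (3411) serves 9180 on the dual-stack wildcard but 9443 on 0.0.0.0, so the agent/EE HTTPS ports are the ones an IPv6 client cannot reach; feed the script the output of `netstat -tlpn` on the CA host to get the list for the real installation.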
Re: [Pki-users] yum remove
by Fortunato
Sadly no, I removed the packages first and got all kinds of error messages when I tried to reinstall using yum.
I was trying to start over with the Configuration Wizard with the one-time PIN:
preop.pin=[PKI_RANDOM_NUMBER]
in the CS.cfg file.
-----Original Message-----
>From: Chandrasekar Kannan <ckannan(a)redhat.com>
>Sent: Apr 10, 2009 9:05 PM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] yum remove
>
>
>Have you tried the pkiremove command ?
>
>
>----- Fortunato <fortunato.montresor(a)earthlink.net> wrote:
>> Hi list,
>>
>> Just want to let those concerned know that yum remove leaves a lot of files and dirs lying around for 1.1.0
>>
>> Example:
>> /etc/pki*
>> /var/log/pki*
>> /etc/init.d/pki*
>>
>> Also, it may be related, but rpm (rpm -qf) does not claim ownership of those files.
>>
>> Hopefully someone can work their magic.
>>
>> Have a good weekend!
>>
>
15 years, 10 months
yum remove
by Fortunato
Hi list,
Just want to let those concerned know that yum remove leaves a lot of files and dirs lying around for 1.1.0
Example:
/etc/pki*
/var/log/pki*
/etc/init.d/pki*
Also, it may be related, but rpm (rpm -qf) does not claim ownership of those files.
Hopefully someone can work their magic.
Have a good weekend!
15 years, 10 months
problem with nss
by Luis F. Gonzalez
Hi all,
It looks like I'm having a problem with a fresh Fedora 9 installation of pki components.
I've already installed fedora-ds-base:
--------------
# yum info fedora-ds-base
Loaded plugins: refresh-packagekit
Available Packages
Name : fedora-ds-base
Arch : i386
Version : 1.1.0.1
Release : 4.fc9
Size : 1.6 M
Repo : fedora
Summary : Fedora Directory Server (base)
URL : http://directory.fedoraproject.org/
License : GPLv2 with exceptions
Description: Fedora Directory Server is an LDAPv3 compliant server. The base
: package includes the LDAP server and command line utilities for
: server administration.
--------------
Here's the crux of the problem after yum install pki-ca:
--------------
--> Missing Dependency: nss >= 3.12.0 is needed by package osutil-1.1.0-1.fc9.i386 (pki)
symkey-1.1.0-1.fc9.i386 from pki has depsolving problems
--> Missing Dependency: nss >= 3.12.0 is needed by package symkey-1.1.0-1.fc9.i386 (pki)
pki-native-tools-1.1.0-1.fc9.i386 from pki has depsolving problems
--> Missing Dependency: nss-tools >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
pki-selinux-1.1.0-1.fc9.noarch from pki has depsolving problems
--> Missing Dependency: selinux-policy-targeted >= 3.3.1-118 is needed by package pki-selinux-1.1.0-1.fc9.noarch (pki)
pki-native-tools-1.1.0-1.fc9.i386 from pki has depsolving problems
--> Missing Dependency: nss >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: nss >= 3.12.0 is needed by package symkey-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: selinux-policy-targeted >= 3.3.1-118 is needed by package pki-selinux-1.1.0-1.fc9.noarch (pki)
Error: Missing Dependency: nss >= 3.12.0 is needed by package osutil-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: nss >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
Error: Missing Dependency: nss-tools >= 3.12.0 is needed by package pki-native-tools-1.1.0-1.fc9.i386 (pki)
---------------
Any ideas before I get on an rpm dependency hunt?
Regards,
15 years, 10 months
dogtag can't establish SSL connection to LDAP server
by Simon Vallet
Hi,
I'm currently trying to integrate dogtag into our environment: building did go fine, but somehow it doesn't want to securely connect to our OpenLDAP server -- that's what I get in the logs at startup:
CMS Warning:
FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
FAILURE: In Ldap (bound) connection pool to host ldap.genoscope.cns.fr port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Could not connect to LDAP server host ldap.genoscope.cns.fr port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Google is quite unhelpful on this one, so any hint would be greatly appreciated.
Simon
15 years, 10 months