DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error
by Frederic d'Huart
Hello Pki users,
Section B.1.4. of the RH admin guide refers to the following acceptable
values for crlDistributionPoint Type:
DirectoryName
URIName
RelativeToIssuer
Using PKIConsole, I have added to the caUserCert profile a policy to
include a CDP as follows:
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
After the profile was re-activated and a new request generated, I get the
following error on the agent interface:
The Certificate System has encountered an unrecoverable error.
Error Message:
/java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension/
Please contact your local administrator for assistance.
Any ideas what could be wrong?
Thank you.
13 years, 7 months
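A syntax check for the crlDistPoints profile parameters shown in the post above, as an added example that is not code from the poster or from the Dogtag project. It only validates each enabled entry against the three point types the post lists and does not diagnose the reported ClassCastException; the function name, the http/ldap scheme rule and the sample hostname are assumptions.

```python
import re
from urllib.parse import urlsplit

# Point types the post quotes from section B.1.4 of the admin guide.
ALLOWED_TYPES = {"DirectoryName", "URIName", "RelativeToIssuer"}
# policyset.<set>.<n>.default.params.crlDistPoints<Field>_<index>
PARAM = re.compile(
    r"^policyset\.(\w+)\.(\d+)\.default\.params\.crlDistPoints(\w+?)_(\d+)$")

# Constructed sample: entry 0 mirrors the post (hostname is a placeholder),
# entries 1 and 2 are deliberately wrong, entry 3 is disabled.
SAMPLE = """\
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://crl.example.test/crl/ca.crl
policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
policyset.userCertSet.13.default.params.crlDistPointsEnable_1=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_1=URI
policyset.userCertSet.13.default.params.crlDistPointsPointName_1=http://crl.example.test/crl/ca.crl
policyset.userCertSet.13.default.params.crlDistPointsEnable_2=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_2=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_2=https://crl.example.test/crl/ca.crl
policyset.userCertSet.13.default.params.crlDistPointsEnable_3=false
"""

def lint_cdp(text):
    """Return sorted (entry, message) findings for enabled CDP entries."""
    points = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = PARAM.match(key.strip())
        if sep and m:
            entry = (m.group(1), int(m.group(2)), int(m.group(4)))
            points.setdefault(entry, {})[m.group(3)] = value.strip()
    findings = []
    for entry, p in sorted(points.items()):
        if p.get("Enable", "").lower() != "true":
            continue  # disabled slots are ignored
        ptype, name = p.get("PointType", ""), p.get("PointName", "")
        if ptype not in ALLOWED_TYPES:
            findings.append((entry, f"point type {ptype!r} is not an accepted value"))
        elif not name:
            findings.append((entry, "enabled entry has an empty point name"))
        elif ptype == "URIName":
            uri = urlsplit(name)
            # RFC 5280 section 8 advises against https/ldaps here: checking
            # the TLS certificate can itself require fetching this CRL.
            if uri.scheme not in ("http", "ldap") or not uri.netloc:
                findings.append((entry, f"URIName {name!r} is not an http/ldap URI"))
    return findings
```

Calling `lint_cdp(SAMPLE)` reports entries 1 and 2 and accepts entry 0, which has the same shape as the configuration in the post.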
connect dogtag to an existing Key in a luna HSM?
by Alexander Jung
Hello,
we have a Microsoft CA that we'd like to migrate to a dogtag instance.
We built a few tools to import all the requests and certificates from
the Microsoft CA into a LDAP-Server used by the dogtag - this works so
far.
The CA key for the Microsoft CA has been generated in a Safenet Luna
K3 HSM and cannot be extracted from there, so we'll have to connect
the dogtag to this key in our HSM.
How can we do that?
Kind regards,
Alexander Jung
13 years, 10 months
Cloning a Dogtag CS 1.3 on Fedora13
by Harshana Porawagama
Hi,
I have been trying to create a clone of a Certificate System. On the cloning
machine, when configuring the Internal Databases, it waits indefinitely
without giving a result. When I checked the errors log, which is in
"/var/log/dirsrv/slapd-<instance>/errors", it is giving the following error.
[15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a different generation ID than the local data.
Does anybody know how to fix this issue?
The whole log file is attached.
--
Best Regards,
Harshana
13 years, 10 months
Dogtag TPS wizard - java.lang.NullPointerException on last button
by Fabian Bertholm
Hi guys,
I've done a Dogtag PKI test setup on a Fedora 13 system.
I really got to the last button on the last wizard and it failed.
I am currently stuck and hope someone can point out where I can search
for the problem.
I stand at the last page of the TPS setup wizard (Import Administrator
Certificate), I click on next and I get an internal server error.
This is the content of the debug file at /var/log/pki-tps/
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: update returns status '1'
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: about to find out about sub panel
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: no sub panel and is not subpanel
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: after looking into about sub panel
Thu Nov 11 08:37:48 CET 2010 - DonePanel: display
Thu Nov 11 08:37:48 CET 2010 - DonePanel: register_tps at https://pki-server1:9544
Thu Nov 11 08:37:48 CET 2010 - DonePanel: subsystem CA uri=/ca/admin/ca/registerUser
Thu Nov 11 08:37:48 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 08:37:48 CET 2010 - DonePanel: Security Domain Info https://pki-server1:9544
Thu Nov 11 08:37:49 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 08:37:49 CET 2010 - DonePanel: Connecting
Thu Nov 11 08:37:52 CET 2010 - req = HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 234
Date: Thu, 11 Nov 2010 07:37:52 GMT
Connection: close
<HTML>
<BODY BGCOLOR=white>
<P>
The Certificate System has encountered an unrecoverable error.
<P>
Error Message:<BR>
<I>java.lang.NullPointerException</I>
<P>
Please contact your local administrator for assistance.
</BODY>
</HTML>
Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
Thu Nov 11 08:37:52 CET 2010 - DonePanel: result
Thu Nov 11 08:37:53 CET 2010 - DonePanel: register_tps at https://pki-server1:13443
Thu Nov 11 08:37:53 CET 2010 - DonePanel: subsystem TKS uri=/tks/admin/tks/registerUser
Thu Nov 11 08:37:53 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 08:37:54 CET 2010 - DonePanel: Security Domain Info https://pki-server1:13443
Thu Nov 11 08:37:54 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 08:37:55 CET 2010 - DonePanel: Connecting
Thu Nov 11 08:37:56 CET 2010 - req =
Thu Nov 11 08:37:56 CET 2010 - DonePanel: result
Thu Nov 11 08:37:56 CET 2010 - DonePanel: KRA available
best regards
Fabian
13 years, 11 months