Manually Replacing Server Certificates + Profiles
by Raspante, Patrick
Using CS 8.0,
I'm interested in replacing (not renewing) all the server certificates
for every subsystem (CA,TKS,DRM,TPS).
The solution I had planned on using was to painstakingly use certutil to
generate certificate requests, sign then, and import them back into the
subsystem cert db with identical cert nicknames.
Is there an easier way to do this (other than reinstalling+rerunning the
create wizard)? I can attempt to use pkiconsole to replace certificates
and automatically send them to the CA's ee page, but that seems to be
erroring repeatedly.
Using the certutil method, I'm unsure of which CA profiles to use when
signing some of the server certificates certificates. For example, when
replacing the TKS's 'subsystemCert' or 'Server-Cert' using the CA's
'manual server certificate enrollment' profile, I don't a get a cert
with identical extensions as the original TKS 'subsytem cert'. Which
profile does the CA use at TKS creation-time for these certs?
Thanks
Patrick Raspante
Software Engineer
General Dynamics C4 Systems
Work: 781-455-2399
This message and/or attachments may include information subject to GDC4S
O.M. 1.8.6 and GD Corporate Policy 07-105 and is intended to be accessed
only by authorized recipients. Use, storage and transmission are
governed by General Dynamics and its policies. Contractual restrictions
apply to third parties. Recipients should refer to the policies or
contract to determine proper handling. Unauthorized review, use,
disclosure or distribution is prohibited. If you are not an intended
recipient, please contact the sender and destroy all copies of the
original message.
14 years, 12 months
SCEP Question
by Erwin Himawan
Hi All,
Has someone confirm that dogtag can be configured such that a SCEP request
from a router is approved manually by an agent at the CA or RA?
The following are the steps I do to test this scenario:
1. In the CA, I create a profile, called router profile.
2. This router profile is similar to the caRouterCert profile
3. In this profile, I disable the visibility such that this profile is not
visible in the CA's end-entity web page.
4. The profile's Certificate Profile Authentication filed is left empty;
implying that the request will be handled by the CA agent.
5. I am using Simple SCEP as my SCEP client.
6. At the sscep client, I generate a CSR using mkrequest. During CSR
generation using the mkrequest, I did not include PIN (or challenge-response
PIN), since did not ask the RA to generate a PIN for me. The reason is, I
would like the agent to manually approve the request.
7. using sscep enroll, I made the scep client to send SCEP enroll to the CA
./sscep enroll -c ca.crt -k local.key -r local.csr -l local.crt -u
http://ca.fqdn:9180/ca/cgi-bin/pkiclient.exe
8. I turned on sscep debug and verbose. From this debug and verbose output,
I observed that the scep client sends HTTP GET
/ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIH3A.................
9. Also from the sscep debug message, I noticed that the CA responses with
status code 200. The CA sends a PKCS7 payload.
10. Inside the payload is the router certificate.
My question is:. Why the CA does not queue this request for agent approval?
Thanks in advance,
Erwin
15 years
SCEP: List Request: "Error Certificate Not Issued." However, certificate is issued successfully to client
by Erwin Himawan
Hi All,
I have been playing with DCS in a test environment and so far I am happy
with its functionalities.
During the SCEP test, I looked into various information generated by the CA
in processing a SCEP request. However, I noticed that the information
obtained through the "list request" was not consistent with the information
obtained from the "list certificate." According to the "list request" my
SCEP request encountered an error and the certificate was not issued.
However, in the "List Certificate", this SCEP request
was successfully processed and resulted in the issuance of a certificate.
Likewise, at the SCEP client, the SCEP client also successfully obtained
the certificate.
Is this a bug or my SCEP test procedure is not correct?
Here is my SCEP test procedure:
1. Using the RA webform, I applied for a SCEP PIN
2. Logging in as an RA, I approved the PIN request, the output of this
approval is a PIN which I distributed it to the SCEP client using out of
band method.
3. My SCEP client is Simple SCEP (sscep).
4. Using the mkrequest -ip 10.8.122.131 [PIN], I created the CSR. I could
see that the PIN is included in the CSR as the challenge-password attribute
5. Assuming I have successfully obtained the CA certificate, using the sscep
enroll -c ca.crt -k local.key -r local.csr -l local.crt -u
http://ra.fqdn:12888/ee/scep/pkiclient.cgi, I started SCEP enrollment
6. After a quick wait time, my SCEP client obtained the certificate from the
CA.
After the CA has successfully issued this certificate to my SCEP client, I
checked the CA "list requests" and "list certificates" pages.
At the "list request" page, I filtered for all type of request and all
status of requests. The output of this query is formatted into three colums;
"status", "assigned to", and "subject."
My SCEP client request has "status=completed". The assigned to and subject
are empty. Further opening this record, the CA indicates that there is an
error; i.e. the issued certificate section contained: "Error Certificate Not
Issued"
When I opened the "list certificates" and searched for the SCEP client
certificate, the SCEP client certificate was there with status "valid"
Thanks in advance.
Regards,
Erwin
15 years
CErtificate profile validation
by Thomas Shanthi-LST016
Hi,
Had a question on where certificate profile validation takes places
when the user sends the enrollment to the RA and RA sends it to the CA.
The authentication selected in the cert profile created at the CA is
raCert. In this scenario is it assumed that the RA does all verification
of the CSR against the profile? In other words, is it the repsonsibility
of the RA to check for fields to be present in the CSR and their current
values as specified in the cert profile? Also will the CA add the fields
specified in the cert profile that have to be inserted by the CA such as
Subject KEy Identifier, Authority Key Identifier, etc. ?
thanks,
Shanthi Thomas
Advanced Technology & Research,
Government & Public Safety,
Schaumburg, IL, USA
desk: 847-576-2499
cell: 224-715-6904
15 years
Unable to connect to Secure Admin Port
by Didier Moens
Dear all,
For the past few days, I've been struggling trying to set up our
dogtag-based PKI. Unfortunately, I am unable to access the Secure Admin
Port / Configuration Wizard (https://...:9445/...), probably due to
Tomcat failing to open SSL sockets.
- Configuration : clean RHEL5u4 ;
- Installed pki-ca-1.3.0 (tried 1.3.2 too) from EPEL, with all its
dependencies (except jss-4.2.6, which is installed from EPEL-testing) ;
- tomcatjss-1.2.0 is installed as a dependency too.
There is no "tomcat5-native" package installed, and LANG is set to C,
all to no avail.
After manually creating user 'pkiuser' (pki-setup 1.3.1 does not
automatically create this user) , "pkicreate" (with parameters from the
root CA example) yields the following errors in
/var/log/pki-ca/catalina.out :
...
org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing socket factory
java.lang.ClassNotFoundException: Error loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jss.JSSImplementation
at
org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:79)
at
org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Feb 25, 2010 1:52:12 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed:
java.lang.ClassNotFoundException: Error loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jss.JSSImplementation
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
...
Strangely enough, connections are set up on e.g. the Agent Secure Port
(9443), but neither on the EE Secure Port (9444) :
# lsof |grep pkiuser |grep TCP
java 28349 pkiuser 71u IPv6
1445890 TCP *:9180 (LISTEN)
java 28349 pkiuser 76u IPv6
1445899 TCP *:9443 (LISTEN)
java 28349 pkiuser 77u IPv6
1445900 TCP localhost.localdomain:9701 (LISTEN)
Both '/etc/pki-ca/tomcat5.conf' and '/etc/pki-ca/server.xml' look valid
(disclaimer: I am a Tomcat novice).
Stracing (-e trace=file) the pki-cad process yields nothing useful,
except for the fact that tomcatjss.jar seems to be nowhere accessed.
When manually adding ":/usr/share/java/tomcatjss.jar" to the CLASSPATH
variable in '/usr/bin/dtomcat5-pki-ca', Tomcat throws these exceptions
in catalina.out :
...
org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: java.lang.NoClassDefFoundError:
org/apache/tomcat/util/net/SSLImplementation
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:632)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:186)
at
org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:73)
at
org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
... 6 more
Caused by: java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.SSLImplementation
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
... 30 more
As a last resort, I created a tomcat keystore too, but as this is
nowhere mentioned in the docs, I guess this is way off.
I would be grateful for any clue whatsoever.
Best regards,
Didier
--
===================================================================
Didier Moens IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927 , B-9052 Zwijnaarde , Belgium
tel ++32(9)3313605 fax ++32(9)3313609
mailto:Didier.Moens@dmbr.vib-UGent.be http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.
15 years
File Publishing
by Erwin Himawan
Hi,
I am in the process of understanding and evaluating the DCS features. I come
across the publishing feature whereby DCS can publish certificates and/or
CRL to a flat file.
I followed RH CS Admin Guide 8.0, in particular, on section 8.2.1, 8.2.4
(Creating Rules). However, when I was testing the file-publication
configuration, following direction on section 8.5, I did not see the
expected certificate files and crl files.
Any idea as how to troubleshoot from here?
Thanks,
Erwin
15 years
CA protocol support
by Thomas Shanthi-LST016
Hi,
I've recently started using the dogtag CA. As I understand the CA supports CMC and SCEP. Assuming this is correct, can end-entities use CMC or SCEP protocol to directly access the CA or RA or is only the web-interface supported? In other words, is there API support for the CA/RA?
thanks,
Shanthi
15 years
Dear Pki-Users, If you can't find in google, try JUSTDIAL.COM
by Rashmi
Dear Pki-Users,I strongly recommend this website www.justdial.com. It's a world class local search service & I've always found anything I've ever wanted.You can find info on any company, product, or service in over 240 cities in India.You can also call them up 24x7, on phone (69999999), a local call in 240 Indian cities.Ask for anything, you'll get the info on the phone and/or by SMS within 30 secs, and this service is at no cost!For a change, it's an original Indian idea and an Indian company with world class service, and with a vision to spread all over the world.Be a proud Indian and forward this to every Indian you know.Best Wishes,RashmiClick Here to unsubscribe.
15 years
Re-instating Revoked Certificate
by Erwin Himawan
Hi All,
I noticed in the redhat certificate administration guide for reasons of
revoking certificate.
"The certificate is on hold pending further action. It is treated as revoked
but may be taken off hold in the future."
The way I understood the above quoted statement; I can put a certificate
into revocation list and at later time, re-instate the certificate.
My question is, how do I re-instate a revoked certificate which revocation
reason is under the above revocation-category.
Thanks,
Erwin
15 years
yum install pki-ca - and problem :(
by Rafał Kamiński
Hi all,
I install dogtag two months ago, and now I repeat that move, but ...
When I use: yum install pki-ca
I see:
Installing : pki-common-1.3.0-7.fc11.noarch
156/158
Installing : hal-info-20090414-1.fc11.noarch
157/158
Adding default PKI group "pkiuser" to /etc/group.
Adding default PKI user "pkiuser" to /etc/passwd.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Installing : pki-ca-1.2.0-4.fc11.noarch
158/158
PKI instance creation Utility ...
[2010-02-02 04:39:15] [error] create_symbolic_link(): illegal
destination path => /usr/share/java/ca.jar.
Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
Can sombody tell me why?
BR,
Rafal Kaminski
15 years
