Utimaco HSM "Not Found" problem
by Arshad Noor
Hi,
I've updated DogTag to the current modules available (FC11 x86_64):
dogtag-pki-ca-ui-1.3.1-1.fc11.noarch
dogtag-pki-common-ui-1.3.1-1.fc11.noarch
dogtag-pki-console-ui-1.3.1-1.fc11.noarch
pki-ca-1.3.3-1.fc11.noarch
pki-common-1.3.3-1.fc11.noarch
pki-console-1.3.1-1.fc11.noarch
pki-java-tools-1.3.1-1.fc11.noarch
pki-native-tools-1.3.0-5.fc11.x86_64
pki-selinux-1.3.4-1.fc11.noarch
pki-setup-1.3.4-1.fc11.noarch
pki-silent-1.3.2-1.fc11.noarch
pki-symkey-1.3.2-3.fc11.x86_64
pki-util-1.3.0-5.fc11.noarch
I've installed and successfully tested a Utimaco CryptoServer HSM
on the operating system, including adding it to secmod.db (in the
/var/lib/subca01/alias directory), generating an RSA key-pair,
issuing a self-signed certificate and listing the objects using certutil (the
attached hsm-config.txt file shows sample output).
I've modified CS.cfg in /etc/subca01 to include this token (as the
attached modules.txt file shows).
I've even restarted pki-cad services after adding the HSM to secmod.db,
to ensure that the DogTag code reads secmod.db with the CryptoServer
configured in it.
However, when it comes time to install a Subordinate CA, the KeyStore
page claims that the Utimaco HSM is not found (see keystore-page.png)
even though it is correctly listed on the page under "Supported
Security Modules".
What am I missing?
How do I get DogTag to use the HSM to generate the key-pair?
Thanks.
Arshad Noor
StrongAuth, Inc.
# pet105:/var/lib/subca01/alias> modutil -dbdir . -nocertdb -list CryptoServer
-----------------------------------------------------------
Name: CryptoServer
Library file: /usr/local/utimaco/lib/libcs2_pkcs11.so
Manufacturer: Utimaco Safeware AG
Description: CryptoServer PKCS11 library
PKCS #11 Version 2.20
Library Version: 1.48
Cipher Enable Flags: None
Default Mechanism Flags: None
Slot: CryptoServer Device '/dev/cs2' - Slot No: 0
Slot Mechanism Flags: None
Manufacturer: Utimaco Safeware AG
Type: Hardware
Version Number: 0.0
Firmware Version: 1.6
Status: Enabled
Token Name: CBUAE TEST
Token Manufacturer: Utimaco Safeware AG
Token Model: CryptoServer
Token Serial Number: Se1000 CS410019
Token Version: 0.0
Token Firmware Version: 1.6
Access: NOT Write Protected
Login Type: Login required
User Pin: Initialized
-----------------------------------------------------------
# pet105:/var/lib/subca01/alias> certutil -K -d . -h "CBUAE TEST"
certutil: Checking token "CBUAE TEST" in slot "CryptoServer Device '/dev/cs2' - Slot No: 0"
Enter Password or Pin for "CBUAE TEST":
< 0> rsa 1f391f4675efbc5a22d7aa7a0c762b08b793b87a (orphan)
< 1> rsa 8329905b66d6e34c25a63c23dee6cd65acc598f1 CBUAE TEST:testcert
# pet105:/var/lib/subca01/alias> certutil -L -d . -h "CBUAE TEST" -n testcert
Enter Password or Pin for "CBUAE TEST":
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 123 (0x7b)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=TEST Cert"
Validity:
Not Before: Thu Apr 15 23:33:58 2010
Not After : Thu Jul 15 23:33:58 2010
Subject: "CN=TEST Cert"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
ae:43:b3:10:f4:28:d0:e9:4a:b0:df:80:24:a8:1c:a7:
7f:fc:33:7c:1b:cd:57:e3:67:8f:fc:a6:a6:c5:07:01:
cf:67:3a:c6:6f:2f:16:4d:4b:66:92:6a:33:65:a9:24:
a1:57:d1:6e:79:73:72:0a:b8:fb:97:9e:bf:b5:34:df:
3c:a3:6b:54:4f:54:70:57:e8:70:ed:da:b1:c9:3a:3c:
35:c0:74:1c:06:be:2e:54:b1:21:c3:69:ec:77:d5:80:
49:8f:80:35:24:00:83:35:7c:a9:19:a7:3c:41:51:63:
a3:3b:0d:6a:b3:32:ec:16:b4:90:43:0c:98:ee:5a:f0:
05:c5:06:d0:1b:9f:ab:9d:56:43:e3:f1:87:a6:7e:4b:
5e:4e:4f:65:37:1c:42:79:73:fb:bf:1a:f4:ed:23:c3:
b7:16:5a:c9:1a:65:35:64:34:86:6a:10:5d:f3:66:25:
13:5a:85:49:e3:9a:07:00:05:ee:cf:2a:71:72:fe:3a:
ae:dd:4a:70:5a:a2:42:6e:33:3b:15:a2:4f:81:1c:30:
93:79:c4:11:db:5b:08:d6:55:73:d9:86:19:1d:87:cf:
4b:e6:e4:10:a0:b4:a2:84:68:4d:5a:53:b8:97:64:68:
07:9e:84:a7:e5:48:ac:be:01:19:be:8a:e6:95:20:19
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
44:b4:bf:8c:f5:22:4e:fe:42:64:5d:f4:e5:73:3a:25:
b8:8c:1e:1c:68:7a:65:ce:30:c2:f2:ab:41:1f:58:3b:
70:50:92:b4:81:fc:f4:5a:b1:f3:b3:69:6e:4e:7a:c0:
94:2a:b2:23:4e:41:24:59:0f:62:87:0d:a2:37:cb:67:
a5:d2:01:91:aa:74:0f:c0:27:f0:7d:d3:0b:16:48:f8:
d9:69:6b:b2:84:80:7e:71:79:5d:11:9d:d6:1a:47:4d:
62:ba:f6:09:28:41:36:e2:78:12:9b:41:fd:df:84:de:
b2:91:fa:3e:99:aa:04:17:3e:ff:f7:6f:19:78:4e:a7:
aa:77:0a:aa:d2:ee:d1:e4:f2:cf:92:68:e8:79:1f:f3:
10:b0:3e:bd:2d:33:a4:bc:7f:66:ea:31:71:c5:7c:4f:
a8:0f:db:25:f2:60:1d:dc:a5:98:73:e3:1e:4b:94:80:
5c:f7:65:69:21:ff:3a:30:55:f6:67:29:f3:e1:aa:a4:
b8:40:9b:c3:8e:90:3b:5b:18:95:36:89:23:22:32:8d:
7c:46:a8:5b:10:2c:2e:99:49:d5:cb:18:f1:04:8f:40:
7e:b7:80:d3:1f:32:50:78:2a:c9:b4:c5:e0:78:b9:93:
63:ac:b4:85:ca:7e:a8:36:9d:6c:58:4c:3a:2f:a7:66
Fingerprint (MD5):
3F:AD:29:3F:60:58:27:9D:19:66:88:AC:7A:BF:0A:DC
Fingerprint (SHA1):
9F:C1:1B:0A:08:D8:1C:80:50:60:BF:0A:47:5E:3E:2C:29:3C:52:CD
Certificate Trust Flags:
SSL Flags:
Valid Peer
Trusted
Email Flags:
Object Signing Flags:
# pet105:/etc/subca01> grep Modules CS.cfg
preop.configModules.count=4
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module1.imagePath=../img/clearpixel.gif
preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
preop.configModules.module2.commonName=lunasa
preop.configModules.module2.imagePath=../img/clearpixel.gif
preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
preop.configModules.module3.commonName=CryptoServer
preop.configModules.module3.imagePath=../img/clearpixel.gif
preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer Hardware Security Module
14 years, 7 months
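A first check a practitioner would run on the situation above is to compare the module names CS.cfg advertises under preop.configModules with what NSS actually has registered in secmod.db, and confirm that the module exposes a token. The script below does that from `modutil -list` output. It is an added example, not code from the post or from Dogtag; the modutil listing and CS.cfg fragment are constructed to mirror the listing in the post, and the function names are this example's own.

```python
"""Check that the PKCS#11 modules Dogtag's CS.cfg lists under
preop.configModules are really registered in NSS's secmod.db and expose a
token. Added example, not part of the original post or of Dogtag; the
modutil output and CS.cfg fragment below are constructed to mirror the
post's own listing, and the function names are this example's.
"""
import re

# Constructed: `modutil -dbdir /var/lib/subca01/alias -list` style output.
# The NSS softoken is always present; CryptoServer is the added HSM module.
MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
\t slots: 2 slots attached
\tstatus: loaded

\t slot: NSS Internal Cryptographic Services
\ttoken: NSS Generic Crypto Services

\t slot: NSS User Private Key and Certificate Services
\ttoken: NSS Certificate DB

  2. CryptoServer
\tlibrary name: /usr/local/utimaco/lib/libcs2_pkcs11.so
\t slots: 1 slot attached
\tstatus: loaded

\t slot: CryptoServer Device '/dev/cs2' - Slot No: 0
\ttoken: CBUAE TEST
-----------------------------------------------------------
"""

# Constructed: the preop.configModules block from the post's CS.cfg.
CS_CFG = """\
preop.configModules.count=4
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module2.commonName=lunasa
preop.configModules.module3.commonName=CryptoServer
"""

MODULE_LINE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")     # "  2. CryptoServer"
TOKEN_LINE = re.compile(r"^\s*token:\s*(.*?)\s*$")     # "\ttoken: CBUAE TEST"
COMMON_NAME = re.compile(r"^preop\.configModules\.module\d+\.commonName=(.*)$")


def parse_modutil(text):
    """Map each module name in `modutil -list` output to its token labels."""
    modules = {}
    current = None
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            current = m.group(1)
            modules[current] = []
            continue
        t = TOKEN_LINE.match(line)
        if t and current is not None:
            modules[current].append(t.group(1))
    return modules


def configured_modules(cs_cfg_text):
    """commonName values Dogtag will offer on the Key Store page."""
    names = []
    for line in cs_cfg_text.splitlines():
        m = COMMON_NAME.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def check_modules(cs_cfg_text, modutil_text):
    """Return (present, missing, tokenless): configured modules NSS knows
    about, ones it does not, and ones loaded but exposing no token."""
    known = parse_modutil(modutil_text)
    present, missing, tokenless = [], [], []
    for name in configured_modules(cs_cfg_text):
        if name not in known:
            missing.append(name)
        elif not known[name]:
            tokenless.append(name)
        else:
            present.append(name)
    return present, missing, tokenless


if __name__ == "__main__":
    present, missing, tokenless = check_modules(CS_CFG, MODUTIL_LIST)
    print("usable:", present)
    print("not in secmod.db:", missing)
    print("loaded but no token:", tokenless)
```

With the post's configuration the stock nfast and lunasa entries show up as missing (expected, they are not installed) and CryptoServer shows up as present with the "CBUAE TEST" token, which is what the post reports; a commonName that differs from the module name NSS prints, even by case or spacing, would appear under missing.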
Reset pkiconsole "administrator" password?
by Mike Mercier
Hello,
Is there a way to reset the pkiconsole "administrator" (I think the username
is actually 'admin') password?
Can someone point me to the documentation?
Thanks,
Mike
14 years, 8 months
Re: [Pki-users] Questions on customizing certificate profiles
by Oliver Burtchen
Hi @ all,
I also tried to change from "SHA1withRSA" to "SHA256withRSA" by editing the
config files. No luck!
I found, this is hard-coded in the sources, for example in:
- pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
- pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
Just look for "SHA1withRSA" in the files; I don't think these are just
fallbacks.
Best regards,
Oli
On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
> On 04/06/2010 05:08 PM, Arshad Noor wrote:
> > The only option that is visible under Advanced is the key-size
> > for each of the certificate-types. The hash algorithm does not
> > show up at all.
> >
> > Even the default, as mentioned by Step 8, is not the default as
> > the last 10-12 installs have shown:
> >
> > * SHA256withRSA (the default)
> >
> > So, the question is: is the current build of DogTag in the pki
> > repository identical to RHCS 8.0 or is it a different version?
>
> It might very well be ... we can look at the svn commits
> to be really sure...
>
> > Arshad Noor
> > StrongAuth, Inc.
> >
> > Chandrasekar Kannan wrote:
> >> the installation wizard should provide 'options' under the advanced
> >> section for you to be able to select the alg to use. Have you tried
> >> doing Step (8) from here ?
> >> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
--
Oliver Burtchen, Berlin
14 years, 8 months
Submitting CMCRequest using HttpClient
by Erwin Himawan
Hi All,
I am trying to use HttpClient to submit a CMC request. So far, I have had no
luck. Each time I run HttpClient, the server responds with HTTP 404.
Has anybody ever tried this?
My question is: could I use HttpClient to submit a CMC request and obtain a
CMC response (a certificate?)
Here are my procedures:
1. Use certutil to create a CSR
2. Use CMCRequest to create a CMC request message
The CMCRequest.cfg content
numRequests=1
input=crmf1
output=cmcReq
nickname=RA Administrator
dbdir=/home/RAagent
password=
format=pkcs10
3. Use HttpClient to submit the request
My HttpClient.cfg contents:
host=ca.hh.org
port=9180
secure=false
input=cmcReq
output=cmcResp
servlet=/ca/profileSubmitCMCFull
Thanks,
Erwin
14 years, 8 months
Creating a sub-ca under an external CA?
by Michael StJohns
Hi -
One of my customers has an existing root key pair and CA cert that
exists outside of Dogtag. I want to create a CA immediately subordinate
to that root CA and use Dogtag for it.
After numerous attempts to adopt Dogtag to an external CA, I admit to
defeat. I've tried this with and without a PKCS7 chain, I've tried
various extensions and formats for the new CA cert, etc.
The CA system comes up, looks good, but looking at the SSL handshake
with "openssl s_client" shows that the server isn't providing the entire
chain, only the certificate for the server itself.
Taking all of the certs in the chain from root through server and
running them through the Java cert path checking routines seems to
indicate the certs are fine.
If I build a system from scratch - with a new root cert and key pair in
one CA and then build a subordinate CA under that in the same domain it
works perfectly.
Has anyone else tried this? If so, can you give me a step-by-step please?
Help!
Mike
14 years, 8 months
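The symptom in the post, a server that presents only its own certificate, can be checked mechanically from the `openssl s_client -showcerts` transcript rather than by eye. The script below parses the "Certificate chain" section, links each certificate's issuer to the next certificate's subject, and classifies the served chain. It is an added example, not code from the post or from Dogtag; both transcripts are constructed with placeholder names, and the function names are this example's own. It handles both the older slash-separated DN spelling and the newer comma-separated one, which goes beyond the single case the post describes.

```python
"""Classify the certificate chain a TLS server sends, from an
`openssl s_client -showcerts` transcript. Added example, not part of the
original post or of Dogtag; the transcripts are constructed and the
function names are this example's own.
"""
import re

# Constructed: the reported symptom, only the server certificate is sent
# (older OpenSSL DN spelling, attributes separated by '/').
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 /CN=subca01.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=subca01.example.test
   i:/O=Example Root/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=subca01.example.test
issuer=/O=Example Root/CN=Example Root CA
---
"""

# Constructed: leaf, issuing sub-CA and self-signed root all served
# (newer OpenSSL DN spelling, 'ATTR = value, ATTR = value').
FULL_CHAIN = """\
---
Certificate chain
 0 s:CN = subca01.example.test
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, body omitted)
-----END CERTIFICATE-----
 1 s:CN = Example Sub CA
   i:O = Example Root, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, body omitted)
-----END CERTIFICATE-----
 2 s:O = Example Root, CN = Example Root CA
   i:O = Example Root, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, body omitted)
-----END CERTIFICATE-----
---
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s*i:(.*)$")                 # "   i:<issuer>"


def _norm_dn(dn):
    """Normalise both DN spellings to a tuple of 'ATTR=value' strings so
    they compare by value. (A '/' inside a value in the old spelling would
    mis-split; acceptable for this check.)"""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(", ")
    return tuple(p.strip().replace(" = ", "=") for p in parts if p.strip())


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in transcript.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            subject = _norm_dn(m.group(2))
            continue
        m = ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, _norm_dn(m.group(1))))
            subject = None
    return chain


def chain_status(chain):
    """'empty', 'leaf-only' (the post's symptom), 'broken' (a cert's issuer is
    not the next cert's subject), 'no-root' (links but stops before a
    self-signed root; fine if clients already trust that root) or 'complete'."""
    if not chain:
        return "empty"
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        return "leaf-only"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken"
    subject, issuer = chain[-1]
    return "complete" if subject == issuer else "no-root"


if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", chain_status(parse_chain(text)))
```

Feed it the saved output of `openssl s_client -connect host:port -showcerts` and a result of "leaf-only" confirms the server is not sending the intermediate, which is what the Java cert-path check in the post would not reveal because it was given the certificates directly.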
Questions on customizing certificate profiles
by Arshad Noor
Hi,
I thought I used to know the Certificate Server, but it appears
that so much has changed that I feel like I'm starting over again.
Hopefully, I'm the one who's making mistakes and that DogTag is
really not different from RHCS.
In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
customize the initial certificates created by the installation
process. For example, here is what I'm doing:
1) Run "yum install pki-ca".
2) Run "pkicreate" with appropriate parameters.
3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
files to do the following:
- Add "default.params.signingAlg=SHA256withRSA" to the files;
- Remove digitalSignature and nonRepudiation for CA cert;
- Remove digitalSignature, nonRepudiation, dataEncipherment
for Server cert;
- Change default validity periods, etc.
Yet, none of the certificates generated by the installation process
have these changes in them.
I've tried stopping "pki-cad", copying the modified *.cfg files to
the appropriate "<instance>/profiles/ca" directory and restarting
pki-cad in case the service needed to see the modified files at
startup - but to no avail.
I've tried modifying the *.profile files in the /etc/<instance>
directory, but to no avail.
How does one customize the certificates before the self-signed cert
is generated?
I'm going through the PDF documentation for RHCS 8.0 and assuming
that the instructions there apply to DogTag too. The version number
of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
repository.
Thanks.
Arshad Noor
StrongAuth, Inc.
14 years, 8 months
Re: [Pki-users] Questions on customizing certificate profiles
by John Magne
Did you try modifying the source of the files in /var/lib/pki-ca/conf/*.profile?
When an instance is created, I believe the files are taken from here:
/usr/share/pki/ca/conf/*.profile
I imagine if you change the files in /var/lib/pki-ca/conf before proceeding with the wizard, things should work. Perhaps the files are cached into memory as soon as the instance is created and before the wizard is executed.
----- Original Message -----
From: "Arshad Noor" <arshad.noor(a)strongauth.com>
To: pki-users(a)redhat.com
Sent: Tuesday, April 6, 2010 10:34:20 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] Questions on customizing certificate profiles
14 years, 8 months
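Whichever profile location turns out to be the one the wizard reads, the outcome can be verified the same way for both the signingAlg question in this thread and Oliver's finding that "SHA1withRSA" is hard-coded: list the issued certificate with certutil and compare the "Signature Algorithm" line against what the profile requested. The script below does that comparison. It is an added example, not code from the thread or from Dogtag; the certutil output is constructed from the listing quoted earlier in this digest, the profile fragment is constructed, the mapping from JSS algorithm names to certutil's printed names is this example's own assumption, and the function names are its own.

```python
"""Compare the signingAlg a Dogtag profile requests with the signature
algorithm an issued certificate actually carries, using `certutil -L`
output. Added example, not part of the thread or of Dogtag; inputs are
constructed and the function names are this example's own.
"""
import re

# Constructed from the certutil listing quoted earlier in this digest
# (abbreviated): a certificate signed with SHA-1.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123 (0x7b)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=TEST Cert"
        Validity:
            Not Before: Thu Apr 15 23:33:58 2010
            Not After : Thu Jul 15 23:33:58 2010
        Subject: "CN=TEST Cert"
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
"""

# Constructed: the line the original post adds to caCACert.cfg and friends.
PROFILE_CFG = """\
default.params.signingAlg=SHA256withRSA
"""

# Assumed mapping: JSS/Dogtag algorithm names -> the text NSS's certutil
# prints for the corresponding OID.
CERTUTIL_NAMES = {
    "SHA1withRSA": "PKCS #1 SHA-1 With RSA Encryption",
    "SHA256withRSA": "PKCS #1 SHA-256 With RSA Encryption",
    "SHA384withRSA": "PKCS #1 SHA-384 With RSA Encryption",
    "SHA512withRSA": "PKCS #1 SHA-512 With RSA Encryption",
}

SIG_ALG_LINE = re.compile(r"^\s*Signature Algorithm:\s*(.+?)\s*$")
SHA1_MARKER = re.compile(r"SHA-?1(?!\d)")   # "SHA-1 With ..." or "SHA1withRSA"


def cert_signature_algorithm(certutil_text):
    """First 'Signature Algorithm:' line, i.e. the one in tbsCertificate."""
    for line in certutil_text.splitlines():
        m = SIG_ALG_LINE.match(line)
        if m:
            return m.group(1)
    return None


def profile_signing_alg(profile_text):
    """Value of default.params.signingAlg in a profile config, if set."""
    for line in profile_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "default.params.signingAlg":
            return value.strip()
    return None


def uses_sha1(alg_name):
    """True for either spelling of a SHA-1 based RSA signature."""
    return SHA1_MARKER.search(alg_name) is not None


def audit(profile_text, certutil_text):
    """Report what was requested, what was issued, and whether they agree."""
    requested = profile_signing_alg(profile_text)
    actual = cert_signature_algorithm(certutil_text)
    expected = CERTUTIL_NAMES.get(requested)
    return {
        "requested": requested,
        "actual": actual,
        "matches_profile": expected is not None and expected == actual,
        "sha1_in_use": actual is not None and uses_sha1(actual),
    }


if __name__ == "__main__":
    for key, value in audit(PROFILE_CFG, CERTUTIL_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the real alias directory (`certutil -L -d <instance>/alias -n <nickname>`), a result of matches_profile False with sha1_in_use True is exactly the "profile says SHA256withRSA, certificate says SHA-1" mismatch this thread is about, and is worth re-checking after any build update since the value may come from the sources rather than from the profile.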