SCEP Authentication
by Erwin Himawan
I would like to configure my DCS's SCEP operation for manual approval, in
which the router uses SCEP to submit the request and the CA agent will
manually approve the request and modify the request (if needed).
Does anybody have any idea how to configure the DCS CA?
I am thinking of cloning the caRouterCert profile. I am not sure what to
specify to enable the agent to approve the incoming request.
Am I in the right direction?
Thanks,
Erwin
14 years, 4 months
smart card support
by Henry GM
What kind of smart card is implemented/supported by the ESC Dog Tag besides the Axalto
Cyberflex egate 32k?
Does it support STARCOS® SPK2.3 with the Dog Tag smart card manager?
Rgds,
Henry Gultom
14 years, 4 months
Utimaco HSM "Not Found" problem
by Arshad Noor
Hi,
I've updated DogTag to the current modules available (FC11 x86_64):
dogtag-pki-ca-ui-1.3.1-1.fc11.noarch
dogtag-pki-common-ui-1.3.1-1.fc11.noarch
dogtag-pki-console-ui-1.3.1-1.fc11.noarch
pki-ca-1.3.3-1.fc11.noarch
pki-common-1.3.3-1.fc11.noarch
pki-console-1.3.1-1.fc11.noarch
pki-java-tools-1.3.1-1.fc11.noarch
pki-native-tools-1.3.0-5.fc11.x86_64
pki-selinux-1.3.4-1.fc11.noarch
pki-setup-1.3.4-1.fc11.noarch
pki-silent-1.3.2-1.fc11.noarch
pki-symkey-1.3.2-3.fc11.x86_64
pki-util-1.3.0-5.fc11.noarch
I've installed and successfully tested a Utimaco CryptoServer HSM
on the operating system, including adding it to secmod.db (in the
/var/lib/subca01/alias directory), generating an RSA key-pair,
issuing a self-signed certificate and listing the objects using certutil (the
attached hsm-config.txt file shows sample output).
I've modified CS.cfg in /etc/subca01 to include this token (as the
attached modules.txt file shows).
I've even restarted pki-cad services after adding the HSM to secmod.db,
to ensure that the DogTag code reads secmod.db with the CryptoServer
configured in it.
However, when it comes time to install a Subordinate CA, the KeyStore
page claims that the Utimaco HSM is not found (see keystore-page.png)
even though it is correctly listed on the page under "Supported
Security Modules".
What am I missing?
How do I get DogTag to use the HSM to generate the key-pair?
Thanks.
Arshad Noor
StrongAuth, Inc.
# pet105:/var/lib/subca01/alias> modutil -dbdir . -nocertdb -list CryptoServer
-----------------------------------------------------------
Name: CryptoServer
Library file: /usr/local/utimaco/lib/libcs2_pkcs11.so
Manufacturer: Utimaco Safeware AG
Description: CryptoServer PKCS11 library
PKCS #11 Version 2.20
Library Version: 1.48
Cipher Enable Flags: None
Default Mechanism Flags: None
Slot: CryptoServer Device '/dev/cs2' - Slot No: 0
Slot Mechanism Flags: None
Manufacturer: Utimaco Safeware AG
Type: Hardware
Version Number: 0.0
Firmware Version: 1.6
Status: Enabled
Token Name: CBUAE TEST
Token Manufacturer: Utimaco Safeware AG
Token Model: CryptoServer
Token Serial Number: Se1000 CS410019
Token Version: 0.0
Token Firmware Version: 1.6
Access: NOT Write Protected
Login Type: Login required
User Pin: Initialized
-----------------------------------------------------------
# pet105:/var/lib/subca01/alias> certutil -K -d . -h "CBUAE TEST"
certutil: Checking token "CBUAE TEST" in slot "CryptoServer Device '/dev/cs2' - Slot No: 0"
Enter Password or Pin for "CBUAE TEST":
< 0> rsa 1f391f4675efbc5a22d7aa7a0c762b08b793b87a (orphan)
< 1> rsa 8329905b66d6e34c25a63c23dee6cd65acc598f1 CBUAE TEST:testcert
# pet105:/var/lib/subca01/alias> certutil -L -d . -h "CBUAE TEST" -n testcert
Enter Password or Pin for "CBUAE TEST":
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 123 (0x7b)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=TEST Cert"
Validity:
Not Before: Thu Apr 15 23:33:58 2010
Not After : Thu Jul 15 23:33:58 2010
Subject: "CN=TEST Cert"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
Fingerprint (MD5):
3F:AD:29:3F:60:58:27:9D:19:66:88:AC:7A:BF:0A:DC
Fingerprint (SHA1):
9F:C1:1B:0A:08:D8:1C:80:50:60:BF:0A:47:5E:3E:2C:29:3C:52:CD
Certificate Trust Flags:
SSL Flags:
Valid Peer
Trusted
Email Flags:
Object Signing Flags:
# pet105:/etc/subca01> grep Modules CS.cfg
preop.configModules.count=4
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module1.imagePath=../img/clearpixel.gif
preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
preop.configModules.module2.commonName=lunasa
preop.configModules.module2.imagePath=../img/clearpixel.gif
preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
preop.configModules.module3.commonName=CryptoServer
preop.configModules.module3.imagePath=../img/clearpixel.gif
preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer Hardware Security Module
14 years, 5 months
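A small diagnostic script, added here and not part of the original post or of Dogtag itself, that cross-checks the preop.configModules entries in CS.cfg against the module names modutil reports from secmod.db (the two must match exactly for the installer to find a token); the sample inputs are constructed from the output quoted above.

```python
import re
# Constructed samples modelled on the CS.cfg lines and the 'modutil -list CryptoServer'
# output quoted in the post above (only CryptoServer was listed, so NSS internal is absent).
CS_CFG_LINES = """\
preop.configModules.count=4
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module2.commonName=lunasa
preop.configModules.module3.commonName=CryptoServer
"""
MODUTIL_OUTPUT = """\
-----------------------------------------------------------
  Name: CryptoServer
  Library file: /usr/local/utimaco/lib/libcs2_pkcs11.so
  Slot: CryptoServer Device '/dev/cs2' - Slot No: 0
  Status: Enabled
"""

def parse_config_modules(cfg_text):
    """Return {index: {key: value}} for every preop.configModules.moduleN.* line."""
    modules = {}
    pat = re.compile(r"^preop\.configModules\.module(\d+)\.(\w+)=(.*)$")
    for line in cfg_text.splitlines():
        m = pat.match(line.strip())
        if m:
            modules.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return modules

def parse_modutil_list(text):
    """Return {module name: {field: value}} from 'modutil -list' style output."""
    mods, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # separator rows and other lines without a field
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            mods[current] = {}
        elif current is not None:
            mods[current][key] = value
    return mods

def check_modules(cfg_text, modutil_text):
    """Map each configured commonName to whether secmod.db lists an enabled module of that exact name."""
    installed, result = parse_modutil_list(modutil_text), {}
    for _, mod in sorted(parse_config_modules(cfg_text).items()):
        name = mod.get("commonName", "")
        info = installed.get(name)
        result[name] = info is not None and info.get("Status") == "Enabled"
    return result
```

A module that shows False here is either absent from secmod.db or spelled differently in CS.cfg than in the modutil listing.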
pki-ra port 12890 not up
by Henry GM
Dear all,
Why is the pki-ra port not up after I install it using yum --enablerepo=epel-testing
install pki-ra?
For pki-ca, pki-kra, pki-ocsp and pki-tps the install and start configuration run
well and the port comes up.
[2010-05-07 11:47:05] [debug] Processing PKI files and symbolic links for
'/var/lib/pki-ra' ...
[2010-05-07 11:47:05] [debug] Processing PKI security databases for
'/var/lib/pki-ra' ...
[2010-05-07 11:47:07] [debug] Processing PKI security modules for
'/var/lib/pki-ra' ...
[2010-05-07 11:47:07] [debug] Attempting to add hardware security
modules to system if applicable ...
[2010-05-07 11:47:07] [debug] module name: lunasa lib:
/usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-07 11:47:07] [debug] module name: nfast lib:
/opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-07 11:47:07] [debug] Restorecon file context for /usr/share/pki
[2010-05-07 11:47:07] [debug] Restorecon file context for /var/lib/pki-ra
[2010-05-07 11:47:08] [debug] Restorecon file context for /var/log/pki-ra
[2010-05-07 11:47:08] [debug] Restorecon /etc/pki-ra
[2010-05-07 11:47:08] [debug] Restorecon file context for
/usr/sbin/httpd.worker
[2010-05-07 11:47:08] [debug] Setting selinux context pki_ra_port_t for
12890
PKI instance creation completed ...
Stopping pki-ra: httpd (no pid file) not running
[ OK ]
==============================
Starting pki-ra: ............................... [ OK ]
pki-ra pid file exists but is empty
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://mydomain.com:12890/ra/admin/console/config/login?pin=jGRSfY5xWWyM...
After configuration, the server can be operated by the command:
/sbin/service pki-rad restart pki-ra
From /var/log/pki-ra/error.log I got these messages:
/usr/sbin/httpd.worker: symbol lookup error:
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache2/ServerUtil/ServerUtil.so:
undefined symbol: ap_get_server_banner
perl -v
This is perl, v5.8.8 built for i386-linux-thread-multi
How do I fix that?
Rgds,
Henry G.
14 years, 5 months
dog tag and openldap
by Henry GM
Dear all,
I have a lot of users in my OpenLDAP and want all of my existing users to have a
userCertificate so I can download it using phpLDAPadmin.
Is there any way to store a certificate for an existing user in OpenLDAP? Or can Dog
Tag store/publish certificates to OpenLDAP?
Rgds,
Henry Gultom.
14 years, 5 months
Dogtag Version 1.3 release
by Kevin Unthank
We are pleased to announce the availability of both 32-bit and 64-bit
versions of Dogtag Certificate System 1.3 for Fedora 11, Fedora 12 and
Fedora 13, and EPEL packages for RHEL 5.5.
The new release is now included in the standard EPEL and Fedora
repositories allowing the packages to be installed on Fedora without
configuring additional package repositories and on Red Hat Enterprise
Linux systems that are configured to use the EPEL repositories.
* See the Release Notes for more information:
http://pki.fedoraproject.org/wiki/PKI_Release_Notes
14 years, 5 months
Customizing Subject Name Input Attributes
by Erwin Himawan
Hi,
For our in-house application, I would like to add "Locality", "State", and
other attributes in my issued certificate. I would like to prompt the user
with the set of attributes that he/she needs to provide. To reduce user
error, I would like to accomplish this through the Subject Name Input.
However, I could not add new attributes nor remove unwanted attributes from
this input. Does anybody know how to add/remove attributes on the Subject
Name Input?
Thanks,
Erwin
14 years, 5 months