Pki-users August 2010

users@lists.dogtagpki.org

4 participants
3 discussions

by Gaiseric Vandal

I have installed DogTag 1.3 Certificate Server (CA and RA) components on Fedora Core 11. I want to configure a server certificate with a Subject Alternate Name. I used openssl to create a private key and a certificate signing request on the server in question. openssl genrsa -out server1.key -des3 1024 openssl req -new -key server1.key -out server.csr I am prompted along the way to include an e-mail address and subject alternate name. Both are permitted but optional in my openssl.cnf file. I can look at the csr with openssl req -in server.csr -text By default, openssl by default recreates a req with the following line Subject: C=US, ST=California, L=MyCity, O=MyCompany, OU=IT, CN=server.company.com/subjectAltName=www.company.com/emailAddress=mymail@... You can see that e-mail and SAN are part of the CN attribute. I went to the "Certificate System RA Services Page" (https://myserver:12890) - > SSL End Users Services -> Server Enrollment -> Request Submission. I pasted the contents of the csr file into the web page. The administrator (i.e. me) gets e-mail notification of a certificate request, and follows the link to approve it. However if I have included either e-mail or SAN the request will fail because the subject name doesn't match. CA: Request Rejected - Subject Name Not Matched E=mymail(a)company.com,CN=server.company.com,OU=IT,O=My Company,L=MyCity,ST=California,C=US If I compare the dogtag error message to the original csr file I can see that dogtag expects a different syntax for e-mail. Dogtag expects it as a separate "E" attribute (It still seems to have translated the attributes appropriately but then complains the subject doesn't match.) I can work around this by either omitting e-mail in the csr altogether or explicitly setting the subject attribute with the "openssl req -subj" -> openssl req -new -key server.key -out server.csr -subj "/E=mymail(a)company.com,CN=server.company.com,OU=IT,O=My Company Name,L=MyCity,ST=California,C=US" Enter pass phrase for server.key: Subject Attribute E has no known NID, skipped -> However, I can't figure out how to make this work for the Subject Alternate Name. DogTag rejects the certificate with CA: Request Rejected - Subject Name Not Matched E=mymail(a)company.com ,2.5.29.17=www.company.com,CN=server.... Is there a "NID" parameter than dogtag expects for SAN?

13 years, 8 months

2
3
0 / 0

NOTICE: Dogtag Subversion Repositories have moved from 'pki.fedoraproject.org' to 'fedorahosted.org'

by Matthew Harmsen

Everyone, The Dogtag "pki" and "tomcatjss" subversion source repositories that were originally hosted on 'pki.fedoraproject.org' have been moved to 'fedorahosted.org'. The URLs referenced below provide check-out details for these new repositories: * http://pki.fedoraproject.org/wiki/PKI_Subversion_Instructions (pki) * http://pki.fedoraproject.org/wiki/PKI_Pre-Built_Support_Components (tomcatjss) STEP 1: Anyone working with these repositories will need to check out ALL of the brand "new" repos (notice the "new" syntax for these URLs): * svn co http://svn.fedorahosted.org/svn/pki/trunk/pki pki * svn co http://svn.fedorahosted.org/svn/tomcatjss/trunk/tomcatjss tomcatjss STEP 2: You will then need to "move" any changes from any "old" trees that you have to the "new" trees that you have created in STEP 1 above. Since the "old" repositories will be left running for the next week or two, it is recommended that you first perform an "svn update" on any "old" trees to iron out any conflicts prior to moving your changes to the "new" tree. For example: * cd tomcatjss; svn update * cd pki; svn update The Dogtag Wiki as well as the PKI and TOMCATJSS source tarballs will remain located at 'pki.fedoraproject.org'. Thanks, -- Matt NOTE: As a part of this migration, ALL Dogtag and tomcatjss packages have been increased from version 1.3 to 2.0 (in preparation of future planned changes to the Dogtag code base), so if you are building directly from subversion source (rather than using the Dogtag 1.3 SRPMS), then you may wish to use the following UNSUPPORTED BRANCH URLs instead: * svn co http://svn.fedorahosted.org/svn/pki/branches/DOGTAG_1_3_FREEIPA_v2_BRANCH... pki * svn co http://svn.fedorahosted.org/svn/tomcatjss/branches/DOGTAG_1_3_FREEIPA_v2_... tomcatjss

13 years, 8 months

1
1
0 / 0

PKI subsystem webservice APIs

by Shakthi Kannan

Hi, Thanks for the Dogtag project. I have been able to install 389-ds and dogtag-pki-ca on Fedora 13. I am able to view the services through the browser. I would like to know if there are any web service APIs or tutorials or documents that are available to gives pointers on how to communicate with these server subsystems via other servers or programs? Appreciate any inputs in this regard, Thanks! SK -- Shakthi Kannan http://www.shakthimaan.com

13 years, 8 months

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users August 2010