Hello Pki users,
Section B.1.4. of the RH admin guide refers to the following acceptable
for crlDistributionPoint Type:
Using PKIConsole, I have added to the caUserCert profile a policy for
include a CDP as follow:
policyset.userCertSet.13.default.name=CRL Distribution Points Extension
after profile re-activated, and new request generated, I get the
following error on the agent interface:
The Certificate System has encountered an unrecoverable error.
/java.lang.ClassCastException: netscape.security.x509.Extension cannot
be cast to netscape.security.x509.CRLDistributionPointsExtension/
Please contact your local administrator for assistance.
Any Ideas what could be wrong ?
I have a dogtag-1.1.0 with fedora-ds-base-1.2.0 installed on Fedora
10. I would like to migrate this system to CentOS 5.5 using the
latest EPEL distribution without losing any data. Is there any
documentation available to accomplish this?
A bit of background:
2 servers with the following:
fedora-ds installed with replication between the two (using
certificates generated from dogtag)
self-signed CA on dogtag
dogtag installed on both with the second install joined to the
security domain of the first
If more details are required, please let me know.
I have a brand new install on Centos 5.5 64.
I can't get it to publish certs to the file system, only LDAP. In
pkiconsole, when I first access the Publishing area, I get an error
message about not being authorized. I am using the CA admin account to
I appreciate your response.
The primary reason for wanting to a PKI was to alleviate all the
self-signed certs that we are/will be using. Then I realized that it
could be expanded to include user authentication to our NOC web sites.
So this is how it has evolved.
Currently, I have a primary CA with a secondary CA.
* The primary CA is all hosted on a single host, host A, including
* The secondary CA is all hosted on a single host, host B, including
* The 2 LDAP servers are in a multi-master config with replication
agreements for the User database, not the CAs though.
* I will create all the certs from the secondary CA.
* We will create user certs
* We will create server certs
* Both hosts are in a 2-node corosync cluster.
So we have numerous single points of failure in this setup, hence my
questions. With I think of HA for this project, I think more along the
lines of availability and less about performance. I have 2 physical
hosts to work with, along with fibre channel with an OCFS2 volume
available to both hosts.
So I would think that what I am looking for is that all services could
be running on a single host, in case the other host failed. Dogtags
supports cloning and so for each service that I need (CA1,CA2, OCSP ), I
can use cloning with manual assistance. I just designate one of host A
or B to be the primary host for a given service. Them clone them to the
On 02/17/2011 11:42 AM, Erwin Himawan wrote:
> Hi Dave,
> Since PKI is so much flexible, your PKI architecture would be
> influenced by many factors such as number of subscribers, the
> diversity of your subscribers PKI needs, real time access, initial and
> operating cost, etc. Also, when you mentioned "HA", what kind of "HA"
> it is; e.g. HA for obtaining new cert, renewal cert, obtaining the
> latest revocation status information? HA for certificate publication
> in the repository? HA for CA access to the repository? What is the
> requirement in your PKI CP?
> Not knowing these factors are, it would be very difficult to come up
> with the "best" "HA" design for your circumstances.
> On Wed, Feb 16, 2011 at 10:15 PM, Dave Augustus
> <davea(a)ingraftedsoftware.com <mailto:firstname.lastname@example.org>> wrote:
> We are in the planning stages of deploying a CA using dogtags.
> Here is what we know we need and what resources we have to work
> with. Any suggestions are welcome!
> A primary CA - only used to create the subordinate CAs.
> A subordinate CA - this would actually create the certs.
> We have 2 servers with shared fiber channel storage. Each
> currently has LDAP (389 project) installed and are replicating
> between themselves. The LDAP servers run on their own IPs. Also,
> these 2 servers are a corosync cluster with 4 resource groups:
> puppet, mysql, apache, snmptrapd and syslog-ng. Each of these have
> their own IP as well. None of these services are load-balanced.
> They are either on one or the other servers- all the files these
> services need are supported with fibre channel storage.
> Now the CA. Here is what I have considered:
> 1) CA1 runs on server1- it uses the local LDAP server for storage
> 2) CA2 runs on server2- it uses the local LDAP server for storage
> 3) A clone of CA1 runs on server2 using server2's LDAP storage
> 4) A clone of CA2 runs on server1 using server1's LDAP storage
> Ideally, we would run the service like we do apache. It would run
> on either host, but only one a time. It would have its files on
> shared storage to support this. The problem with this setup is the
> LDAP storage is the single point of failure as I cannot refer to 2
> LDAP servers at the same time, afaik.
> For HA, it seems that the best I could do would be to have both
> LDAP servers and all 4 PKI instances installed on shared storage.
> Any thoughts on this are greatly appreciated.
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pkiemail@example.com>
Im a little bit stuck on enabling the Security Officer Mode, I'm
following the guide at:
When formating the blank token my TPS likes to have authentication by
default on soKey format operations. This does not work, the
tps-debug.log says RA_Processor::RequestExtendedLogin - No Extended
Login Response Msg Received and aborts. I wonder where the login data
should come from as the ESC is not prompting for a ldap user/pw in
btw. I did not use the absolut path
/var/lib/pki-tps/cgi-bin/so/index.cgi as stated in guide but the http
url as this made more sendse to me.
When disabling the authentication for soKey format within the CS.cfg
then the formating runs through until the error:
RA:tdb_update - failed to add tokendb entry
RA_Format_Processor::Process - Failed to update the token database
I sniffed with wireshatk and I can see that the ldap addRequest to the
tokendb is failing with a syntax error: tokenUserID: value #0 invalid
per syntax. And indeed it is missing in the addRequest. I think this
is because the auth is disabled and now there is no UserID.
How to continue?
We are in the planning stages of deploying a CA using dogtags. Here is
what we know we need and what resources we have to work with. Any
suggestions are welcome!
A primary CA - only used to create the subordinate CAs.
A subordinate CA - this would actually create the certs.
We have 2 servers with shared fiber channel storage. Each currently has
LDAP (389 project) installed and are replicating between themselves. The
LDAP servers run on their own IPs. Also, these 2 servers are a corosync
cluster with 4 resource groups: puppet, mysql, apache, snmptrapd and
syslog-ng. Each of these have their own IP as well. None of these
services are load-balanced. They are either on one or the other servers-
all the files these services need are supported with fibre channel storage.
Now the CA. Here is what I have considered:
1) CA1 runs on server1- it uses the local LDAP server for storage
2) CA2 runs on server2- it uses the local LDAP server for storage
3) A clone of CA1 runs on server2 using server2's LDAP storage
4) A clone of CA2 runs on server1 using server1's LDAP storage
Ideally, we would run the service like we do apache. It would run on
either host, but only one a time. It would have its files on shared
storage to support this. The problem with this setup is the LDAP storage
is the single point of failure as I cannot refer to 2 LDAP servers at
the same time, afaik.
For HA, it seems that the best I could do would be to have both LDAP
servers and all 4 PKI instances installed on shared storage.
Any thoughts on this are greatly appreciated.
Section 6.2 of the Install Guide discusses "Exporting Keys from a
Software Database". The command to do this is:
PKCS12Export -debug -d /var/lib/subsystem_name/alias -w p12pwd.txt -p
internal.txt -o master.p12
The manual never specifies "what" p12pwd.txt should contain. Same for
Of course, I know that these are passwords used during the installation
But which ones?