Problem with Subject Alternative Name Extension
by Riccardo Brunetti
Dear pki-users.
I'm trying to setup a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:
Criticality = not critical
Type = RFC822Name
Value = the email of the requestor.
I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
The input certificate request is generated using certutil and CMCEnroll and the command used is the following:
certutil -R -g 2048 -s "<the-subject>" -7 "<the-requestor-email>" -d <a-local-dir> ……
The certificate is generated, but the extension is not populated with the email address and I always get:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
RFC822Name: $request.requestor_email$
These are the installed packages:
pki-java-tools-9.0.18-1.fc15.noarch
pki-selinux-9.0.18-1.fc15.noarch
pki-setup-9.0.18-1.fc15.noarch
pki-ca-9.0.18-1.fc15.noarch
dogtag-pki-common-theme-9.0.10-1.fc15.noarch
pki-symkey-9.0.18-1.fc15.x86_64
pki-native-tools-9.0.18-1.fc15.x86_64
dogtag-pki-ca-theme-9.0.10-1.fc15.noarch
pki-console-9.0.5-1.fc15.noarch
pki-util-9.0.18-1.fc15.noarch
dogtag-pki-console-theme-9.0.10-1.fc15.noarch
pki-common-9.0.18-1.fc15.noarch
Does anybody have some suggestion on how to solve this issue? Any input would be very appreciated.
Best Regards
Riccardo
Riccardo Brunetti
INFN-Torino
Tel: +390116707295
riccardo.brunetti(a)to.infn.it
12 years, 7 months
Error installing alpha 10
by Mike Mercier
Hello,
I tried to setup an instance of alpha 10 without success:
[root@localhost log]# more /etc/redhat-release
Fedora release 16 (Verne)
[root@localhost log]# rpm -qa|grep pki
pki-common-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
dogtag-pki-ca-theme-10.0.0-0.1.a1.20120315T0001z.git4f7ada5.fc16.noarch
pki-selinux-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
pki-deploy-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
pki-symkey-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.x86_64
pki-util-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
pki-setup-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
dogtag-pki-common-theme-10.0.0-0.1.a1.20120315T0001z.git4f7ada5.fc16.noarch
pki-native-tools-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.x86_64
pki-ca-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
pki-java-tools-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
[root@localhost ~]# pkicreate -pki_instance_root=/var/lib
-pki_instance_name=pki-ca -subsystem_type=ca -agent_secure_port=9443
-ee_secure_port=9444 -ee_secure_client_auth_port=9446
-admin_secure_port=9445 -unsecure_port=9180 -tomcat_server_port=9701
-user=pliuser -group=pkiuser -redirect conf=/etc/pki-ca -redirect
logs=/var/log/pki-ca -verbose
I see the following errors when running the above command:
[debug] Attempting to add hardware security modules to system if
applicable ...
[debug] module name: lunasa lib:
/usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
[debug] module name: nfast lib:
/opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[debug] configuring SELinux ...
[error] Failed setting selinux context pki_ca_port_t for 9180. Port
already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9701. Port
already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9443. Port
already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9444. Port
already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9446. Port
already defined otherwise.
[error] Failed setting selinux context pki_ca_port_t for 9445. Port
already defined otherwise.
[debug] Selinux contexts already set. No need to run semanage.
[debug] Running restorecon commands
[error] FAILED run_command("/bin/systemctl restart
pki-cad(a)pki-ca.service"), exit status=1 output="Job failed. See system
logs and 'systemctl status' for details."
[root@localhost log]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 localhost.localdomain:ipp *:*
LISTEN
tcp 0 0 localhost.localdomain:smtp *:*
LISTEN
tcp 0 0 *:9830 *:*
LISTEN
tcp 0 0 *:47372 *:*
LISTEN
tcp 0 0 *:sunrpc *:*
LISTEN
tcp 0 0 *:ssh *:*
LISTEN
tcp 0 0 *:ipp *:*
LISTEN
tcp 0 0 *:45602 *:*
LISTEN
tcp 0 0 *:sunrpc *:*
LISTEN
tcp 0 0 *:ssh *:*
LISTEN
udp 0 0 *:64440 *:*
udp 0 0 *:mdns *:*
udp 0 0 *:42572 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:ntp *:*
udp 0 0 *:323 *:*
udp 0 0 *:51643 *:*
udp 0 0 *:ipp *:*
udp 0 0 *:entrust-kmsh *:*
udp 0 0 localhost.localdomain:733 *:*
udp 0 0 *:38474 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:ntp *:*
udp 0 0 *:323 *:*
udp 0 0 *:23085 *:*
udp 0 0 *:entrust-kmsh *:*
Any ideas?
Note: I have already perfomed a pkiremove.
Thanks,
Mike
12 years, 8 months
Announcing 'Dogtag 10.0.0 (Alpha)'
by Matthew Harmsen
The Dogtag team is pleased to announce the availability of an Alpha
Release of the Dogtag 10.0 code.
This release contains the following features:
1. Extension of the functionality of the DRM to store and retrieve
symmetric keys and passphrases,
rather than only asymmetric keys. This feature allows the DRM to be
used as a secure
vault-like storage for essentially any sensitive data. The data is
stored using the same
secure FIPS-compliant storage mechanism used to store PKI keys.
2. The new DRM functionality is exposed through a new REST interface,
provided by the RESTEasy
framework. This provides an intuitive mechanism for writing clients
to the interface. Both
Java (using the RESTEasy client proxy framework) and Python clients
have been coded. The
server uses standard Java libraries to generate and parse XML or
JSON input and output data.
3. Extracted authentication and authorization code from the individual
servlets into a standard
Tomcat authentication realm. This realm has been configured to
require client certificate
authentication, and is being used to secure the new DRM REST
interface. In the future, this
authentication realm could be extended to include other kinds of
authentication (such as
Kerberos). This is part of a push to refactor the code to expose
the core business
functionality in the servlets, while extracting the ancillary tasks
(authentication,
authorization, XML parsing and generation, etc.) and using standard
methods and libraries to
accomplish these tasks.
4. Enhanced Java subsystems so that they could connect to the internal
database using a
non-directory manager user, that is authenticated using client
authentication. This resolves a
number of issues with LDAP operations ignoring search limits. In
addition, some changes have
been made to allow integrating the Dogtag database with other
systems such as IPA.
5. A new package pki-deploy contains the initial framework for a
Python-based
installer/de-installer (pkispawn/pkidestroy) that will be used to
install and configure a
Dogtag instance. This will ultimately replace the pki-setup
installer/de-installer
(pkicreate, pkidestroy) package, and the pki-silent instance
configuration (pkisilent) package.
6. Much of the focus of this release was on cleaning up and modernizing
the Dogtag source code.
* Dogtag source code has been moved to git.
* Java coding standards have been revised - and the code has been
reformatted to match those
standards.
* Initially, Eclipse reported about 13000 warnings in the dogtag
code. Those have been reduced
to close to 2400. This included removing dead and unused code,
replacing calls to deprecated
functions and replacing raw collections with type-safe generics.
NOTE: These numbers currently exclude console code.
* OSUtil is a package that has certain utilities that were not
available when the Dogtag code
was originally written. These utilities are now available in
current standard
libraries - and so this package has been eliminated entirely.
* Improved handling of short and long lived threads which allow
threads to exit gracefully on
shutdown.
The builds can be found at the following links:
*
http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/i686
- Fedora 16 (32-bit i686)
*
http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/x86_64
- Fedora 16 (64-bit x86_64)
*
http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/SRPMS
- Fedora 16 (Source)
*
http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/i686
- Fedora 17 (32-bit i686)
*
http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/x86_64
- Fedora 17 (64-bit x86_64)
*
http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/SRPMS
- Fedora 17 (Source)
12 years, 9 months