base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere, or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 4 months
Re: [Pki-users] CA Administrator of Instance pki-ca
by Andrew Wnuk
On 10/11/2013 07:04 AM, Richard Thomas wrote:
>
> Hi Andrew,
>
> Thanks for those tips, I had some success, then difficulty and then
> success.
>
> Below is what I did, with some of my comments inline.
>
> Before I get to that though, there are some other certificates that
> are due to run out soon, but I think they should be easier to renew.
>
> The Common Name of those other certificates are:
>
> o) CN=OCSP Signing Certificate
>
> o) CN=<servername>
>
> o) CN=CA Subsystem Certificate
>
> o) CN=CA Audit Signing Certificate
>
As I noticed below, your server provides the option "Renew
certificate to be manually approved by agents".
You should use this option for all your renewals.
Then start pkiconsole, go to "System Keys and Certificates", select
"Local Certificates", click on "Add/Renew", "Next" and "Install a
certificate".
> Please could you help me and let me know what steps I should take for
> renewing these too.
>
> Thank you.
>
> Anyway, back to what I did to get the admin certificate updated.
>
> Your steps are still numbered, the ones that I did around them are
> identified with o)
>
> Here goes:
>
> o) Edit /var/lib/pki-ca/profiles/ca/caUserCert.cfg
>
> Change:
>
> visible=false
>
> enable=false
>
> To:
>
> visible=true
>
> enable=true
>
> o) Restart service "pki-cad"
>
> 1. Go to EE interface (typically
> https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use
> Certificate Enrollment"
>
> 2. Fill out the form and submit request
>
> 3. Go to Agent interface (typically
> https://<hostname>:9443/ca/agent/ca/) and approve submitted request
>
> 4. Return to EE interface, select "Retrieval" tab and
> "Check Request Status".
>
> 5. Type in request number and press submit.
>
> 6. Click on issued certificate serial number.
>
> >I did "List Certificates", went to the last page and found the certificate that way
>
> 7. Go to the end of page displaying certificate and press
> "Import Your Certificate"
>
> >I got "The server returned an invalid client certificate. Error 207 (net::ERR_CERT_INVALID)"
>
This probably means that the browser which generated the certificate request
(and the key) is not the same browser used to import the certificate.
> > So having got stuck at this point, I figured I could use what I had done before and then use your pkiconsole instructions.
>
> > The below is end-to-end from what I started off on my own and then across to the second half of your instructions.
>
> o) Go to the <server>:9444/ca/ee/ca URL
>
> o) Click on "Renewal: Renew certificate to be manually approved by
> agents" (make a note of the number)
>
> o) Go to the <server>:9443/ca/agent/ca URL to approve my request. (Use
> the number above)
>
> o) Go to the <server>:9444/ca/ee/ca URL to retrieve the certificate.
> (Use the number above) and click on the Issued certificate
>
> o) Extract the Base 64 encoded part of the certificate and save as
> <new certificate name>.pem
>
> o) Transfer <old certificate bundle name>.p12 and <new certificate
> name>.pem to a machine with openssl installed on it
>
> o) On a machine with openssl installed on it, submit following command:
>
> $ openssl pkcs12 -in <old certificate bundle name>.p12 -out <old certificate bundle name>.pem -nodes
>
> o) Copy <old certificate bundle name>.pem to <new certificate bundle
> name>.pem
>
> o) Update <new certificate bundle name>.pem by replacing the relevant
> part of it with the contents of <new certificate name>.pem
>
> o) Cut the key part of <new certificate bundle name>.pem and create
> <certificate name>.key from it
>
> o) Submit following command:
>
> $ openssl pkcs12 -export -in <new certificate bundle name>.pem -inkey <certificate name>.key -out <new certificate bundle name>.p12
>
> o) Transfer <new certificate bundle name>.p12 to the machine with the
> web browser that you want to access Dog Tag from.
>
> o) Import <new certificate bundle name>.p12 into the machine.
>
> 8. Start pkiconsole (typically by running "pkiconsole
> https://`hostname`:9445/ca")
>
> 9. Select "Users and Groups" and select your admin entry.
>
> 10. Press "Certificates" button then "Import" and paste in
> the contents of <new certificate name>.pem, then OK and "Done"
>
> 11. Clear SSL cache in the browser or restart your browser.
>
> 12. You should now be able to use your new certificate to
> access Agent interface
>
> >YES -- I can now access the agent interface using the new certificate :)
>
> From: Andrew Wnuk [mailto:awnuk@redhat.com]
> Sent: 08 October 2013 19:26
> To: Richard Thomas
> Cc: pki-users-bounces(a)redhat.com
> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca
>
> On 10/07/2013 11:41 AM, Richard Thomas wrote:
>
> Hi Andrew,
>
> Thanks very much for sending this to me.
>
> The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5)
>
> I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite...
>
> I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are:
>
> o) Renewal: Renew certificate to be manually approved by agents
>
> o) Cisco VPN Client Enrolment
>
> The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that.
>
> The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page.
>
> I then use the <server>:9443/ca/agent/ca URL to approve my request.
>
> Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate.
>
> I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a few openssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one.
>
> I managed to import it into my machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it.
>
> After that is where the first thing looks different, but I wasn't too worried about it. I get a message saying "Request For Permission to Use a Key", so I grant permission.
>
> Then things don't look good at all, as once I'm past that, all the pages say "Invalid Credential".
>
> I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag.
>
> Do you have any ideas where I have gone wrong with this please?
>
> Thank you very much.
>
> Richard.
>
> Unfortunately your version is old enough to miss new renewal profiles,
> which would make your task easier.
>
> Here is a simple way to renew your CA administrator certificate:
>
> 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/)
> and select "Manual User Dual-Use Certificate Enrollment"
> 2. Fill out the form and submit request
> 3. Go to Agent interface (typically
> https://<hostname>:9443/ca/agent/ca/) and approve submitted request
> 4. Return to EE interface, select "Retrieval" tab and "Check Request
> Status".
> 5. Type in request number and press submit.
> 6. Click on issued certificate serial number.
> 7. Go to the end of page displaying certificate and press "Import
> Your Certificate"
> 8. Start pkiconsole (typically by running "pkiconsole
> https://`hostname`:9445/ca")
> 9. Select "Users and Groups" and select your admin entry.
> 10. Press "Certificates" button then "Import" and paste in your new
> base64 encoded certificate, then OK and "Done"
> 11. Clear SSL cache in the browser or restart your browser.
> 12. You should now be able to use your new certificate to access Agent
> interface
>
> Thanks,
> Andrew
>
> ________________________________________
> From: pki-users-bounces(a)redhat.com [pki-users-bounces(a)redhat.com] On Behalf Of Andrew Wnuk [awnuk(a)redhat.com]
> Sent: Thursday, October 03, 2013 6:05 PM
> To: pki-users(a)redhat.com
> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca
>
> Hi Richard,
>
> You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certific...
> and then add new certificate to CA administrator entry using console.
>
> Best,
> Andrew
>
> On 10/03/2013 08:49 AM, Richard Thomas wrote:
> Hi all,
>
> I hope someone would be able to help me with this.
>
> I have taken over a Dog Tag system and I have little knowledge of it.
>
> I need to renew the "CA Administrator of Instance pki-ca" certificate, as it is running out in a few weeks.
>
> Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it.
>
> I would massively appreciate any guidance on this.
>
> Thanks in advance,
>
> Richard.
>
> The Logic Group Enterprises Limited
> Logic House, Waterfront Business Park, Fleet, Hampshire, GU51 3SB, United Kingdom
> phone +44 1252 776 700
> fax +44 1252 776 738
> email info(a)the-logic-group.com
> web www.the-logic-group.com
> Registered in England, Number 2609323
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
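The .p12 rebuild Richard walks through in his "o)" steps, and the failure Andrew diagnoses (certificate request and key generated in one browser, certificate imported in another, ending in ERR_CERT_INVALID or "Invalid Credential"), as an added example that is not code from this thread or from Dogtag: a POSIX shell script over the openssl CLI that pulls the private key out of the old bundle, refuses to export unless the renewed certificate's public key is byte-identical to that key's public half, and only then writes the new bundle. Everything in demo() is constructed here (self-signed certificates standing in for the CA's output, the password demo-pass, the function names); a real renewal supplies the bundle the CA console exported and the PEM retrieved from the EE interface.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a PKCS#12 bundle around a
# renewed certificate, but only if that certificate was issued for the
# private key already in the bundle. A cert from another key (the other-
# browser case in the thread) is rejected before anything is exported.
set -eu

# rebuild_p12 OLD.p12 NEW.pem NEW.p12 PASSWORD
#   Same password assumed for import and export (an assumption of this
#   example). Returns non-zero on any failure, including key mismatch.
rebuild_p12() {
    old_p12=$1; new_cert=$2; new_p12=$3; pass=$4
    work=$(mktemp -d) || return 1
    # 1. Private key out of the old bundle; unencrypted, but only in the temp dir
    if ! openssl pkcs12 -in "$old_p12" -nocerts -nodes -passin "pass:$pass" \
            -out "$work/old.key" 2>/dev/null; then
        echo "could not read the private key from $old_p12" >&2
        rm -rf "$work"; return 1
    fi
    # 2. DER-encoded public keys from both sides; they must match exactly
    openssl pkey -in "$work/old.key" -pubout -outform DER \
        > "$work/key.pub" 2>/dev/null
    openssl x509 -in "$new_cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER > "$work/cert.pub" 2>/dev/null
    if ! cmp -s "$work/key.pub" "$work/cert.pub"; then
        echo "refusing: $new_cert was not issued for the key in $old_p12" >&2
        rm -rf "$work"; return 1
    fi
    # 3. Export the new bundle: old key + renewed certificate
    if ! openssl pkcs12 -export -in "$new_cert" -inkey "$work/old.key" \
            -passout "pass:$pass" -out "$new_p12"; then
        echo "export of $new_p12 failed" >&2
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

# demo: constructed material only (throwaway key, self-signed certs), so the
# script runs offline. Prints subject and expiry of the rebuilt bundle.
demo() {
    d=$(mktemp -d) || return 1
    subj="/CN=CA Administrator of Instance pki-ca"
    # "old" bundle: fresh key + short-lived certificate
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/admin.key" \
        -out "$d/old.crt" -subj "$subj" -days 1 2>/dev/null || return 1
    openssl pkcs12 -export -in "$d/old.crt" -inkey "$d/admin.key" \
        -passout pass:demo-pass -out "$d/old.p12" || return 1
    # "renewed" certificate: same key, longer validity (stands in for the CA)
    openssl req -new -x509 -key "$d/admin.key" -out "$d/new.crt" \
        -subj "$subj" -days 365 2>/dev/null || return 1
    rebuild_p12 "$d/old.p12" "$d/new.crt" "$d/new.p12" demo-pass || return 1
    # a certificate issued for a different key must be rejected, nothing written
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -out "$d/other.crt" -subj "/CN=other" -days 1 2>/dev/null || return 1
    if rebuild_p12 "$d/old.p12" "$d/other.crt" "$d/bad.p12" demo-pass 2>/dev/null; then
        echo "key mismatch was not detected" >&2; return 1
    fi
    [ ! -f "$d/bad.p12" ] || return 1
    openssl pkcs12 -in "$d/new.p12" -nokeys -passin pass:demo-pass 2>/dev/null \
        | openssl x509 -noout -subject -enddate
    rm -rf "$d"
}

demo
```

For a real renewal the call is rebuild_p12 old-admin.p12 new-admin.pem new-admin.p12 '<bundle password>'; the public-key comparison is the part worth keeping even if the rest is done by hand, since a bundle whose certificate and key disagree imports into the browser without complaint and only fails once Dogtag checks the client certificate.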
11 years
Could RHCS81 run under RHEL59?
by 安泱
Hi all,
service pki-ca start failed, in catalina.out:
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/logging.properties read)
The same installation method works under RHEL58, but does not run under RHEL59.
11 years, 1 month
Re: [Pki-users] CA Administrator of Instance pki-ca
by Andrew Wnuk
On 10/07/2013 11:41 AM, Richard Thomas wrote:
> Hi Andrew,
>
> Thanks very much for sending this to me.
>
> The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5)
>
> I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite...
>
> I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are:
> o) Renewal: Renew certificate to be manually approved by agents
> o) Cisco VPN Client Enrolment
>
> The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that.
>
> The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page.
>
> I then use the <server>:9443/ca/agent/ca URL to approve my request.
>
> Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate.
>
> I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a few openssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one.
>
> I managed to import it into my machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it.
>
> After that is where the first thing looks different, but I wasn't too worried about it. I get a message saying "Request For Permission to Use a Key", so I grant permission.
>
> Then things don't look good at all, as once I'm past that, all the pages say "Invalid Credential".
>
> I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag.
>
> Do you have any ideas where I have gone wrong with this please.
>
> Thank you very much.
>
> Richard.
Unfortunately your version is old enough to miss new renewal profiles,
which would make your task easier.
Here is a simple way to renew your CA administrator certificate:
1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and
select "Manual User Dual-Use Certificate Enrollment"
2. Fill out the form and submit request
3. Go to Agent interface (typically
https://<hostname>:9443/ca/agent/ca/) and approve submitted request
4. Return to EE interface, select "Retrieval" tab and "Check Request
Status".
5. Type in request number and press submit.
6. Click on issued certificate serial number.
7. Go to the end of page displaying certificate and press "Import Your
Certificate"
8. Start pkiconsole (typically by running "pkiconsole
https://`hostname`:9445/ca")
9. Select "Users and Groups" and select your admin entry.
10. Press "Certificates" button then "Import" and paste in your new
base64 encoded certificate, then OK and "Done"
11. Clear SSL cache in the browser or restart your browser.
12. You should now be able to use your new certificate to access Agent
interface
Thanks,
Andrew
>
> ________________________________________
> From: pki-users-bounces(a)redhat.com [pki-users-bounces(a)redhat.com] On Behalf Of Andrew Wnuk [awnuk(a)redhat.com]
> Sent: Thursday, October 03, 2013 6:05 PM
> To: pki-users(a)redhat.com
> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca
>
> Hi Richard,
>
> You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
> and then add new certificate to CA administrator entry using console.
>
> Best,
> Andrew
>
> On 10/03/2013 08:49 AM, Richard Thomas wrote:
> Hi all,
>
> I hope someone would be able to help me with this.
>
> I have taken over a Dog Tag system and I have little knowledge of it.
>
> I need to renew the “CA Administrator of Instance pki-ca” certificate, as it is running out in a few weeks.
>
> Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it.
>
> I would massively appreciate any guidance on this.
>
> Thanks in advance,
>
> Richard.
>
11 years, 1 month
will the new version of RHCS support RHEL6?
by 安泱
Hi all,
I'm a beginner with the Dogtag certificate system. Dogtag (RHCS) is a wonderful project, but I'm confused about RHCS; could you give me some help?
The latest version of RHCS is 8.1, which is based on Dogtag 8.1 and supports RHEL5.8; in RHEL6, pki-ca 9.0.3 was included without the other 5 subsystems. Could you tell me the reason why RHCS does not support RHEL6?
Is RHEL6 not secure enough, or is there some other reason?
Regards.
An Yang
11 years, 1 month
CA Administrator of Instance pki-ca
by Richard Thomas
Hi all,
I hope someone would be able to help me with this.
I have taken over a Dog Tag system and I have little knowledge of it.
I need to renew the "CA Administrator of Instance pki-ca" certificate, as it is running out in a few weeks.
Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it.
I would massively appreciate any guidance on this.
Thanks in advance,
Richard.
The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet, Hampshire, GU51 3SB, United Kingdom
phone +44 1252 776 700
fax +44 1252 776 738
email info(a)the-logic-group.com
web www.the-logic-group.com
Registered in England, Number 2609323
11 years, 1 month
pki-ca-9.0.3-30 setup
by Oleg Antonenko
Hello there!
Could you help with the CA setup please?
We installed a new machine with CentOS release 6.4 (Final) and installed the pki-ca-9.0.3-30 package.
The command we used for creation was:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca \
-subsystem_type=ca \
-agent_secure_port=9443 \
-ee_secure_port=9444 \
-ee_secure_client_auth_port=9446 \
-admin_secure_port=9445 \
-unsecure_port=9180 \
-tomcat_server_port=9701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca \
-redirect logs=/var/log/pki-ca \
-verbose
After clicking through the wizard and restarting the service:
status:
[root@jdrhel2 ~]# /sbin/service pki-cad status pki-ca
pki-ca (pid 4988) is running... [ OK ]
Unsecure Port = http://jdrhel2:9180/ca/ee/ca
Secure Agent Port = https://jdrhel2:9443/ca/agent/ca
Secure EE Port = https://jdrhel2:9444/ca/ee/ca
Secure Admin Port = https://jdrhel2:9445/ca/services
EE Client Auth Port = https://jdrhel2:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://jdrhel2:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: AMSDomain
URL: https://jdrhel2:9445
==========================================================================
Everything seems to be running, but when I connect to the addresses above, I can see Firefox verifying the server certificate and presenting my personal certificate, but then the page is empty.
To be precise, there are just two links leading to empty pages:
- link 'SSL End Users Services' pointing at https://jdrhel2:9444/ca/ee/ca and
- link 'Agent Services' pointing at https://jdrhel2:9443/ca/agent/ca
Is there anything we did wrong or forgot to configure?
Many thanks,
Oleg
11 years, 1 month