Enterprise CA Architecture
by orrious@yahoo.com
Hi Everyone,
I am setting up a Dogtag 9.0.3 CA PoC and have a couple of deployment questions. My goal is to have a secure and redundant CA and subsystems. The RA is external, redundant, and outside the scope of the discussion (for now). OCSP services will more than likely be distributed in multiple Server/LB pairs behind a single GTM VIP.
I am documenting each step of the install and will happily provide it so others don't have to ask the same questions.
Thank you for taking the time to read and provide feedback.
Scenario:
I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab load balances all incoming ports to both servers, during testing.
Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP: CA.lab. Instead I must select either CA1.lab or CA2.lab. Is there a way to configure the OCSP to connect to the VIP rather than a specific CA server?
Q2.) If I am unable to configure OCSP against a VIP, should I configure OCSP1->CA1 and OCSP2->CA2?
Q3.) If Q2 is true and one of the CAs is down, will OCSP fail over to the other CA, or will it just not answer a request?
Q4.) For the Dogtag web pages, how do I change the server name in the URI to the VIP, rather than the actual host name of the server? I.e., I go to https://ca.lab:9445/ca/services. Depending on the server I am load balanced to, the URLs for "Dogtag Certificate System", "SSL End Users Services", and "Agent Services" all go to CA1.lab:944x/ca.. rather than https://ca.lab:944x/ca. This also pertains to the OCSP pages.
Q5.) Certificates issued by default contain the OCSP service of the CA server that issued the certificate, i.e. http://ca1.lab:9180/ca/ocsp. Can this URI be changed to the LB VIP: http://ca.lab:9180/ca/ocsp, or can the VIP only be added to the certificate? If it can only be added, can the priority be changed so the VIP is queried first, as the CA would be firewalled in production and inaccessible?
Q6.) Should the OCSP services become unavailable, I would also like to publish the CRL in the certificates. What is the best performance for large CRLs, say 100K entries; a web page or LDAP?
Kind Regards,
Paul
11 years, 1 month
Bulk Revocation not working
by Taggart, Michelle
Hi,
I'm trying to perform bulk revocation through the web portal of my CA instance. I'm able to successfully perform my search using the "Issuing Information: Revoke certificates issued during the period: Start date same as end date" criteria, and it brings back all the proper search results, but when I click on "Revoke all # Certificates", it gives me the following error message:
Certificate Details
The details of the certificate being revoked are below:
No Matching Certificates Found
This works if I make the end date a day after the start date. I believe the issue is isolated to this scenario.
Thanks,
Michelle
11 years, 1 month
Using SCEP
by Oleg Antonenko
Hi!
I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP.
But before plunging into full blown installation and tests I'd like to understand overall SCEP cert enrolment workflow supported by Dogtag.
From the documentation on the web site I've figured out that it is possible to send SCEP requests either to RA or directly to CA.
As I understood in RA mode a user record with one-time PIN/Challenge has to be created in the 389 Directory first, and then a cert can be requested via SCEP.
Is that correct?
I did not get an impression that I have to do same when sending SCEP requests directly to CA.
Does anyone know if I have to create a user record in the 389 DS before sending a SCEP request to CA directly?
Thanks in advance,
Oleg
11 years, 1 month
User Authentication on the CA End-Entity portal
by Taggart, Michelle
Hi,
On Dogtag 10, is there a way to restrict the EE page to authenticate (either by certificate or credentials, credentials more preferred) before accessing the page?
Thanks,
Michelle (pbbunny)
11 years, 1 month
Finding CRL Issuing Point
by Taggart, Michelle
Hi,
Here's another noob question for you.
Where can I find the configuration/pointer to the CRL Issuing Point? I have an understanding that this extension needs to be specified on the certificate in order to have the certificate status checked when the server is accessed.
Thanks,
Michelle Taggart
11 years, 1 month
OCSP reply logging
by Remy van Elst
Hello,
Is it possible to have the ocsp subsystem log the status part (good, unknown etc.) of the replies it sends out? I've got it configured correctly and the responses it gives are as expected. However, in transaction.log I can see that it replies, but not the status of the reply (and the certificate it replies to), and with debug logging turned on I have a multi-line ocsp response in a log file, and I don't feel like parsing that.
Is there a (preferably simple) way to let the ocsp responder log the certificate, the status of that certificate and the requesting entity (for example by IP) in a plain-text format?
--
Remy van Elst
https://raymii.org - https://sparklingnetwork.nl
11 years, 1 month
Configuring external PKCS#11 Module (softhsm) with DogTag
by Jayakishore Thunga
Hi,
I am configuring an external HSM called SoftHSM to certificate system. Here is my configuration: DogTag 9.0, Fedora 15.
After pkicreate, I created the softhsm entry in the db. Here are the details:
[root@fed15vmnew alias]# modutil -dbdir . -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SOFTHSM PKCS #11 Module
        library name: /usr/lib/softhsm/libsofthsm.so
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM
        token: softhsm
-----------------------------------------------------------

[root@fed15vmnew alias]# modutil -dbdir . -nocertdb -list "SOFTHSM PKCS #11 Module"
-----------------------------------------------------------
Name: SOFTHSM PKCS #11 Module
Library file: /usr/lib/softhsm/libsofthsm.so
Manufacturer: SoftHSM
Description: Implementation of PKCS11
PKCS #11 Version 2.20
Library Version: 1.3
Cipher Enable Flags: None
Default Mechanism Flags: RSA

  Slot: SoftHSM
  Slot Mechanism Flags: RSA
  Manufacturer: SoftHSM
  Type: Software
  Version Number: 1.3
  Firmware Version: 1.3
  Status: Enabled
  Token Name: softhsm
  Token Manufacturer: SoftHSM
  Token Model: SoftHSM
  Token Serial Number: 1
  Token Version: 1.3
  Token Firmware Version: 1.3
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: Initialized

/var/lib/pki-ca/conf/password.conf
added this line
hardware-softhsm=12345&
Modified /var/lib/pki-ca/conf/serverCertNick.conf
softhsm:Server-Cert cert-pki-ca
After this, the configuration link doesn't open: https://fed15vmnew.newnet.local:9445/ca/admin/console/config/login?pin=mg... If password.conf & serverCertNick.conf are left unmodified, then the configuration link opens and the SoftHSM module is listed as Found, but it doesn't allow me to set it as default for the CA system.
Please help in setting up the external HSM to be configured with certificate system.
Thanks,
Br,
Kishore
8105176926
11 years, 2 months
Implications of Root Certificate reissue with a new key pair
by pki tech
Dear all,
I have been trying to regain my PKI system after a root certificate renewal with a NEW ROOT KEY PAIR, but I am still failing to start the CA instance.
I'm using DogTag 9.0 over Fedora 15 with a two tier local PKI hierarchy with a root CA and one subordinate CA.
Steps followed:
1. renew the caSigningCert via the pkiconsole with a new key pair and the same DN as earlier
2. restart the CA instance
Then the ca instance does not start and returns the following:
[root@root admin]# /sbin/service pki-cad restart pki-ca
Stopping pki-ca: [FAILED]
Starting pki-ca: [ OK ]
[root@root admin]# /sbin/service pki-cad status
pki-ca dead but subsys locked [WARNING]
I do understand that the subsystem certs and other system certificates need to be renewed after the root key renewal. I did try that out by renewing all the system certs via pkiconsole after the root key renewal without restarting the CA instance. But it was a blind guess, and I got the following hits in the debug log.
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=sslserver
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=subsystem
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=audit_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:auditSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
It would be great if someone could help me update the rest of the system certificates after the root key renewal and restore the CA functionality.
Thanks
11 years, 2 months
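As an added example (not code from the post or from Dogtag itself), here is a small Python parser for debug-log records of the shape quoted in the post above. It rejoins nothing itself; the sample input is the post's own excerpt with each wrapped record put back on one line. It pulls out which system certificate tag and nickname failed in verifySystemCerts(), and separately decodes the bracketed key=value fields of each SignedAuditEventFactory message so that CIMC_CERT_VERIFICATION events with Outcome=Failure can be listed. The record layout "[timestamp][thread]: message" and the field names are taken from the log lines as printed; nothing else about the Dogtag log format is assumed.

```python
import re

# Sample input: the debug-log excerpt from the post, one record per line.
SAMPLE_DEBUG_LOG = """\
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=sslserver
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=subsystem
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCerts() cert tag=audit_signing
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[02/Aug/2013:09:41:39][main]: CertUtils: verifySystemCertByNickname() failed:auditSigningCert cert-pki-ca
[02/Aug/2013:09:41:39][main]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
"""

# "[timestamp][thread]: message" as seen in the excerpt.
RECORD_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")
# The tag announced before each system cert is checked.
TAG_RE = re.compile(r"verifySystemCerts\(\) cert tag=(\S+)")
# The nickname reported when a check fails.
FAIL_RE = re.compile(r"verifySystemCertByNickname\(\) failed:(.+)$")
# The run of [Key=Value] fields following "message=".
AUDIT_RE = re.compile(r"message=((?:\[[^\]]*\])+)")
FIELD_RE = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def parse_record(line):
    """Split one log line into timestamp, thread and message; None if it is not a record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {"ts": m.group(1), "thread": m.group(2), "msg": m.group(3)}


def cert_verification_failures(log_text):
    """Map each system cert tag whose check failed to the nickname that failed.

    The tag line precedes the failure line, so the most recent tag is
    remembered and attached to the next 'failed:' record.
    """
    failures = {}
    current_tag = None
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        m = TAG_RE.search(rec["msg"])
        if m:
            current_tag = m.group(1)
            continue
        m = FAIL_RE.search(rec["msg"])
        if m and current_tag:
            failures[current_tag] = m.group(1).strip()
    return failures


def audit_events(log_text, event="CIMC_CERT_VERIFICATION", outcome="Failure"):
    """Return the decoded audit-event fields (plus timestamp) matching event and outcome."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        m = AUDIT_RE.search(rec["msg"])
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group(1)))
        if fields.get("AuditEvent") == event and fields.get("Outcome") == outcome:
            events.append({"ts": rec["ts"], **fields})
    return events


def summarize(log_text):
    """Human-readable summary of which system certs failed verification."""
    failures = cert_verification_failures(log_text)
    lines = ["%d system certificate(s) failed verification:" % len(failures)]
    for tag, nick in failures.items():
        lines.append("  %-14s -> %s" % (tag, nick))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG_LOG))
    for ev in audit_events(SAMPLE_DEBUG_LOG):
        print(ev["ts"], ev["AuditEvent"], ev["Outcome"], ev["CertNickName"])
```

Run against a real debug log (for example by reading the file into `summarize`), the output tells you at a glance whether every system certificate failed, as in the post, or only a subset, which is the first thing to establish before deciding which certificates need to be reissued under the new root key.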