Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
I followed to generate the requests, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 2 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 3 months
SCEP Enrollment fails with Certificate not found.
by Elliott William C OSS sIT
Hello,
We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs set up for SCEP enrollment. But no matter whether we try the older HSMs (LunaSA 4) or the newer (LunaSA 5), we cannot complete a successful SCEP request. The following exception occurs in the debug log:
[29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
[29/Sep/2014:13:41:17][http-9180-1]: message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ...
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
What stands out is the line with mNickname. After restarting the service, with the first request, the HSM token name appears to be listed twice in the mNickname string. Interestingly, with each new request the number of token names in the string increases by one, i.e. with the 2nd attempt the same exception occurs but the token name appears three times:
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
As mentioned, the exception occurs with both versions 4 and 5 of LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating with SCEP enrollment.) With local tokens (no HSMs), the error does not occur.
Any ideas how we can track this down? We definitely need to get this running.
Best regards!
William Elliott
s IT Solutions
Open System Services
s IT Solutions AT Spardat GmbH
A-1110 Wien, Geiselbergstraße 21 - 25
Phone: +43 (0)5 0100 - 39376
Fax: +43 (0)5 0100 9 - 39376
Mobile: +43 (0) 5 0100 6 - 39376
william.elliott at s-itsolutions.at
www.s-itsolutions.com
9 years, 10 months
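The growth of the token prefix described above can be checked mechanically rather than by eye. The following is an added example, not code from the post or from the Dogtag project: it reads CA debug-log lines, extracts the mNickname value that CRSEnrollment logs, counts how many "token:" prefixes are stacked in front of the certificate nickname, and reports whether that count rises between consecutive requests. The two sample lines and the token name osstest are the ones quoted in the post; the log path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post or the Dogtag project): count the
# "<token>:" prefixes on the mNickname logged by CRSEnrollment and detect
# whether the count grows from one SCEP request to the next.

q="'"

# token_prefix_count TOKEN LINE
# Prints how many leading "TOKEN:" prefixes the mNickname in LINE carries
# (0 when the line holds no mNickname or the nickname is unprefixed).
token_prefix_count() {
    nick=${2#*mNickname: $q}   # keep everything after the opening quote
    nick=${nick%$q*}           # drop the closing quote and what follows
    n=0
    while [ "${nick#"$1:"}" != "$nick" ]; do
        nick=${nick#"$1:"}
        n=$((n + 1))
    done
    echo "$n"
}

# prefix_trend TOKEN   (reads debug-log lines on stdin)
# Prints "growing" if the prefix count rises between consecutive mNickname
# lines, "stable" otherwise. A rising count across requests means the token
# name is re-prepended every time a CryptoContext is built, which is the
# symptom the post describes.
prefix_trend() {
    prev=""
    trend=stable
    while IFS= read -r line; do
        case $line in
            *"mNickname: $q"*) ;;
            *) continue ;;
        esac
        cur=$(token_prefix_count "$1" "$line")
        if [ -n "$prev" ] && [ "$cur" -gt "$prev" ]; then
            trend=growing
        fi
        prev=$cur
    done
    echo "$trend"
}

# Sample input: the two mNickname lines quoted in the post (first and second request).
SAMPLE_LOG="[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'"

# Per-request prefix counts (2, then 3) and the overall trend ("growing").
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do token_prefix_count osstest "$l"; done
echo "trend: $(printf '%s\n' "$SAMPLE_LOG" | prefix_trend osstest)"

# On a live system, feed the real debug log instead (path is an assumption):
#   prefix_trend osstest < /var/lib/pki-ca/logs/debug
```

A count of 1 on every request is what a healthy context should show; a count that climbs with each request points at state that survives between requests, which narrows the search to how the nickname is assembled rather than to the HSM itself.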
Can OpenSSL be used as external CA?
by kritee jhawar
Hi
In my recent thread I read that there is a bug due to which Microsoft CA
can't work as external CA for dogtag.
Can OpenSSL be used?
Thanks
Kritee
9 years, 11 months
Dogtag 10.2.0 is now in Debian
by Timo Aaltonen
Hi!
I'm happy to announce that Dogtag (version 10.2.0) has finally entered
the Debian unstable repository this week. Assuming there won't be any nasty
surprises, the next stable release ("Jessie") will include it. Many
thanks to Ade Lee who did the first pass of packaging the long chain of
dependencies, up to and including RESTEasy.
And next week there should be another announcement...
--
t
9 years, 11 months
Dogtag and Internet Explorer 11 Compatible?
by Ricardo Alexander Alexander Perez Ricardez
Hi... I'm trying to generate a certificate request from a computer with Windows 7 64-bit and Internet Explorer 11.
In the Certificate Profile page " Certificate Profile - Manual User Dual-Use Certificate Enrollment"
Internet Explorer 11 does not display the values of Key Generation.
And finally when I send the certificate request, I get the error:
Sorry, your request is not submitted. The reason is "Certificate Request Not Found".
On the server side... The request appears as "REJECTED"
9 years, 12 months
[HELP NEEDED] External CA configuration for Dogtag
by kritee jhawar
Hello,
I am an engineer from India and I have been struggling with this for the
past 2 weeks. I request you to help me out.
*USE-CASE: *
Dogtag is the private CA for multiple services in a cluster. Trust is
established by providing the root certificate of dogtag to all the
services. What happens if dogtag crashes? All the services will have to be
given the root certificate of the new dogtag.
How can we avoid this?
Can we bring up multiple instances of dogtag with a static certificate every
time?
The only way I could find is by using the *external CA* option.
I am following the 2-step pkispawn process with 2 config files
(deployment-1.cfg and deployment-2.cfg)
In the first step the csr is generated. I take the csr and get a
certificate from the external CA and place it in the required location. The
root certificate of the CA has also been placed in the required location.
Step 2 of pkispawn goes through and the ca_admin cert is generated and
signed.
However, when I make a REST call to list the certificates, I get 2
different errors:
(Please note that I replicated the same steps with the same files on 2 setups
and got 2 errors)
curl -k --request GET https://localhost:9443/ca/rest/certs
*ERROR 1*
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error listing certs in CertsResourceService.listCerts!</Message><Attributes/></PKIException>
*ERROR 2*
With the same steps I also get a NullPointerException (attached
logs: null-pointer-error.txt)
When I see the status of my pki-instance after pkispawn step 2, it says
the instance is loaded and needs to be configured. (attached logs:
post-pkispawn-2.txt)
However, it starts using systemctl without any errors.
I suspect I am missing some part in the configuration.
Any help/pointers would be very helpful!
Thanks
Kritee
*Attached files:*
deployment-1.txt - config file for pkispawn step 1
deployment-2.txt - config file for pkispawn step 2
pkispawn-1-log.txt - logs for pkispawn step 1
pkispan-2-log.txt - logs for pkispawn step 2
dogtag-cert.txt - root certificate of dogtag generated by external CA
ca-admin-cert.txt - admin cert signed by dogtag
null-pointer-error.txt - null pointer exception while making a REST call to
list certs
post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
9 years, 12 months
failure trying to install instances other than CA
by Timo Aaltonen
Hi
While porting to Debian/Ubuntu I noticed this when installing a new
instance (KRA/TPS..):
<snip>
Security Domain:
Hostname [sid.tyrell]:
Secure HTTP port [8443]:
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 586, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 268, in main
    info = parser.sd_get_info()
  File "/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py", line 465, in sd_get_info
    config.pki_log.info(
AttributeError: 'NoneType' object has no attribute 'info'
</snip>
I'm no python expert, but looks like config.pki_log is still
uninitialized (pki_log = None in pkiconfig.py)? What am I missing?
--
t
9 years, 12 months