Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditSigningCert) when
those existing certificates are currently expired? I can't access
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
that I followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 1 month
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 2 months
SCEP Enrollment fails with Certificate not found .
by Elliott William C OSS sIT
Hello,
We are currently trying to get a new RHEL6/Dogtag 9 setup with SafeNet HSMs working for SCEP enrollment. But no matter whether we try the older HSMs (LunaSA 4) or the newer ones (LunaSA 5), we cannot complete a successful SCEP request. The following exception occurs in the debug log:
[29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
[29/Sep/2014:13:41:17][http-9180-1]: message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ...
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
What stands out is the line with mNickname. After restarting the service, on the first request the HSM token name appears to be listed twice in the mNickname string. Interestingly, with each new request the number of token names in the string increases by one, i.e. on the 2nd attempt the same exception occurs but the token name appears three times:
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
As mentioned, the exception occurs with both versions 4 and 5 of LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating with SCEP enrollment.) With local tokens, (no HSMs) the error does not occur.
Any ideas how we can track this down? We definitely need to get this running.
Best regards!
William Elliott
s IT Solutions
Open System Services
9 years, 9 months
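The symptom in the post (one extra "osstest:" in mNickname per request, while the lookup fails for the singly-prefixed name) is the classic shape of a token prefix being written back into shared mutable state instead of being applied idempotently. The following is an added illustration, not Dogtag's code: the class, the prefixing rule and the treatment of the NSS internal token are assumptions made to reproduce the symptom, and the log lines are constructed to match the shape of the ones quoted above. It also includes a small check that flags a growing prefix count in a debug log, which is the quickest way to confirm the same pattern on another system.

```python
"""Reproduce and detect the growing 'token:' prefix seen in the SCEP debug log.

Added example, not Dogtag code. Class names, the prefixing rule and the
internal-token special case are assumptions; the log text is constructed.
"""
import re

TOKEN = "osstest"
CONFIGURED_NICK = "osstest:caSigningCert cert-pki-testca1"  # as stored in CS.cfg style config

# Constructed log lines in the shape of the ones quoted in the post.
SAMPLE_LOG = """\
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:42:05][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'
"""


class BuggyNicknameState:
    """Assumed cause: per-request code prefixes a field that outlives the request.

    Every call writes the prefixed value back, so the next request prefixes
    again and the nickname grows by one 'token:' each time.
    """

    def __init__(self, token, nickname):
        self.token = token
        self.nickname = nickname

    def qualified(self):
        self.nickname = f"{self.token}:{self.nickname}"
        return self.nickname


def qualify_nickname(token, nickname):
    """Idempotent form: exactly one 'token:' prefix, whatever the input had.

    NSS addresses certificates on the internal (software) token by bare
    nickname, so no prefix is added there; for an HSM token the prefix is
    added once, after stripping any copies already present.
    """
    if not token or token == "internal":
        return nickname
    prefix = f"{token}:"
    while nickname.startswith(prefix):
        nickname = nickname[len(prefix):]
    return prefix + nickname


NICK_RE = re.compile(r"mNickname: '([^']*)'")


def prefix_counts(log_text, token):
    """Number of leading 'token:' copies in each mNickname line, in log order."""
    prefix = f"{token}:"
    counts = []
    for match in NICK_RE.finditer(log_text):
        nick, n = match.group(1), 0
        while nick.startswith(prefix):
            n += 1
            nick = nick[len(prefix):]
        counts.append(n)
    return counts


def prefix_is_growing(log_text, token):
    """True when a later mNickname line carries more prefixes than an earlier one."""
    counts = prefix_counts(log_text, token)
    return any(later > earlier for earlier, later in zip(counts, counts[1:]))


if __name__ == "__main__":
    state = BuggyNicknameState(TOKEN, CONFIGURED_NICK)
    for request in (1, 2):
        print(f"request {request}: buggy mNickname = {state.qualified()!r}")
    print("idempotent:", qualify_nickname(TOKEN, "osstest:osstest:caSigningCert cert-pki-testca1"))
    print("prefix counts in log:", prefix_counts(SAMPLE_LOG, TOKEN),
          "growing:", prefix_is_growing(SAMPLE_LOG, TOKEN))
```

Run it against a real debug log by replacing SAMPLE_LOG with the file contents; a monotonically rising count across requests for the same thread points at state that survives the request, rather than at the HSM itself, which matches the observation that the software token does not show the error.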
Urgent Help Needed - CA subsystem certificate renewal
by pki tech
Dear All,
In our issuing CA, all the subsystem certificates are expired except the
caSigningCert.
I can generate the new certificate requests via certutil, but how can I get
them signed?
Your swift response is appreciated.
Regards,
Kamal
9 years, 9 months
Using the linux sscep client with dogtag 10.1.2-2.fc20
by John McLean
Wondering if anyone is using the linux sscep client with Dogtag 10/fc20
and could shed some light on the command lines for "sscep getca ..." and
"sscep enroll ..."
Been combing through the documentation but everything seems to be describing older versions of dogtag, 1.3 and 9.
From
http://pki.fedoraproject.org/wiki/SCEP_in_Dogtag
This example points to ca/cgi-bin/pkiclient.exe.
In Dogtag 10.1.2-2.fc20 there's:
/usr/share/pki/ra/docroot/ee/scep/pkiclient.cgi
Has anybody had any success in using this? Have I missed some newer docs somewhere?
Much thanks, J.
9 years, 10 months
Can OpensSSL be used as external CA ?
by kritee jhawar
Hi
In my recent thread I read that there is a bug due to which Microsoft CA
can't work as an external CA for Dogtag.
Can OpenSSL be used?
Thanks
Kritee
9 years, 10 months
CA integration and installation with HSM
by Dennis Gnatowski
What are the steps to integrate DogTag (Root) CA with an HSM? Does this have to occur during installation?
I've successfully performed a general installation with CA keys in software. I was then able to modify secmod.db to add the HSM library and restart the system. I can both use command line utilities (certutil) and GUI (pkiconsole) to create keys on the HSM. Re-keying the caSigning certificate works but the CA certificate is issued (issuer) by the original software-based issuer (therefore NOT a self-signed CA cert!). So I assume this has to be done during initial installation (custom install). But, how do I get the HSM PKCS#11 library added/included with the custom install?
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
9 years, 10 months