Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and get them
signed by the CA. But it didn't work as expected. I believe the procedure
that I have followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
Subordinate CA setup procedures
by Dennis Gnatowski
Can someone provide or point me to documentation on setting up a subordinate CA? I have a Root CA running DogTag 10.1.1 on Fedora 20 and I just want to create a subordinate CA to this Root CA (also using DogTag).
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
10 years
Best way to bypass challenge password verification
by Peter Beal
Hello,
Our group is developing its own RA to be part of a PKI solution that
includes Dogtag. Our solution uses EST (RFC 7030) between the
clients and the RA, with the EST protocol terminating at the RA. The RA
then takes the CSRs and sends them on to Dogtag using REST commands.
This project has been going very well, however we did just hit one issue
that we were hoping others might be able to provide some guidance on.
The EST protocol defines a feature called Proof Of Possession (PoP)
where the client inserts the TLS unique ID of the TLS session between it
and the EST server, in our case our RA. This TLS UID is sent in the
challenge password attribute field of the CSR so that it can be signed
by the client. The EST server is responsible for verifying this TLS
UID, and once this verification is performed the value in the challenge
password field no longer has any meaning. Because the CSR cannot be
resigned at this point, the challenge password cannot be taken out of
the CSR. This CSR is passed as is along to Dogtag and we're currently
finding that Dogtag is checking the CSR and does not like the challenge
password attribute:
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: Start parsePKCS10():
MIIBdDCB3gIBADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAMPNKtwZO82WfR5u/hS+SsVghdS9jD5BQS6Z5ymXrKcr9R4t
DtSeEQ+AtCZ5qVNXcangb00vJgVqgS/7NH4MzSqscgNzZdpx9+mPklvOUuqTuYCv
MFIlMwP/2DJ6TBrmF86vJ1I0GmZAyTSzHg4V4YWaN7r0V7x0RyvFqoBnZU51AgMB
AAGgITAfBgkqhkiG9w0BCQcxEgwQTUR4clVZNmd6TnZqdWRmNzANBgkqhkiG9w0B
AQsFAAOBgQAAKLbWGndYFfa+8IhopufYOEKIOAmcT+Nhr27vFt5I4ymoUwSlKX9L
K+KpLho5Q2GsRoItNXJ6VxRcGe1CPZBW2ef7yPdZaKhFmnxXsYVQaqPY5BGI8kAY
MMMr75WQcpn+XUpu+FNB4F2j8YY314u2rsplCMbOdR4tcrgc8WqucA==
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile:
parsePKCS10: signature verification enabled
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile:
parsePKCS10: use internal token
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10
setting thread token
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10
java.io.IOException: DerValue.getPrintableString, not a string 12
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10
restoring thread token
So we're wondering what the best approach might be to handle this. Is
there a way to configure Dogtag so that it will ignore the challenge
password?
Thanks very much,
Pete Beal
10 years