Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
the existing certificates have already expired? I can't access
pkiconsole either, as the system is not up and running.
I used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
I followed to generate the requests, or the signing profiles used for
the signing, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere, or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
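Whatever the answer to the configuration question, the RA or proxy sitting between a base64-only card management system and the CA needs a small, strict translation layer. The following is an added example, not Dogtag code and not from the thread: it strips PEM-style armor and line breaks, decodes strictly, and refuses any blob whose outer DER length does not match the byte count (the usual signature of a request truncated or re-wrapped by an intermediate tool). The sample input is the PKCS#10 quoted in the "Exception when upgrading to 10.2.0" post further down this digest; a CMC Full PKI Request (a PKCS#7 ContentInfo) has the same outer shape, a single DER SEQUENCE, so the same framing check applies.

```python
"""Normalise base64 / PEM-armored CMC or PKCS#10 blobs to DER and back.

Added example; not Dogtag code. Strict decoding plus an outer DER length
check catches truncated or double-wrapped requests before they reach the CA.
"""
import base64

# Sample input: the PKCS#10 quoted later in this digest (not constructed here).
SAMPLE_PKCS10_B64 = """\
MIIBUzCBvQIBADAUMRIwEAYDVQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALvXizDymVYx6ic1Dz8dDppziWjfhIr2CkrtGyfGHJa1Loy9
OkWdS2w3CH/ASNVL3vTeA7dAly6SHgxrXEOtBFLL8KKnDzDg6oqyM4OFmhZBr/gW
QXlrIbwEWvGOXHuFLSzcuN9B7iqVn7UXQHl6c5QRmi+iZB1dL0MiQ59MG+a7AgMB
AAGgADANBgkqhkiG9w0BAQsFAAOBgQAiFqKKrAe+ToLFhOhlRwqsuzSUzqeQ16kw
MM5MZ4gnVZr6PAO0ixk1KUEcSmAppq0hC8NOikXiWzbkRAKpF0AMbF9e3EbKcZWU
TOpCd6BAjjo0M5ceki6R0RRKRYRGDgJiFJbJttpqKrh4Ngw8iuZ/MyXZd/YcfnRo
kaB+Gz8gRg==
"""


def der_outer_length(der):
    """Return (header_len, content_len) of the outermost DER SEQUENCE.

    Raises ValueError if the tag is not SEQUENCE, the length encoding is not
    minimal DER, or header + content != len(der). PKCS#10, PKCS#7 and CMC
    messages are exactly one SEQUENCE with nothing after it.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        hdr, length = 2, first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length octets")
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal DER length encoding")
    if hdr + length != len(der):
        raise ValueError(
            f"DER says {hdr + length} bytes but blob is {len(der)} bytes "
            "(truncated, padded, or not a single message)")
    return hdr, length


def b64_to_der(text):
    """Strip PEM-style armor lines and whitespace, decode strictly, verify framing."""
    body = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not line.strip().startswith("-----"))
    der = base64.b64decode(body, validate=True)   # rejects stray characters
    der_outer_length(der)
    return der


def der_to_b64(der, line_len=64, armor=None):
    """Encode DER as base64 wrapped at line_len, with optional PEM armor label."""
    der_outer_length(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    if armor:
        lines = [f"-----BEGIN {armor}-----", *lines, f"-----END {armor}-----"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    der = b64_to_der(SAMPLE_PKCS10_B64)
    hdr, length = der_outer_length(der)
    print(f"{len(der)} bytes DER, header {hdr}, content {length}")
    print(der_to_b64(der, armor="NEW CERTIFICATE REQUEST"), end="")
```

The check deliberately inspects only the outer SEQUENCE: it does not validate the PKCS#10 or CMC content, which the CA will do, but it rejects the two failure modes a base64 boundary tends to introduce (a blob cut short by a buffer limit, and base64 text that was itself base64-encoded a second time, which no longer starts with 0x30).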
Exception when upgrading to 10.2.0
by Peter Beal
Hello,
Our project has been integrating our own RA with Dogtag and everything
has been going perfectly. We made our first internal release to our
downstream product teams at the end of last year. Unfortunately, all our
development had been done using Dogtag 10.0.6 on Fedora 19, which is
pretty old at this point. Our test team installed a Fedora 21 system
and Dogtag 10.2.0 and attempted to run our regression tests. What they
found was that when our RA attempted to enroll a certificate we received
an error response instead of a successful response containing a certID.
The XML sent to both 10.0.6 and 10.2.0 is:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  <profileId>caAutoCiscoRA</profileId>
  <isRenewal>false</isRenewal>
  <xmlOutput>false</xmlOutput>
  <Input>
    <InputAttrs>
      <InputAttr name="cert_request_type">pkcs10</InputAttr>
      <InputAttr name="cert_request">MIIBUzCBvQIBADAUMRIwEAYDVQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALvXizDymVYx6ic1Dz8dDppziWjfhIr2CkrtGyfGHJa1Loy9
OkWdS2w3CH/ASNVL3vTeA7dAly6SHgxrXEOtBFLL8KKnDzDg6oqyM4OFmhZBr/gW
QXlrIbwEWvGOXHuFLSzcuN9B7iqVn7UXQHl6c5QRmi+iZB1dL0MiQ59MG+a7AgMB
AAGgADANBgkqhkiG9w0BAQsFAAOBgQAiFqKKrAe+ToLFhOhlRwqsuzSUzqeQ16kw
MM5MZ4gnVZr6PAO0ixk1KUEcSmAppq0hC8NOikXiWzbkRAKpF0AMbF9e3EbKcZWU
TOpCd6BAjjo0M5ceki6R0RRKRYRGDgJiFJbJttpqKrh4Ngw8iuZ/MyXZd/YcfnRo
kaB+Gz8gRg==
</InputAttr>
    </InputAttrs>
  </Input>
</CertEnrollmentRequest>
In the case of 10.0.6, the response was:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><CertRequestInfos><CertRequestInfo><requestType>enrollment</requestType><requestStatus>complete</requestStatus><requestURL>https://dogsled:8444/ca/rest/623660</requestURL><certId>0x98361</certId><certURL>https://dogsled:8444/ca/rest/623457</certURL><certRequestType>pkcs10</certRequestType><operationResult>success</operationResult></CertRequestInfo></CertRequestInfos>
In the case of 10.2.0, the response was:
<html><head><title>Apache Tomcat/7.0.52 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.
And the end of the debug log was:
# tail -f /var/log/pki/pki-tomcat/ca/debug
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: mapping: default
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: required auth methods: [*]
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: anonymous access allowed
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: No ACL mapping.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: content-type: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: accept: [*/*]
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: request format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: response format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: Start of CertProcessor Input Parameters
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: CertProcessor Input Parameter isRenewal='false'
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: End of CertProcessor Input Parameters
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: isRenewal false
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: profileId null
java.lang.NullPointerException
at java.util.Hashtable.get(Hashtable.java:363)
at com.netscape.cmscore.profile.ProfileSubsystem.getProfile(ProfileSubsystem.java:302)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:137)
at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:178)
at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:135)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Nothing changed on the RA side between these two runs. Is there
something that now needs to be done differently with 10.2 and above versus
10.0?
Thanks very much,
Pete Beal
9 years, 10 months
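Whatever the reason the 10.2.0 server logged "EnrollmentSubmitter: profileId null" for a request that plainly carried a profileId, the RA's handling of the reply deserves attention on its own: it received Tomcat's HTML error page where it expected CertRequestInfos XML, and an RA that feeds that straight into an XML parser reports a parse error instead of the CA's actual exception. The following is an added example, not code from the post or from Dogtag, that classifies a CA enrollment response by status and content type, extracts certId and certURL on success, and pulls the headline and exception out of a container-level error page. The two sample bodies are trimmed copies of the 10.0.6 and 10.2.0 responses quoted above; the errorMessage element consulted for rejected requests is an assumption about CertRequestInfo.

```python
"""Classify a Dogtag CA REST enrollment response instead of parsing it blind.

Added example; not Dogtag code. Handles the three shapes an RA meets:
CertRequestInfos XML (issued / pending / rejected) and a non-XML body such as
Tomcat's HTTP 500 page, from which the server's exception is extracted.
"""
import re
import xml.etree.ElementTree as ET
from html import unescape

# Constructed samples, trimmed from the two responses quoted in the post.
SUCCESS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<CertRequestInfos><CertRequestInfo><requestType>enrollment</requestType>'
    '<requestStatus>complete</requestStatus>'
    '<requestURL>https://dogsled:8444/ca/rest/623660</requestURL>'
    '<certId>0x98361</certId>'
    '<certURL>https://dogsled:8444/ca/rest/623457</certURL>'
    '<certRequestType>pkcs10</certRequestType>'
    '<operationResult>success</operationResult>'
    '</CertRequestInfo></CertRequestInfos>'
)
TOMCAT_HTML = (
    '<html><head><title>Apache Tomcat/7.0.52 - Error report</title></head>'
    '<body><h1>HTTP Status 500 - java.lang.NullPointerException</h1>'
    '<p><b>message</b> <u>java.lang.NullPointerException</u></p>'
    '<p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: '
    'java.lang.NullPointerException\n'
    'org.jboss.resteasy.core.ExceptionHandler.handleApplicationException'
    '(ExceptionHandler.java:76)</pre></p></body></html>'
)


def classify_enrollment_response(status, content_type, body):
    """Return a dict with 'kind' in {'issued', 'pending', 'rejected', 'server_error'}.

    Only a body that is declared and formed as XML is parsed as XML; anything
    else is treated as a container/servlet failure and mined for its message.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype in ("application/xml", "text/xml") and body.lstrip().startswith("<?xml"):
        root = ET.fromstring(body)
        infos = root.findall("CertRequestInfo")
        if not infos:
            return {"kind": "rejected", "status": status, "detail": "no CertRequestInfo"}
        info = infos[0]

        def field(tag):
            return (info.findtext(tag) or "").strip()

        req_status = field("requestStatus")
        if field("operationResult") == "success" and req_status == "complete":
            return {"kind": "issued", "status": status,
                    "cert_id": int(field("certId"), 16),   # Dogtag prints it as hex
                    "cert_url": field("certURL"),
                    "request_url": field("requestURL")}
        if req_status == "pending":                        # needs agent approval
            return {"kind": "pending", "status": status,
                    "request_url": field("requestURL")}
        # errorMessage is assumed to be the element Dogtag uses for rejections.
        return {"kind": "rejected", "status": status,
                "detail": field("errorMessage") or req_status}

    # Not XML: surface what the container said rather than raising a parse error.
    headline = re.search(r"<h1>(.*?)</h1>", body, re.S | re.I)
    exc = re.search(r"<pre>(.*?)</pre>", body, re.S | re.I)
    return {"kind": "server_error", "status": status,
            "detail": unescape(headline.group(1).strip()) if headline else body[:200],
            "exception": unescape(exc.group(1).strip().splitlines()[0]) if exc else None}


if __name__ == "__main__":
    print(classify_enrollment_response(200, "application/xml", SUCCESS_XML))
    print(classify_enrollment_response(500, "text/html;charset=utf-8", TOMCAT_HTML))
```

A 'server_error' result carrying "java.lang.NullPointerException" from the 10.2.0 CA is the cue to diff the request the RA sends against what the new server's REST schema expects, rather than to retry; the 10.0.6 run shows the same XML was accepted there, so the mismatch is between server versions, not in the RA's transport.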
Requiring the Hash Algorithm SHA-2 on server certificates
by Taggart, Michelle
Hi,
Hoping this is just a trivial question. Is there a way to configure the caServerCert certificate profile to include a requirement/constraint that the issued certificate use a SHA-2 hashing algorithm?
Thanks,
Michelle Taggart | Enterprise Systems Engineer | The School District of Philadelphia | mtaggart(a)philasd.org | 215.400.4470
9 years, 10 months
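Dogtag profiles express this through two policy plugins: a signingAlgConstraintImpl constraint whose signingAlgsAllowed parameter lists the signature algorithms a request may ask for, and a signingAlgDefaultImpl default whose signingAlg parameter chooses the algorithm when the request names none ("-" defers to the CA's global default). Limiting the list to SHA-2 algorithms and making the default explicit is what makes the profile enforce SHA-2 on what it issues. The following is an added example, not Dogtag code: it audits a profile file for weak algorithms and rewrites the policy. The profile fragment is constructed in the layout of a Dogtag profile (the path /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg is assumed) and keeps only two of the real profile's policies.

```python
"""Audit and harden the signing-algorithm policy of a Dogtag profile .cfg.

Added example; not Dogtag code. Reads the profile's key=value properties,
finds every signingAlgConstraintImpl policy, reports weak algorithms and a
non-SHA-2 default, and emits a hardened copy of the file.
"""
import re

WEAK_ALG_RE = re.compile(r"^(MD2|MD5|SHA1)with", re.I)
SHA2_ALG_RE = re.compile(r"^SHA(256|384|512)with", re.I)

# Constructed fragment in the layout of a Dogtag profile file (assumed path
# /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg). Only two policies
# are kept; the values mirror a SHA-1-era allowed list and a '-' default.
WEAK_PROFILE = """\
desc=This certificate profile is for enrolling server certificates.
visible=true
enable=true
name=Manual Server Certificate Enrollment
policyset.list=serverCertSet
policyset.serverCertSet.list=1,8
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
"""

SHA2_ALLOWED = ("SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
                "SHA256withEC", "SHA384withEC", "SHA512withEC")


def parse_profile(cfg_text):
    """Profile files are key=value properties; '#' lines are comments."""
    props = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def signing_policies(props):
    """Yield 'policyset.<set>.<id>' for every signingAlgConstraintImpl policy."""
    for pset in filter(None, map(str.strip, props.get("policyset.list", "").split(","))):
        ids = props.get(f"policyset.{pset}.list", "").split(",")
        for pid in filter(None, map(str.strip, ids)):
            base = f"policyset.{pset}.{pid}"
            if props.get(f"{base}.constraint.class_id") == "signingAlgConstraintImpl":
                yield base


def audit_signing_policy(cfg_text):
    """Per signing policy: weak algorithms still allowed, and whether the
    default is an explicit SHA-2 algorithm rather than '-' or SHA-1."""
    props = parse_profile(cfg_text)
    report = []
    for base in signing_policies(props):
        raw = props.get(f"{base}.constraint.params.signingAlgsAllowed", "")
        allowed = [a.strip() for a in raw.split(",") if a.strip()]
        default = props.get(f"{base}.default.params.signingAlg", "")
        report.append({
            "policy": base,
            "weak_allowed": sorted(a for a in allowed if WEAK_ALG_RE.match(a)),
            "default": default,
            "default_is_sha2": bool(SHA2_ALG_RE.match(default)),
        })
    return report


def harden_signing_policy(cfg_text, allowed=SHA2_ALLOWED, default="SHA256withRSA"):
    """Rewrite the allowed list and default of every signing policy; every
    other line of the profile is passed through unchanged."""
    targets = set(signing_policies(parse_profile(cfg_text)))
    out = []
    for line in cfg_text.splitlines():
        key = line.partition("=")[0].strip()
        for base in targets:
            if key == f"{base}.constraint.params.signingAlgsAllowed":
                line = f"{key}={','.join(allowed)}"
            elif key == f"{base}.default.params.signingAlg":
                line = f"{key}={default}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_signing_policy(WEAK_PROFILE))
    print("after: ", audit_signing_policy(harden_signing_policy(WEAK_PROFILE)))
```

Two caveats when applying this to a live profile: keep only algorithms the CA signing key can actually produce (an RSA CA key cannot sign with the ...withEC entries, and the reverse), and restart the CA instance after editing a file-based profile so the change is loaded. The "-" default defers to the CA-wide signing algorithm in CS.cfg, so an explicit SHA-2 default in the profile is the stronger guarantee.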
Dogtag with Thales HSM
by Javier Gallart
Hello
we are trying to set up Dogtag 10.2.1 with an nShield Solo as HSM. We haven't
found a specific guide for this apart from the Red Hat documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
The guide states: "The Certificate System supports the nCipher netHSM
hardware security module (HSM) by default".
Does that mean that pkispawn will detect the module and use it, or is
manual intervention required afterwards?
Regards
Javi
9 years, 10 months
Unable to format smart card
by Javier Gallart
Hello all
First question on the list. I recently installed Dogtag version 10.2.1.
Testing is going fine so far, with the exception of the smart card format
stage.
Let me give you the specs of the system:
- Dogtag runs on Fedora 20 x86_64
- ESC (version esc-1.1.0-14.el5.centos1) runs on CentOS 5.11 x86_64
- Smart card model: SmartCafe Expert 3.2 72K from G&D with 72K on-board EEPROM
When I push the format button, the authentication looks good; however the
operation fails throwing this message: "The Smart Card Server cannot
establish a secure channel with the smart card".
Looking at the logs:
----TPS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSEngine.computeSessionKey: Non zero status result: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message processing failed: TPSProcessor.setupSecureChannel: Can't set up secure channel: TPSEngine.computeSessionKey: invalid returned status: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing: s=43&msg_type=13&operation=5&result=1&message=17
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process() exiting ...
----TKS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x0
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#01#02
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried ComputeSessionKey, got NULL
java.lang.Exception: Can't compute session key!
(...)
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.encode status=1
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.length 8
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory: create() message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal Key Storage Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem generating session key info.] TKS Compute session key request failed
Any idea where the problem might be?
Thanks in advance
Regards
Javi
9 years, 10 months
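The TKS values in that log come straight from the card: the TPS sends a GlobalPlatform INITIALIZE UPDATE, and the card's reply supplies the key diversification data (the CUID_decoded / KDD_decoded above), the two key-information bytes the TKS prints as xkeyInfo[0] and xkeyInfo[1], the card challenge and the card cryptogram. Decoding that reply yourself tells you which key version and which Secure Channel Protocol the card is asking for, which is what the TKS turns into the master-key nickname "#01#02" it could not use. The following is an added example, not Dogtag code: a parser for the 28-byte SCP01/SCP02 response and the checklist it implies. The sample response is constructed (CUID taken from the log, key info 01 02 as logged, made-up challenge and cryptogram); the nickname formatting and the tks.mk_mappings configuration key named in the checklist are assumptions about the TKS, to be verified against your instance.

```python
"""Decode a GlobalPlatform INITIALIZE UPDATE response as the TPS/TKS see it.

Added example; not Dogtag code. Layout for SCP01/SCP02 (28 bytes):
  10 bytes key diversification data (CUID), 2 bytes key information
  (key version, SCP identifier), 8 bytes card challenge, 8 bytes card cryptogram.
For SCP02 the first 2 challenge bytes are the card's sequence counter.
"""
from dataclasses import dataclass
from typing import Optional

SCP_NAMES = {0x01: "SCP01", 0x02: "SCP02"}

# Constructed sample: CUID from the TKS log, key info 01 02 as logged
# ("xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2"), invented challenge and cryptogram.
SAMPLE_INIT_UPDATE = bytes.fromhex(
    "00002161960056514505"    # 10 bytes key diversification data (CUID)
    "0102"                    # key version 0x01, SCP identifier 0x02
    "0001" "a1b2c3d4e5f6"     # SCP02: 2-byte sequence counter + 6-byte challenge
    "1122334455667788"        # 8-byte card cryptogram
)


@dataclass
class InitUpdateResponse:
    key_div_data: bytes          # what the TKS logs as CUID_decoded / KDD_decoded
    key_version: int             # first key-info byte
    scp_id: int                  # second key-info byte (0x01 = SCP01, 0x02 = SCP02)
    card_challenge: bytes
    card_cryptogram: bytes
    seq_counter: Optional[int]   # SCP02 only: leading 2 bytes of the challenge

    @property
    def scp_name(self):
        return SCP_NAMES.get(self.scp_id, f"unknown(0x{self.scp_id:02x})")


def parse_initialize_update(resp):
    """Split a 28-byte SCP01/SCP02 INITIALIZE UPDATE response into its fields."""
    if len(resp) != 28:
        raise ValueError(f"expected 28 bytes for SCP01/SCP02, got {len(resp)}")
    kdd, kv, scp = resp[0:10], resp[10], resp[11]
    challenge, cryptogram = resp[12:20], resp[20:28]
    if scp not in SCP_NAMES:
        raise ValueError(f"unsupported SCP identifier 0x{scp:02x}")
    seq = int.from_bytes(challenge[:2], "big") if scp == 0x02 else None
    return InitUpdateResponse(kdd, kv, scp, challenge, cryptogram, seq)


def tks_key_nickname(r):
    """Master-key nickname in the form the TKS logs (keyNickName=#01#02).

    Assumption: two-digit hex of each key-info byte. Identical to the log
    for these values; check your TKS version's formatting for values >= 10.
    """
    return f"#{r.key_version:02x}#{r.scp_id:02x}"


def diagnose(r, keyset="defKeySet"):
    """Checklist the TKS log points at. The tks.mk_mappings key name is an
    assumption about the TKS CS.cfg layout; verify it on your instance."""
    nick = tks_key_nickname(r)
    return [
        f"card reports key version 0x{r.key_version:02x} and {r.scp_name}",
        f"TKS will look for master key nickname {nick} (keyset {keyset}) "
        "on the token it logs as SelectedToken",
        f"check a mapping such as tks.mk_mappings.{nick}=internal:<master key nickname> "
        "exists and that symmetric key is present in the TKS NSS database",
        f"confirm the TPS/TKS release in use implements {r.scp_name}",
    ]


if __name__ == "__main__":
    r = parse_initialize_update(SAMPLE_INIT_UPDATE)
    print(f"CUID={r.key_div_data.hex()} seq={r.seq_counter}")
    for line in diagnose(r):
        print("-", line)
```

Note what the decoder makes visible in the log above: the second key-information byte is 0x02, so the SmartCafe card is negotiating SCP02 with key version 1, and the session key must be derived from a master key that the TKS can find under the resulting nickname on the "Internal Key Storage Token". Both halves, the protocol and the key, have to line up before the TPS can open a secure channel.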
Command pki user-cert-find returns always 0
by Javier Gallart
Hello
during our testing of the pki CLI client, we've noticed that the command
user-cert-find always returns 0. Doing it in two steps (ldapsearch and then
pki cert-show) works fine.
Regards
Javi
9 years, 10 months