Router identity certificate auto-renewal questions
by Emily Stemmerich
Hi,
I was referred to this email list by alee on the #dogtag-pki IRC group to get some help on automatic certificate renewals. We are trying to get Dogtag 10.2.1 set up to be a certificate authority for Cisco routers’ identity certificates. For the first step I have things working to get a certificate using the caRouterCert.cfg profile with a one-time password in the flatfile.txt. For the second step I’m trying to get auto-renewal of the identity certificates working. Here is where I stand:
1. For testing, I have set the validity to 1 day so that the renewal attempt happens the next day… I don’t see a way of making it any shorter to expedite testing.
2. I have added “renewal=true” to the caRouterCert.cfg hoping that it will enable auto-renewal. I’m not sure if using the same profile would require that a “one-time” password needs to be in flatfile.txt again (which isn’t practical)? If I would need a different profile for the renewal I’m not clear on how to add and then use it for the renewal.
3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the profile just for testing purposes.
4. I have confirmed on the router that the expiration is as expected (24hrs) and it shows a date/time that it will attempt to renew automatically (the link below discusses cert renewal from the perspective of IOS).
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrast...
5. When the renewal time comes on the router, I see lots of activity in the dogtag debug log, but am unsure of what to look for to troubleshoot it failing.
Please advise on what to change and/or look for. I can also send logs and/or config files if that would help.
Best Regards,
-Emily
9 years, 5 months
Publishing module is disabled
by Ricardo Alexander Alexander Perez Ricardez
When I try Update Directory Server, I receive the message: "Publishing module is disabled"
Step 1:
Step 2:
9 years, 5 months
How to setup PKI Administrator user
by Jain, Mahendra
Hello All,
When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin).
What is the procedure to setup additional PKI Administrator users so that they can also access agent interface?
Thanks,
Mahendra
9 years, 5 months
Validate OCSP responder
by Ricardo Alexander Alexander Perez Ricardez
Is there any way to validate if the OCSP responder is working correctly on the client side?
9 years, 5 months
EMV CPS 1.1 support
by Javier Gallart
Hello
we're working with G&D SmartCafe 3.2 cards and trying to integrate them
with Dogtag. They use the EMV CPS 1.1 key derivation protocol for obtaining
the session keys in a Secure Channel establishment (SCP02). Is there any plan
to include it in Dogtag? If not, would a patch implementing it be
considered?
Thanks in advance
Javi
9 years, 5 months
Looking for a short path to auto signing server certificates.
by Steve Neuharth
Hello everyone,
I have a requirement to provide a service to our internal linux systems to
allow them to self-register and receive a certificate representing the host
itself and then a cert representing any application on that host. I have
installed DogTag, it's up and running and seems to be working.
I'd like to be able to use REST to request a certificate and have it
auto-signed. I know that DogTag has a REST interface and while the
interface is documented, there are no examples where I can see how it would
actually be used to post a CSR, fetch a cert, etc.
Normally, I'd just sniff a request made with getcert but as I'm using just
dogtag as a standalone install and not as a part of FreeIPA, getcert has no
knowledge of my local DogTag CA:
[root@dogtag lib]# getcert list-cas
CA 'SelfSign':
    is-default: no
    ca-type: INTERNAL:SELF
    next-serial-number: 01
CA 'IPA':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/local-submit
so... how do I make it aware? I'm using Fedora 21 so I'm at
certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure what
to add.
I apologize in advance for the pedestrian questions. I have read the docs
and the getting started guide and while they provide examples for
self-signed certs and for using FreeIPA, I don't see much info on using
getcert with DogTag as a standalone product. I'd also like to explore using
SCEP for requesting certs from our MS PKI. Is there a guide or info on setting
up certmonger/getcert to hit a SCEP URL?
Thanks for your continued work on DogTag and certmonger. They ROCK and will
solve big problems for my client if I can just get them to work the way I
need them to.
--steve
9 years, 5 months