Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access the
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
that I followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
Flat-file auth
by James Masson
Hi list,
I'm trying to use flat-file auth on certificate requests via Certmonger.
I can successfully get certificates issued when I remove authentication.
I've restricted the Certificate Profile to require flat-file authentication.
I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and
certmonger-0.78.4-1.el7.centos.x86_64
The error I get is:
"[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
authentication error Authentication credential for uid is null.
The request generated by Certmonger looks like this:
###
GET
/ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD!
8abY7HGPH
3
NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
###
flatfile.txt looks like:
#
uid:foo
pwd:password
#
CS.cfg contains:
#
auths.instance.flatFileAuth.authAttributes=pwd
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=uid
auths.instance.flatFileAuth.pluginName=FlatFileAuth
#
The full error from the pki debug logs is below:
thanks!
James M
###
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
= /ca/ee/ca/profileSubmit
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='profileId' value='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request_type' value='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----[...]-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='xml' value='true'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='uid' value='foo'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='pwd' value='(sensitive)'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
caProfileSubmit start to service.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
use default authz mgr: {2}.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter profileId='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request_type='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter isRenewal='false'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----[...]-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
profileId IPASubCA
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
Inputs into profile Context
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
CertRequestSubmitter:setCredentialsIntoContext() authIds` null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
sslClientCertProvider
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
authentication required.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
auditSubjectID auditContext
{sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562,
profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c}
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
auditSubjectID: subjectID: null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
concatenating string i=0 keyAttrs[0] = uid
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
authentication error Authentication credential for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
authentication failure
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
authentication error in processing request: Authentication credential
for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
###
9 years, 2 months
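For the flat-file auth post above, an added example (my code, not from the post or from Dogtag) that pulls the AUTH_FAIL signed-audit record and the "credential ... is null" error out of a mailed, line-wrapped pki debug log. The record prefix and the bracketed field syntax are taken from the log quoted in the post; the sample lines are constructed from it.

```python
import re

# Dogtag debug record prefix: "[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: message"
RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: ?(?P<msg>.*)$")
# Signed-audit fields are bracketed key=value pairs, e.g. [AuditEvent=AUTH_FAIL]
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
# The CertProcessor error names the key attribute that arrived empty
NULL_CRED_RE = re.compile(r"Authentication credential for (\w+) is null")

def parse_debug_log(text):
    """Split a debug log into records; a line without the [ts][thread]
    prefix is a wrapped continuation of the previous record (as in mailed logs)."""
    records = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records and raw.strip():
            records[-1]["msg"] += " " + raw.strip()
    return records

def audit_events(records, event=None):
    """SignedAuditEventFactory records as dicts of their bracketed fields,
    optionally only those of one AuditEvent type (e.g. AUTH_FAIL)."""
    out = []
    for rec in records:
        if "SignedAuditEventFactory" not in rec["msg"]:
            continue
        fields = dict(FIELD_RE.findall(rec["msg"]))
        if event is None or fields.get("AuditEvent") == event:
            out.append({"ts": rec["ts"], "thread": rec["thread"], **fields})
    return out

def null_credentials(records):
    """Key attributes the authenticator reported as missing from the request."""
    return [m.group(1) for rec in records
            for m in [NULL_CRED_RE.search(rec["msg"])] if m]

# Constructed sample: the lines quoted in the post, wrapped as they were mailed.
SAMPLE_LOG = """\
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
concatenating string i=0 keyAttrs[0] = uid
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
authentication error Authentication credential for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
authentication failure
"""
```

Run `audit_events(parse_debug_log(SAMPLE_LOG), "AUTH_FAIL")` against a real debug log to list which auth manager rejected which request, and `null_credentials` to see which key attribute never reached the authenticator.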
Dogtag-pki
by Ben Francis
Where is this package in EPEL 6 or EPEL 6 Testing?
Ben
9 years, 3 months
error installing ipa 4.1.4 w. pki 10.2.6
by Timo Aaltonen
Hi
This is what I get in the logs when trying to install ipa server 4.1.4 on Debian:
[21/27]: issuing RA agent certificate
[error] CalledProcessError: Command ''/usr/bin/sslget' '-v' '-n' 'ipa-ca-agent' '-p' XXXXXXXX '-d' '/tmp/tmp-B_7AiF' '-r' '/ca/agent/ca/profileReview?requestId=7' 'sid-test.tyrell:8443'' returned non-zero exit status 3
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/usr/bin/sslget' '-v' '-n' 'ipa-ca-agent' '-p' XXXXXXXX '-d' '/tmp/tmp-B_7AiF' '-r' '/ca/agent/ca/profileReview?requestId=7' 'sid-test.tyrell:8443'' returned non-zero exit status 3
syys 24, 2015 7:33:21 AP. org.apache.catalina.core.ApplicationContext log
SEVERE: Servlet castart threw unload() exception
javax.servlet.ServletException: Servlet.destroy() for servlet castart threw exception
at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1507)
at org.apache.catalina.core.StandardWrapper.stopInternal(StandardWrapper.java:1847)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5700)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1590)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1579)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at com.netscape.cmscore.profile.ProfileSubsystem.shutdown(ProfileSubsystem.java:226)
at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859)
at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797)
at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
at com.netscape.cms.servlet.base.CMSStartServlet.destroy(CMSStartServlet.java:144)
at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1486)
... 10 more
syys 24, 2015 7:33:51 AP. org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caProfileReview] in context with path [/ca] threw exception [Servlet execution threw an exception] with root cause
java.lang.AbstractMethodError: org.apache.tomcat.util.net.jss.JSSSupport.getPeerCertificateChain(Z)[Ljava/lang/Object;
at org.apache.coyote.http11.Http11Processor.actionInternal(Http11Processor.java:256)
at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:911)
at org.apache.coyote.Request.action(Request.java:347)
at org.apache.catalina.connector.Request.getAttribute(Request.java:957)
at org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:283)
at com.netscape.cms.servlet.base.CMSServlet.getSSLClientCertificate(CMSServlet.java:858)
at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1743)
at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1685)
at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:115)
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:513)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
old packages of ipa 4.0.5 with 10.2.0 work
--
t
9 years, 3 months
build error with newer tomcat7, Debian issues
by Timo Aaltonen
Hi
I'm not able to build 10.2.6 with a current tomcat7 (7.0.64):
com/netscape/cms/tomcat/ProxyRealm.java:22: error: ProxyRealm is not
abstract and does not override abstract method authenticate(String) in Realm
public class ProxyRealm implements Realm {
^
1 error
which is what I need in order to debug whether my switch to tomcat8 is to
blame for the configure phase of a pki instance not starting on Debian:
2015-09-04 20:29:54 pkispawn : INFO ....... executing 'certutil
-N -d /root/.dogtag/pki-tomcat/ca/alias -f
/root/.dogtag/pki-tomcat/ca/password.conf'
2015-09-04 20:29:54 pkispawn : INFO ....... executing
'/etc/init.d/pki-tomcatd start pki-tomcat'
2015-09-04 20:30:07 pkispawn : DEBUG ........... No connection -
server may still be down
2015-09-04 20:30:07 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(104, 'Connection reset by peer'))
2015-09-04 20:30:08 pkispawn : DEBUG ........... No connection -
server may still be down
2015-09-04 20:30:08 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(104, 'Connection reset by peer'))
2015-09-04 20:30:09 pkispawn : DEBUG ........... No connection -
server may still be down
2015-09-04 20:30:09 pkispawn : DEBUG ........... No connection -
exception thrown: ('Connection aborted.', error(104, 'Connection reset by peer'))
2015-09-04 20:30:10 pkispawn : DEBUG ........... No connection -
server may still be down
2015-09-04 20:30:10 pkispawn : DEBUG ........... No connection -
exception thrown: EOF occurred in violation of protocol (_ssl.c:590)
2015-09-04 20:30:12 pkispawn : DEBUG ........... No connection -
server may still be down
2015-09-04 20:30:12 pkispawn : DEBUG ........... No connection -
exception thrown: EOF occurred in violation of protocol (_ssl.c:590)
...
..
.
2015-09-04 20:31:00 pkispawn : ERROR ....... server failed to restart
2015-09-04 20:31:00 pkispawn : DEBUG ....... Error Type: Exception
2015-09-04 20:31:00 pkispawn : DEBUG ....... Error Message: server
failed to restart
2015-09-04 20:31:00 pkispawn : DEBUG ....... File
"/usr/sbin/pkispawn", line 597, in main
rv = instance.spawn(deployer)
File
"/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py",
line 102, in spawn
raise Exception("server failed to restart")
(don't have catalina output from this..)
Another issue I found is that upgrading from 10.2.0 to 10.2.6 packages
(w. tomcat8) gives these errors:
http://pastebin.com/eM64FUDw
so I wonder if these are somehow related.
--
t
9 years, 3 months
DirAclAuthz host configuration
by Raspante, Patrick
For the CA's authorization subsystem, is it possible to configure the CA to look for users in a different DS instance than the one defined in 'internaldb.ldapconn.host'?
I've done some initial testing changing the following settings to point to another ds instance:
authz.instance.DirAclAuthz.ldap.basedn=<my basedn>
authz.instance.DirAclAuthz.ldap.database=<my database>
authz.instance.DirAclAuthz.ldap.ldapconn.host=myotherds
authz.instance.DirAclAuthz.ldap.ldapconn.port=389
After a restart, the CA seems to still be doing authorization queries to the DS defined in 'internaldb.ldapconn.host'.
Thanks,
pwr
9 years, 3 months
This version of Firefox no longer supports the crypto web object...
by Aleksey Chudov
Hi,
I use Firefox 40.0.3 from Fedora 21 updates repository
$ rpm -q firefox
firefox-40.0.3-1.fc21.x86_64
Every PKI CA certificate profile containing the keyGenInputImpl input produces
a warning message on the web page:
Warning: This version of Firefox no longer supports the crypto web object
used to generate and archive keys from the browser. As a result expect
limited functionality in this area.
But actually key generation works in my Firefox version.
What does this warning really mean?
Aleksey
9 years, 3 months
How to setup PKI CA to ask for passwords at startup?
by Aleksey Chudov
Hi,
The password.conf file stores system passwords in plaintext, and I prefer
to enter system passwords manually and to remove the password file.
I have found original documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/....
But it is for an older version of PKI and does not work with systemd.
How do I set up the PKI CA to ask for the NSS DB password at startup?
Packages versions (I have rebuilt F22 packages for CentOS 7):
# rpm -qa | grep pki
pki-base-10.2.5-1.el7.centos.noarch
pki-server-10.2.5-1.el7.centos.noarch
dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
pki-ca-10.2.5-1.el7.centos.noarch
pki-tools-10.2.5-1.el7.centos.x86_64
dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
Aleksey
9 years, 3 months