Pki-users February 2016

users@lists.dogtagpki.org

3 participants
5 discussions

by Lionel Beard

Hi, I'm trying to create a CA with a Atos/Bull HSM backend. I have created a configuration file default_hsm.cfg with hsm options enabled and configured, and I have set HSM token and password. When I run the command: # pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv I get the error: pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse> pkispawn : INFO ....... constructing PKI configuration data. pkispawn : INFO ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin(a)cls.fr ,o=cls.fr Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin' pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc pkispawn : INFO ....... configuring PKI configuration data. pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid Token provided. No such token*."} pkispawn : DEBUG ....... Error Type: ParseError pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main rv = instance.spawn(deployer) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data root = ET.fromstring(e.response.text) File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML parser.feed(text) File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed self._raiseerror(v) File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror raise err Installation failed. Just after pki service restart. I don't know which "Token" is it talking about, not sure it is HSM token. HSM is working fine because it is previously added to database with modutil: # modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb Bull TrustWay Proteccio NetHSM 2.4 Configuration read from /etc/proteccio//proteccio.rc Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB 2. nethsm library name: /usr/lib64/libnethsm.so slots: 8 slots attached status: loaded slot: Trustway Crypto Engine Slot token: nethsm1_V1 slot: Trustway Crypto Engine Slot token: slot: Trustway Crypto Engine Slot token: slot: Trustway Crypto Engine Slot token: slot: Trustway Crypto Engine Slot token: slot: Trustway Crypto Engine Slot token: slot: Trustway Crypto Engine Slot token: slot: Trustway Crypto Engine Slot token: ----------------------------------------------------------- Of course, I have updated default_hsm.cfg file according to Redhat documentation to enable HSM et put HSM token name and password: # grep hsm /etc/pki/default_hsm.cfg pki_audit_signing_token=nethsm1_V1 pki_hsm_enable=True pki_hsm_libfile=/usr/lib64/libnethsm.so pki_hsm_modulename=nethsm pki_ssl_server_token=nethsm1_V1 pki_subsystem_token=nethsm1_V1 pki_token_name=nethsm1_V1 pki_storage_token=nethsm1_V1 pki_transport_token=nethsm1_V1 I have tried with interactive installation (so with no HSM), and it is working fine. Does anyone can help me? Thanks!

8 years

2
2
0 / 0

Renew expired OCSP system certificates

by pki tech

Hi all, Good day to you all. What is the process to renew all the four system certificates (SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when those existing certificates are currently expired. I cant access the pkiconsole also as the system is not up and running. I have used the certutil to generate the certificate requests and get it signed by the CA. But it didn't work as expected. I believe the procedure that i have followed to request generation or the signing profiles used for the generation, may have some issues. Cheers. Regards, Mark

8 years

3
2
0 / 0

base64 CMC Request format

by Elliott William C OSS sIT

Hi all, Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming? We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded. Thanks and best regards, William Elliott s IT Solutions Open System Services

8 years

4
6
0 / 0

Rewrite of Subject in profile

by Supper Florian OSS sIT

Hi and good morning. I get some request from mobile devices which are very poor. Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00 With this subject name, it is not possible to enroll a certificate, because of the " \x00" at the end.. So i'm compelled to rewrite the Subject name. In the first way I only want to remove the "\x00" characters from CN. I've tried some pattern and configs, but it doesn't work. Does one of you knows how this could work? policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint policyset.cmcUserCertSet.1.constraint.params.accept=true policyset.cmcUserCertSet.1.constraint.params.pattern=.* policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl policyset.cmcUserCertSet.1.default.name=Subject Name Default policyset.cmcUserCertSet.1.default.params.name=.*CN=................................... In the second way, i want to set the whole subject like this below. But I want to use the CN which comes in the csr. Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com Thanks for your help. BR Florian

8 years, 3 months

3
2
0 / 0

PKI TRAC Ticket access disabled due to excessive spamming

by Matthew Harmsen

This is to advise users of the PKI TRAC system, that until the following ticket is resolved: * Fedora Infrastructure TRAC Ticket #1521 - https://fedorahosted.org NEEDS_TRIAGE is being SPAMMED <https://fedorahosted.org/fedora-infrastructure/ticket/5121> access to the create/update PKI TRAC tickets and wiki pages has been restricted. We apologize in advance for any problems this causes. Until this issue is resolved, please utilize the pki-users(a)redhat.com, pki-devel(a)redhat.com, and #dogtag-pki FreeNode IRC channel to request PKI TRAC Tickts. Thanks, -- The Dogtag Team

8 years, 5 months

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users February 2016