Unable to spawn CA when using HSM
by Lionel Beard
Hi,
I'm trying to create a CA with a Atos/Bull HSM backend.
I have created a configuration file default_hsm.cfg with hsm options
enabled and configured, and I have set HSM token and password.
When I run the command:
# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
I get the error:
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d
/root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin(a)cls.fr
,o=cls.fr Security Domain -k rsa -g 2048 -z
/root/.dogtag/pki-tomcat/ca/alias/noise -f
/root/.dogtag/pki-tomcat/ca/password.conf -o
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn : INFO ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet:
400 Client Error: Bad Request for url:
https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token):
line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid
Token provided. No such token*."}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid
token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in
main
rv = instance.spawn(deployer)
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line
3872, in configure_pki_data
root = ET.fromstring(e.response.text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
parser.feed(text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
self._raiseerror(v)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in
_raiseerror
raise err
Installation failed.
Just after pki service restart.
I don't know which "Token" it is talking about; I'm not sure it is the HSM token.
The HSM is working fine because it was previously added to the database with modutil:
# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
Bull TrustWay Proteccio NetHSM 2.4
Configuration read from /etc/proteccio//proteccio.rc
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. nethsm
library name: /usr/lib64/libnethsm.so
slots: 8 slots attached
status: loaded
slot: Trustway Crypto Engine Slot
token: nethsm1_V1
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
-----------------------------------------------------------
Of course, I have updated the default_hsm.cfg file according to the Red Hat
documentation to enable HSM and put the HSM token name and password:
# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1
I have tried with interactive installation (so with no HSM), and it is
working fine.
Can anyone help me?
Thanks!
8 years, 5 months
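The traceback above shows pkispawn feeding the installer's JSON error body to ET.fromstring(), so the real message ("Invalid Token provided. No such token.") is hidden behind a ParseError. The following added example (not part of the original post or of pkispawn itself) parses both response shapes quoted in the post, using constructed copies of those two bodies, so the underlying servlet error is surfaced instead of the parser failure:

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two responses quoted in the post above.
XML_STATUS = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
              '<XMLResponse><State>0</State><Type>CA</Type>'
              '<Status>running</Status><Version>10.2.6-13.fc23</Version>'
              '</XMLResponse>')
JSON_ERROR = ('{"Attributes":{"Attribute":[]},'
              '"ClassName":"com.netscape.certsrv.base.BadRequestException",'
              '"Code":400,"Message":"Invalid Token provided. No such token."}')


def parse_installer_response(text):
    """Describe a body returned by the /ca/rest/installer/configure servlet.

    A successful call answers with an XMLResponse document; an error answers
    with a JSON BadRequestException body. Handing the JSON to ET.fromstring()
    is what raised the ParseError in the traceback, so decide on the first
    character and fall back to JSON instead of crashing on the XML path.
    """
    stripped = text.lstrip()
    if stripped.startswith("<"):
        root = ET.fromstring(stripped)
        return {"format": "xml", "root": root.tag,
                "fields": {child.tag: child.text for child in root}}
    try:
        body = json.loads(stripped)
    except ValueError:
        # Neither XML nor JSON: keep the raw text for the operator to inspect.
        return {"format": "unknown", "raw": text}
    return {"format": "json", "error": body.get("ClassName"),
            "code": body.get("Code"), "message": body.get("Message")}


if __name__ == "__main__":
    print(parse_installer_response(XML_STATUS))
    print(parse_installer_response(JSON_ERROR))
```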
Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and got them
signed by the CA, but it didn't work as expected. I believe the procedure
that I followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
Registration Authority
by Pascal Jakobi
As far as I can see, there is currently no RA in dogtag (no such choice
in pkispawn, no rpm). However, this is frequently required by customers.
Is there a document that discusses this topic?
Thanks in advance
--
Pascal Jakobi <mailto:pascal.jakobi@gmail.com>
116 rue de Stalingrad
93100 Montreuil, France
Tel : +33 6 87 47 58 19
8 years, 7 months
Replace default caadmin key
by John Hogenmiller (yt)
Hello,
I've been recently learning a good bit about dogtag pki. I've set up a
standalone dogtag instance for development, I've written some code to
generate CSRs and get a cert from dogtag. I then went to try and get this
working against our FreeIPA instances. While trying to create a user
certificate, I found that none of my pki -n caadmin commands would work.
I eventually discovered this page
http://pki.fedoraproject.org/wiki/Default_CA_Admin and went to the
master/first freeipa server. While I did have the .cert and .der files, I
did not have "/root/.dogtag/pki-tomcat/ca_admin_cert.p12". It turns out
this server was rebuilt at one point, and no one was aware of the need to
back up this directory.
I do have /root/ca-agent.p12 and /root/cacert.p12, but I don't believe
either of these contain the private key that would have been in
ca_admin_cert.p12. I do have the pkcs12 password conf files (these seem to
be replicated to every freeipa replica).
My question at this point is whether I can regain control of the dogtag CA
system. I believe I would have to create a new key/cert pair locally, and
then update an ldap entry with the new cert. Or maybe I can create a new
user entirely to manage dogtag. I would probably have to sign the user cert
using cacert.p12 as well. Since I'm unfamiliar with dogtag internals,
I'm looking for guidance. If my guesses are correct, it would be a series of
openssl commands, followed by some work with ldif files and ldapmodify.
Thanks in advance,
John
8 years, 7 months
wiki update
by John Hogenmiller (yt)
On http://pki.fedoraproject.org/wiki/Default_CA_Admin
The following command:
$ pki -c Secret123 client-cert-import --pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password
~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
should read:
$ pki -c Secret123 client-cert-import --pkcs12
~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password-file
~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
8 years, 7 months
Dogtag support of CA certificate rollover
by Gary Hostetler (ghostetl)
Good day,
I am trying to understand if Dogtag supports the ability to create a chain of trust certificates that support CA certificate rollover. There would be transition certs from the old existing certificate/key to a new certificate and key. The transition certs OldWithNew and NewWithOld are used for the transition from the old CA cert (OldWithOld) to the new one (NewWithNew).
Thank you - Gary Hostetler
8 years, 7 months