Pki-users February 2019

users@lists.dogtagpki.org

5 participants
3 discussions

by Kat

Hi all - new to list. I can't find the answer on the IPA mailing list and I really thing this is directly related to DogTag anyway. Trying to debug a key being denied. Here is a little snippet of log. Where can I find WHY it is getting denied - or is there some additional debug I can turn on to find it? See the last one? This is driving me crazy - if anyone can point me to debug settings or anything to help me diagnose? 2019-02-09 16:12:56 - SimpleCredsAuth-[auth:simple] - PASS: '30015' authenticated as '48, 48' 2019-02-09 16:12:56 - SimpleHeaderAuth-[auth:header] - PASS: '30015' authenticated as '(null)' 2019-02-09 16:12:56 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015' authorized for '/keys' 2019-02-09 16:12:57 - Secrets-[/keys] - ALLOWED: '(null)' requested key 'ca/subsystemCert cert-pki-ca' 2019-02-09 16:14:53 - SimpleCredsAuth-[auth:simple] - PASS: '30015' authenticated as '48, 48' 2019-02-09 16:14:53 - SimpleHeaderAuth-[auth:header] - PASS: '30015' authenticated as '(null)' 2019-02-09 16:14:53 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015' authorized for '/keys' 2019-02-09 16:14:53 - Secrets-[/keys] - ALLOWED: '(null)' requested key 'ra/ipaCert' 2019-02-09 16:17:34 - SimpleCredsAuth-[auth:simple] - PASS: '24826' authenticated as '48, 48' 2019-02-09 16:17:34 - SimpleHeaderAuth-[auth:header] - PASS: '24826' authenticated as '(null)' 2019-02-09 16:17:34 - IPAKEMKeys-[authz:kemkeys] - PASS: '24826' authorized for '/keys' 2019-02-09 16:17:34 - Secrets-[/keys] - ALLOWED: '(null)' requested key 'dm/DMHash' *2019-02-25 09:21:47 - SimpleCredsAuth-[auth:simple] - PASS: '5570' authenticated as '48, 48'** **2019-02-25 09:21:47 - SimpleHeaderAuth-[auth:header] - PASS: '5570' authenticated as '(null)'** **2019-02-25 09:21:47 - IPAKEMKeys-[authz:kemkeys] - PASS: '5570' authorized for '/keys'** **2019-02-25 09:21:47 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert cert-pki-ca'* -K

4 years

2
1
0 / 0

Problem Renewing Server Certificates

by Wolf, Brian

I installed PKI-CA two years ago on a Redhat 7 server. I used it to create certificates for an application and have not needed it since. Now the PKI server certificates are about to expire, I'm trying to renew them using the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal . I am getting an error when I try to submit the renewal request. The error seems to be that it can't find /pki/rest/info. Installed packages: pki-base-10.5.9-6.el7.noarch pki-base-java-10.5.9-6.el7.noarch pki-ca-10.5.9-6.el7.noarch pki-kra-10.5.9-6.el7.noarch pki-server-10.5.9-6.el7.noarch pki-tools-10.5.9-6.el7.x86_64 nuxwdog-1.0.3-8.el7.x86_64 java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64 java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64 javapackages-tools-3.4.1-11.el7.noarch javassist-3.16.1-10.el7.noarch nuxwdog-client-java-1.0.3-8.el7.x86_64 rest-0.8.1-2.el7.x86_64 resteasy-base-atom-provider-3.0.6-4.el7.noarch resteasy-base-client-3.0.6-4.el7.noarch resteasy-base-jackson-provider-3.0.6-4.el7.noarch resteasy-base-jaxb-provider-3.0.6-4.el7.noarch resteasy-base-jaxrs-3.0.6-4.el7.noarch resteasy-base-jaxrs-api-3.0.6-4.el7.noarch Listing the certificates works. We do not use the default instance of pki-tomcat. # pki-server cert-find -i <my-instance> ca ----------------- 5 entries matched ----------------- Cert ID: ca_signing Nickname: caSigningCert ... CA Token: Internal Key Storage Token Serial Number: 0x1 Subject DN: CN=CA Signing Certificate,... Issuer DN: CN=CA Signing Certificate,... Not Valid Before: Fri Mar 10 16:38:21 2017 Not Valid After: Tue Mar 10 16:38:21 2037 Cert ID: ca_ocsp_signing Nickname: ocspSigningCert ... CA Token: Internal Key Storage Token Serial Number: 0x2 Subject DN: CN=CA OCSP Signing Certificate,... Issuer DN: CN=CA Signing Certificate,OU=... Not Valid Before: Fri Mar 10 16:38:23 2017 Not Valid After: Thu Feb 28 16:38:23 2019 [snip] But the renewal request gives a Not Found error: # pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal PKIException: Not Found Adding -v shows an error on the HTTP GET of /pki/rest/info. I don't see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that? # pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal PKI options: -v PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal Server URI: http://my-server:8370 Client security database: /root/.dogtag/nssdb Message format: null Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal Initializing security database Module: ca Module: cert Module: request-submit Retrieving caManualRenewal profile. Initializing PKIClient HTTP request: GET /pki/rest/info HTTP/1.1 Accept-Encoding: gzip, deflate Accept: application/xml Host: my-server:8370 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.2.5 (java 1.5) HTTP response: HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 977 Date: Fri, 15 Feb 2019 18:53:25 GMT com.netscape.certsrv.base.PKIException: Not Found at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467) at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439) at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107) at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46) at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576) at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194) at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194) at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95) at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138) at com.netscape.cmstools.cli.CLI.execute(CLI.java:345) at com.netscape.cmstools.cli.CLI.execute(CLI.java:345) at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67) at com.netscape.cmstools.cli.CLI.execute(CLI.java:345) at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633) at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669) ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255

4 years, 1 month

2
3
0 / 0

exporting sub CA to pem format

by joris dedieu

Hello Pki users, I found how to issue a sub certificate with pki ca-authority-create and export certificate with ca-authority-show, but I don't understand how to export Sub CA key. I need it to sign some certificates with puppet or openssl. Is there a way to do so ? Best Regards Joris

4 years, 1 month

3
3
0 / 0

← Newer
1
Older →

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users February 2019