Dogtag PKI CA not enrolling router with CN or when IP specified in Trustpoint config
by Rohan Raymore (rraymore)
Hello,
I am looking for some guidance/assistance with a dogtag-pki CA server setup that I am testing.
Environment:
Cisco ASR router
CentOS 7 vm
PKI version 10.5.18-7.el7 installed
Configured to use flatfile to authenticate Cisco router using UID/PWD via SCEP
I am able to successfully authenticate and enroll the router via SCEP using UID/PWD in flatfile
Issue:
The UID is the IP address of the router interface toward the CA server; this IP is assigned via DHCP and is thus not deterministic.
When I configured an IP address of a Loopback interface under the Trustpoint configuration of the router, I can see that it is seen by the CA in the logs, but it is not used for authentication/enrollment.
I tried to change the CS.cfg file to use the CN/PWD to authenticate; however, it appears I may have missed something, as it fails with "password null".
Can you please assist with providing one of two options:
1. How to authenticate/enroll router via Loopback interface IP address that is specified in the Trustpoint configuration of the router?
2. How to authenticate/enroll the router using the CN/PWD in the flatfile?
Thanks in advance for your assistance!
See below some output from the debug file:
<snip>
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1 <-------- this is the IP I have configured in flatfile
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: null
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1 <----- this is the router outside interface IP
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
<snap>
<snip>
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: null
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
<snap>
Regards,
Rohan Raymore
Rohan Raymore <http://directory.cisco.com/dir/details/rraymore>
3 years, 9 months
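The two debug excerpts above show the same mechanism failing in two ways: FlatFileAuth builds one lookup key per entry from the configured key attribute(s), then builds the same key from the credentials the request carries and looks it up. With keyAttributes=UID the key the router presented (10.1.1.1) is not the key loaded from the file (10.0.1.1), so the entry is never found; with keyAttributes=CN the request carried no CN credential at all, so the key is null before any lookup happens. The following is an added Python emulation of that lookup, not Dogtag's code and not part of the original thread. The flatfile entries, passwords and CS.cfg values are constructed placeholders; the file format (ATTR:value lines, entries separated by a blank line) and the auths.instance.flatFileAuth.keyAttributes / authAttributes option names are my understanding of Dogtag's flat-file authenticator, and the two sample log lines are taken from the post.

```python
import re

# Constructed sample of the CA's flatfile.txt (values are placeholders).
# Format as I understand Dogtag's FlatFileAuth: ATTR:value lines, one blank
# line between entries. The second entry is keyed by CN instead of UID.
FLATFILE = """\
UID:10.0.1.1
PWD:router-secret

CN:dev-sec-a-2.example.com
PWD:router-secret
"""

# Constructed stand-in for the auths.instance.flatFileAuth.* lines in CS.cfg.
FLATFILE_CFG = {
    "keyAttributes": "UID",   # attribute(s) concatenated into the lookup key
    "authAttributes": "PWD",  # attribute(s) compared after the entry is found
}

# Two lines quoted from the post's first debug excerpt.
DEBUG_LOG = [
    "[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1",
    "[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: "
    "finding user from key: 10.1.1.1",
]


def parse_flatfile(text):
    """Return a list of {attr: value} entries; a blank line ends an entry."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def build_key(attrs, key_attrs):
    """Concatenate the key attributes (the 'concatenating:' debug lines).
    Returns None when any key attribute is missing, which is the CN case."""
    parts = []
    for name in key_attrs:
        value = attrs.get(name)
        if value is None:
            return None
        parts.append(value)
    return "".join(parts)


def authenticate(flatfile_text, cfg, credentials):
    """Emulate the lookup: (True, 'ok') or (False, reason).
    Emulation only: the behaviour is what the debug log lets one infer."""
    key_attrs = cfg["keyAttributes"].split(",")
    auth_attrs = cfg["authAttributes"].split(",")
    table = {}
    for entry in parse_flatfile(flatfile_text):
        key = build_key(entry, key_attrs)
        if key is not None:          # entries lacking the key attribute are unusable
            table[key] = entry
    key = build_key(credentials, key_attrs)
    if key is None:
        return False, "Authentication credential for %s is null" % ",".join(key_attrs)
    entry = table.get(key)
    if entry is None:
        return False, "User not found in password file"
    for name in auth_attrs:
        if credentials.get(name) != entry.get(name):
            return False, "Invalid Credential"
    return True, "ok"


PUT_RE = re.compile(r"FlatFileAuth: putting: key (\S+)")
LOOKUP_RE = re.compile(r"finding user from key: (\S+)")


def explain_mismatch(log_lines):
    """From debug lines, return (key the client presented, keys loaded from the file)."""
    loaded, presented = set(), None
    for line in log_lines:
        m = PUT_RE.search(line)
        if m:
            loaded.add(m.group(1))
        m = LOOKUP_RE.search(line)
        if m:
            presented = m.group(1)
    return presented, sorted(loaded)


if __name__ == "__main__":
    print(explain_mismatch(DEBUG_LOG))
    print(authenticate(FLATFILE, FLATFILE_CFG, {"UID": "10.1.1.1", "PWD": "router-secret"}))
    print(authenticate(FLATFILE, {"keyAttributes": "CN", "authAttributes": "PWD"},
                       {"UID": "10.1.1.1", "PWD": "router-secret"}))
```

The practical check this suggests: before editing CS.cfg, compare the value after "finding user from key:" with the keys after "putting: key" in the same debug run. If they differ, the file entry must be keyed by whatever the request actually carries; if the key is null, the request does not carry that attribute at all and changing keyAttributes alone cannot fix it.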
retrieve certificate chain from CA
by Reinhardt, Uwe
Hello,
if I install a ca with ca_signing certificate signed by an external root ca, how do I request and retrieve a certificate containing the complete certificate chain?
I used caServerCert certificate profile to request/submit/approve a server certificate. When I export the certificate with pki ca-cert-show --encoded --output I get the plain PEM certificate without the chain. I tried also a modified profile with output class_id pkcs7OutputImpl but the certificate retrieved was the same.
Has anyone some hint?
Many thanks and regards
Uwe
3 years, 9 months
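The question above is not answered on this page. As an added example (my code, not Dogtag's and not from the thread): `pki ca-cert-show` hands back one certificate, so a chain file is something the operator assembles from the leaf plus the CA signing certificate and, for an externally signed CA, the external root, ordered so that each certificate is followed by its issuer. The block below does exactly that ordering by matching each certificate's issuer Name against the subject Names of a pool of candidate certificates, with a small DER walker that needs no third-party library. The three certificates it runs on are constructed X.509 v1 skeletons with placeholder fields and no real signature; they exist only so the example runs offline, and real verification of the assembled chain should be done with `openssl verify -CAfile root.pem -untrusted ca.pem leaf.pem`.

```python
import base64

# ---- minimal DER encoding, only what the constructed demo certificates need ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_name(cn):
    """X.501 Name with one CN RDN: SEQ { SET { SEQ { OID 2.5.4.3, UTF8String } } }."""
    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))
    return tlv(0x30, tlv(0x31, tlv(0x30, oid_cn + tlv(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """Constructed, UNSIGNED X.509 v1 skeleton: correct field order, placeholder
    contents, dummy signature. Good enough to exercise subject/issuer matching."""
    tbs = tlv(0x30, tlv(0x02, b"\x01")      # serialNumber
                  + tlv(0x30, b"")           # signature algorithm (placeholder)
                  + der_name(issuer_cn)      # issuer
                  + tlv(0x30, b"")           # validity (placeholder)
                  + der_name(subject_cn)     # subject
                  + tlv(0x30, b""))          # subjectPublicKeyInfo (placeholder)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

# ---- PEM handling and a DER walker that extracts subject and issuer ----
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def from_pem(pem):
    """Return the DER bytes of every CERTIFICATE block in a PEM string, in order."""
    ders = []
    for chunk in pem.split("-----BEGIN CERTIFICATE-----")[1:]:
        body = chunk.split("-----END CERTIFICATE-----")[0]
        ders.append(base64.b64decode("".join(body.split())))
    return ders

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_issuer(der):
    """Return (subject Name DER, issuer Name DER) of a certificate as raw bytes,
    so two Names can be compared byte-for-byte."""
    _, tbs_start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, tbs_start)    # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    fields = []                                   # serial, sigAlg, issuer, validity, subject, spki
    while pos < tbs_end and len(fields) < 6:
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def order_chain(leaf_der, pool_ders, include_root=False):
    """Walk leaf -> issuer -> ... by matching issuer to subject in the pool.
    Returns (ordered DER list, complete) where complete means a self-signed
    certificate was reached; root is dropped unless include_root is set."""
    by_subject = {subject_issuer(d)[0]: d for d in pool_ders}
    chain, seen, complete = [leaf_der], {leaf_der}, False
    while True:
        subject, issuer = subject_issuer(chain[-1])
        if subject == issuer:                     # self-signed: top of the chain
            complete = True
            if not include_root and len(chain) > 1:
                chain.pop()
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in seen:            # missing issuer, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain, complete

if __name__ == "__main__":
    root = fake_cert("Corporate Root CA", "Corporate Root CA")
    ca = fake_cert("Dogtag CA Signing", "Corporate Root CA")
    leaf = fake_cert("server.example.com", "Dogtag CA Signing")
    chain, complete = order_chain(leaf, from_pem(to_pem(root) + to_pem(ca)))
    print("complete:", complete)
    print("".join(to_pem(c) for c in chain))      # leaf first, then the CA signing cert
```

If a PKCS#7 bundle is what the consumer wants rather than concatenated PEM, the ordered PEM file converts with `openssl crl2pkcs7 -nocrl -certfile chain.pem -outform PEM`. Whether to include the root at the end is a policy choice: servers usually omit it because clients must already trust it.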
Re: [Pki-users] Is Dogtag PKI Rest API documentation up to date?
by Wahaj K
Hi Endi,
Thanks a lot for your response. In the meanwhile I managed to get some code
working to get this approval done, but somehow when I do this a number of
times it hangs. I then checked with the PKI CLI and the approval call is
indeed at times very slow (giving the perception of a hang, but it does work
after some time), and that's the reason my code breaks with an exception - see
below. So I have 2 queries:
- Why are approval calls so slow? Can these be made faster? I am running Fedora
32 as a VM with 6 GB RAM and 4 vCPUs.
- Is there a way to set the timeout period in the client to ensure the
calling application doesn't close the session too soon?
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection - Client
certificate: PKI Administrator for localhost.localdomain
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection - HTTP
request: POST /ca/rest/agent/certrequests/68/approve HTTP/1.1
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Accept: application/xml
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Content-Type: application/xml
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Content-Length: 21606
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection - Host:
192.168.56.103:8443
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Connection: Keep-Alive
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
User-Agent: Apache-HttpClient/4.5.10 (Java/1.8.0_242)
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Cookie: JSESSIONID=BF20B9C354788A712389E9FBF920651C
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection - HTTP
response: HTTP/1.1 400
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Content-Type: text/html;charset=UTF-8
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Content-Length: 243
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection - Date:
Thu, 12 Nov 2020 09:25:04 GMT
[pool-3-thread-4] INFO com.netscape.certsrv.client.PKIConnection -
Connection: close
*[pool-3-thread-4] ERROR com.netscape.certsrv.client.PKIConnection -
WARNING: SSL alert sent: CLOSE_NOTIFY*
com.netscape.certsrv.base.PKIException: Bad Request
at
com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:469)
at
com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:432)
at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:106)
at
com.netscape.certsrv.ca.CACertClient.approveRequest(CACertClient.java:127)
> On Wed, Nov 11, 2020 at 10:39 PM Endi Dewata <edewata(a)redhat.com> wrote:
>
>> Hi Wahaj,
>>
>> The REST API doc was created manually, so unfortunately it may have become
>> out of date and we don't have resources right now to update it. For now
>> I'd suggest to run the pki CLI with --verbose, --message-format, and --output
>> to see the actual request and responses sent between the server and client
>> and then replicate the same messages in your application. Hope this helps.
>>
>> https://github.com/dogtagpki/pki/wiki/PKI-CLI-Options
>>
>> --
>> Endi S. Dewata
>>
>>
>> On Mon, Nov 9, 2020 at 1:52 AM Wahaj K <mwahaj3120(a)gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Saw the documentation at:
>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Revoke-Certificate-REST-API
>>>
>>> I am trying this and failing. I get all sorts of issues like "Content type
>>> is not valid", "Content Length is not valid" etc. when I put some content type
>>> and content length. I believe that since this is an HTTP POST with no content
>>> required, I am then skipping both of these, but then I get this in the CA logs:
>>>
>>> 2020-11-09 11:33:00 [https-jsse-nio-8443-exec-24] ERROR: RESTEASY002010:
>>> Failed to execute
>>>
>>> javax.ws.rs.NotSupportedException: RESTEASY003200: Could not find
>>> message body reader for type: class
>>> com.netscape.certsrv.cert.CertRevokeRequest of content type: */*
>>>
>>> I am using Postman. Get Certs call is working fine.
>>>
>>>
>>> I get similar errors on the Restful Approve call.
>>>
>>> Is the documentation up to date? I am stuck for days :( *Would be
>>> grateful if you can guide!*
>>>
>>> Regards,
>>> Wahaj
3 years, 10 months
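Two things in the exchange above are worth seeing in code: Wahaj's first failure (RESTEASY003200 with content type `*/*`) is the server refusing a POST whose Content-Type does not name a body format it can read, and the hang he asks about is a client-side timeout question, which the Java client hid behind a bare PKIException. The following is an added example of my own, not Dogtag's client and not code from the thread. It uses only the Python standard library: a `post()` helper with an explicit timeout that returns 4xx/5xx bodies instead of discarding them, and a constructed local mock of the CA's REST endpoint (plain HTTP, no TLS, no agent certificate) that rejects non-XML/JSON bodies with a RESTEasy-style message and sleeps on a `/slow` path to simulate a sluggish approval. The request path is the one from the log; the request body is a placeholder, since the real CertReviewResponse has to be captured from `pki --verbose` as Endi suggests.

```python
import socket
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACCEPTED = ("application/xml", "application/json")


def post(url, body, content_type=None, accept="application/xml", timeout=30.0):
    """POST body to url with an explicit client-side timeout.
    Returns (status, response_text); an HTTP error status is returned, not raised,
    so the caller can read the server's explanation. A timeout raises TimeoutError."""
    headers = {"Accept": accept}
    if content_type:
        headers["Content-Type"] = content_type
    # Caveat: when data is set and no Content-Type is given, urllib silently sends
    # application/x-www-form-urlencoded, which the server will reject just the same.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
    except urllib.error.URLError as e:        # connect-phase timeout is wrapped
        if isinstance(e.reason, socket.timeout):
            raise TimeoutError("no response within %.1fs" % timeout) from e
        raise
    except socket.timeout as e:               # read-phase timeout comes through bare
        raise TimeoutError("no response within %.1fs" % timeout) from e


class MockCA(BaseHTTPRequestHandler):
    """Constructed stand-in for the CA's agent REST endpoint (not Dogtag)."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.endswith("/slow"):
            time.sleep(2)                     # simulate a slow approval
        ctype = self.headers.get("Content-Type", "*/*").split(";")[0].strip()
        if ctype not in ACCEPTED:
            # Shaped like the RESTEasy error quoted in the thread; text is constructed.
            self._reply(400, "text/html;charset=UTF-8",
                        "RESTEASY003200: Could not find message body reader "
                        "for content type: " + ctype)
            return
        self._reply(200, "application/xml",
                    "<CertRequestInfo><requestStatus>complete</requestStatus></CertRequestInfo>")

    def _reply(self, status, ctype, text):
        data = text.encode()
        try:
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError:
            pass                              # client already gave up (timed out)

    def log_message(self, *args):
        pass


def start_mock_ca():
    """Serve MockCA on a free localhost port in a daemon thread; return the base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockCA)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def demo(base_url):
    """Run the three cases from the thread against base_url; return the outcomes."""
    url = base_url + "/ca/rest/agent/certrequests/68/approve"
    body = b"<CertReviewResponse/>"          # placeholder; capture the real one with pki --verbose
    out = {"ok": post(url, body, "application/xml", timeout=5)}
    out["no_ctype"] = post(url, body, None, timeout=5)
    try:
        post(url + "/slow", body, "application/xml", timeout=0.5)
        out["slow"] = "responded"
    except TimeoutError as e:
        out["slow"] = str(e)
    return out


if __name__ == "__main__":
    for name, result in demo(start_mock_ca()).items():
        print(name, "->", result)
```

Against a real CA the URL is https on port 8443 and the agent authenticates with a client certificate: build an `ssl.SSLContext` with `load_cert_chain()` and the CA's certificate as `cafile`, and install it with `urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))` before calling `post()`. The timeout value answers the second question in the post: it bounds how long the caller waits, and a slow but healthy approval then surfaces as a TimeoutError to retry or extend, rather than a hang.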
Is Dogtag PKI Rest API documentation up to date?
by Wahaj K
Hi,
Saw the documentation at:
https://github.com/dogtagpki/pki/wiki/PKI-CA-Revoke-Certificate-REST-API
I am trying this and failing. I get all sorts of issues like "Content type is
not valid", "Content Length is not valid" etc. when I put some content type and
content length. I believe that since this is an HTTP POST with no content required,
I am then skipping both of these, but then I get this in the CA logs:
2020-11-09 11:33:00 [https-jsse-nio-8443-exec-24] ERROR: RESTEASY002010:
Failed to execute
javax.ws.rs.NotSupportedException: RESTEASY003200: Could not find message
body reader for type: class com.netscape.certsrv.cert.CertRevokeRequest of
content type: */*
I am using Postman. Get Certs call is working fine.
I get similar errors on the Restful Approve call.
Is the documentation up to date? I am stuck for days :( *Would be grateful
if you can guide!*
Regards,
Wahaj
3 years, 10 months
Automatically generate certificates without approval
by Wahaj K
Hi Guys,
I am new to Dogtag PKI and have installed it on Fedora 33. I am able to
send a PKCS#10 certificate request, approve it and then get the issued certificate. I
need to know a way to generate the certificate without manual approval,
so that when a PKCS#10 request is sent, the certificate is generated right
away. I have looked at profiles and the CA configuration but couldn't see a way. I
am using Dogtag 10.9. Is this possible? Any guidance is appreciated.
Regards,
Wahaj
3 years, 10 months