Re: Bulk Issuance Problem.
by Marc Sauton
Those steps come from an older article at
https://access.redhat.com/solutions/44042 , originally on RHEL-5 for RHCS-8
(and my fault).
I think the perl command in step 4, after the loop on PKCS10Client, is now
incorrect: the goal was to remove the header and footer of the CSR, but it
seems the resulting file with several CSRs is now incorrect, with mangled
headers.
So I would change step 4 from
"
time for i in {1..10}; do \
  /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; \
  cat ${f}.${i} >> ${f}; \
done
perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f}
wc -l ${f}
"
to create a request and make it one line without header and footer within
the loop:
"
time for i in {1..10}; do \
  /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -n "cn=testms${i}.example.com"; \
  sed -i.orig -rn '/^-----BEGIN CERTIFICATE REQUEST-----$/{:1;n;/^-----END CERTIFICATE REQUEST-----$/b2;H;b1};:2;${x;s/\s//g;p}' ${f}.${i}; \
  cat ${f}.${i} >> ${f}; \
done
wc -l ${f}
"
And the sslget command did work OK for me.
And note the CA restart is not needed in step 1 (it is not in the
original article).
There are different ways to create and submit CSR, this was one example.
I am going to correct the article and open a doc bug.
Thanks for pointing this out, and your patience.
M.
On Wed, Sep 22, 2021 at 2:25 PM Hank Hotz <Hank_Hotz(a)na.honda.com> wrote:
> I’m trying to demonstrate that Dogtag could support issuing certs to a
> Linux version which I can’t get information on. Using Fedora 34 for initial
> proof-of-concept.
>
> I’ve managed to work through a lot of the errors in
> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/....
> (The page doesn’t seem to be maintained. Where can I submit corrections?)
>
> I’m stuck on the last step though. Until I get a working example, I can’t
> tell what’s wrong with the format of the request. The error I get follows.
> If other info would be useful, like the full traceback, or the request as
> actually formatted by the perl command, just let me know.
>
> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] WARNING: CertProcessor: No authenticator credentials required
> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: DBSSession: reading cn=8,ou=certificateRepository, ou=ca, o=pki-tomcat-CA
> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: AgentCertAuthentication: authenticated uid=newcaagent,ou=people,o=pki-tomcat-CA
> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: EnrollProfile: Parsing PKCS #10 request:
> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: Unable to parse PKCS #10 request: Sequence tag error -1
> java.io.IOException: Sequence tag error -1
>         at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)
> [ . . . traceback with no explicit errors . . . ]
> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: ProfileSubmitServlet: error in processing request: Invalid Request
> Invalid Request
>         at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:247)
> [ . . . traceback including . . . ]
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>         at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: java.io.IOException: Sequence tag error -1
>         at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)
>         at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:143)
>         at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)
>         at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:238)
>         ... 50 more
>
> Thanks for any help. If I get past proof of concept, I can engage Honda’s
> support contract with IBM, but I’m not there yet.
>
> Confidentiality Notice: This transmission (including any attachments) may
> contain confidential information belonging to the sender and is intended
> only for the use of the party or entity to which it is addressed. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, retention or the taking of action in
> reliance on the contents of this transmission is strictly prohibited. If
> you have received this transmission in error, please immediately notify the
> sender and erase all information and attachments.
> _______________________________________________
> Pki-users mailing list -- users(a)lists.dogtagpki.org
> To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
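As an added example, not code from this thread or from Dogtag/RHCS, the Python below does the step-4 transformation Marc describes as a function (strip the PEM header and footer, collapse each request to one base64 line, handle a file holding several concatenated requests) and adds the check that accounts for the "Sequence tag error" in Hank's log: the first thing a PKCS #10 parser reads is a DER SEQUENCE tag (0x30), so a body that is empty, still carries the PEM armour, or decodes to some other tag is rejected before any field is looked at. The form-encoding step mirrors the %2B/%2F substitutions of the original perl one-liner and also encodes '='. The sample PEM block is constructed for the demonstration and wraps a minimal DER SEQUENCE, not a real CSR; PKCS10Client, sslget and the CA are not involved.

```python
"""Step-4 helper for the bulk-issuance loop: strip the PEM armour from
each PKCS #10 request, collapse it to one base64 line, check that it
decodes to DER starting with a SEQUENCE tag, and form-encode it.

Added example, not code from the thread or from Dogtag/RHCS.  The
sample PEM below is constructed for the demonstration: its body is the
DER for SEQUENCE { INTEGER 1 } (30 03 02 01 01), not a real CSR.
"""
import base64
import binascii
import re
from urllib.parse import quote

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
DER_SEQUENCE_TAG = 0x30

# Constructed sample, base64 body wrapped over two lines as PEM writers do.
SAMPLE_PEM = f"{BEGIN}\nMAMC\nAQE=\n{END}\n"


def extract_b64_bodies(text):
    """Return the base64 body of every PEM request block in `text`, each
    collapsed to a single line (header, footer and whitespace removed).
    Works on a file holding several concatenated requests, which is the
    case the original perl one-liner mangled."""
    bodies, inside, chunks = [], False, []
    for raw in text.splitlines():
        line = raw.strip()            # tolerates CRLF and trailing blanks
        if line == BEGIN:
            inside, chunks = True, []
        elif line == END and inside:
            bodies.append("".join(chunks))
            inside = False
        elif inside:
            chunks.append(re.sub(r"\s", "", line))
    return bodies


def check_der_sequence(b64):
    """Decode `b64` and require a DER SEQUENCE tag (0x30) as the first
    byte, which is the first thing a PKCS #10 parser reads.  Raises
    ValueError with the reason otherwise; returns the DER bytes."""
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not der:
        raise ValueError("empty request body")
    if der[0] != DER_SEQUENCE_TAG:
        raise ValueError(f"first byte 0x{der[0]:02x} is not a SEQUENCE tag")
    return der


def validate_request(b64):
    """Non-raising wrapper: (True, der_bytes) or (False, reason)."""
    try:
        return True, check_der_sequence(b64)
    except ValueError as exc:
        return False, str(exc)


def form_encode(b64):
    """Percent-encode the base64 for an application/x-www-form-urlencoded
    body.  Covers the + and / the original perl step escaped (%2B, %2F)
    and also '=' (%3D), which that step left alone."""
    return quote(b64, safe="")


def bulk_prepare(text):
    """One validated, form-encoded request per list entry: the corrected
    step 4 applied to a concatenated file instead of inside the loop."""
    out = []
    for body in extract_b64_bodies(text):
        check_der_sequence(body)      # fail fast, before anything hits the CA
        out.append(form_encode(body))
    return out


if __name__ == "__main__":
    for item in bulk_prepare(SAMPLE_PEM * 3):
        print(item)
    # Feeding the armoured text itself fails before the DER check:
    # '-' is not in the base64 alphabet.
    print(validate_request(SAMPLE_PEM))
    # A body that decodes but starts with INTEGER (0x02) is also rejected.
    print(validate_request("AgEB"))
```

Run it once over the concatenated file from the loop before calling sslget; any request that fails `check_der_sequence` would have produced the same class of parse error on the CA side, and catching it locally avoids a round trip per bad request.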