KRA Problem
by Tiago Magalhães
Hi, I installed the CA and KRA in the same Tomcat instance, but when I try to
enroll a certificate using server-side key generation, the following
message appears: "KRA Transport Certificate needs to be imported into the
CA nssdb for Server-Side Kegen Enrollment". Do you know how I can fix
this?
Thanks for your attention.
4 days, 8 hours
authz.acl in certificate profiles
by jasper.misset@cleverbase.com
Hi all,
I have a question about the configuration setting authz.acl in certificate profiles. For example profile https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/c... contains:
authz.acl=group="Certificate Manager Agents"
The only documentation I can find on this is from the Red Hat Certificate System, where it says:
Specifies the authorization constraint. Most commonly, this is used to set the group evaluation ACL. For example, this caCMCUserCert parameter requires that the signer of the CMC request belong to the Certificate Manager Agents group:
authz.acl=group="Certificate Manager Agents"
In directory-based user certificate renewal, this option is used to ensure that the original requester and the currently-authenticated user are the same.
An entity must authenticate (bind or, essentially, log into the system) before authorization can be evaluated. The authorization method specified must be one of the registered authorization instances from CS.cfg.
However, I've found that this setting doesn't actually seem to do anything.
An agent belonging to any group that has the following permissions can submit a CMC request and it will get accepted and a certificate is issued:
"certServer.ee.profile"
"certServer.ca.certrequests", "execute"
Is this a known issue? Or should it work and am I just using it wrong?
2 weeks, 6 days
test
by jasper.misset@cleverbase.com
test
2 weeks, 6 days
authz.acl in certificate profiles
by Jasper Misset
Hi all,
I have a question about the configuration setting *authz.acl* in
certificate profiles. For example profile
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/c...
contains:
*authz.acl=group="Certificate Manager Agents"*
The only documentation I can find on this is from the Red Hat Certificate
System, where it says:
Specifies the authorization constraint. Most commonly, this is used to set
the group evaluation ACL. For example, this caCMCUserCert parameter
requires that the signer of the CMC request belong to the Certificate
Manager Agents group:
authz.acl=group="Certificate Manager Agents"
In directory-based user certificate renewal, this option is used to ensure
that the original requester and the currently-authenticated user are the
same.
An entity must authenticate (bind or, essentially, log into the system)
before authorization can be evaluated. The authorization method specified
must be one of the registered authorization instances from CS.cfg.
However, I've found that this setting doesn't actually seem to do anything.
An agent belonging to any group that has the following permissions can
submit a CMC request and it will get accepted and a certificate is issued:
- "certServer.ee.profile"
- "certServer.ca.certrequests", "execute"
Is this a known issue? Or should it work and am I just using it wrong?
Jasper Misset
2 weeks, 6 days