Re: KRA Problem
by Robert Riemann
Dear Marco,
really appreciate your help. My colleague and I tried our best to document
the issue on Github: https://github.com/dogtagpki/pki/issues/5037
Discussion can continue over at Github.
Best,
Robert
On Wednesday, 9 April 2025 11:02:42 Central European Summer Time you wrote:
> Hi Robert,
>
> it could be an issue. Could you open a new issue in GitHub explaining steps
> and configuration?
> Cheers,
> Marco
>
> On Wed, 9 Apr 2025 at 10:49, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > Dear Marco,
> >
> > the transport certificate was indeed added automatically. However, it was
> > still producing an error until we added
> > ca.connector.KRA.transportCertNickname.
> >
> > Best,
> > Robert
> >
> > On Tuesday, 8 April 2025 19:03:12 Central European Summer Time you wrote:
> > > Hi Robert,
> > >
> > > as far as I know the transport certificate should be automatically added to
> > > the CA during KRA spawn.
> > > There is something in your setup preventing this from happening but I am
> > > not sure. Do you have a warning in the CA logs?
> > > Or in the pkispawn installation? Maybe CA and pkispawn should run with
> > > debug enabled to get what is going on.
> > >
> > > Cheers,
> > > Marco
> > >
> > > On Tue, 8 Apr 2025 at 18:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > > > Dear Marco, dear all,
> > > >
> > > > with my colleague, we have repeated the setup. While we got past the error
> > > > during the certificate request (the original error), we could not
> > > > validate the request due to this error:
> > > >
> > > > SEVERE: ProfileProcessServlet: KRA Transport Certificate needs to be imported
> > > > into the CA nssdb for Server-Side Kegen Enrollment
> > > > KRA Transport Certificate needs to be imported into the CA nssdb for
> > > > Server-Side Kegen Enrollment
> > > >
> > > > Then, we compared again my working setup and the new setup and noticed
> > > > that I had previously added the following line to my CA CS.cfg file:
> > > >
> > > > ca.connector.KRA.transportCertNickname=kra_transport
> > > >
> > > > We then added this to the new setup and then the new setup allowed us to
> > > > create (request and validate) a certificate with profile
> > > > caServerKeygen_UserCert.
> > > >
> > > > Couldn't this line be added automatically by "pkispawn -s KRA"?
> > > >
> > > > Best,
> > > > Robert
> > > >
> > > > On Tuesday, 8 April 2025 10:28:43 Central European Summer Time Marco Fargetta wrote:
> > > > > Ok, thanks for the update.
> > > > > Marco
> > > > >
> > > > > On Mon, 7 Apr 2025 at 23:39, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > > > > > Dear Marco, dear all,
> > > > > >
> > > > > > The original error comes from the web GUI. So I do not know which
> > > > > > commands are precisely executed.
> > > > > >
> > > > > > Fedora 40 does not offer packages for v11.6 yet.
> > > > > >
> > > > > > So I have updated now to Fedora 41 which comes with v11.6. Now, I can
> > > > > > request and approve certificates through the web gui. Hence, the KRA
> > > > > > problem is solved for me. I may eventually switch to Redhat Enterprise
> > > > > > Linux packages and hope that they also offer v11.6...
> > > > > >
> > > > > > Best regards,
> > > > > > Robert
> > > > > >
> > > > > > On Monday, 7 April 2025 16:32:58 Central European Summer Time Marco Fargetta wrote:
> > > > > > > Hi Robert,
> > > > > > >
> > > > > > > I am not sure if there is an async operation to complete before the
> > > > > > > request can be approved. I should investigate it.
> > > > > > > However, this was executed during v11.5 and it was working. Not sure
> > > > > > > what could have happened to create this different behaviour.
> > > > > > >
> > > > > > > If v11.6 works, then you could try to update your setup.
> > > > > > >
> > > > > > > For the original error, do the logs show the same error when you run
> > > > > > > the approve without the sleep?
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Marco
> > > > > > >
> > > > > > > On Mon, 7 Apr 2025 at 16:11, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > > > > > > > Dear Marco, dear all,
> > > > > > > >
> > > > > > > > I run Dogtag v11.5 and have possibly found a race condition error. The
> > > > > > > > Github actions you mentioned seem to be specific for version v11.6. The
> > > > > > > > tests for v11.5 use instead this script:
> > > > > > > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh
> > > > > > > >
> > > > > > > > I copied the script over, adapted the passwords and gave it a try. I
> > > > > > > > notice the following:
> > > > > > > >
> > > > > > > > This line 21 fails for me:
> > > > > > > > pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
> > > > > > > > Source:
> > > > > > > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh#L21
> > > > > > > >
> > > > > > > > Error:
> > > > > > > >
> > > > > > > > Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
> > > > > > > > Submitting CRMF request to pki-test.riemann.cc:8080
> > > > > > > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
> > > > > > > > Request Status: pending
> > > > > > > > Reason:
> > > > > > > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
> > > > > > > > BadRequestException: Request Sending DRM request failed check KRA log for
> > > > > > > > detail Rejected - {1}
> > > > > > > > Cert ID:
> > > > > > > > ERROR: Missing serial number
> > > > > > > >
> > > > > > > > Workaround:
> > > > > > > >
> > > > > > > > I add a "sleep 3" between the call to CRMFPopClient and the call to
> > > > > > > > "ca-cert-request-approve".
> > > > > > > >
> > > > > > > > Is it possible that a race condition is also responsible for the original
> > > > > > > > error?
> > > > > > > >
> > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > > > > > > > > ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> > > > > > > > > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> > > > > > > > > KRA Transport Certificate needs to be imported into the CA nssdb for
> > > > > > > > > Server-Side Kegen Enrollment
> > > > > > > >
> > > > > > > > I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't find
> > > > > > > > any recent entry.
> > > > > > > >
> > > > > > > > $ ls /var/log/pki/pki-tomcat/kra/
> > > > > > > > archive debug.2025-04-04.log selftests.log signedAudit
> > > > > > > >
> > > > > > > > Best,
> > > > > > > > Robert
> > > > > > > >
> > > > > > > > On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco Fargetta wrote:
> > > > > > > > > Hi Robert,
> > > > > > > > >
> > > > > > > > > I have not tested your configuration but it seems correct.
> > > > > > > > >
> > > > > > > > > You can find documentation on dogtag KRA configuration in the folder:
> > > > > > > > > https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
> > > > > > > > >
> > > > > > > > > There are also several actions performing the operation. Have a look at:
> > > > > > > > > https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
> > > > > > > > > You can compare the installation steps with your case.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Marco
> > > > > > > > >
> > > > > > > > > On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > > > > > > > > > Dears,
> > > > > > > > > >
> > > > > > > > > > I experience the same issue (KRA missing in CA nssdb) when attempting to
> > > > > > > > > > enroll via the browser with the profile:
> > > > > > > > > > Manual User Dual-Use Certificate Enrollment using server-side Key
> > > > > > > > > > generation
> > > > > > > > > >
> > > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO:
> > > > > > > > > > UserSubjectNameDefault: Subject:
> > > > > > > > > > UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
> > > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > > > > > > > > > ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> > > > > > > > > > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> > > > > > > > > > KRA Transport Certificate needs to be imported into the CA nssdb for
> > > > > > > > > > Server-Side Kegen Enrollment
> > > > > > > > > >
> > > > > > > > > > at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
> > > > > > > > > > at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
> > > > > > > > > > at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
> > > > > > > > > >
> > > > > > > > > > The link
> > > > > > > > > > https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
> > > > > > > > > > provided by Chris Zinda in 2021 is unfortunately broken/empty.
> > > > > > > > > >
> > > > > > > > > > What I have done so far:
> > > > > > > > > >
> > > > > > > > > > - I have setup the directory server and CA+KRA in the same pki-tomcat
> > > > > > > > > >   instance.
> > > > > > > > > > - I have checked if the kra_transport certificate is in the CA nssdb:
> > > > > > > > > >
> > > > > > > > > > $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> > > > > > > > > >
> > > > > > > > > > Certificate Nickname                                         Trust Attributes
> > > > > > > > > >                                                              SSL,S/MIME,JAR/XPI
> > > > > > > > > >
> > > > > > > > > > ca_signing                                                   CTu,Cu,Cu
> > > > > > > > > > ca_ocsp_signing                                              u,u,u
> > > > > > > > > > sslserver                                                    u,u,u
> > > > > > > > > > subsystem                                                    u,u,u
> > > > > > > > > > ca_audit_signing                                             u,u,Pu
> > > > > > > > > > kra_transport                                                u,u,u
> > > > > > > > > > kra_storage                                                  u,u,u
> > > > > > > > > > kra_audit_signing                                            u,u,Pu
> > > > > > > > > >
> > > > > > > > > > - I have read
> > > > > > > > > >   https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
> > > > > > > > > > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
> > > > > > > > > >   "ca.connector.KRA.transportCertNickname=kra_transport"
> > > > > > > > > >   (However, ca.connector.KRA.transportCert was already set accurately)
> > > > > > > > > > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
> > > > > > > > > > - I've tested with `pki -n caadmin ca-kraconnector-show`:
> > > > > > > > > >
> > > > > > > > > > Host: pki-test.riemann.cc:8443
> > > > > > > > > > Enabled: true
> > > > > > > > > > Local: false
> > > > > > > > > > Timeout: 30
> > > > > > > > > > URI: /kra/agent/kra/connector
> > > > > > > > > > Transport Cert:
> > > > > > > > > > MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
> > > > > > > > > > MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
> > > > > > > > > > […]
> > > > > > > > > >
> > > > > > > > > > What else could be wrong? Find my setup script here below.
> > > > > > > > > >
> > > > > > > > > > Best,
> > > > > > > > > > Robert
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > #!/usr/bin/sudo /bin/bash
> > > > > > > > > >
> > > > > > > > > > # pam_limits only reads files in limits.d that end in .conf
> > > > > > > > > > cat << EOF > /etc/security/limits.d/01-pki.conf
> > > > > > > > > > # Dogtag CA Settings
> > > > > > > > > > root hard nofile 4096
> > > > > > > > > > root soft nofile 4096
> > > > > > > > > > EOF
> > > > > > > > > >
> > > > > > > > > > dnf update -y
> > > > > > > > > > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
> > > > > > > > > >
> > > > > > > > > > # Create Directory Server Instance:
> > > > > > > > > > #
> > > > > > > > > > # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
> > > > > > > > > > #
> > > > > > > > > > dscreate create-template ds-template.inf
> > > > > > > > > >
> > > > > > > > > > sed --silent \
> > > > > > > > > >     -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
> > > > > > > > > >     -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
> > > > > > > > > >     -e "s/;suffix = .*/suffix = $SUFFIX/g" \
> > > > > > > > > >     -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
> > > > > > > > > >     -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
> > > > > > > > > >     -e "w ds.inf" \
> > > > > > > > > >     ds-template.inf
> > > > > > > > > >
> > > > > > > > > > dscreate from-file ds.inf
> > > > > > > > > >
> > > > > > > > > > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
> > > > > > > > > > dn: dc=pki,$SUFFIX
> > > > > > > > > > objectClass: domain
> > > > > > > > > > dc: pki
> > > > > > > > > > EOF
> > > > > > > > > >
> > > > > > > > > > systemctl status dirsrv@localhost.service
> > > > > > > > > >
> > > > > > > > > > # Create PKI CA Server
> > > > > > > > > > #
> > > > > > > > > > curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
> > > > > > > > > > # cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg
> > > > > > > > > > sed --silent \
> > > > > > > > > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> > > > > > > > > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
> > > > > > > > > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
> > > > > > > > > >     -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
> > > > > > > > > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> > > > > > > > > >     -e "w ca.cfg" \
> > > > > > > > > >     ca-template.cfg
> > > > > > > > > >
> > > > > > > > > > pkispawn -f ca.cfg -s CA
> > > > > > > > > >
> > > > > > > > > > pki-server cert-export ca_signing --cert-file ca_signing.crt
> > > > > > > > > > sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
> > > > > > > > > > # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
> > > > > > > > > > sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
> > > > > > > > > > sudo -u fedora pki info # for testing the setup
> > > > > > > > > >
> > > > > > > > > > # Create PKI KRA Server
> > > > > > > > > > #
> > > > > > > > > > cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
> > > > > > > > > > sed --silent \
> > > > > > > > > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> > > > > > > > > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
> > > > > > > > > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
> > > > > > > > > >     -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
> > > > > > > > > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> > > > > > > > > >     -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
> > > > > > > > > >     -e "w kra.cfg" \
> > > > > > > > > >     kra-template.cfg
> > > > > > > > > >
> > > > > > > > > > pkispawn -f kra.cfg -s KRA
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Pki-users mailing list -- users(a)lists.dogtagpki.org
> > > > > > > > > > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
2 weeks
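The thread ends with the observation that pkispawn does import the KRA transport certificate into the CA's NSS database, yet a Server-Side Keygen enrollment still fails until the CA's CS.cfg also carries ca.connector.KRA.transportCertNickname. The script below is an added example and is not code from the thread or from the Dogtag project: it checks a CA's CS.cfg and a saved `certutil -L` listing for exactly that inconsistency, and optionally verifies that the base64 in ca.connector.KRA.transportCert is the same certificate the nickname resolves to. It assumes the key names shown in the thread (ca.connector.KRA.transportCert, ca.connector.KRA.transportCertNickname, ca.connector.KRA.nickName) plus ca.connector.KRA.enable, that CS.cfg is plain KEY=VALUE lines, and that `certutil -L` prints the trust flags as the last column. The CS.cfg, listing and PEM it writes for the offline demo are constructed, not taken from a real instance.

```shell
# Added example (not Dogtag code): consistency check for a CA's KRA connector settings.
# Assumptions: CS.cfg is KEY=VALUE lines; "certutil -L -d DIR" prints one certificate
# per line with the trust flags as the last column; "certutil -L -d DIR -n NICK -a"
# prints that certificate as PEM. Keys: the ones from the thread plus
# ca.connector.KRA.enable. Read-only: nothing here modifies CS.cfg or the NSS database.

# cfg_get FILE KEY: print the value of the first "KEY=VALUE" line (empty if absent).
cfg_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# nssdb_nicknames_from_listing: read "certutil -L" output on stdin and print one
# nickname per line (everything before the trailing trust-flags column).
nssdb_nicknames_from_listing() {
  awk '
    /^Certificate Nickname/ || $1 ~ /^SSL,/ || NF == 0 { next }
    $NF ~ /^[CTPpcuw,]*$/ { $NF = ""; sub(/[ \t]+$/, ""); print }
  '
}

# pem_body FILE: the base64 body of a PEM certificate joined into one line.
pem_body() {
  sed '/^-----/d' "$1" | tr -d '\n\r'
}

# check_kra_connector CS_CFG LISTING [TRANSPORT_PEM]
#   CS_CFG        the CA's CS.cfg (e.g. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg)
#   LISTING       saved output of: certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
#   TRANSPORT_PEM optional saved output of: certutil -L -d <alias> -n <nickname> -a
# Prints one OK/FAIL line per check and returns 0 only if every check passed.
check_kra_connector() {
  local cfg=$1 listing=$2 pem=${3:-} rc=0 enable nick cert
  enable=$(cfg_get "$cfg" ca.connector.KRA.enable)
  nick=$(cfg_get "$cfg" ca.connector.KRA.transportCertNickname)
  cert=$(cfg_get "$cfg" ca.connector.KRA.transportCert)

  if [ "$enable" = true ]; then echo "OK:   ca.connector.KRA.enable=true"
  else echo "FAIL: ca.connector.KRA.enable is '${enable:-unset}', expected true"; rc=1; fi

  if [ -n "$cert" ]; then echo "OK:   ca.connector.KRA.transportCert is set"
  else echo "FAIL: ca.connector.KRA.transportCert is empty"; rc=1; fi

  if [ -z "$nick" ]; then
    echo "FAIL: ca.connector.KRA.transportCertNickname is not set"; rc=1
  elif nssdb_nicknames_from_listing < "$listing" | grep -qxF -- "$nick"; then
    echo "OK:   nickname '$nick' is present in the CA NSS database"
  else
    echo "FAIL: nickname '$nick' is not in the CA NSS database"; rc=1
  fi

  # Optional: the nickname must resolve to the same certificate whose base64 is stored
  # in CS.cfg; a mismatch is configuration drift to resolve before trusting archival.
  if [ -n "$pem" ] && [ -n "$cert" ] && [ -n "$nick" ]; then
    if [ "$(pem_body "$pem")" = "$cert" ]; then
      echo "OK:   transportCert in CS.cfg matches the certificate under '$nick'"
    else
      echo "FAIL: transportCert in CS.cfg differs from the certificate under '$nick'"; rc=1
    fi
  fi
  return $rc
}

# make_fixtures DIR: write constructed sample inputs (not a real CS.cfg, listing or
# certificate) so the checks can be exercised offline.
make_fixtures() {
  local dir=$1 fake_b64='QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5'
  cat > "$dir/CS.cfg" <<EOF
ca.connector.KRA.enable=true
ca.connector.KRA.nickName=subsystem
ca.connector.KRA.transportCert=$fake_b64
ca.connector.KRA.transportCertNickname=kra_transport
EOF
  # The same file without the nickname line, i.e. the state the thread started from.
  grep -v '^ca.connector.KRA.transportCertNickname=' "$dir/CS.cfg" > "$dir/CS-no-nick.cfg"
  cat > "$dir/nicks.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
subsystem                                                    u,u,u
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
kra_audit_signing                                            u,u,Pu
EOF
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
    "$fake_b64" > "$dir/kra_transport.pem"
}

# Stand-alone demo on the constructed fixtures: bash kra-connector-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_fixtures "$d"
  echo "== complete CS.cfg"; check_kra_connector "$d/CS.cfg" "$d/nicks.txt" "$d/kra_transport.pem"
  echo "== CS.cfg without transportCertNickname"
  check_kra_connector "$d/CS-no-nick.cfg" "$d/nicks.txt" || echo "(exit status $?)"
fi
```

On a CA host, save the inputs with `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias > nicks.txt` and `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias -n kra_transport -a > kra_transport.pem`, then run `check_kra_connector /var/lib/pki/pki-tomcat/ca/conf/CS.cfg nicks.txt kra_transport.pem`. The PEM comparison is the part worth keeping after the nickname fix: a nickname that exists but points at a different certificate than the base64 in CS.cfg would pass the thread's check and still be wrong.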
Re: KRA Problem
by Robert Riemann
Dear Marco, dear all,
I run Dogtag v11.5 and have possibly found a race condition error. The Github
actions you mentioned seem to be specific for version v11.6. The tests for
v11.5 use instead this script:
https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-a...
I copied the script over, adapted the passwords and gave it a try. I notice
the following:
This line 21 fails for me:
pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
Source: https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-a...
Error:
Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
Submitting CRMF request to pki-test.riemann.cc:8080
Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
Request Status: pending
Reason:
Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
BadRequestException: Request Sending DRM request failed check KRA log for
detail Rejected - {1}
Cert ID:
ERROR: Missing serial number
Workaround:
I add a "sleep 3" between the call to CRMFPopClient and the call to
"ca-cert-request-approve".
Is it possible that a race condition is also responsible for the original
error?
> 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> KRA Transport Certificate needs to be imported into the CA nssdb for
> Server-Side Kegen Enrollment
I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't find
any recent entry.
$ ls /var/log/pki/pki-tomcat/kra/
archive debug.2025-04-04.log selftests.log signedAudit
Best,
Robert
On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco Fargetta
wrote:
> Hi Robert,
>
> I have not tested your configuration but it seems correct.
>
> You can find documentation on dogtag KRA configuration in the folder:
> https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
>
> There are also several actions performing the operation. Have a look at:
> https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
> You can compare the installation steps with your case.
>
> Thanks,
> Marco
>
> On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > Dears,
> >
> > I experience the same issue (KRA missing in CA nssdb) when attempting to
> > enroll via the browser with the profile:
> > Manual User Dual-Use Certificate Enrollment using server-side Key
> > generation
> >
> > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO:
> > UserSubjectNameDefault: Subject:
> > UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
> > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> > KRA Transport Certificate needs to be imported into the CA nssdb for
> > Server-Side Kegen Enrollment
> >
> > at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
> > at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
> > at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
> >
> >
> > The link
> > https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
> > provided by Chris Zinda in 2021 is unfortunately broken/empty.
> >
> > What I have done so far:
> >
> > - I have setup the directory server and CA+KRA in the same pki-tomcat
> >   instance.
> > - I have checked if the kra_transport certificate is in the CA nssdb:
> >
> > $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > ca_signing                                                   CTu,Cu,Cu
> > ca_ocsp_signing                                              u,u,u
> > sslserver                                                    u,u,u
> > subsystem                                                    u,u,u
> > ca_audit_signing                                             u,u,Pu
> > kra_transport                                                u,u,u
> > kra_storage                                                  u,u,u
> > kra_audit_signing                                            u,u,Pu
> >
> > - I have read
> >   https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
> >
> > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
> > "ca.connector.KRA.transportCertNickname=kra_transport"
> > (However, ca.connector.KRA.transportCert was already set accurately)
> >
> > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
> >
> > - I've tested with `pki -n caadmin ca-kraconnector-show`:
> >
> > Host: pki-test.riemann.cc:8443
> > Enabled: true
> > Local: false
> > Timeout: 30
> > URI: /kra/agent/kra/connector
> > Transport Cert:
> >
> > MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
> > MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
> > […]
> >
> > What else could be wrong? Find my setup script here below.
> >
> > Best,
> > Robert
> >
> >
> > #!/usr/bin/sudo /bin/bash
> >
> > # pam_limits only reads files in limits.d that end in .conf
> > cat << EOF > /etc/security/limits.d/01-pki.conf
> > # Dogtag CA Settings
> > root hard nofile 4096
> > root soft nofile 4096
> > EOF
> >
> > dnf update -y
> > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
> >
> > # Create Directory Server Instance:
> > #
> > # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
> > #
> > dscreate create-template ds-template.inf
> >
> > sed --silent \
> >     -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
> >     -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
> >     -e "s/;suffix = .*/suffix = $SUFFIX/g" \
> >     -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
> >     -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
> >     -e "w ds.inf" \
> >     ds-template.inf
> >
> > dscreate from-file ds.inf
> >
> > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
> > dn: dc=pki,$SUFFIX
> > objectClass: domain
> > dc: pki
> > EOF
> >
> > systemctl status dirsrv@localhost.service
> >
> > # Create PKI CA Server
> > #
> > curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
> > # cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg
> > sed --silent \
> >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
> >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
> >     -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
> >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> >     -e "w ca.cfg" \
> >     ca-template.cfg
> >
> > pkispawn -f ca.cfg -s CA
> >
> > pki-server cert-export ca_signing --cert-file ca_signing.crt
> > sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
> > # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
> > sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
> > sudo -u fedora pki info # for testing the setup
> >
> > # Create PKI KRA Server
> > #
> > cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
> > sed --silent \
> >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
> >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
> >     -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
> >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> >     -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
> >     -e "w kra.cfg" \
> >     kra-template.cfg
> >
> > pkispawn -f kra.cfg -s KRA
> >
> >
> > _______________________________________________
> > Pki-users mailing list -- users(a)lists.dogtagpki.org
> > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
2 weeks, 1 day
KRA Problem
by Tiago Magalhães
Hi, I installed CA and KRA in the same Tomcat instance, but when I try to
enroll a certificate using server-side key generation, the following
message appears: "KRA Transport Certificate needs to be imported into the
CA nssdb for Server-Side Kegen Enrollment". Do you know how I can fix
this?
Thanks for your attention
2 weeks, 5 days