reposting, since Emily possibly joined the mailing list after I
replied ;-).
Christina
On 04/10/2015 09:14 AM, Christina Fu wrote:
Hi Emily,
Please see my in-line reply below.
Actually, you might want to read my last comment first, and then
circle back, so you won't get confused.
Christina
On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
> Hi,
>
> I was referred to this email list by alee on the #dogtag-pki IRC
> group to get some help on automatic certificate renewals. We are
> trying to get Dogtag 10.2.1 set up to be a certificate authority for
> Cisco routers' identity certificates. For the first step I have
> things working to get a certificate using the caRouterCert.cfg
> profile with a one-time password in the flatfile.txt. For the second
> step I'm trying to get auto-renewal of the identity certificates
> working. Here is where I stand:
>
If you intend to do auto-enrollment, then one-time pin is not the
right authentication method. See my reply to #2 below.
> 1. For testing, I have set the validity to 1 day so that the renewal
> attempt happens the next day... I don't see a way of making it any
> shorter to expedite testing.
A trick I hear in testing is to reset the clock.
>
> 2. I have added "renewal=true" to the caRouterCert.cfg hoping that it
> will enable auto-renewal. I'm not sure if using the same profile
> would require that a "one-time" password needs to be in flatfile.txt
> again (which isn't practical)? If I would need a different profile
> for the renewal I'm not clear on how to add and then use it for the
> renewal.
The caRouterCert profile works just like all the other profiles, where
the authentication/authorization are configurable.
Here is a link that explains how authentication works and how to
configure in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
You have choices of authentication. For example, if you want
auto-approval (without agent manual approval), you will need to set up
directory-based authentication.
>
> 3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the
> profile just for testing purposes.
>
> 4. I have confirmed on the router that the expiration is as expected
> (24hrs) and it shows a date/time that it will attempt to renew
> automatically (the link below discusses cert renewal from the
> perspective of IOS).
>
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrast...
>
> 5. When the renewal time comes on the router, I see lots of activity
> in the dogtag debug log, but am unsure of what to look for to
> troubleshoot it failing.
Please note that the renewal feature is not intended for the router.
You can read the doc here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
In case of router renewal, you just need to go through the same
caRouterCert profile. As you can see from the renewal link above,
renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit the same request
2. new keys - in this case, you generate a new request to submit
Hope this helps.
Christina
>
> Please advise on what to change and/or look for. I can also send
> logs and/or config files if that would help.
>
> Best Regards,
> -Emily
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/pki-users
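One way to sanity-check the renewal.graceBefore / renewal.graceAfter settings discussed in the thread, as an added example that is not part of the original exchange or of Dogtag's own code: it parses a constructed profile fragment and classifies whether a renewal attempt at a given time falls inside the grace window. It assumes, as in Dogtag's renewal grace period constraint, that both values are whole days relative to the certificate's notAfter.

```python
"""Evaluate a Dogtag-style renewal grace window from a profile fragment.

Constructed example, not taken from the pki-users thread or the Dogtag code base.
Assumption: renewal.graceBefore / renewal.graceAfter are whole days measured from
the certificate's notAfter, as in Dogtag's renewal grace period constraint.
"""
from datetime import datetime, timedelta, timezone

# Constructed profile fragment mirroring the settings quoted in the thread.
PROFILE_CFG = """\
renewal=true
renewal.graceBefore=10
renewal.graceAfter=1
"""

def parse_profile(text):
    """Parse key=value lines of a profile .cfg into a dict; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def renewal_window(cfg, not_after):
    """Return (start, end) of the interval in which a renewal request is accepted, or None."""
    if cfg.get("renewal", "false").lower() != "true":
        return None
    before = int(cfg.get("renewal.graceBefore", "0"))
    after = int(cfg.get("renewal.graceAfter", "0"))
    return (not_after - timedelta(days=before), not_after + timedelta(days=after))

def renewal_status(cfg, not_after, now):
    """Classify a renewal attempt at `now`: 'disabled', 'too-early', 'ok' or 'expired'."""
    window = renewal_window(cfg, not_after)
    if window is None:
        return "disabled"
    start, end = window
    if now < start:
        return "too-early"
    if now > end:
        return "expired"
    return "ok"

def scenario(validity_days=1, cfg_text=PROFILE_CFG):
    """Classify attempts at issuance, 12h after expiry and 2 days after expiry (constructed dates)."""
    cfg = parse_profile(cfg_text)
    issued = datetime(2015, 4, 8, 12, 0, tzinfo=timezone.utc)
    not_after = issued + timedelta(days=validity_days)
    attempts = {"at-issuance": issued,
                "12h-after-expiry": not_after + timedelta(hours=12),
                "2d-after-expiry": not_after + timedelta(days=2)}
    return {name: renewal_status(cfg, not_after, t) for name, t in attempts.items()}

if __name__ == "__main__":
    print(scenario())
```

With the 1-day test validity and graceBefore=10, the window opens before the certificate is even issued, so a renewal is accepted for the whole lifetime and for one day afterwards; a failed renewal in that setup is therefore not a grace-window problem and the authentication method is the next thing to check.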