Hi Emily,
Please see my in-line reply below.
Actually, you might want to read my last comment first, and then
circle back, so you won't get confused.
Christina
On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
Hi,
I was referred to this email list by alee on the
#dogtag-pki IRC group to get some help on automatic
certificate renewals. We are trying to get Dogtag 10.2.1 set
up to be a certificate authority for Cisco routers’ identity
certificates. For the first step I have things working to get
a certificate using the caRouterCert.cfg profile with a
one-time password in the flatfile.txt. For the second step
I’m trying to get auto-renewal of the identity certificates
working. Here is where I stand:
If you intend to do auto-enrollment, then one-time pin is not the
right authentication method. See my reply to #2 below.
1. For testing, I have set the validity to 1 day so that
the renewal attempt happens the next day… I don’t see a way of
making it any shorter to expedite testing.
A trick I hear in testing is to reset the clock.
2. I have added “renewal=true” to the caRouterCert.cfg
hoping that it will enable auto-renewal. I’m not sure if
using the same profile would require that a “one-time”
password needs to be in flatfile.txt again (which isn’t
practical)? If I would need a different profile for the
renewal I’m not clear on how to add and then use it for the
renewal.
The caRouterCert profile works just like all the other profiles,
where the authentication/authorization are configurable.
Here is a link that explains how authentication works and how to
configure it in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html
You have choices of authentication. For example, if you want
auto-approval (without agent manual approval), you will need to
set up directory-based authentication.
3. I have renewal.graceBefore=10 and renewal.graceAfter=1
in the profile just for testing purposes.
4. I have confirmed on the router that the expiration is
as expected (24hrs) and it shows a date/time that it will
attempt to renew automatically (the link below discusses cert
renewal from the perspective of IOS).
5. When the renewal time comes on the router, I see lots
of activity in the dogtag debug log, but am unsure of what to
look for to troubleshoot it failing.
Please note that the renewal feature is not intended for the
router. You can read the doc here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html
In case of router renewal, you just need to go through the same
caRouterCert profile. As you can see from the renewal link above,
renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit the same
request
2. new keys - in this case, you generate a new request to submit
Hope this helps.
Christina
Please advise on what to change and/or look for. I can
also send logs and/or config files if that would help.
Best Regards,
-Emily
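The thread leaves one testing question open: with a 1-day validity and renewal.graceBefore=10, does a renewal attempt ever fall outside the grace window at all? The following is an added example, not code from the pki-users thread or from the Dogtag project. It assumes that renewal.graceBefore and renewal.graceAfter are day counts measured from the certificate's notAfter date (an assumption taken from the parameter names), reads validity dates in the format printed by `openssl x509 -noout -dates`, and takes the evaluation time as a parameter so the "reset the clock" trick can be simulated without touching the system clock. The dates below are constructed.

```python
"""Classify a renewal attempt against a Dogtag-style grace window.

Added example (not from the pki-users thread or the Dogtag project).
Assumption: renewal.graceBefore / renewal.graceAfter are day counts
relative to the certificate's notAfter date.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `openssl x509 -noout -dates` output:
# a 1-day certificate issued when the thread's message was sent.
SAMPLE_DATES = """notBefore=Apr  8 14:38:00 2015 GMT
notAfter=Apr  9 14:38:00 2015 GMT
"""

# Profile values quoted in the thread (testing settings, not defaults).
GRACE_BEFORE_DAYS = 10
GRACE_AFTER_DAYS = 1


def at(year, month, day, hour=0, minute=0):
    """Build an aware UTC datetime; keeps the examples and tests short."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes.

    openssl pads single-digit days with two spaces ("Apr  8"); the
    whitespace is normalised before parsing.
    """
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = " ".join(value.split())
        parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def renewal_window(not_after, grace_before_days, grace_after_days):
    """Return (window_open, window_close) for renewal requests."""
    return (not_after - timedelta(days=grace_before_days),
            not_after + timedelta(days=grace_after_days))


def classify(now, not_after, grace_before_days, grace_after_days):
    """Classify a renewal attempt made at `now`.

    "too-early"          before the window opens: request rejected
    "renewable"          inside the window, certificate still valid
    "expired-renewable"  certificate expired but within graceAfter
    "too-late"           past graceAfter: re-enrol instead of renewing
    """
    window_open, window_close = renewal_window(
        not_after, grace_before_days, grace_after_days)
    if now < window_open:
        return "too-early"
    if now > window_close:
        return "too-late"
    if now <= not_after:
        return "renewable"
    return "expired-renewable"


def window_covers_whole_lifetime(not_before, not_after, grace_before_days):
    """True when graceBefore is so large that the certificate is renewable
    from the moment it is issued, i.e. the constraint is never exercised."""
    window_open, _ = renewal_window(not_after, grace_before_days, 0)
    return window_open <= not_before


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    for label, when in [("issue day", at(2015, 4, 8, 15)),
                        ("after expiry", at(2015, 4, 10, 12)),
                        ("two days later", at(2015, 4, 11, 12))]:
        print(label, "->", classify(when, na, GRACE_BEFORE_DAYS, GRACE_AFTER_DAYS))
    print("graceBefore covers whole lifetime:",
          window_covers_whole_lifetime(nb, na, GRACE_BEFORE_DAYS))
```

With the thread's settings the window opens ten days before expiry, which is nine days before the certificate even exists, so every attempt during the certificate's life classifies as "renewable" and a test of this kind never exercises the graceBefore constraint. Feeding a shifted `now` (as the clock-reset trick does) is what moves an attempt into the "expired-renewable" or "too-late" states, where a router that keeps retrying would need re-enrolment rather than renewal.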
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users