Looks like I will need to figure out directory auth for the
routers instead of the one-time flatfile since the routers need
to be able to auto-renew their identities prior to expiration,
otherwise their VPN connections will drop. Do you have any
quick links to using directory-based auth for certificate
profiles?
Unfortunately I can’t do any clock manipulation for testing
since that would break things working on the Cisco router – ntp
clock synchronization is a requirement.
Reposting, since Emily possibly joined the mailing list after I replied ;-).
Christina
On 04/10/2015 09:14 AM, Christina Fu wrote:
Hi Emily,
Please see my in-line reply below.
Actually, you might want to read my last comment first,
and then circle back, so you won't get confused.
Christina
On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
Hi,
I was referred to this email list by alee on the
#dogtag-pki IRC group to get some help on automatic
certificate renewals. We are trying to get Dogtag
10.2.1 set up to be a certificate authority for Cisco
routers’ identity certificates. For the first step I
have things working to get a certificate using the
caRouterCert.cfg profile with a one-time password in
the flatfile.txt. For the second step I’m trying to
get auto-renewal of the identity certificates working.
Here is where I stand:
If you intend to do auto-enrollment, then one-time pin is
not the right authentication method. See my reply to #2
below.
1. For testing, I have set the validity to 1 day
so that the renewal attempt happens the next day… I
don’t see a way of making it any shorter to expedite
testing.
A trick I hear in testing is to reset the clock.
2. I have added “renewal=true” to the
caRouterCert.cfg hoping that it will enable
auto-renewal. I’m not sure if using the same profile
would require that a “one-time” password needs to be
in flatfile.txt again (which isn’t practical)? If I
would need a different profile for the renewal I’m not
clear on how to add and then use it for the renewal.
The caRouterCert profile works just like all the other
profiles where the authentication/authorization are
configurable.
Here is a link that explains how authentication works and
how to configure in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html
You have choices of authentication. For example, if you
want auto-approval (without agent manual approval), you
will need to set up directory-based authentication.
3. I have renewal.graceBefore=10 and
renewal.graceAfter=1 in the profile just for testing
purposes.
4. I have confirmed on the router that the
expiration is as expected (24hrs) and it shows a
date/time that it will attempt to renew automatically
(the link below discusses cert renewal from the
perspective of IOS).
5. When the renewal time comes on the router, I
see lots of activity in the dogtag debug log, but am
unsure of what to look for to troubleshoot it failing.
Please note that the renewal feature is not intended for
the router. You can read the doc here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html
In case of router renewal, you just need to go through the
same caRouterCert profile. As you can see from the
renewal link above, renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit
the same request
2. new keys - in this case, you generate a new request to
submit
Hope this helps.
Christina
Please advise on what to change and/or look for. I
can also send logs and/or config files if that would
help.
Best Regards,
-Emily
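As an added illustration of the two authentication choices discussed in this thread (not configuration taken from the thread itself or from Dogtag's shipped profile files), the fragments below show the one-time-PIN flatfile instance beside a directory-based instance, and the profile keys that select it. The instance names follow Dogtag's usual naming, but the file paths, LDAP host, port and base DN are assumed values.

```properties
# --- CS.cfg fragment (assumed path: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg) ---

# (a) One-time PIN from flatfile.txt: suitable for the first enrollment only.
#     The PIN is consumed when used, so an unattended renewal has nothing to present.
auths.instance.flatFileAuth.pluginName=FlatFileAuth
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/ca/conf/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true

# (b) Directory-based auth: the router's UID/PWD are checked against LDAP on every
#     request, so a re-submitted (reused keys) or fresh (new keys) request can be
#     auto-approved at renewal time without an agent. Host, port and base DN are
#     assumed; secureConn=true keeps the router credential off the wire in clear.
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=ou=routers,dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapconn.host=ldap.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=636
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=true
auths.instance.UserDirEnrollment.ldap.ldapconn.version=3
auths.instance.UserDirEnrollment.ldap.maxConns=
auths.instance.UserDirEnrollment.ldap.minConns=
auths.instance.UserDirEnrollment.dnpattern=
auths.instance.UserDirEnrollment.ldapByteAttributes=
auths.instance.UserDirEnrollment.ldapStringAttributes=

# --- caRouterCert.cfg fragment: select instance (b) and keep the renewal window
#     from the thread (10 days before expiry, 1 day after). ---
auth.instance_id=UserDirEnrollment
renewal=true
renewal.graceBefore=10
renewal.graceAfter=1
```

A renewal submitted outside the graceBefore/graceAfter window is rejected by the profile regardless of which authentication instance succeeds, so when the debug log shows activity but no issued certificate, check the request timestamp against the router certificate's notAfter before looking at authentication.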
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users