On 10/17/2012 03:52 PM, Dwayne MacKinnon wrote:
Hi all,
A helpful fellow called alee on #dogtag-pki suggested I write the list. I've
been playing with dogtag-pki-9.0.0-10 on 64-bit Fedora 17.
I'm looking to use dogtag to run a subordinate CA that does all our everyday
PKI stuff. So when I used pki-create and went into the webform, I went the
"create a csr" route and signed it using a root CA I'd set up using
openssl.
Everything seemed to work out fine, until I got to the point where I was
restarting pki-cad (using systemctl restart pki-cad@pki-ca.service). It
wouldn't start.
With alee's help I tracked it down to a failure of SystemCertsVerification
during the selftests.
He asked me to submit my debug log to the list, so here it is.
Interestingly enough I'm in the middle of tracking down why NSS will not
validate a self signed cert as a CA. I suspect dogtag is calling NSS's
CERT_VerifyCertificateNow (or its equivalent) and passing it a specific
usage parameter.
There are very specific requirements to accept a CA cert as valid. More
valuable than the log would be to show us what the cert looks like. I would
ordinarily tell you to dump the cert in text form using openssl x509
-text, but openssl often omits detailed information on the cert
extensions, which are critical (no pun intended) here. How about if you
also provide us with a PEM formatted version of the cert and we'll use
our tools to examine its contents.
--
John Dennis <jdennis(a)redhat.com>