yes, I have indeed set SELinux to permissive to eliminate any potential security collisions.

If I configure my 'DogtagAuto' CA in /var/lib/certmonger/cas without the '-T caAgentServerCert', the certmonger daemon dies as soon as I request a certificate using that CA. Other than that, it looks like I'm using the same flags as you.

when I run dogtag-submit this way manually (without the template), I see that it reutrns: results = "<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId>  70</RequestId></XMLResponse>"
0
state=approve&requestId=70

I find it strange that this response would crash certmonger. Also, wouldn't I need to specify a template if I need to automatically sign the cert and get the cert immediately?



On Tue, Apr 7, 2015 at 2:57 PM, Nalin Dahyabhai <nalin@redhat.com> wrote:
On Tue, Apr 07, 2015 at 02:37:12PM -0500, Steve Neuharth wrote:
> Yes, very observant. I noticed that as well. The difference was that
> client.pem had some bag information in it:
>
> *Bag Attributes    friendlyName: PKI Administrator for test.org
> <http://test.org>    localKeyID: 4F E5 46 3D foo 64 1F
> E4subject=/O=test.org <http://test.org> Security
> Domain/emailAddress=caadmin@test.org/CN=PKI
> <http://caadmin@test.org/CN=PKI> Administratorissuer=/O=test.org
> <http://test.org> Security Domain/CN=CA Signing Certificate*
> while cert.pem does not. otherwise, they contain the same cert data.

Right, you mentioned that you'd pulled the key and certificate out of a
PKCS#12 bundle, so it makes sense that that'd show up there.

> I'm actually planning on using automatically approved certs eventually and
> so it is my desire to use either username/password or cert/key
> authentication to facilitate that. I just noticed that the dogtag-submit
> does not seem to use my cert/key pair when I specify them.
>
> Does certificate authentication work for you in dogtag-submit?

It does, but I'd been using an NSS database (-d and -n flags) rather
than PEM-formatted keys and certificates.  And -i to point to a
PEM-format certificate, and the -p flag, so it looked like this:
  /usr/libexec/certmonger/dogtag-submit -E http://machete.bos.redhat.com:9180/ca/ee/ca -A https://machete.bos.redhat.com:9443/ca/agent/ca -d /etc/httpd/alias -n ipaCert -i /etc/ipa/ca.crt -p /etc/httpd/alias/pwdfile.txt

When I used "openssl pkcs12 -in /root/ca-agent.p12 -nodes -nokeys -out
/etc/pki/tls/certs/agent.cert" to extract the certificates, I had to
prune out everything but the agent certificate itself, and the agent key
itself, to avoid getting SSL connect errors, though that may only be
necessary with the older version of NSS's PEM module that my test system
has.  The working invocation I ended up with looks like this:
  /usr/libexec/certmonger/dogtag-submit -E http://machete.bos.redhat.com:9180/ca/ee/ca -A https://machete.bos.redhat.com:9443/ca/agent/ca -k /etc/pki/tls/private/agent.key -c /etc/pki/tls/certs/agent.cert -i /etc/ipa/ca.crt

I'm not sure if you're in SELinux enforcing mode, but if you are, the
daemon (and the helpers that it starts) may not be able to read the
files under /tmp/test unless they're labeled to allow it.

HTH,

Nalin