Re: [Pki-users] Can OpensSSL be used as external CA ?

Friday, 31 October 2014

Thanks Christina

I checked out the master branch and built it. Now i can see the added
extensions in the CSR generated, however i am getting the same error as
earlier.
This time again, I tried the supply the certificate chain with and without
the headers. The chain is in a  valid pkcs7 format.
Following is how the extensions look in the certificate signed by openssl
for dogtag:

      X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL
Sign
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A

The error i get in step 2 of pkispawn is as follows:

pkispawn    : INFO     ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... loading external CA signing certificate from
file: '/home/kjhawar/dogtag/dg_ca.cert'
pkispawn    : INFO     ....... loading external CA signing certificate
chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... AtoB /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert.der
pkispawn    : INFO     ....... certutil -A -d
/root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u -i
/root/.dogtag/pki-tomcat/ca_admin.cert.der -f
/root/.dogtag/pki-tomcat/ca/password.conf
Notice: Trust flag u is set automatically if the private key is present.
pkispawn    : INFO     ....... pk12util -d
/root/.dogtag/pki-tomcat/ca/alias -o
/root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator -w
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
/root/.dogtag/pki-tomcat/ca/password.conf
pkispawn    : INFO     ... finalizing
'pki.server.deployment.scriptlets.finalization'
pkispawn    : INFO     ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
pkispawn    : INFO     ....... generating manifest file called
'/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart
pki-tomcatd(a)pki-tomcat.service&#39;
Job for pki-tomcatd(a)pki-tomcat.service canceled.
pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command
'['systemctl', 'restart',
&#39;pki-tomcatd(a)pki-tomcat.service&#39;]&#39; returned
non-zero exit status 1!

Installation failed.

Kindly let me know if any specific configuration has to be done in my
openssl CA. Attaching the config file i am using currently

Thanks
Kritee

On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu(a)redhat.com&gt; wrote:

...
  Kritee,

 At the minimum, you need the fixes I talked about. They were checked into
 the master but has not been built officially so yum is not going to get you
 the right rpm.  However, you can check it out and build it yourself.
 Here is how you check out the master:

 git clone git://git.fedorahosted.org/git/pki.git

 You can then use the build scripts to build.

 Finally, I apologize that we are not supposed to respond to private
 emails.  Dogtag is a community where we share our knowledge.  In the future
 please send requests to the mailing list.
 I took the exception this time to look at your CSR and certs and I could
 see that you need the fixes I talked about.  I don't know if you have other
 issues though, but AFAIK you need those two fixes.

 Hope this helps.
 Christina

 On 10/29/2014 01:16 AM, kritee jhawar wrote:

 Hi Christina

  I have done the default configuration for 389ds and haven't specifically
 turned on ssl for it.

  Initially I tried using Microsoft and OpenSSL CA as external CAs. This
 is about a month back and I pull the Rpms using yum (so I assume they are
 the latest ones with the fix you mentioned).
 With this, my pki spawn went fine. Infect the admin cert got generated
 using the externally provided root cert as well. But dogtag couldn't
 connect to the ds. As mentioned earlier it gave me a PKIException error
 listing the certs with error code 500.
 Looking at the ds logs I found that the error was 'bad search filter'.
 However when I tried the same steps with dogtag as external CA the setup
 went through without a glitch. The chain I imported was directly from the
 GUI of dogtag. In fact I included the header and footer as well.

  When I tried to reverse engineer the chain, I took the root cert of
 external dogtag ca and used OpenSSL to convert it into pkcs7. This chain
 was not the same as provided from the GUI. Hence I thought that there is
 some particular format for the chain because of which the other CAs aren't
 working.

  Also, I updated the Rpms using yum and tried to generate the CSR with
 the extra attributes. My csr still doesn't reflect those added attributes.

  Is yum not the correct way to get the latest code ?

  I am very new to this, really appreciate your assistance and time.

  Regards
 Kritee

 On Wednesday, 29 October 2014, Christina Fu <cfu(a)redhat.com&gt; wrote:

>  the cert chain you provide in the file specified under
> pki_external_ca_cert_chain_path
> should be just pkcs7 without header/footer.
>
> I don't know why it would not talk to the DS (did you turn on ssl for the
> ds?).
> Not sure if you build your Dogtag from the master, if you do, I'd suggest
> you get the most updated so you get fixes from the tickets I provided
> previously which would address at least two issues relating to external CA.
>
> Christina
>
> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>
> Hi Christina
>
>  I was undertaking this activity last month where Microsoft CA didn't
> work out but Dogtag as external CA did.
>
>  While using Microsoft CA or OpenSSL CA, pki spawn goes through
> without any error but dogtag stops communications to 389ds. Upon calling
> the rest Api /ca/rest/certs I get a "PKIException error listing the
certs".
>
>  Is there a particular format for the ca cert chain that we need to
> provide ? I was trying to reverse engineer the chain provided by dogtag.
>
>  Thanks
> Kritee
>
>
>
> On Monday, 27 October 2014, Christina Fu <cfu(a)redhat.com&gt; wrote:
>
>>  If you meant the following two:
>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>> preserved at issuance with signing cert signed by an external CA
>> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration)
>> does not provide CA extensions in subordinate certificate signing requests
>> (CSR)
>>
>> They have just recently been fixed upstream so I imagine you could use
>> Microsoft CA now.  Theoretically any other CA can be used as an external
>> CA, but if you run into issues, please feel free to report.
>>
>> Christina
>>
>>
>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>
>> Hi
>>
>>  In my recent thread i read that there is a bug due to which Microsoft
>> CA can't work as external CA for dogtag.
>> Can OpenSSL be used ?
>>
>>  Thanks
>> Kritee
>>
>>
>> _______________________________________________
>> Pki-users mailing
listPki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>

 _______________________________________________
 Pki-users mailing list
 Pki-users(a)redhat.com
 https://www.redhat.com/mailman/listinfo/pki-users

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Re: [Pki-users] Can OpensSSL be used as external CA ?