Hello Brian,
I am glad this did finally help.
And... I like the book suggestion, as well as the timeframe challenge ;-)
But we also have quite a lot of documentation.
Yes, you can change the validity dates per enrollment profile, it is even
encouraged to do so to respect the local custom PKI policies /
certification practice statement / CPS / certificate policy rules.
Those enrollment profiles were designed to be very flexible, and it may
take some time to understand how they work (trade-off).
Changing the enrollment/renewal/revocation profiles can be done using the
pkiconsole, the pki command line,
5.4.6. Using and Customizing Certificate Profiles
and
CHAPTER 2. MAKING RULES FOR ISSUING CERTIFICATES (CERTIFICATE PROFILES)
or manually:
you are correct for the upstream doc at
but I prefer to edit manually to keep the order of the lines in the text
file of the profile.
(note: profiles may also be stored in the LDAP backend)
stop the CA, then
cd /var/lib/pki/some-string-here/ca/profiles/ca/
If this is about the caadmin, the enrollment profile we want to modify
is caAdminCert.cfg
cp -p caAdminCert.cfg caAdminCert.cfg.orig
then edit the file caAdminCert.cfg to tune the parameters:
policyset.adminCertSet.2.constraint.params.range=365
policyset.adminCertSet.2.default.params.range=365
also review the
policyset.adminCertSet.3.constraint.params.keyParameters
extra note:
In a two-step installation (7.6. TWO-STEP INSTALLATION), it is good
practice to do the same for the CA's internal profiles: set constraints and
policies for validity dates, encryption, extensions, SANs, custom OIDs, etc.:
caCACert.cfg
caOCSPCert.cfg
caServerCert.cfg
caSubsystemCert.cfg
caSignedLogCert.cfg
and for example, for end user and server certificates:
caUserCert.cfg
caServerCert.cfg
A lot of those default profiles are provided as working examples to be used
for customization (like file signing, smartcards).
Thanks,
Marc S.
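Added example, not code from the thread or from the Dogtag project: a small Python script that performs the manual edit described above, rewriting only the two range= lines of the validity policy in a profile file while leaving every other line and the line order untouched, after backing the file up as .cfg.orig the way the cp -p step does. The profile excerpt embedded in it is constructed, not the real caAdminCert.cfg; the range values are assumed to be in days, and the script refuses a default range larger than the constraint range, since the constraint is what the CA enforces at enrollment time.

```python
"""Edit a Dogtag profile's validity range in place, keeping line order.

Added example; the SAMPLE_PROFILE below is a constructed excerpt, not the
real caAdminCert.cfg shipped with Dogtag.
"""
import re
import shutil
from pathlib import Path

# Constructed excerpt of a caAdminCert.cfg-style profile (range in days).
SAMPLE_PROFILE = """\
desc=This certificate profile is for enrolling Admin certificate
visible=false
enable=true
name=Manual Administrator Certificate Enrollment
policyset.list=adminCertSet
policyset.adminCertSet.list=1,2,3
policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
policyset.adminCertSet.2.constraint.params.range=720
policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
policyset.adminCertSet.2.default.class_id=validityDefaultImpl
policyset.adminCertSet.2.default.params.range=720
policyset.adminCertSet.3.constraint.params.keyParameters=2048,3072,4096
"""

# Matches only "policyset.<set>.<n>.constraint|default.params.range=<value>".
RANGE_RE = re.compile(
    r"^(policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\.(?P<kind>constraint|default)"
    r"\.params\.range)=(?P<value>.*)$"
)


def read_validity(text, policyset, index):
    """Return {'constraint': days, 'default': days} for one policy entry."""
    found = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m and m.group("set") == policyset and int(m.group("idx")) == index:
            found[m.group("kind")] = int(m.group("value"))
    return found


def set_validity_range(text, policyset, index, constraint_days, default_days=None):
    """Return (new_text, changed_keys).

    Only the two range= lines of the given policy entry are rewritten; every
    other line, and the order of lines, is preserved, which is the reason to
    edit the text file rather than regenerate it.
    """
    if default_days is None:
        default_days = constraint_days
    if default_days > constraint_days:
        # The constraint is enforced at enrollment; a larger default would
        # make every request using this profile fail validation.
        raise ValueError("default range must not exceed the constraint range")
    wanted = {"constraint": constraint_days, "default": default_days}
    out, changed = [], []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m and m.group("set") == policyset and int(m.group("idx")) == index:
            key = m.group(1)
            line = f"{key}={wanted[m.group('kind')]}"
            changed.append(key)
        out.append(line)
    return "\n".join(out) + "\n", changed


def edit_profile_file(path, policyset, index, days):
    """Back the file up as <name>.orig (like cp -p) and rewrite it in place."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".orig"))
    new_text, changed = set_validity_range(path.read_text(), policyset, index, days)
    path.write_text(new_text)
    return changed


if __name__ == "__main__":
    new_text, changed = set_validity_range(SAMPLE_PROFILE, "adminCertSet", 2, 365)
    print("\n".join(changed))
    print(read_validity(new_text, "adminCertSet", 2))
```

The CA still has to be stopped before the edit and started afterwards, as in the steps above; the script only does the file part.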
On Tue, Feb 18, 2020 at 2:39 PM Wolf, Brian <Brian.Wolf(a)risd.org> wrote:
That did it! I can now access the agent page. I still get the Java
“Error”
pop-ups, but I can click through those and get to where I need. Now I get
to renew the caadmin cert and repeat this exercise, and then document
everything for next time!
Since we’re only using dogtag for a single internal application, it would
be nice to extend these longer than 2 years each time. I found
https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-syst...
that discusses how to adjust the maximum certificate lifetimes. Also
https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI . Do you have any
recommendations on that, as in am I better off just leaving well-enough
alone?
Thanks again for all of your help! If you ever decide to write a “Dogtag
for Dummies” book, I’ll buy a copy! Of course I’ll probably be retiring
within the next 5 years, so you’ll need to get it done before that!
- Brian
*From:* Marc Sauton <msauton(a)redhat.com>
*Sent:* Tuesday, February 18, 2020 3:15 PM
*To:* Wolf, Brian <Brian.Wolf(a)risd.org>
*Cc:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
I may have forgotten a detail:
the "description" value needs to be updated (the pkiconsole would do
that).
search for the caadmin entry:
ldapsearch -xLLL -D "cn=directory manager" -W
-b ou=people,dc=ca,dc=risd,dc=org uid=caadmin description
and verify that the description attribute has a value in the form of
2;serial-number;issuer-subject-DN;subject-DN
if the serial is 0x33 / 51, it needs to be like, for example:
description: 2;51;CN=CA Signing Certificate,OU=suba1,O=Sub CA1 Example Test;CN=PKI Administrator,E=caadmin(a)example.test,OU=subca1,O=Sub CA1 Example Test
So another ldapmodify is needed (could have been done in one).
Thanks,
M.
On Tue, Feb 18, 2020 at 9:05 AM Wolf, Brian <Brian.Wolf(a)risd.org> wrote:
Marc-
I used this
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
changetype: modify
delete: userCertificate
-
add: userCertificate
userCertificate:: MII….
-
And now ldapsearch gives me:
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
userCertificate:: MII….
I restarted the pki-tomcat service for the instance. Now when I try to
access it, I am back to the simple “Invalid Credential” error.
/var/log/pki/risd-ise/ca/system says:
0.http-bio-8373-exec-1 - [18/Feb/2020:10:25:12 CST] [6] [3] Cannot
authenticate agent with certificate Serial 0x33 Subject DN CN=PKI
Administrator,E=caadmin(a)risdca1.risd.org,OU=risd-ise,O=RISD.ORG. Error:
User not found
Could the problem be that there is no naming context for risd-ise, so it’s
not matching the caadmin user? From your first response yesterday, it
seems like you expected there to be, but I just have dc=ca,dc=risd,dc=org.
I’ve been doing the ldapmodifies on it.
If there ever was an entry for risd-ise, I don’t know what happened to it.
I definitely didn’t intentionally delete it, because I didn’t really even
know about the directory server part beyond the steps in the Installation
Guide.
ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base
namingcontexts
Enter LDAP Password:
dn:
namingcontexts: dc=ca,dc=risd,dc=org
namingcontexts: dc=risd,dc=org
ldapsearch -xLLL -D "cn=directory manager" -W -b
ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=bwolf,ou=People,dc=ca,dc=risd,dc=org
…
- Brian
*From:* Marc Sauton <msauton(a)redhat.com>
*Sent:* Monday, February 17, 2020 7:12 PM
*To:* Wolf, Brian <Brian.Wolf(a)risd.org>
*Cc:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
Extra note: an ldapmodify "replace" should be used, as the userCertificate
can be multi-valued, and the first sample may be used from an LDAP search
result set, which can be the older certificate, so it is better to either
del/add or replace it to avoid confusion.
Thanks,
M.
On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton <msauton(a)redhat.com> wrote:
For the pkiconsole:
correct for RHEL, it would need the RHCS subscription,
but it is available from Fedora:
pki-console-10.7.3-3.fc31.noarch : PKI Console Package
Repo : fedora
I do not think we have the pkiconsole in CentOS
(http://mirror.centos.org/centos/7.7.1908/)
For the ldapmodify, add the colon character twice because the value is
already base64 encoded, for example:
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
changetype: modify
delete: userCertificate
-
add: userCertificate
userCertificate:: MII...
That should solve the issue!
Thanks,
M.
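Added example, not code from the thread: the reply above shows the ldapmodify record with the double colon for the base64 certificate, and the reply further up the thread gives the description attribute in the 2;serial;issuer-DN;subject-DN form. This Python script composes that change record, converts the serial as certutil prints it (0x33) to the decimal value LDAP expects (51), uses "replace" for both attributes for the multi-valued reason given above, and folds long lines the way ldapsearch prints them (continuation lines start with one space). The user DN, the two DNs and the DER bytes are constructed stand-ins, not values from a real CA.

```python
"""Compose the ldapmodify record for a renewed Dogtag admin certificate.

Added example; the sample DNs and DER bytes are constructed, not real.
"""
import base64
import re

# Constructed sample values modelled on the thread.
SAMPLE_USER_DN = "uid=caadmin,ou=people,o=subca1-CA"
SAMPLE_ISSUER_DN = "CN=CA Signing Certificate,OU=subca1,O=Sub CA1 Example Test"
SAMPLE_SUBJECT_DN = ("CN=PKI Administrator,E=caadmin@example.test,"
                     "OU=subca1,O=Sub CA1 Example Test")
# Constructed stand-in for the DER certificate (not a real certificate). Like
# a real one it starts with 0x30 0x82, which is why the base64 begins "MII".
SAMPLE_DER = bytes.fromhex("3082000c30820008a003020102020133")


def serial_to_decimal(serial):
    """certutil shows '51 (0x33)'; the LDAP description wants decimal."""
    if isinstance(serial, int):
        return serial
    s = serial.strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s, 10)


def description_value(serial, issuer_dn, subject_dn):
    """'2;<decimal serial>;<issuer DN>;<subject DN>' as quoted in the thread."""
    return f"2;{serial_to_decimal(serial)};{issuer_dn};{subject_dn}"


_DESC_RE = re.compile(r"^2;(\d+);([^;]+);([^;]+)$")


def parse_description(value):
    """Return (serial, issuer_dn, subject_dn); raise if the form is wrong."""
    m = _DESC_RE.match(value)
    if not m:
        raise ValueError(f"not in '2;serial;issuer;subject' form: {value!r}")
    return int(m.group(1)), m.group(2), m.group(3)


def _is_safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, not starting with ' ', ':' or '<'."""
    return (value.isascii() and value[:1] not in (" ", ":", "<")
            and not any(c in value for c in "\x00\r\n"))


def ldif_attr(attr, value):
    """'attr: value' for safe strings, 'attr:: base64' for bytes or unsafe strings."""
    if isinstance(value, bytes):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    if _is_safe_string(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def fold(line, width=76):
    """Wrap one logical LDIF line; continuation lines start with one space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def modify_ldif(user_dn, der, serial, issuer_dn, subject_dn):
    """One change record replacing userCertificate and description.

    'replace' (or delete+add) rather than 'add': userCertificate is
    multi-valued, and the old value could otherwise be the one a search or
    the CA picks up first.
    """
    desc = description_value(serial, issuer_dn, subject_dn)
    lines = [
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: userCertificate",
        fold(ldif_attr("userCertificate", der)),
        "-",
        "replace: description",
        fold(ldif_attr("description", desc)),
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(modify_ldif(SAMPLE_USER_DN, SAMPLE_DER, "0x33",
                      SAMPLE_ISSUER_DN, SAMPLE_SUBJECT_DN), end="")
```

Feed the output to ldapmodify -x -D "cn=directory manager" -W -f <file> as in the thread; the same record with the real certificate bytes is what the pkiconsole import would write.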
On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian <Brian.Wolf(a)risd.org> wrote:
Marc-
You were correct that the directory manager had the serial #6 version. I
tried to replace it with the #33 version, but now when I try to connect, I
get the error “You did not provide a valid certificate for this operation.”
instead of “Invalid credential.”
First, you mentioned using pkiconsole. I don’t have pkiconsole installed.
I think we found that that was part of RHCS, and we don’t have a
subscription for RHCS. So I’m just wading through the CLI commands.
Also, I didn’t find any naming contexts specifically referencing the
instance. Caadmin showed up in the Agents and Administrators queries for
dc=ca,dc=risd,dc=org.
And there is no CN=PKI Administrator entry in the list of Administrators.
# ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base
namingcontexts
Enter LDAP Password:
dn:
namingcontexts: dc=ca,dc=risd,dc=org
namingcontexts: dc=risd,dc=org
# ldapsearch -xLLL -D "cn=directory manager" -W -b
ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
Enter LDAP Password:
[root@risdca1 tmp]#
# ldapsearch -xLLL -D "cn=directory manager" -W -b
ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
Enter LDAP Password:
dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org
dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
# ldapsearch -xLLL -D "cn=directory manager" -W -b
ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
Enter LDAP Password:
dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or
The user certificate appeared to be in X509 format. I copied that to a
file and verified that it was the expired #6 version.
# ldapsearch -xLLL -D "cn=directory manager" -W -b
ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
Enter LDAP Password:
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
userCertificate::
MII********************************************************
S***************************************************************************
G***************************************************************************
…
**********************************************************************M7nQ==
I didn’t find any examples of multi-line values in the ldapmodify file, so
I tried using the same format as the search used, with the second and
subsequent lines beginning with a space and a “-“ on the last line.
$ cat ldapmodify.caadmin.txt
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
changetype: modify
replace: userCertificate
userCertificate:
MII*********************************************************
S****************************************************************************
…
P***********************************************************************mDw==
-
# ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
Enter LDAP Password:
modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
#
# ldapsearch -xLLL -D "cn=directory manager" -W -b
ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
Enter LDAP Password:
dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
userCertificate:
MII****************************************************************************
V******************************************************************************************
….
K***********************************************************************************mdw==
So it took what I gave it. I noticed that for the old cert, ldapsearch
displayed “userCertificate::” (two colons), and now it only has
“userCertificate:” (one colon). Is that significant? I tried changing the
input file to read userCertificate::, and then ldapsearch showed both
colons again, but I still got the “you did not provide a valid credential…”
error when I tried to connect from my laptop.
I verified that Firefox on my laptop is using PKI Administrator [33] for
identification.
- Brian
*From:* Marc Sauton <msauton(a)redhat.com>
*Sent:* Monday, February 17, 2020 2:00 PM
*To:* Wolf, Brian <Brian.Wolf(a)risd.org>
*Cc:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
The entry
CN=PKI Administrator,E=caadmin(a)MyServer.MyDomain,OU=MyInstance,O=MyDomain
likely has the older cert with serial 6, it just needs the newer one with
serial 0x33 / 51.
It may be easier to use the pkiconsole to add it, under
"Configuration | Users and Groups | Users | admin | Certificates | Import"
Thanks,
M.
On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton <msauton(a)redhat.com> wrote:
Hello,
Probably either there is no caadmin (uid=admin may be set from the older
environment), or the SSL client certificate is simply missing from the
administrator or agent groups.
Try for example:
locate the LDAP base DN of the PKI repository:
ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base
namingcontexts
output example:
dn:
namingcontexts: dc=example,dc=test
namingcontexts: o=rootca1-CA
namingcontexts: o=subca1-CA
note it could also be in the form namingcontexts:
dc=ca1.example.test-pki-ca1
and in your case it may be similar to o=risd-ise-CA
then search in that LDAP backend to verify the values of the uniqueMember
attribute of the entries, as in this example, but replacing the string
o=subca1-CA to match your environment:
either for the agent users:
ldapsearch -xLLL -D "cn=directory manager" -w password -b
ou=groups,o=subca1-CA cn=*Agents dn uniqueMember
or the administrators (admin or caadmin is the default one, like a "root"
user):
ldapsearch -xLLL -D "cn=directory manager" -w password -b
ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember
then verify the uniqueMember value corresponds to a valid existing LDAP
entry, for example:
dn: uid=caadmin,ou=people,o=subca1-CA
and then verify that the admin or agent user entry has a corresponding user
certificate, for example:
ldapsearch -LLLx -D "cn=directory manager" -W -b
ou=people,o=subca1-CA uid=caadmin userCertificate
you may have to update the value of the userCertificate with ldapmodify to
match the certificate with serial number 0x33 and subject DN
CN=PKI Administrator,E=caadmin(a)MyServer.MyDomain,OU=MyInstance,O=MyDomain
from the NSS db at ~/.dogtag/risd-ise/ca/alias/
Note this can be done using the pkiconsole.
Thanks,
M.
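Added example, not part of the reply: the checks above are done by reading ldapsearch output by eye. This Python script parses that -LLL output (folded continuation lines, :: base64 values), confirms the user DN is a uniqueMember of the agent and administrator groups, reads the serial number out of the stored userCertificate so it can be compared with the serial the CA logs ("Serial 0x33"), and checks the serial in the description attribute described further up the thread. The sample output is constructed from the group names, base DN o=subca1-CA and description form quoted in the thread; the certificate bytes are a minimal constructed tbsCertificate prefix, not a real certificate. The DN comparison is deliberately simple (case and spaces around commas only), not a full RFC 4514 normalization.

```python
"""Check a Dogtag admin/agent user against ldapsearch -LLL output.

Added example: it parses constructed ldapsearch output and does not talk
to a directory server.
"""
import base64

# Constructed DER: Certificate > tbsCertificate > [0] version v3 > serialNumber 0x33.
# Not a real certificate, only enough structure for the serial walk below.
SAMPLE_CERT_DER = bytes.fromhex("3082000c30820008a003020102020133")
_B64 = base64.b64encode(SAMPLE_CERT_DER).decode("ascii")

# Constructed ldapsearch -LLL output modelled on the thread; the empty
# "Registration Manager Agents" group mirrors the output posted there.
SAMPLE_GROUPS_LDIF = """\
dn: cn=Certificate Manager Agents,ou=groups,o=subca1-CA
uniqueMember: uid=caadmin,ou=People,o=subca1-CA
uniqueMember: uid=pkidbuser,ou=People,o=subca1-CA

dn: cn=Registration Manager Agents,ou=groups,o=subca1-CA

dn: cn=Administrators,ou=groups,o=subca1-CA
uniqueMember: uid=caadmin,ou=People,o=subca1-CA
"""

# The base64 and the description are folded the way ldapsearch folds long
# values: continuation lines start with a single space.
SAMPLE_USER_LDIF = (
    "dn: uid=caadmin,ou=people,o=subca1-CA\n"
    "userCertificate:: " + _B64[:12] + "\n"
    " " + _B64[12:] + "\n"
    "description: 2;51;CN=CA Signing Certificate,OU=subca1,O=Sub CA1 Example Test;CN=PKI\n"
    "  Administrator,E=caadmin@example.test,OU=subca1,O=Sub CA1 Example Test\n"
)


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per entry; '::' values become bytes."""
    entries, cur = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
            if attr.lower() == "dn":
                value = value.decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def _norm_dn(dn):
    """Simple DN comparison key: case-insensitive, spaces around commas ignored."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def members_of(entries, group_cn):
    """uniqueMember DNs of the group with that cn, [] if absent or empty."""
    for e in entries:
        if _norm_dn(e.get("dn", [""])[0]).startswith(f"cn={group_cn.lower()},"):
            return e.get("uniquemember", [])
    return []


def _tlv(buf, pos):
    """Read one BER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def certificate_serial(der):
    """serialNumber of a DER X.509 certificate (tbsCertificate, after the optional version)."""
    tag, p, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, p, _ = _tlv(der, p)
    if tag != 0x30:
        raise ValueError("no tbsCertificate")
    tag, start, end = _tlv(der, p)
    if tag == 0xA0:                      # [0] EXPLICIT version is optional
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    return int.from_bytes(der[start:end], "big", signed=True)


def check_user(groups_ldif, user_ldif, user_dn, expected_serial):
    """Reproduce the manual checks: group membership, stored cert serial, description serial."""
    groups = parse_ldif(groups_ldif)
    me = _norm_dn(user_dn)
    user = next((e for e in parse_ldif(user_ldif)
                 if _norm_dn(e.get("dn", [""])[0]) == me), None)
    result = {
        "entry_found": user is not None,
        "is_agent": me in {_norm_dn(m) for m in members_of(groups, "Certificate Manager Agents")},
        "is_admin": me in {_norm_dn(m) for m in members_of(groups, "Administrators")},
        "cert_serials": [],
        "description_serial": None,
    }
    if user:
        result["cert_serials"] = [certificate_serial(c) for c in user.get("usercertificate", [])]
        desc = user.get("description", [""])[0]
        if desc.startswith("2;"):
            result["description_serial"] = int(desc.split(";")[1])
    result["ok"] = (result["entry_found"] and result["is_agent"]
                    and expected_serial in result["cert_serials"]
                    and result["description_serial"] == expected_serial)
    return result


if __name__ == "__main__":
    print(check_user(SAMPLE_GROUPS_LDIF, SAMPLE_USER_LDIF,
                     "uid=caadmin,ou=people,o=subca1-CA", 0x33))
```

On a real instance the two inputs are the output of the two ldapsearch commands above (groups and the user entry); a result with is_agent true but the logged serial absent from cert_serials, or with description_serial different from it, is the "User not found" situation the CA log reports.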
On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian <Brian.Wolf(a)risd.org> wrote:
I installed PKI-CA several years ago on a Red Hat 7 (actually Oracle
Unbreakable Linux) server. I used it to create certificates for an
application and have not really used it since. I had to renew the base
certificates last year. That took some effort, but I got it to work. Now I
am unable to connect to the web-based agent page. I copied the PKI
Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and
installed it under “Your Certificates” and the signing certificate under
“Authorities” in Firefox. When I try to connect to the agent page
(https://.../ca/agent/ca), the padlock goes green, but I get an “Invalid
Credential” error. /var/log/pki/risd-ise/ca/system contains:
Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI
Administrator,E=caadmin(a)MyServer.MyDomain,OU=MyInstance,O=MyDomain.
Error: User not found
The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cert8.db. There are
actually two entries: the current one and the previous expired one. It is
also in /etc/pki/ca-trust/source/anchors.
What is it looking for, and where?
- Brian
# certutil -L -d ~/.dogtag/MyInstance/ca/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - MyDomain                            CT,c,
caadmin                                                      u,u,u
caadmin                                                      u,u,u
# certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin(a)MyServer.MyDomain
            ,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Fri Mar 10 22:38:25 2017
            Not After : Thu Feb 28 22:38:25 2019
        Subject: "CN=PKI Administrator,E=caadmin(a)MyServer.MyDomainr
            ,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
# certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51 (0x33)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
        Validity:
            Not Before: Tue Feb 26 04:20:43 2019
            Not After : Wed Feb 26 04:20:43 2020
        Subject: "CN=PKI Administrator,E=caadmin(a)MyServer.MyDomain
            ,OU=MyInstance
            ,O=MyDomain"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
Current versions:
Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
pki-base-10.5.16-6
pki-base-java-10.5.16-6.el7_7.noarch
java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users