newer article at
https://access.redhat.com/solutions/6380011
How to do bulk issuance with Red Hat Certificate System 10 and 9

On Fri, Oct 1, 2021 at 9:39 PM Marc Sauton <msauton@redhat.com> wrote:
update:

the interface is also different, and we have Python tools, so the procedure can be completely changed into this "better" example using the command line tools "pki" with the module cert-request-submit, ( but it may be slower):

# some variables
#
export d=/var/tmp/testDir
export p=password
export f=/var/tmp/server.csr.txt
export nick="CA agent cert"
export cahost=1.2.3.4
export caport=8443

cat << EOF > ${d}/pwd.txt
password
EOF

# needs a NSS db for an agent with SSL client certificate for automatic cert issuance
#
pki -d ${d}-c ${p} client-init
# have the admin PKCS# 12 file from a prior CA install, import it
pk12util -i ~/ca_admin_cert.p12 -d ${d}
# need the CA cert
pki-server cert-export ca_signing -i subca1 --cert-file ${d}/myca.crt
# import that CA cert  
pki -d ${d} -n "${nick}" -C ${d}/pwd.txt client-cert-import myCA --ca-cert ${d}/myca.crt
# verify the admin cert trust chain
certutil -O -d ${d}/ -n "PKI Administrator for example.test"
"myCA" [CN=CA Signing Certificate,OU=rootca1,O=Root CA1 Example Test]
  "PKI Administrator for example.test" [CN=PKI Administrator,E=caadmin@example.test,OU=rootca1,O=Root CA1 Example Test]

# create some CSR individual files with header and footer
#
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -n "cn=testms${i}.example.test"; done

# sequentially submit those CSR files to the CA
#
tail -f /var/log/pki/subca1/ca/transactions &
time for i in {1..10}; do pki -U https://${cahost}:${caport}/ca -d ${d} -n "${nick}" -C ${d}/pwd.txt ca-cert-request-submit --profile caAgentServerCert --csr-file ${f}.${i} ; done


Thanks,
M.

On Fri, Oct 1, 2021 at 7:25 PM Marc Sauton <msauton@redhat.com> wrote:
those steps come from an older article at https://access.redhat.com/solutions/44042 , originally on RHEL-5 for RHCS-8 ( and my fault).
I think the the perl command in the step 4 after the loop on PKCS10Client , is now incorrect, the goal was to remove the header and footer of the CSR, but it seems the resulting file with several CSR is now incorrect with mangled headers.

so I would change the step 4 from
"
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; cat ${f}.${i} >> ${f}; done
perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f}
wc -l ${f}
"

to create a request and make it one line without header and footer within the loop:
"
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -n "cn=testms${i}.example.com"; sed -i.orig -rn '/^-----BEGIN CERTIFICATE REQUEST-----$/{:1;n;/^-----END CERTIFICATE REQUEST-----$/b2;H;b1};:2;${x;s/\s//g;p}' ${f}.${i} ; cat ${f}.${i} >> ${f}; done
wc -l ${f}
"

and the sslget command did work ok for me.

and note the CA restart is not needed in the step 1 ( is not in the original article) 

There are different ways to create and submit CSR, this was one example.

I am going to correct the article and open a doc bug.

Thanks for pointing this out, and your patience.
M.

On Wed, Sep 22, 2021 at 2:25 PM Hank Hotz <Hank_Hotz@na.honda.com> wrote:

I’m trying to demonstrate that Dogtag could support issuing certs to a Linux version which I can’t get information on. Using Fedora 34 for initial proof-of-concept.

 

I’ve managed to work through a lot of the errors in https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/administration_guide/bulk-issuance. (The page doesn’t seem to be maintained. Where can I submit corrections?)

 

I’m stuck on the last step though. Until I get a working example, I can’t tell what’s wrong with the format of the request. The error I get follows. If other info would be useful, like the full traceback, or the request as actually formatted by the perl command, just let me know.

 

2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] WARNING: CertProcessor: No authenticator credentials required

2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: DBSSession: reading cn=8,ou=certificateRepository, ou=ca, o=pki-tomcat-CA

2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: AgentCertAuthentication: authenticated uid=newcaagent,ou=people,o=pki-tomcat-CA

2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: EnrollProfile: Parsing PKCS #10 request:

2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: Unable to parse PKCS #10 request: Sequence tag error -1

java.io.IOException: Sequence tag error -1

        at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)

[ . . . traceback with no explicit errors . . . ]

2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: ProfileSubmitServlet: error in processing request: Invalid Request

Invalid Request

        at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:247)

[ . . . traceback including . . . ]

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)

        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.base/java.lang.Thread.run(Thread.java:829)

Caused by: java.io.IOException: Sequence tag error -1

        at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)

        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:143)

        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)

        at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:238)

        ... 50 more

 

Thanks for any help. If I get past proof of concept, I can engage Honda’s support contract with IBM, but I’m not there yet.

 

Confidentiality Notice: This transmission (including any attachments) may contain confidential information belonging to the sender and is intended only for the use of the party or entity to which it is addressed. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, retention or the taking of action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and erase all information and attachments.
_______________________________________________
Pki-users mailing list -- users@lists.dogtagpki.org
To unsubscribe send an email to users-leave@lists.dogtagpki.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s