Thanks Christina,
Looks like I will need to figure out directory auth for the routers instead of the
one-time flatfile since the routers need to be able to auto-renew their identities prior
to expiration, otherwise their VPN connections will drop. Do you have any quick links to
using directory-based auth for certificate profiles?
Unfortunately I can’t do any clock manipulation for testing since that would break things
working on the Cisco router – ntp clock synchronization is a requirement.
Any additional advice or information on this is welcome.
Thanks,
-Emily
From: Christina Fu <cfu@redhat.com>
Date: Friday, April 10, 2015 at 3:02 PM
To: "pki-users@redhat.com" <pki-users@redhat.com>
Subject: Re: [Pki-users] Router identity certificate auto-renewal questions
reposting, since Emily possibly joined the mailing list after I replied ;-).
Christina
On 04/10/2015 09:14 AM, Christina Fu wrote:
Hi Emily,
Please see my in-line reply below.
Actually, you might want to read my last comment first, and then circle back, so you
won't get confused.
Christina
On 04/08/2015 02:38 PM, Emily Stemmerich wrote:
Hi,
I was referred to this email list by alee on the #dogtag-pki IRC group to get some help on
automatic certificate renewals. We are trying to get Dogtag 10.2.1 set up to be a
certificate authority for Cisco routers’ identity certificates. For the first step I have
things working to get a certificate using the caRouterCert.cfg profile with a one-time
password in the flatfile.txt. For the second step I’m trying to get auto-renewal of the
identity certificates working. Here is where I stand:
If you intend to do auto-enrollment, then one-time pin is not the right authentication
method. See my reply to #2 below.
1. For testing, I have set the validity to 1 day so that the renewal attempt happens the
next day… I don’t see a way of making it any shorter to expedite testing.
a trick I hear in testing is to reset the clock
2. I have added “renewal=true” to the caRouterCert.cfg hoping that it will enable
auto-renewal. I’m not sure if using the same profile would require that a “one-time”
password needs to be in flatfile.txt again (which isn’t practical)? If I would need a
different profile for the renewal I’m not clear on how to add and then use it for the
renewal.
the caRouterCert profile works just like all the other profiles where the
authentication/authorization are configurable.
Here is a link that explains how authentication works and how to configure in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
You have choices of authentication. For example, if you want auto-approval (without agent
manual approval), you will need to set up directory-based authentication.
3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the profile just for testing
purposes.
4. I have confirmed on the router that the expiration is as expected (24hrs) and it shows
a date/time that it will attempt to renew automatically (the link below discusses cert
renewal from the perspective of IOS).
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrast...
5. When the renewal time comes on the router, I see lots of activity in the dogtag debug
log, but am unsure of what to look for to troubleshoot it failing.
Please note that the renewal feature is not intended for the router. You can read the doc
here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
In case of router renewal, you just need to go through the same caRouterCert profile. As
you can see from the renewal link above, renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit the same request
2. new keys - in this case, you generate a new request to submit
Hope this helps.
Christina
Please advise on what to change and/or look for. I can also send logs and/or config files
if that would help.
Best Regards,
-Emily
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
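The two points the thread turns on, the renewal grace window (renewal.graceBefore / renewal.graceAfter) and the fact that a one-time PIN from flatfile.txt cannot serve an unattended renewal, can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread, from Dogtag or from Red Hat. It assumes a plain key=value profile format, that the window is [notAfter - graceBefore days, notAfter + graceAfter days], and that "flatFileAuth" is the name of the one-time-PIN authenticator; all of those are assumptions, not facts established by the messages above.

```python
"""Renewal-window and auth-method check for a Dogtag-style certificate profile.

Added example, not code from the pki-users thread or from Dogtag itself.
It models two things discussed in the thread:

  * the renewal grace window: a renewal request is accepted only if it
    arrives within renewal.graceBefore days before the certificate's
    notAfter, or within renewal.graceAfter days after it;
  * the authentication choice: a profile that authenticates with a
    one-time PIN (flat file) cannot serve unattended renewal, because
    the PIN is consumed on first use.

Assumptions (not confirmed by the thread): profile keys auth.instance_id,
renewal, renewal.graceBefore and renewal.graceAfter are read as shown, and
"flatFileAuth" is the name of the one-time-PIN authenticator.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample profile, modelled on the settings described in the thread.
SAMPLE_PROFILE = """\
desc=Router identity certificate (test)
auth.instance_id=flatFileAuth
renewal=true
renewal.graceBefore=10
renewal.graceAfter=1
"""

# Assumption: authenticator names that hand out a single-use PIN.
ONE_TIME_PIN_AUTHS = {"flatFileAuth"}


def parse_profile(text):
    """Parse key=value lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def renewal_window(not_after, grace_before_days, grace_after_days):
    """Return (start, end) of the interval in which a renewal is accepted."""
    start = not_after - timedelta(days=grace_before_days)
    end = not_after + timedelta(days=grace_after_days)
    return start, end


def renewal_allowed(cfg, not_after, request_time):
    """Decide whether a renewal request at request_time would be accepted.

    Returns (allowed, reason). Missing grace values default to 0 days,
    so a profile without them only accepts renewal exactly at notAfter.
    """
    if cfg.get("renewal", "false").lower() != "true":
        return False, "profile does not enable renewal"
    before = int(cfg.get("renewal.graceBefore", "0"))
    after = int(cfg.get("renewal.graceAfter", "0"))
    start, end = renewal_window(not_after, before, after)
    if request_time < start:
        return False, "too early: request before notAfter - graceBefore"
    if request_time > end:
        return False, "too late: request after notAfter + graceAfter"
    return True, "inside grace window"


def unattended_renewal_problems(cfg):
    """Flag profile settings that defeat auto-renewal of a router identity."""
    problems = []
    if cfg.get("auth.instance_id") in ONE_TIME_PIN_AUTHS:
        problems.append(
            "auth.instance_id uses a one-time PIN; the router cannot present "
            "it again at renewal time, so use directory-based authentication"
        )
    if cfg.get("renewal", "false").lower() != "true":
        problems.append("renewal is not enabled in the profile")
    return problems


if __name__ == "__main__":
    cfg = parse_profile(SAMPLE_PROFILE)
    # Constructed dates: a 24-hour certificate, renewal attempted 2 hours early.
    not_after = datetime(2015, 4, 11, 12, 0, tzinfo=timezone.utc)
    attempt = not_after - timedelta(hours=2)
    print(renewal_allowed(cfg, not_after, attempt))
    for problem in unattended_renewal_problems(cfg):
        print("problem:", problem)
```

With a one-day validity and graceBefore=10, every moment of the certificate's life is inside the window, so the timing is not what blocks the router's renewal; the linter points at the one-time PIN instead, which is the conclusion the thread reaches.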