Kritee,
At the minimum, you need the fixes I talked about. They were checked
into the master but has not been built officially so yum is not going to
get you the right rpm. However, you can check it out and build it yourself.
Here is how you check out the master:
git clone
git://git.fedorahosted.org/git/pki.git
You can then use the build scripts to build.
Finally, I apologize that we are not supposed to respond to private
emails. Dogtag is a community where we share our knowledge. In the
future please send requests to the mailing list.
I took the exception this time to look at your CSR and certs and I could
see that you need the fixes I talked about. I don't know if you have
other issues though, but AFAIK you need those two fixes.
Hope this helps.
Christina
On 10/29/2014 01:16 AM, kritee jhawar wrote:
Hi Christina
I have done the default configuration for 389ds and haven't
specifically turned on ssl for it.
Initially I tried using Microsoft and OpenSSL CA as external CAs. This
is about a month back and I pull the Rpms using yum (so I assume they
are the latest ones with the fix you mentioned).
With this, my pki spawn went fine. Infect the admin cert got generated
using the externally provided root cert as well. But dogtag couldn't
connect to the ds. As mentioned earlier it gave me a PKIException
error listing the certs with error code 500.
Looking at the ds logs I found that the error was 'bad search filter'.
However when I tried the same steps with dogtag as external CA the
setup went through without a glitch. The chain I imported was directly
from the GUI of dogtag. In fact I included the header and footer as well.
When I tried to reverse engineer the chain, I took the root cert of
external dogtag ca and used OpenSSL to convert it into pkcs7. This
chain was not the same as provided from the GUI. Hence I thought that
there is some particular format for the chain because of which the
other CAs aren't working.
Also, I updated the Rpms using yum and tried to generate the CSR with
the extra attributes. My csr still doesn't reflect those added
attributes.
Is yum not the correct way to get the latest code ?
I am very new to this, really appreciate your assistance and time.
Regards
Kritee
On Wednesday, 29 October 2014, Christina Fu <cfu(a)redhat.com
<mailto:cfu@redhat.com>> wrote:
the cert chain you provide in the file specified under
pki_external_ca_cert_chain_path
should be just pkcs7 without header/footer.
I don't know why it would not talk to the DS (did you turn on ssl
for the ds?).
Not sure if you build your Dogtag from the master, if you do, I'd
suggest you get the most updated so you get fixes from the tickets
I provided previously which would address at least two issues
relating to external CA.
Christina
On 10/27/2014 07:55 PM, kritee jhawar wrote:
> Hi Christina
>
> I was undertaking this activity last month where Microsoft CA
> didn't work out but Dogtag as external CA did.
>
> While using Microsoft CA or OpenSSL CA, pki spawn goes through
> without any error but dogtag stops communications to 389ds. Upon
> calling the rest Api /ca/rest/certs I get a "PKIException error
> listing the certs".
>
> Is there a particular format for the ca cert chain that we need
> to provide ? I was trying to reverse engineer the chain provided
> by dogtag.
>
> Thanks
> Kritee
>
>
>
> On Monday, 27 October 2014, Christina Fu <cfu(a)redhat.com
> <javascript:_e(%7B%7D,'cvml','cfu@redhat.com');>>
wrote:
>
> If you meant the following two:
>
https://fedorahosted.org/pki/ticket/1190 CA: issuer DN
> encoding not preserved at issuance with signing cert signed
> by an external CA
>
https://fedorahosted.org/pki/ticket/1110 - pkispawn
> (configuration) does not provide CA extensions in subordinate
> certificate signing requests (CSR)
>
> They have just recently been fixed upstream so I imagine you
> could use Microsoft CA now. Theoretically any other CA can be
> used as an external CA, but if you run into issues, please
> feel free to report.
>
> Christina
>
>
> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>> Hi
>>
>> In my recent thread i read that there is a bug due to which
>> Microsoft CA can't work as external CA for dogtag.
>> Can OpenSSL be used ?
>>
>> Thanks
>> Kritee
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/pki-users
>