Thanks again for the information. I have a couple more questions for you.
The first is that I have added a new 'Dogtag' CA in
/var/lib/certmonger/cas/20150331194831-5:

    id=Dogtag
    ca_aka=Dogtag PKI
    ca_is_default=0
    ca_type=EXTERNAL
    ca_external_helper=/usr/libexec/certmonger/dogtag-submit
    ca_required_enroll_attributes=template-subject
    ca_required_renewal_attributes=template-subject

However, when I run getcert list-cas, it does not appear.
The next question is regarding the dogtag-submit helper itself. I'm trying
to execute this:

    /usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key -E -T caServerCert -d /etc/httpd/alias -n caadmin -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C /etc/pki/pki-tomcat/alias

and then I paste in my CSR and hit 'ctrl-d' and I get:

    code = 77
    code_text = "Problem with the SSL CA cert (path? access rights?)"
    results = "(null)"
    Error 77 connecting to ;: Problem with the SSL CA cert (path? access rights?).
I guess I'm not sure what CA cert path it's talking about. I've tried the
pki-tomcat alias path and I've tried pointing to the CA cert that I
downloaded from the WebUI on the 'Import CA Certificate Chain' page, but I
always get the same error.
Thanks for your help,
--steve
On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin(a)redhat.com> wrote:
On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote:
> Hello everyone,
>
> I have a requirement to provide a service to our internal linux systems to
> allow them to self-register and receive a certificate representing the host
> itself and then a cert representing any application on that host. I have
> installed DogTag, it's up and running and seems to be working.
>
> I'd like to be able to use REST to request a certificate and have it
> auto-signed. I know that DogTag has a REST interface and while the
> interface is documented, there are no examples where I can see how it would
> actually be used to post a CSR, fetch a cert, etc.
>
> Normally, I'd just sniff a request made with getcert but as I'm using just
> dogtag as a standalone install and not as a part of FreeIPA, getcert has no
> knowledge of my local DogTag CA:
>
>     [root@dogtag lib]# getcert list-cas
>     CA 'SelfSign':
>         is-default: no
>         ca-type: INTERNAL:SELF
>         next-serial-number: 01
>     CA 'IPA':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/ipa-submit
>     CA 'certmaster':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/certmaster-submit
>     CA 'dogtag-ipa-renew-agent':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>     CA 'local':
>         is-default: no
>         ca-type: EXTERNAL
>         helper-location: /usr/libexec/certmonger/local-submit
>
> so... how do I make it aware? I'm using fedora21 so I'm at
> certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
> looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure what
> to add.
If you're after something you can use to poke at the server from the
command line, the 'pki' tool from the 'pki-tools' package may be closer
to what you're looking for.
If not, well, here's more than you probably want to know.
The CAs which certmonger knows about by default are the ones that don't
require any additional configuration to be passed to them. For example,
the ipa-submit helper can dig up all of the configuration that it needs
from the IPA configuration files. Along similar lines, the
dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration
for some settings, and have hardwired defaults for the rest.
The general-purpose dogtag-submit helper doesn't have that expectation,
and it hasn't seen much use yet, so you may find some bugs (well, more
than usual). Anyway, a new file telling certmonger how to invoke it
would look something like this:

    id=Dogtag
    ca_type=EXTERNAL
    ca_external_helper=/usr/libexec/certmonger/dogtag-submit ...
The flags that would be passed to the dogtag-submit helper depend on
whether or not it's expected to use agent creds to use Dogtag's agent
services to approve the signing requests that it submits. Briefly:
    -T caServerCert
        The name of the Dogtag enrollment profile to use.
    -E http://server:8080/ca/ee/ca
        The location of Dogtag's end-user service.
    -A https://server:8443/ca/agent/ca
        The location of Dogtag's agent services, if agent creds will be used.
    -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt
        The location of the agent creds, if agent creds will be used.
Some words of caution: the helper doesn't use the new REST API, but
rather the old forms-based one, due to a combination of wanting to
remain compatible with older versions of Dogtag and wanting to avoid
adding new dependencies to the server via the REST API.
If you try to use agent creds to auto-approve things, but the enrollment
profile doesn't provide defaults for every extension value that it
populates, the logic in dogtag-submit that tries to use agent creds to
approve requests won't be able to tell the server to just use the
defaults, and things could go awry. The -O flag may help here.
You may want to run dogtag-submit interactively to get the flags sorted
out, passing in previous output using the -S flag to mimic the
certmonger daemon running it iteratively.
> I apologize in advance for the pedestrian questions. I have read the docs
> and the getting started guide and while they provide examples for
> self-signed certs and for using FreeIPA, I don't see much info on using
> getcert with DogTag as a standalone product. I'd also like to explore using
> SCEP for requesting certs from our MS PKI. Is there a guide or info setting
> up certmonger/getcert to hit a SCEP URL?
That functionality was new in 0.77, and I've just submitted a candidate
update build for F21, so hopefully some will be available in the
updates-testing tree this week. Anyway, the short version of how to use
an SCEP server is:
* Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at
your SCEP server's URL and give the CA a nickname.
* If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted
copy of the CA's certificate. If not, use "getcert list" and
"getcert list-cas" to display request and certificate fingerprints
for manual verification.
* Use "getcert -c $NAME" to request a certificate.
* Use the -L or -l flag to supply the enrollment PIN or point to a
file that contains the enrollment PIN.
A lot of the logic for supporting SCEP is new, so if you run into
problems in that area, please make sure to let us know.
HTH,
Nalin
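The CA definition file and helper flags that Nalin describes above, worked through as an added example (not code from the thread or from certmonger). It assumes the key=value layout shown in the /var/lib/certmonger/cas files in this thread, the helper path and flag names Nalin lists, and that certmonger splits the ca_external_helper value shell-style; the URL check only enforces that each of -E and -A carries an http(s) URL with a host, since a flag left without a value gives the helper an empty endpoint to connect to.

```python
"""Build and read back a certmonger CA definition for dogtag-submit.

Added example; assumptions: one key=value per line (as in the cas/ files
quoted in the thread), and the helper string is split shell-style.
"""
import shlex
from urllib.parse import urlparse

HELPER = "/usr/libexec/certmonger/dogtag-submit"  # path quoted in the thread


def _checked_url(url):
    """Accept only an http(s) URL with a host; anything else is a misconfig."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    return url


def helper_command(profile, ee_url, agent_url=None, nssdb=None,
                   nickname=None, pinfile=None):
    """Return the ca_external_helper value: helper path plus its flags."""
    args = [HELPER, "-T", profile, "-E", _checked_url(ee_url)]
    if agent_url:
        # -A only makes sense together with the agent creds (-d, -n, -p).
        if not (nssdb and nickname and pinfile):
            raise ValueError("-A requires -d, -n and -p (agent creds)")
        args += ["-A", _checked_url(agent_url),
                 "-d", nssdb, "-n", nickname, "-p", pinfile]
    return " ".join(shlex.quote(a) for a in args)


def ca_definition(ca_id, command, aka=None, default=False):
    """Render the key=value file certmonger reads from its cas/ directory."""
    lines = [f"id={ca_id}"]
    if aka:
        lines.append(f"ca_aka={aka}")
    lines += [f"ca_is_default={int(default)}",
              "ca_type=EXTERNAL",
              f"ca_external_helper={command}"]
    return "\n".join(lines) + "\n"


def parse_ca_definition(text):
    """Read a definition back into a dict, splitting on the first '=' only."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
```

Writing the rendered text to a new file under /var/lib/certmonger/cas/ and restarting certmonger is what the thread's own procedure calls for; the example deliberately stops at producing the text.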