Hi Emily,
Please see my in-line reply below.
Actually, you might want to read my last comment first, and then
circle back, so you won't get confused.
Christina
On 04/08/2015 02:38 PM, Emily
Stemmerich wrote:
Hi,
I was referred to this email list by alee on the #dogtag-pki
IRC group to get some help on automatic certificate renewals.
We are trying to get Dogtag 10.2.1 set up to be a certificate
authority for Cisco routers’ identity certificates. For the
first step I have things working to get a certificate using the
caRouterCert.cfg profile with a one-time password in the
flatfile.txt. For the second step I’m trying to get
auto-renewal of the identity certificates working. Here is
where I stand:
If you intend to do auto-enrollment, then one-time pin is not the
right authentication method. See my reply to #2 below.
1. For testing, I have set the validity to 1 day so that the
renewal attempt happens the next day… I don’t see a way of
making it any shorter to expedite testing.
a trick I hear in testing is to reset the clock
2. I have added “renewal=true” to the caRouterCert.cfg hoping
that it will enable auto-renewal. I’m not sure if using the
same profile would require that a “one-time” password needs to
be in flatfile.txt again (which isn’t practical)? If I would
need a different profile for the renewal I’m not clear on how to
add and then use it for the renewal.
the caRouterCert profile works just like all the other profiles
where the authentication/authorization are configurable.
Here is a link that explains how authentication works and how to
configure in profiles:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authentication_for_Enrolling_Certificates.html
You have choices of authentication. For example, if you want
auto-approval (without agent manual approval), you will need to set
up directory-based authentication.
3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in
the profile just for testing purposes.
4. I have confirmed on the router that the expiration is as
expected (24hrs) and it shows a date/time that it will attempt
to renew automatically (the link below discusses cert renewal
from the perspective of IOS).
5. When the renewal time comes on the router, I see lots of
activity in the dogtag debug log, but am unsure of what to look
for to troubleshoot it failing.
Please note that the renewal feature is not intended for the
router. You can read the doc here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Renewing_Certificates.html
In case of router renewal, you just need to go through the same
caRouterCert profile. As you can see from the renewal link above,
renewal can take two forms:
1. reuse keys - in this case, you just need to resubmit the same
request
2. new keys - in this case, you generate a new request to submit
Hope this helps.
Christina
Please advise on what to change and/or look for. I can also
send logs and/or config files if that would help.
Best Regards,
-Emily
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users