I see the issue now... I should have used -i instead of -C. I was also able
to add my new CA, Dogtag, but I had to stop certmonger, add the CA and then
start certmonger again.
On Fri, Apr 3, 2015 at 4:07 PM, Steve Neuharth <steve(a)sylvation.com> wrote:
I should add too that

    curl --cacert ca.crt https://dogtag.test.org:8443/ca/services

does get a valid response, while using that file with the -C switch on
dogtag-submit does not.
On Fri, Apr 3, 2015 at 3:47 PM, Steve Neuharth <steve(a)sylvation.com> wrote:
> Thanks again for the information. I have a couple more questions for you.
>
> first is that I have added a new 'Dogtag' ca in
> /var/lib/certmonger/cas/20150331194831-5
>
> id=Dogtag
> ca_aka=Dogtag PKI
> ca_is_default=0
> ca_type=EXTERNAL
> ca_external_helper=/usr/libexec/certmonger/dogtag-submit
> ca_required_enroll_attributes=template-subject
> ca_required_renewal_attributes=template-subject
>
> however, when I run getcert list-cas, it does not appear
>
> The next question is regarding the dogtag-submit helper itself. I'm
> trying to execute this:
>
> /usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key \
>     -E https://dogtag.test.org:8443/ca/ee/ca \
>     -A https://dogtag.test.org:8443/ca/agent/ca \
>     -T caServerCert -d /etc/httpd/alias -n caadmin \
>     -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C /etc/pki/pki-tomcat/alias
>
> and then I paste in my csr and hit 'ctrl-d' and I get:
>
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
> Error 77 connecting to https://dogtag.test.org:8443/ca/ee/ca/profileSubmit: Problem with the SSL CA cert (path? access rights?).
>
> I guess I'm not sure what CA cert path it's talking about. I've tried the
> pki-tomcat alias path and I've tried pointing to the CA cert that I
> downloaded from the WebUI on the 'Import CA Certificate Chain' page but
> I always get the same error.
>
> Thanks for your help,
> --steve
>
> On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin(a)redhat.com> wrote:
>
>> On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote:
>> > Hello everyone,
>> >
>> > I have a requirement to provide a service to our internal linux
>> > systems to allow them to self-register and receive a certificate
>> > representing the host itself and then a cert representing any
>> > application on that host. I have installed DogTag, it's up and
>> > running and seems to be working.
>> >
>> > I'd like to be able to use REST to request a certificate and have it
>> > auto-signed. I know that DogTag has a REST interface and while the
>> > interface is documented, there are no examples where I can see how it
>> > would actually be used to post a CSR, fetch a cert, etc.
>> >
>> > Normally, I'd just sniff a request made with getcert but as I'm using
>> > just dogtag as a standalone install and not as a part of FreeIPA,
>> > getcert has no knowledge of my local DogTag CA:
>> >
>> > [root@dogtag lib]# getcert list-cas
>> > CA 'SelfSign':
>> >         is-default: no
>> >         ca-type: INTERNAL:SELF
>> >         next-serial-number: 01
>> > CA 'IPA':
>> >         is-default: no
>> >         ca-type: EXTERNAL
>> >         helper-location: /usr/libexec/certmonger/ipa-submit
>> > CA 'certmaster':
>> >         is-default: no
>> >         ca-type: EXTERNAL
>> >         helper-location: /usr/libexec/certmonger/certmaster-submit
>> > CA 'dogtag-ipa-renew-agent':
>> >         is-default: no
>> >         ca-type: EXTERNAL
>> >         helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>> > CA 'local':
>> >         is-default: no
>> >         ca-type: EXTERNAL
>> >         helper-location: /usr/libexec/certmonger/local-submit
>> >
>> > so... how do I make it aware? I'm using fedora21 so I'm at
>> > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask.
>> > It looks like I'd edit files in /var/lib/certmonger/cas but I'm not
>> > sure what to add.
>>
>> If you're after something you can use to poke at the server from the
>> command line, the 'pki' tool from the 'pki-tools' package may be closer
>> to what you're looking for.
>>
>> If not, well, here's more than you probably want to know.
>>
>> The CAs which certmonger knows about by default are the ones that don't
>> require any additional configuration to be passed to them. For example,
>> the ipa-submit helper can dig up all of the configuration that it needs
>> from the IPA configuration files. Along similar lines, the
>> dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration
>> for some settings, and have hardwired defaults for the rest.
>>
>> The general-purpose dogtag-submit helper doesn't have that expectation,
>> and it hasn't seen much use yet, so you may find some bugs (well, more
>> than usual). Anyway, a new file telling certmonger how to invoke it
>> would look something like this:
>>
>> id=Dogtag
>> ca_type=EXTERNAL
>> ca_external_helper=/usr/libexec/certmonger/dogtag-submit ...
>>
>> The flags that would be passed to the dogtag-submit helper depend on
>> whether or not it's expected to use agent creds to use Dogtag's agent
>> services to approve the signing requests that it submits. Briefly:
>> -T caServerCert
>>     The name of the Dogtag enrollment profile to use.
>> -E http://server:8080/ca/ee/ca
>>     The location of Dogtag's end-user service.
>> -A https://server:8443/ca/agent/ca
>>     The location of Dogtag's agent services, if agent creds will be used.
>> -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt
>>     The location of the agent creds, if agent creds will be used.
>>
>> Some words of caution: the helper doesn't use the new REST API, but
>> rather the old forms-based one, due to a combination of wanting to
>> remain compatible with older versions of Dogtag and wanting to avoid
>> adding new dependencies to the server via the REST API.
>>
>> If you try to use agent creds to auto-approve things, but the enrollment
>> profile doesn't provide defaults for every extension value that it
>> populates, the logic in dogtag-submit that tries to use agent creds to
>> approve requests won't be able to tell the server to just use the
>> defaults, and things could go awry. The -O flag may help here.
>>
>> You may want to run dogtag-submit interactively to get the flags sorted
>> out, passing in previous output using the -S flag to mimic the
>> certmonger daemon running it iteratively.
>>
>> > I apologize in advance for the pedestrian questions. I have read the
>> > docs and the getting started guide and while they provide examples for
>> > self-signed certs and for using FreeIPA, I don't see much info on using
>> > getcert with DogTag as a standalone product. I'd also like to explore
>> > using SCEP for requesting certs from our MS PKI. Is there a guide or
>> > info setting up certmonger/getcert to hit a SCEP URL?
>>
>> That functionality was new in 0.77, and I've just submitted a candidate
>> update build for F21, so hopefully some will be available in the
>> updates-testing tree this week. Anyway, the short version of how to use
>> an SCEP server is:
>>
>> * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at
>> your SCEP server's URL and give the CA a nickname.
>> * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted
>> copy of the CA's certificate. If not, use "getcert list" and
>> "getcert list-cas" to display request and certificate fingerprints
>> for manual verification.
>> * Use "getcert -c $NAME" to request a certificate.
>> * Use the -L or -l flag to supply the enrollment PIN or point to a
>> file that contains the enrollment PIN.
>>
>> A lot of the logic for supporting SCEP is new, so if you run into
>> problems in that area, please make sure to let us know.
>>
>> HTH,
>>
>> Nalin
>>
>
>
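The thread turns on what kind of path dogtag-submit was handed: the NSS database directory that -d/-n/-p point at for agent credentials, versus the PEM CA certificate that curl --cacert accepted and that the top message says belongs with -i rather than -C. The following Python is an added example, not code from the thread or from certmonger: it classifies a path the way a practitioner would when chasing curl's error 77 ("Problem with the SSL CA cert (path? access rights?)") and names the flag from the thread that matches. The reading of -C as an OpenSSL-style hashed CA directory, the file names used to recognise an NSS database, and the fixture files (which are not real certificates) are my assumptions.

```python
import os
import re
import tempfile

# PEM certificate blocks, as exported by Dogtag's "Import CA Certificate Chain" page or openssl.
PEM_CERT_RE = re.compile(
    r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----.*?-----END (?:TRUSTED )?CERTIFICATE-----",
    re.S,
)
# File names that mark an NSS certificate/key database directory (assumption: both the
# legacy dbm format and the sqlite format are recognised).
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db", "cert9.db", "key4.db", "pkcs11.txt")
# OpenSSL hashed CA directory entries look like "a1b2c3d4.0" (assumption about -C's input).
CAPATH_ENTRY_RE = re.compile(r"[0-9a-f]{8}\.\d+")


def classify_ca_path(path):
    """Return (kind, detail) describing what a TLS client would find at `path`."""
    if not os.path.exists(path):
        return "missing", "%s does not exist" % path
    if not os.access(path, os.R_OK):
        return "unreadable", "%s is not readable by uid %d" % (path, os.geteuid())
    if os.path.isdir(path):
        names = set(os.listdir(path))
        nss = sorted(n for n in NSS_DB_FILES if n in names)
        if nss:
            return "nss-db-dir", "NSS database files present: %s" % ", ".join(nss)
        hashed = sorted(n for n in names if CAPATH_ENTRY_RE.fullmatch(n))
        if hashed:
            return "capath-dir", "hashed CA entries: %s" % ", ".join(hashed)
        return "plain-dir", "directory with no NSS database and no hashed CA entries"
    with open(path, "rb") as fh:
        data = fh.read()
    certs = PEM_CERT_RE.findall(data.decode("latin-1"))
    if certs:
        return "pem-bundle", "%d PEM certificate block(s)" % len(certs)
    if data[:1] == b"\x30":
        return "der-file", "starts with an ASN.1 SEQUENCE tag; probably one DER certificate"
    return "unknown-file", "neither PEM nor DER"


def suggest_flag(kind):
    """Map a classification to the dogtag-submit flag the thread uses for that input.
    The -C-as-hashed-directory reading is an assumption; the rest follows the messages above."""
    return {
        "pem-bundle": "-i: a PEM CA certificate file (what curl --cacert accepted)",
        "der-file": "convert to PEM first; -i expects PEM (assumption)",
        "nss-db-dir": "-d (with -n and -p): agent credential database, not a CA trust anchor",
        "capath-dir": "-C: hashed CA certificate directory (assumption)",
        "plain-dir": "not usable as a CA trust source; curl error 77 is expected",
        "missing": "fix the path; curl error 77 ('path?') is expected",
        "unreadable": "fix permissions; curl error 77 ('access rights?') is expected",
        "unknown-file": "not a certificate file",
    }[kind]


def build_fixture(root):
    """Create constructed sample inputs under `root`. None of these are real certificates."""
    nss_dir = os.path.join(root, "alias")
    os.makedirs(nss_dir)
    for name in ("cert9.db", "key4.db", "pkcs11.txt"):
        open(os.path.join(nss_dir, name), "wb").close()
    pem_path = os.path.join(root, "ca.crt")
    with open(pem_path, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n"
                 "MIIBconstructedPlaceholderNotARealCertificate==\n"
                 "-----END CERTIFICATE-----\n")
    empty_dir = os.path.join(root, "empty")
    os.makedirs(empty_dir)
    return {"alias": nss_dir, "ca.crt": pem_path, "empty": empty_dir,
            "nope.crt": os.path.join(root, "nope.crt")}


def run_demo():
    """Classify each constructed fixture; returns {label: kind} so the result can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, path in build_fixture(root).items():
            kind, detail = classify_ca_path(path)
            results[label] = kind
            print("%-9s %-12s %s\n          -> %s" % (label, kind, detail, suggest_flag(kind)))
    return results


if __name__ == "__main__":
    run_demo()
```

Run it against the real paths from the thread (for example /etc/pki/pki-tomcat/alias and the downloaded ca.crt) by calling classify_ca_path on each; an "nss-db-dir" verdict for the path given to -C is exactly the mismatch the error message hints at with "path?".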