On October 17, 2012 04:52:52 PM John Dennis wrote:
On 10/17/2012 03:52 PM, Dwayne MacKinnon wrote:
> Hi all,
>
> A helpful fellow called alee on #dogtag-pki suggested I write the list.
> I've been playing with dogtag-pki-9.0.0-10 on 64-bit Fedora 17.
>
> I'm looking to use dogtag to run a subordinate CA that does all our
> everyday PKI stuff. So when I used pki-create and went into the webform,
> I went the "create a csr" route and signed it using a root CA I'd set up
> using openssl.
>
> Everything seemed to work out fine, until I got to the point where I was
> restarting pki-cad (using systemctl restart pki-cad(a)pki-ca.service). It
> wouldn't start.
>
> With alee's help I tracked it down to a failure of SystemCertsVerification
> during the selftests.
>
> He asked me to submit my debug log to the list, so here it is.
Interestingly enough, I'm in the middle of tracking down why NSS will not
validate a self signed cert as a CA. I suspect dogtag is calling NSS's
CERT_VerifyCertificateNow (or its equivalent) and passing it a specific
usage parameter.
There are very specific requirements to accept a CA cert as valid. More
valuable than the log would be to show us what the cert looks like. I would
ordinarily tell you to dump the cert in text form using openssl x509
-text but openssl often omits detailed information on the cert
extensions which are critical (no pun intended) here. How about if you
also provide us with a PEM formatted version of the cert and we'll use
our tools to examine its contents.
Sure. I've generated a clone cert with phony credentials. It's attached.
Thanks for the assistance.
Cheers,
DMK
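As an added illustration (not part of this thread, and not dogtag's or NSS's code), the stand-alone Python below walks the DER Extensions SEQUENCE of a certificate and reports the two conditions RFC 5280 places on a CA certificate, which is what a usage-specific verification like the one described above checks: basicConstraints with cA=TRUE, and keyCertSign in keyUsage whenever keyUsage is present. The sample extension blocks CA_EXTS and LEAF_EXTS are constructed by hand for the demonstration, not taken from the attached cert.

```python
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # 2.5.29.15
KEY_CERT_SIGN = 0x04                                # KeyUsage bit 5, in the first content byte

def read_tlv(buf, pos):                             # one DER TLV -> (tag, content, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(ext_seq):                      # extnID (raw OID) -> (critical, extnValue DER)
    _, body, _ = read_tlv(ext_seq, 0)
    pos, result = 0, {}
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)           # Extension ::= SEQUENCE
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = tag == 0x01 and val == b"\xff"   # optional BOOLEAN, DEFAULT FALSE
        if tag == 0x01:
            _, val, p = read_tlv(ext, p)
        result[oid] = (critical, val)               # val = OCTET STRING content
    return result

def ca_check(ext_seq):                              # reasons to refuse as a CA; [] = acceptable
    exts, problems = parse_extensions(ext_seq), []
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None:
        problems.append("basicConstraints missing")
    else:                                           # cA is DEFAULT FALSE: DER omits it when FALSE
        _, seq, _ = read_tlv(bc[1], 0)
        if not (seq and read_tlv(seq, 0)[:2] == (0x01, b"\xff")):
            problems.append("basicConstraints cA is not TRUE")
    ku = exts.get(OID_KEY_USAGE)
    if ku is not None:
        _, bits, _ = read_tlv(ku[1], 0)             # BIT STRING: bits[0] = unused-bit count
        if len(bits) < 2 or not bits[1] & KEY_CERT_SIGN:
            problems.append("keyUsage present but keyCertSign not set")
    return problems

# Constructed sample extension blocks (hypothetical, not the cert from this thread)
def der(tag, content):                              # short-form length suffices for these sizes
    return bytes([tag, len(content)]) + content
def ext(oid, value, critical=True):
    return der(0x30, der(0x06, oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))
CA_EXTS = der(0x30, ext(OID_BASIC_CONSTRAINTS, der(0x30, der(0x01, b"\xff")))
              + ext(OID_KEY_USAGE, der(0x03, b"\x01\x06")))    # keyCertSign | cRLSign
LEAF_EXTS = der(0x30, ext(OID_BASIC_CONSTRAINTS, der(0x30, b""))   # cA omitted = FALSE
              + ext(OID_KEY_USAGE, der(0x03, b"\x05\xa0")))    # digitalSignature | keyEncipherment
```

Feeding it the Extensions SEQUENCE of a real cert (for example the tbsCertificate's [3] EXPLICIT Extensions element pulled out of the DER) tells you at a glance whether the subordinate CA cert was issued with the leaf-style extensions that make a verifier reject it for CA usage.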