1:16 p.m.
Hi!
I'm trying to get CMC signed enrollment to work.
What I want to do is create certificate requests via a web based tool
on one server, and ship them to the CA for auto-vetting. It looks like in
my situation using signed CMC is the most simple solution.
I *think* I have set everything up correctly but, when I try to test my
assumption by using either CMCEnroll or CMCRequest to create a CMC request
I get the following error:
[root@ebbe test]# CMCEnroll -d "/root/test/cmc-agent/" -n "cmc" -r
"/root/test/test3.csr" -p "bla"
cert/key prefix =
path = /root/test/cmc-agent/
java.io.IOException: Internal Error - java.io.IOException: Sequence tag
error 9
at com.netscape.cmstools.CMCEnroll.getCMCBlob(CMCEnroll.java:133)
at com.netscape.cmstools.CMCEnroll.main(CMCEnroll.java:412)
and the same error comes when using CMCRequest.
Now, this is NOT an error with the CA setup, as the CA doesn't come in
play yet, no? Unfortunately I haven't debugged enough Java problems yet
to understand what the error means. Maybe there's some library/class
missing somewhere?
If anyone could help out that would be great :)
I'm running Fedora 9 and DogTag 1.00, package list is below:
[root@ebbe test]# yum list | grep pki
pki-ca.noarch 1.0.0-6.fc9 installed
pki-ca-ui.noarch 1.0.0-1.fc9 installed
pki-common.noarch 1.0.0-8.fc9 installed
pki-common-ui.noarch 1.0.0-2.fc9 installed
pki-console.noarch 1.0.0-4.fc9 installed
pki-console-ui.noarch 1.0.0-1.fc9 installed
pki-java-tools.noarch 1.0.0-1.fc9 installed
pki-native-tools.i386 1.0.0-1.fc9 installed
pki-ra.noarch 1.0.0-2.fc9 installed
pki-ra-ui.noarch 1.0.0-1.fc9 installed
pki-setup.noarch 1.0.0-2.fc9 installed
pki-util.noarch 1.0.0-2.fc9 installed
krb5-pkinit-openssl.i386 1.6.3-10.fc9 fedora
pki-common-javadoc.noarch 1.0.0-8.fc9 pki
pki-java-tools-javadoc.noarch 1.0.0-1.fc9 pki
pki-kra.noarch 1.0.0-2.fc9 pki
pki-kra-ui.noarch 1.0.0-2.fc9 pki
pki-manage.noarch 1.0.0-1.fc9 pki
pki-migrate.noarch 1.0.0-1.fc9 pki
pki-ocsp.noarch 1.0.0-2.fc9 pki
pki-ocsp-ui.noarch 1.0.0-1.fc9 pki
pki-silent.noarch 1.0.0-1.fc9 pki
pki-tks.noarch 1.0.0-2.fc9 pki
pki-tks-ui.noarch 1.0.0-1.fc9 pki
pki-tps.i386 1.0.0-2.fc9 pki
pki-tps-ui.noarch 1.0.0-2.fc9 pki
pki-util-javadoc.noarch 1.0.0-2.fc9 pki
The contents of test3.csr:
[root@ebbe test]# cat test3.csr
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: test4
Email: (not specified)
Organization: (not specified)
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBTzCBuQIBADAQMQ4wDAYDVQQDEwV0ZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA5wv8VPSNH7HH0Nsdr2/3xu3fqglDbQUz8CxhFvFHXm26a1DlyC+l
pqZXCgozJzpb1N5EXDR/Wg1VVbcJNnKyvJOa4XqOqqAPFKLfH5GhAijOIIQRuLL/
WHlUeY2LUHcLCZ257b9QEOTrR6iVZPp74r2l7CBkXQ3zvx4PRfX2eY8CAwEAAaAA
MA0GCSqGSIb3DQEBBQUAA4GBAB6R3Gf4koSXucYifCIFri3vTSt2ThK7GpKrYe86
JLYOTk4aNdaL/wZDNBLnnw8if8Gv2y/LcpR7Qvto52uckCA2+rRWEYmHhDs8NF6U
q0HuaYaUgN1kdOqrzjGFaZxG5eSJkLnmFpKlp+9OsnNfz43v9zzeomzqSdRHpPEZ
pmFM
-----END NEW CERTIFICATE REQUEST-----
The contents of the certificate database that's used for the CMC agent:
[root@ebbe test]# certutil -L -d /root/test/cmc-agent
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
CMC Agent - NetherNordic SLCS u,u,u
cmc u,u,u
ca c,c,c
--
Jan