You can install and run the console (pki-console) on your client
machine. It will connect to your dogtag instance using the admin port.
Ade
On Mon, 2013-07-22 at 18:36 -0400, Taggart, Michelle wrote:
That's quite helpful! I'll dig deep into that and see if
there's any indication of the error.
What I'm actually not finding is the GUI version of the creation of the certificate
profile. I don't have a desktop for my test Fedora, so I'm doing everything
through SSH CLI or the GUI from the dogtag-pki-theme.
Thanks,
Michelle Taggart
x5166
----- Original Message -----
From: "John Magne" <jmagne(a)redhat.com>
To: "Michelle Taggart" <mdemansana(a)philasd.org>
Cc: "Christina Fu" <cfu(a)redhat.com>, pki-users(a)redhat.com
Sent: Monday, July 22, 2013 6:27:13 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
Try looking or even posting the /var/lib/pki-ca/logs/debug log file.
This is a finely grained debug log that could provide clues to the reason for the
rejection.
----- Original Message -----
From: "Michelle Taggart" <mdemansana(a)philasd.org>
To: "Christina Fu" <cfu(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Monday, July 22, 2013 3:17:14 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
I did see that. I tried to submit the CSR into the Manual Certificate Manager Signing
Certificate Enrollment form but it keeps on failing, with the following message in the
ee:
Certificate Profile
Sorry, your request has been rejected. The reason is "Request Rejected - {0}"
And here's the message/entry within the Agent page:
Request Information
Request ID: 35
Request Type: enrollment
Request Status: rejected
Requestor Host: null
Assigned To:
Creation Time: Mon Jul 22 18:12:09 EDT 2013
Modification Time: Mon Jul 22 18:12:09 EDT 2013
Certificate Profile Information
Certificate Profile Id: caCACert
Approved By: admin
Certificate Profile Name: Manual Certificate Manager Signing Certificate Enrollment
Certificate Profile Description: This certificate profile is for enrolling Certificate
Authority certificates.
Additional Notes
Certificate Profile Inputs
Id Input Names Input Values
cert_request_type Certificate Request Type pkcs10
cert_request Certificate Request -----BEGIN CERTIFICATE REQUEST----- [...] -----END CERTIFICATE REQUEST-----
requestor_name Requestor Name test
requestor_email Requestor Email test(a)philasd.net
requestor_phone Requestor Phone
I can't find any other reason for the rejection, is there a log file for it?
Thanks,
Michelle Taggart
x5166
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-users(a)redhat.com
Sent: Monday, July 22, 2013 6:03:05 PM
Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
On 07/22/2013 02:14 PM, Taggart, Michelle wrote:
> Hi Christina,
>
> I'm sorry for the confusion, let's skip the PKCS#7, I read the settings wrong ;)
>
> I'm actually trying to generate a certificate that is also an intermediary CA. Which Certificate Profile should best fit that need?
>
The "Manual Certificate Manager Signing Certificate Enrollment"
(caCACert profile) is for a generic CA signing cert enrollment. People
can customize it to fit their own site requirements.
For information on how to do that, you can check the documentation
(Admin guide specifically):
https://access.redhat.com/site/documentation/Red_Hat_Certificate_System/
Christina
>
> Thanks,
>
> Michelle Taggart
>
>
> ----- Original Message -----
> From: "Christina Fu"<cfu(a)redhat.com>
> To: pki-users(a)redhat.com
> Sent: Monday, July 22, 2013 4:56:16 PM
> Subject: Re: [Pki-users] Generate certificate for proxy using a PKCS#7 as the CSR
>
> Dogtag only supports CSR in the following formats:
> 1. CRMF
> 2. PKCS #10
> 3. CMC with either CRMF or PKCS #10
>
> I am not aware that a CSR can be represented in PKCS #7, but I always
> keep an open mind to learn new (or old) things, so I'd appreciate it if
> you can send us a reference link to the RFC that specifies such CSR
> representation using PKCS #7. If it gives us enough good reasons to
> support it, we will gladly consider supporting that in the future.
>
> Christina
>
> On 07/22/2013 11:47 AM, Taggart, Michelle wrote:
>> Hi,
>>
>> I'm working on getting a CSR approved through Dogtag 10.0.3 on Fedora Core 19. The CSR is in PKCS#7 format. I'm using the Manual Certificate Manager Signing Certificate Enrollment form since I need the certificate to be an intermediary CA. After submitting the form, I get a "Sorry, your request has been rejected. The reason is "Request Rejected - {0}" error. Any ideas on what's causing this?
>>
>>
>>
>> Thanks,
>>
>> Michelle Taggart
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
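The thread lists CRMF, PKCS #10 and CMC as the request formats Dogtag accepts, so it helps to check what a blob actually contains before pasting it into an enrollment form. The following is an added example, not part of the thread and not Dogtag code: a standard-library Python check that classifies a request by its outer ASN.1 shape rather than by its PEM label. The function names and the hex skeletons are constructed for illustration, and the check looks at structure only (no signature verification).

```python
import base64
import re

# PKCS #7 / CMS content-type OIDs (RFC 2315, RFC 5652)
PKCS7_TYPES = {"1.2.840.113549.1.7.1": "data",
               "1.2.840.113549.1.7.2": "signedData"}

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def oid(body):
    """Decode OID content octets to dotted form (first arc 0 or 1)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify(blob):
    """Classify a request by ASN.1 shape, ignoring any PEM label."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", blob, re.S)
    try:
        der = base64.b64decode(b"".join(m.group(1).split())) if m else blob
        tag, start, _ = tlv(der, 0)
        inner, istart, iend = tlv(der, start)
        if tag == 0x30 and inner == 0x06:  # ContentInfo starts with an OID
            name = oid(der[istart:iend])
            return "pkcs7:" + PKCS7_TYPES.get(name, name)
        if tag == 0x30 and inner == 0x30:  # PKCS #10: INTEGER; CRMF: SEQUENCE
            first = tlv(der, istart)[0]
            return {0x02: "pkcs10", 0x30: "crmf"}.get(first, "unknown")
    except (ValueError, IndexError):
        pass
    return "unknown"

# Constructed skeletons (shape only, not valid signed requests)
P10 = bytes.fromhex("300730050201003000")
P7 = bytes.fromhex("300b06092a864886f70d010702")
MISLABELLED = (b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(P7)
               + b"\n-----END CERTIFICATE REQUEST-----\n")
```

A `pkcs7:signedData` result is not conclusive on its own, because a CMC full request is also carried in CMS SignedData; the encapsulated content type has to be inspected to tell a certificate bundle from a CMC request.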