Hi Emily, Please see my in-line reply below. Actually, you might want to read my last comment first, and then circle back, so you won't get confused. Christina On 04/08/2015 02:38 PM, Emily Stemmerich wrote: > Hi, > > I was referred to this email list by alee on the #dogtag-pki IRC > group to get some help on automatic certificate renewals. We are > trying to get Dogtag 10.2.1 set up to be a certificate authority for > Cisco routers' identity certificates. For the first step I have > things working to get a certificate using the caRouterCert.cfg > profile with a one-time password in the flatfile.txt. For the second > step I'm trying to get auto-renewal of the identity certificates > working. Here is where I stand: > If you intend to do auto-enrollment, then one-time pin is not the right authentication method. See my reply to #2 below. > 1. For testing, I have set the validity to 1 day so that the renewal > attempt happens the next day... I don't see a way of making it any > shorter to expedite testing. a trick I hear in testing is to reset the clock > > 2. I have added "renewal=true" to the caRouterCert.cfg hoping that it > will enable auto-renewal. I'm not sure if using the same profile > would require that a "one-time" password needs to be in flatfile.txt > again (which isn't practical)? If I would need a different profile > for the renewal I'm not clear on how to add and then use it for the > renewal. the caRouterCert profile works just like all the other profiles where the authentication/authorization are configurable. Here is a link that explains how authentication works and how to configure in profiles: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... You have choices of authentication. For example, if you want auto-approval (without agent manual approval), you will need to set up directory-based authentication. > > 3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the > profile just for testing purposes. > > 4. I have confirmed on the router that the expiration is as expected > (24hrs) and it shows a date/time that it will attempt to renew > automatically (the link below discusses cert renewal from the > perspective of IOS). > http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrast... > > 5. When the renewal time comes on the router, I see lots of activity > in the dogtag debug log, but am unsure of what to look for to > troubleshoot it failing. Please note that the renewal feature is not intended for the router. You can read the doc here: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... In case of router renewal, you just need to go through the same caRouterCert profile. As you can see from the renewal link above, renewal can take two forms: 1. reuse keys - in this case, you just need to resubmit the same request 2. new keys - in this case, you generate a new request to submit Hope this helps. Christina > > Please advise on what to change and/or look for. I can also send > logs and/or config files if that would help. > > Best Regards, > -Emily > > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users

Thanks Christina, Looks like I will need to figure out directory auth for the routers instead of the one-time flatfile since the routers need to be able to auto-renew their identities prior to expiration, otherwise their VPN connections will drop. Do you have any quick links to using directory-based auth for certificate profiles? Unfortunately I can't do any clock manipulation for testing since that would break things working on the Cisco router -- ntp clock synchronization is a requirement. Any additional advise or information on this is welcome. Thanks, -Emily From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>> Date: Friday, April 10, 2015 at 3:02 PM To: &quot;pki-users(a)redhat.com <mailto:pki-users@redhat.com>" <pki-users(a)redhat.com <mailto:pki-users@redhat.com>> Subject: Re: [Pki-users] Router identity certificate auto-renewal questions reposting, since I Emily possibly joined the mailing list after I replied ;-). Christina On 04/10/2015 09:14 AM, Christina Fu wrote: > Hi Emily, > Please see my in-line reply below. > Actually, you might want to read my last comment first, and then > circle back, so you won't get confused. > > Christina > > On 04/08/2015 02:38 PM, Emily Stemmerich wrote: >> Hi, >> >> I was referred to this email list by alee on the #dogtag-pki IRC >> group to get some help on automatic certificate renewals. We are >> trying to get Dogtag 10.2.1 set up to be a certificate authority for >> Cisco routers' identity certificates. For the first step I have >> things working to get a certificate using the caRouterCert.cfg >> profile with a one-time password in the flatfile.txt. For the >> second step I'm trying to get auto-renewal of the identity >> certificates working. Here is where I stand: >> > If you intend to do auto-enrollment, then one-time pin is not the > right authentication method. See my reply to #2 below. > >> 1. For testing, I have set the validity to 1 day so that the >> renewal attempt happens the next day... I don't see a way of making >> it any shorter to expedite testing. > a trick I hear in testing is to reset the clock > >> >> 2. I have added "renewal=true" to the caRouterCert.cfg hoping that >> it will enable auto-renewal. I'm not sure if using the same profile >> would require that a "one-time" password needs to be in flatfile.txt >> again (which isn't practical)? If I would need a different profile >> for the renewal I'm not clear on how to add and then use it for the >> renewal. > the caRouterCert profile works just like all the other profiles where > the authentication/authorization are configurable. > Here is a link that explains how authentication works and how to > configure in profiles: > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... > > You have choices of authentication. For example, if you want > auto-approval (without agent manual approval), you will need to set > up directory-based authentication. > >> >> 3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the >> profile just for testing purposes. >> >> 4. I have confirmed on the router that the expiration is as >> expected (24hrs) and it shows a date/time that it will attempt to >> renew automatically (the link below discusses cert renewal from the >> perspective of IOS). >> http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrast... >> >> 5. When the renewal time comes on the router, I see lots of >> activity in the dogtag debug log, but am unsure of what to look for >> to troubleshoot it failing. > > Please note that the renewal feature is not intended for the router. > You can read the doc here: > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... > > In case of router renewal, you just need to go through the same > caRouterCert profile. As you can see from the renewal link above, > renewal can take two forms: > 1. reuse keys - in this case, you just need to resubmit the same request > 2. new keys - in this case, you generate a new request to submit > > Hope this helps. > Christina > > >> >> Please advise on what to change and/or look for. I can also send >> logs and/or config files if that would help. >> >> Best Regards, >> -Emily >> >> >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users