Hi Andrew, Thanks again for getting back to me. Unfortunately, I didn't get very far. I've shown below what I have done and what it resulted in: o) Go to the <server>:9443/ca/agent/ca URL and list the certificates stored in Dogtag. o) Make a note of of the Certificate Serial Numbers of the following certificates and change the hex value into decimal: CN=OCSP Signing Certificate E.G. 2 CN=<primary server> E.G. 3 CN=CA Subsystem Certificate E.G. 4 CN=CA Audit Signing Certificate E.G. 5 CN=<secondary server> E.G. 268369921 o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" o) Submit each of the Certificate Serial Numbers noted above and make a note of the request ID For each Certificate Serial Number listed above that I submit, I get the following: Sorry, your request is not submitted. The reason is "Profile caServerCert Not Found". Please could you help me further. Many thanks. Richard. From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 12 October 2013 00:47 To: Richard Thomas Cc: pki-users(a)redhat.com Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/11/2013 07:04 AM, Richard Thomas wrote: Hi Andrew, Thanks for those tips, I had some success, then difficulty and then success. Below is what I did, with some of my comments inline. Before I get to that though, there are some other certificates that are due to run out soon, but I think they should be easier to renew. The Common Name of those other certificates are: o) CN=OCSP Signing Certificate o) CN=<servername> o) CN=CA Subsystem Certificate o) CN=CA Audit Signing Certificate As I noticed below, that your server provides option to "Renew certificate to be manually approved by agents". You should used this option for all your renewals. Then start pkiconsole go to "System Keys and Certificates", select "Local Certificates", click on "Add/Renew", "Next" and "Install a certificate" Please could you help me and let me know what steps I should take for renewing these too. Thank you. Anyway, back to what I did to get the admin certificate updated. Your steps are still numbered, the ones that I did around them are identified with o) Here goes: o) Edit /var/lib/pki-ca/profiles/ca/caUserCert.cfg Change: visible=false enable=false To: visible=true enable=true o) Restart service "pki-cad" 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" This probably means that browser which generated certificate request (and the key) is not the same browser used to import certificate. o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" (make a note of the number) o) Go to the <server>:9443/ca/agent/ca URL to approve my request. (Use the number above) o) Go to the <server>:9444/ca/ee/ca URL to retrieve the certificate. (Use the number above) and click on the Issued certificate o) Extract the Base 64 encoded part of the certificate and save as <new certificate name>.pem o) Transfer <old certificate bundle name>.p12 and <new certificate name>.pem to a machine with openssl installed on it o) On a machine with openssl installed on it, submit following command: $openssl pkcs12 -in <old certificate bundle name>.p12 -out <old certificate bundle name>.pem -nodes o) Copy <old certificate bundle name>.pem to <new certificate bundle name>.pem o) Update <new certificate bundle name>.pem by replacing the relevant part of it with the contents of <new certificate name>.pem o) Cut the key part of <new certificate bundle name>.pem and create <certificate name>.key from it o) Submit following command: $openssl pkcs12 -export -in <new certificate bundle name>.pem -inkey <certificate name>.key -out <new certificate bundle name>.p12 o) Transfer <new certificate bundle name>.p12 to the machine with the web browser that you want to access Dog Tag from. o) Import <new certificate bundle name>.p12 into the machine. 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in the contents of <new certificate name>.pem, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 08 October 2013 19:26 To: Richard Thomas Cc: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/07/2013 11:41 AM, Richard Thomas wrote: Hi Andrew, Thanks very much for sending this to me. The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5) I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite.. I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are: o) Renewal: Renew certificate to be manually approved by agents o) Cisco VPN Client Enrolment The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that. The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page. I then use the <server>:9443/ca/agent/ca URL to approve my request. Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate. I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a bit of open_ssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one. I manage to import it into by machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it. After that is where the first thing looks different, but I wasn't too worried about. I get a message saying "Request For Permission to Use a Key", so I grant permission. Then things don't look go at all, as once I'm past that, all the pages say "Invalid Credential". I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag. Do you have any ideas where I have gone wrong with this please. Thank you very much. Richard. Unfortunately your version is old enough to miss new renewal profiles, which would make your task easier. Here is a simple way to renew your CA administrator certificate: 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in your new base64 encoded certificate, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface Thanks, Andrew ________________________________________ From: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> [pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] On Behalf Of Andrew Wnuk [awnuk@redhat.com<mailto:awnuk@redhat.com>] Sent: Thursday, October 03, 2013 6:05 PM To: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca Hi Richard, You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... and then add new certificate to CA administrator entry using console. Best, Andrew On 10/03/2013 08:49 AM, Richard Thomas wrote: Hi all, I hope someone would be able to help me with this. I have taken over a Dog Tag system and I have little knowledge of it. I need to renew the "CA Administrator of Instance pki-ca" certificate, as it is running out in a few weeks. Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it. I would massively appreciate any guidance on this. Thanks in advance, Richard. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com><mailto:info@the-logic-group.com><mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com><http://w... Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. _______________________________________________ Pki-users mailing list Pki-users@redhat.com<mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com> https://www.redhat.com/mailman/listinfo/pki-users The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info(a)the-logic-group.com www.the-logic-group.com Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system.

Hi Andrew, Thanks for your email, I got past that issue once I made some edits to some .cfg files in /var/lib/pki-ca/profiles/ca/ (shown at the bottom of this email). That meant I could get as far as "Install a certificate" and I got a choice of the following when doing so: o) Certificate Manager CA Signing Certificate(s) o) OCSP Signing Certificate(s) o) SSL Server Certificate(s) o) Cross-signed Certificate(s) o) Other Certificate(s) Please could you let me know which of the above option I should select. Thank you. Richard. Here's what I did to be able to "Renew certificate to be manually approved by agents". Edit file /var/lib/pki-ca/profiles/ca/caServerCert.cfg Change: visible=false enable=false To: visible=true enable=true Edit file /var/lib/pki-ca/profiles/ca/caOCSPCert.cfg Change: visible=false enable=false To: visible=true enable=true Edit file /var/lib/pki-ca/profiles/ca/caSignedLogCert.cfg Change: visible=false enable=false To: visible=true enable=true service pki-cad restart From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 15 October 2013 17:41 To: Richard Thomas Cc: pki-users(a)redhat.com Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/15/2013 02:35 AM, Richard Thomas wrote: Hi Andrew, Thanks again for getting back to me. Unfortunately, I didn't get very far. I've shown below what I have done and what it resulted in: o) Go to the <server>:9443/ca/agent/ca URL and list the certificates stored in Dogtag. o) Make a note of of the Certificate Serial Numbers of the following certificates and change the hex value into decimal: CN=OCSP Signing Certificate E.G. 2 CN=<primary server> E.G. 3 CN=CA Subsystem Certificate E.G. 4 CN=CA Audit Signing Certificate E.G. 5 CN=<secondary server> E.G. 268369921 o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" o) Submit each of the Certificate Serial Numbers noted above and make a note of the request ID For each Certificate Serial Number listed above that I submit, I get the following: Sorry, your request is not submitted. The reason is "Profile caServerCert Not Found". Check if caServerCert.cfg is listed under /var/lib/pki-ca/profiles/ca and then check if /var/lib/pki-ca/conf/CS.cfg includes profile.list= . . . ,caServerCert, . . . . . . profile.caServerCert.class_id=caEnrollImpl profile.caServerCert.config=/var/lib/pki-ca/profiles/ca/caServerCert.cfg . . . Please could you help me further. Many thanks. Richard. From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 12 October 2013 00:47 To: Richard Thomas Cc: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/11/2013 07:04 AM, Richard Thomas wrote: Hi Andrew, Thanks for those tips, I had some success, then difficulty and then success. Below is what I did, with some of my comments inline. Before I get to that though, there are some other certificates that are due to run out soon, but I think they should be easier to renew. The Common Name of those other certificates are: o) CN=OCSP Signing Certificate o) CN=<servername> o) CN=CA Subsystem Certificate o) CN=CA Audit Signing Certificate As I noticed below, that your server provides option to "Renew certificate to be manually approved by agents". You should used this option for all your renewals. Then start pkiconsole go to "System Keys and Certificates", select "Local Certificates", click on "Add/Renew", "Next" and "Install a certificate" Please could you help me and let me know what steps I should take for renewing these too. Thank you. Anyway, back to what I did to get the admin certificate updated. Your steps are still numbered, the ones that I did around them are identified with o) Here goes: o) Edit /var/lib/pki-ca/profiles/ca/caUserCert.cfg Change: visible=false enable=false To: visible=true enable=true o) Restart service "pki-cad" 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" This probably means that browser which generated certificate request (and the key) is not the same browser used to import certificate. o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" (make a note of the number) o) Go to the <server>:9443/ca/agent/ca URL to approve my request. (Use the number above) o) Go to the <server>:9444/ca/ee/ca URL to retrieve the certificate. (Use the number above) and click on the Issued certificate o) Extract the Base 64 encoded part of the certificate and save as <new certificate name>.pem o) Transfer <old certificate bundle name>.p12 and <new certificate name>.pem to a machine with openssl installed on it o) On a machine with openssl installed on it, submit following command: $openssl pkcs12 -in <old certificate bundle name>.p12 -out <old certificate bundle name>.pem -nodes o) Copy <old certificate bundle name>.pem to <new certificate bundle name>.pem o) Update <new certificate bundle name>.pem by replacing the relevant part of it with the contents of <new certificate name>.pem o) Cut the key part of <new certificate bundle name>.pem and create <certificate name>.key from it o) Submit following command: $openssl pkcs12 -export -in <new certificate bundle name>.pem -inkey <certificate name>.key -out <new certificate bundle name>.p12 o) Transfer <new certificate bundle name>.p12 to the machine with the web browser that you want to access Dog Tag from. o) Import <new certificate bundle name>.p12 into the machine. 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in the contents of <new certificate name>.pem, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 08 October 2013 19:26 To: Richard Thomas Cc: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/07/2013 11:41 AM, Richard Thomas wrote: Hi Andrew, Thanks very much for sending this to me. The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5) I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite.. I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are: o) Renewal: Renew certificate to be manually approved by agents o) Cisco VPN Client Enrolment The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that. The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page. I then use the <server>:9443/ca/agent/ca URL to approve my request. Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate. I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a bit of open_ssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one. I manage to import it into by machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it. After that is where the first thing looks different, but I wasn't too worried about. I get a message saying "Request For Permission to Use a Key", so I grant permission. Then things don't look go at all, as once I'm past that, all the pages say "Invalid Credential". I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag. Do you have any ideas where I have gone wrong with this please. Thank you very much. Richard. Unfortunately your version is old enough to miss new renewal profiles, which would make your task easier. Here is a simple way to renew your CA administrator certificate: 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in your new base64 encoded certificate, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface Thanks, Andrew ________________________________________ From: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> [pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] On Behalf Of Andrew Wnuk [awnuk@redhat.com<mailto:awnuk@redhat.com>] Sent: Thursday, October 03, 2013 6:05 PM To: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca Hi Richard, You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... and then add new certificate to CA administrator entry using console. Best, Andrew On 10/03/2013 08:49 AM, Richard Thomas wrote: Hi all, I hope someone would be able to help me with this. I have taken over a Dog Tag system and I have little knowledge of it. I need to renew the "CA Administrator of Instance pki-ca" certificate, as it is running out in a few weeks. Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it. I would massively appreciate any guidance on this. Thanks in advance, Richard. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com><mailto:info@the-logic-group.com><mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com><http://w... Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. _______________________________________________ Pki-users mailing list Pki-users@redhat.com<mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com> https://www.redhat.com/mailman/listinfo/pki-users The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [cid:image001.jpg@01CECA7C.5AE95680] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [cid:image001.jpg@01CECA7C.5AE95680] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info(a)the-logic-group.com www.the-logic-group.com Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system.

Hi Andrew, Thanks for that, I've been using certutil on a set of files that I have copied from /var/lib/pki-ca/alias/ to /tmp/alias/ so that I can practice on non live certificate database files. Here is what I have done whilst in the /tmp/alias/ directory: $certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u $certutil -d . -A -n 'ocspSigningCert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/OCSP Signing Certificate-2013-2014.pem' $certutil -d . -A -n 'subsystemCert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/CA Subsystem Certificate-2013-2014.pem' $certutil -d . -A -n 'caSigningCert cert-pki-ca' -t 'CTu,Cu,Cu' -a -i '/tmp/OCSP Signing Certificate-2013-2014.pem' $certutil -d . -A -n 'Server-Cert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/<primary server>-2013-2014.pem' $certutil -d . -A -n 'auditSigningCert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/CA Audit Signing Certificate-2013-2014.pem' $certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u ocspSigningCert cert-pki-ca CTu,Cu,Cu caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u I have a few queries about what I have done.... 1) The old and new certificates are in the database store, so how does DogTag know when to use the old and new certificates? E.G. Would I also have to update each ca.<cert type>.cert= parameter of /etc/pki-ca/CS.cfg with the new b64-encoded certificate? E.G. ca.audit_signing.cert=, ca.ocsp_signing.cert= etc. 2) I notice the following differences between original and new CA Audit Signing Certificates (may be on the others, but haven't looked yet). Is this anything to worry about? Original: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: <snip> Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1 Critical: no Access Description: Method #0: ocsp Location #0: URIName: http://<primary server name>:9180/ca/ocsp Identifier: Extended Key Usage: - 2.5.29.37 Critical: no Extended Key Usage: 1.3.6.1.5.5.7.3.4 New cert that I generated: Extensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 77:2E:A7:DA:1D:1C:AF:3A:2A:5C:09:02:80:B8:DD:31: 28:05:51:9A Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: B9:B9:F0:09:0C:A2:F3:E4:A2:D3:F6:B9:63:6B:EA:2C: 96:52:22:55 Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Thanks again, Richard Thomas Senior Network Engineer direct +44 (0)1252 644 265 switchboard +44 (0)1252 776755 email richard.thomas@the-logic-group.com<mailto:firstname.lastname@the-logic-group.com> From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 17 October 2013 01:43 To: Richard Thomas Cc: pki-users(a)redhat.com Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/16/2013 06:31 AM, Richard Thomas wrote: Hi Andrew, Thanks for your email, I got past that issue once I made some edits to some .cfg files in /var/lib/pki-ca/profiles/ca/ (shown at the bottom of this email). That meant I could get as far as "Install a certificate" and I got a choice of the following when doing so: o) Certificate Manager CA Signing Certificate(s) o) OCSP Signing Certificate(s) o) SSL Server Certificate(s) o) Cross-signed Certificate(s) o) Other Certificate(s) Please could you let me know which of the above option I should select. The first 3 options should work for your CA but you are missing entries for subsytem and audit certificates. You may import certificates manually using certutil. For this you need to 1. stop your CA 2. change directory to /var/lib/pki-ca/alias/ 3. check current content of CA's NSS-DB by running 4. certutil -d . -L 1. import certificates using identical trust bits and nicknames certutil -d . -A -n '<nickname>' -t '<trust>' -a -i '<file including b64-encoded certificate>' 2. start your CA If you need to alter nicknames, please reflect this in CS.cfg file. Thank you. Richard. Here's what I did to be able to "Renew certificate to be manually approved by agents". Edit file /var/lib/pki-ca/profiles/ca/caServerCert.cfg Change: visible=false enable=false To: visible=true enable=true Edit file /var/lib/pki-ca/profiles/ca/caOCSPCert.cfg Change: visible=false enable=false To: visible=true enable=true Edit file /var/lib/pki-ca/profiles/ca/caSignedLogCert.cfg Change: visible=false enable=false To: visible=true enable=true visible=true makes enrollment visible on enrollment list page enable=true enables specific enrollment profile Both changes are fine. service pki-cad restart From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 15 October 2013 17:41 To: Richard Thomas Cc: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/15/2013 02:35 AM, Richard Thomas wrote: Hi Andrew, Thanks again for getting back to me. Unfortunately, I didn't get very far. I've shown below what I have done and what it resulted in: o) Go to the <server>:9443/ca/agent/ca URL and list the certificates stored in Dogtag. o) Make a note of of the Certificate Serial Numbers of the following certificates and change the hex value into decimal: CN=OCSP Signing Certificate E.G. 2 CN=<primary server> E.G. 3 CN=CA Subsystem Certificate E.G. 4 CN=CA Audit Signing Certificate E.G. 5 CN=<secondary server> E.G. 268369921 o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" o) Submit each of the Certificate Serial Numbers noted above and make a note of the request ID For each Certificate Serial Number listed above that I submit, I get the following: Sorry, your request is not submitted. The reason is "Profile caServerCert Not Found". Check if caServerCert.cfg is listed under /var/lib/pki-ca/profiles/ca and then check if /var/lib/pki-ca/conf/CS.cfg includes profile.list= . . . ,caServerCert, . . . . . . profile.caServerCert.class_id=caEnrollImpl profile.caServerCert.config=/var/lib/pki-ca/profiles/ca/caServerCert.cfg . . . Please could you help me further. Many thanks. Richard. From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 12 October 2013 00:47 To: Richard Thomas Cc: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/11/2013 07:04 AM, Richard Thomas wrote: Hi Andrew, Thanks for those tips, I had some success, then difficulty and then success. Below is what I did, with some of my comments inline. Before I get to that though, there are some other certificates that are due to run out soon, but I think they should be easier to renew. The Common Name of those other certificates are: o) CN=OCSP Signing Certificate o) CN=<servername> o) CN=CA Subsystem Certificate o) CN=CA Audit Signing Certificate As I noticed below, that your server provides option to "Renew certificate to be manually approved by agents". You should used this option for all your renewals. Then start pkiconsole go to "System Keys and Certificates", select "Local Certificates", click on "Add/Renew", "Next" and "Install a certificate" Please could you help me and let me know what steps I should take for renewing these too. Thank you. Anyway, back to what I did to get the admin certificate updated. Your steps are still numbered, the ones that I did around them are identified with o) Here goes: o) Edit /var/lib/pki-ca/profiles/ca/caUserCert.cfg Change: visible=false enable=false To: visible=true enable=true o) Restart service "pki-cad" 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" This probably means that browser which generated certificate request (and the key) is not the same browser used to import certificate. o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" (make a note of the number) o) Go to the <server>:9443/ca/agent/ca URL to approve my request. (Use the number above) o) Go to the <server>:9444/ca/ee/ca URL to retrieve the certificate. (Use the number above) and click on the Issued certificate o) Extract the Base 64 encoded part of the certificate and save as <new certificate name>.pem o) Transfer <old certificate bundle name>.p12 and <new certificate name>.pem to a machine with openssl installed on it o) On a machine with openssl installed on it, submit following command: $openssl pkcs12 -in <old certificate bundle name>.p12 -out <old certificate bundle name>.pem -nodes o) Copy <old certificate bundle name>.pem to <new certificate bundle name>.pem o) Update <new certificate bundle name>.pem by replacing the relevant part of it with the contents of <new certificate name>.pem o) Cut the key part of <new certificate bundle name>.pem and create <certificate name>.key from it o) Submit following command: $openssl pkcs12 -export -in <new certificate bundle name>.pem -inkey <certificate name>.key -out <new certificate bundle name>.p12 o) Transfer <new certificate bundle name>.p12 to the machine with the web browser that you want to access Dog Tag from. o) Import <new certificate bundle name>.p12 into the machine. 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in the contents of <new certificate name>.pem, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 08 October 2013 19:26 To: Richard Thomas Cc: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/07/2013 11:41 AM, Richard Thomas wrote: Hi Andrew, Thanks very much for sending this to me. The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5) I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite.. I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are: o) Renewal: Renew certificate to be manually approved by agents o) Cisco VPN Client Enrolment The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that. The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page. I then use the <server>:9443/ca/agent/ca URL to approve my request. Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate. I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a bit of open_ssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one. I manage to import it into by machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it. After that is where the first thing looks different, but I wasn't too worried about. I get a message saying "Request For Permission to Use a Key", so I grant permission. Then things don't look go at all, as once I'm past that, all the pages say "Invalid Credential". I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag. Do you have any ideas where I have gone wrong with this please. Thank you very much. Richard. Unfortunately your version is old enough to miss new renewal profiles, which would make your task easier. Here is a simple way to renew your CA administrator certificate: 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in your new base64 encoded certificate, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface Thanks, Andrew ________________________________________ From: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> [pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] On Behalf Of Andrew Wnuk [awnuk@redhat.com<mailto:awnuk@redhat.com>] Sent: Thursday, October 03, 2013 6:05 PM To: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca Hi Richard, You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... and then add new certificate to CA administrator entry using console. Best, Andrew On 10/03/2013 08:49 AM, Richard Thomas wrote: Hi all, I hope someone would be able to help me with this. I have taken over a Dog Tag system and I have little knowledge of it. I need to renew the "CA Administrator of Instance pki-ca" certificate, as it is running out in a few weeks. Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it. I would massively appreciate any guidance on this. Thanks in advance, Richard. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com><mailto:info@the-logic-group.com><mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com><http://w... Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. _______________________________________________ Pki-users mailing list Pki-users@redhat.com<mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com> https://www.redhat.com/mailman/listinfo/pki-users The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [cid:image001.jpg@01CECB4C.A6C403E0] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [cid:image001.jpg@01CECB4C.A6C403E0] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info(a)the-logic-group.com www.the-logic-group.com Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system.

Hi Andrew, Thanks for that, it's been a while before I've been able to try the steps in https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... Below are the results of those steps. Step 3 resulted in: #certutil -K -d . certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa 422b5af15b44ea69130671f9eea3c047c0ad0080 (orphan) < 1> rsa 7ee73faba7c4f1a027f5b309d9175089a8a6f084 Server-Cert cert-pki-ca < 2> rsa 7bfe57e8f1adbe5d00f945be6cb167ce905dac3f ocspSigningCert cert-pki-ca < 3> rsa 78b0a760918b4a9ec312cc75408a23e551dbd615 caSigningCert cert-pki-ca < 4> rsa 99c4c03f6dd0bd4c90933b62c4b023d942f79d9e subsystemCert cert-pki-ca < 5> rsa 9b839620f5d6802fb4c938fe6f06bcc9a1de8a85 auditSigningCert cert-pki-ca Step 4 resulted in: #cp -r /var/lib/pki-ca/alias /tmp/alias/ #cd /tmp/alias/ #certutil -D -n "Server-Cert cert-pki-ca" -d . #certutil -D -n "ocspSigningCert cert-pki-ca" -d . #certutil -D -n "caSigningCert cert-pki-ca" -d . #certutil -D -n "subsystemCert cert-pki-ca" -d . #certutil -D -n "auditSigningCert cert-pki-ca" -d . Step 5 resulted in: #certutil -d . -R -k "NSS Certificate DB:cert-pki-ca" -s "<snip>" -a -o <snip>.req2.txt certutil: NSS Certificate DB:cert-pki-ca is neither a key-type nor a nickname: security library: bad database. #certutil -d . -R -k "NSS Certificate DB:cert-pki-ca" -s "CN=OCSP Signing Certificate,<snip>" -a -o OCSP.req2.txt certutil: NSS Certificate DB:cert-pki-ca is neither a key-type nor a nickname: security library: bad database. #certutil -d . -R -k "NSS Certificate DB:cert-pki-ca" -s "CN=<snip>" -a -o <snip>.req2.txt certutil: NSS Certificate DB:cert-pki-ca is neither a key-type nor a nickname: security library: bad database. #certutil -d . -R -k "NSS Certificate DB:cert-pki-ca" -s "CN=CA Subsystem Certificate,<snip>" -a -o CASub.req2.txt certutil: NSS Certificate DB:cert-pki-ca is neither a key-type nor a nickname: security library: bad database. #certutil -d . -R -k "NSS Certificate DB:cert-pki-ca" -s "CN=CA Audit Signing Certificate,<snip>" -a -o CAAudit.req2.txt certutil: NSS Certificate DB:cert-pki-ca is neither a key-type nor a nickname: security library: bad database. # I also tried the blow for the key-type or nickname and got the equivalent results: #certutil -d . -R -k "caSigningCert cert-pki-ca" ...etc #certutil -d . -R -k "ocspSigningCert cert-pki-ca" ...etc #certutil -d . -R -k "Server-Cert cert-pki-ca" ...etc #certutil -d . -R -k "subsystemCert cert-pki-ca" ...etc #certutil -d . -R -k "auditSigningCert cert-pki-ca" ...etc Please could you help me with these errors. Thank you. Richard Thomas Senior Network Engineer direct +44 (0)1252 644 265 switchboard +44 (0)1252 776755 email richard.thomas@the-logic-group.com<mailto:firstname.lastname@the-logic-group.com> From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 18 October 2013 18:27 To: Richard Thomas Cc: pki-users(a)redhat.com Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/17/2013 08:36 AM, Richard Thomas wrote: Hi Andrew, Thanks for that, I've been using certutil on a set of files that I have copied from /var/lib/pki-ca/alias/ to /tmp/alias/ so that I can practice on non live certificate database files. Here is what I have done whilst in the /tmp/alias/ directory: $certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u $certutil -d . -A -n 'ocspSigningCert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/OCSP Signing Certificate-2013-2014.pem' $certutil -d . -A -n 'subsystemCert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/CA Subsystem Certificate-2013-2014.pem' $certutil -d . -A -n 'caSigningCert cert-pki-ca' -t 'CTu,Cu,Cu' -a -i '/tmp/OCSP Signing Certificate-2013-2014.pem' $certutil -d . -A -n 'Server-Cert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/<primary server>-2013-2014.pem' $certutil -d . -A -n 'auditSigningCert cert-pki-ca' -t 'u,u,u' -a -i '/tmp/CA Audit Signing Certificate-2013-2014.pem' $certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u ocspSigningCert cert-pki-ca CTu,Cu,Cu OCSP trust bits should stay as "u,u,u" caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u I have a few queries about what I have done.... 1) The old and new certificates are in the database store, so how does DogTag know when to use the old and new certificates? Dogtag requests certificates by nickname. NSS library is providing the best choice based on nickname provided by Dogtag. To avoid any potential problem, you may choose to remove old certificates before importing the new certificates as suggested in the following documentation: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... 2) E.G. Would I also have to update each ca.<cert type>.cert= parameter of /etc/pki-ca/CS.cfg with the new b64-encoded certificate? E.G. ca.audit_signing.cert=, ca.ocsp_signing.cert= etc. 3) I notice the following differences between original and new CA Audit Signing Certificates (may be on the others, but haven't looked yet). Is this anything to worry about? Original: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: <snip> Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1 Critical: no Access Description: Method #0: ocsp Location #0: URIName: http://<primary server name>:9180/ca/ocsp Identifier: Extended Key Usage: - 2.5.29.37 Critical: no Extended Key Usage: 1.3.6.1.5.5.7.3.4 New cert that I generated: Extensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 77:2E:A7:DA:1D:1C:AF:3A:2A:5C:09:02:80:B8:DD:31: 28:05:51:9A Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: B9:B9:F0:09:0C:A2:F3:E4:A2:D3:F6:B9:63:6B:EA:2C: 96:52:22:55 Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key usage is the same so it should work as this is just auditing certificate. Thanks again, Richard Thomas Senior Network Engineer direct +44 (0)1252 644 265 switchboard +44 (0)1252 776755 email richard.thomas@the-logic-group.com<mailto:firstname.lastname@the-logic-group.com> From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 17 October 2013 01:43 To: Richard Thomas Cc: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/16/2013 06:31 AM, Richard Thomas wrote: Hi Andrew, Thanks for your email, I got past that issue once I made some edits to some .cfg files in /var/lib/pki-ca/profiles/ca/ (shown at the bottom of this email). That meant I could get as far as "Install a certificate" and I got a choice of the following when doing so: o) Certificate Manager CA Signing Certificate(s) o) OCSP Signing Certificate(s) o) SSL Server Certificate(s) o) Cross-signed Certificate(s) o) Other Certificate(s) Please could you let me know which of the above option I should select. The first 3 options should work for your CA but you are missing entries for subsytem and audit certificates. You may import certificates manually using certutil. For this you need to 1. stop your CA 2. change directory to /var/lib/pki-ca/alias/ 3. check current content of CA's NSS-DB by running 4. certutil -d . -L 1. import certificates using identical trust bits and nicknames certutil -d . -A -n '<nickname>' -t '<trust>' -a -i '<file including b64-encoded certificate>' 2. start your CA If you need to alter nicknames, please reflect this in CS.cfg file. Thank you. Richard. Here's what I did to be able to "Renew certificate to be manually approved by agents". Edit file /var/lib/pki-ca/profiles/ca/caServerCert.cfg Change: visible=false enable=false To: visible=true enable=true Edit file /var/lib/pki-ca/profiles/ca/caOCSPCert.cfg Change: visible=false enable=false To: visible=true enable=true Edit file /var/lib/pki-ca/profiles/ca/caSignedLogCert.cfg Change: visible=false enable=false To: visible=true enable=true visible=true makes enrollment visible on enrollment list page enable=true enables specific enrollment profile Both changes are fine. service pki-cad restart From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 15 October 2013 17:41 To: Richard Thomas Cc: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/15/2013 02:35 AM, Richard Thomas wrote: Hi Andrew, Thanks again for getting back to me. Unfortunately, I didn't get very far. I've shown below what I have done and what it resulted in: o) Go to the <server>:9443/ca/agent/ca URL and list the certificates stored in Dogtag. o) Make a note of of the Certificate Serial Numbers of the following certificates and change the hex value into decimal: CN=OCSP Signing Certificate E.G. 2 CN=<primary server> E.G. 3 CN=CA Subsystem Certificate E.G. 4 CN=CA Audit Signing Certificate E.G. 5 CN=<secondary server> E.G. 268369921 o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" o) Submit each of the Certificate Serial Numbers noted above and make a note of the request ID For each Certificate Serial Number listed above that I submit, I get the following: Sorry, your request is not submitted. The reason is "Profile caServerCert Not Found". Check if caServerCert.cfg is listed under /var/lib/pki-ca/profiles/ca and then check if /var/lib/pki-ca/conf/CS.cfg includes profile.list= . . . ,caServerCert, . . . . . . profile.caServerCert.class_id=caEnrollImpl profile.caServerCert.config=/var/lib/pki-ca/profiles/ca/caServerCert.cfg . . . Please could you help me further. Many thanks. Richard. From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 12 October 2013 00:47 To: Richard Thomas Cc: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/11/2013 07:04 AM, Richard Thomas wrote: Hi Andrew, Thanks for those tips, I had some success, then difficulty and then success. Below is what I did, with some of my comments inline. Before I get to that though, there are some other certificates that are due to run out soon, but I think they should be easier to renew. The Common Name of those other certificates are: o) CN=OCSP Signing Certificate o) CN=<servername> o) CN=CA Subsystem Certificate o) CN=CA Audit Signing Certificate As I noticed below, that your server provides option to "Renew certificate to be manually approved by agents". You should used this option for all your renewals. Then start pkiconsole go to "System Keys and Certificates", select "Local Certificates", click on "Add/Renew", "Next" and "Install a certificate" Please could you help me and let me know what steps I should take for renewing these too. Thank you. Anyway, back to what I did to get the admin certificate updated. Your steps are still numbered, the ones that I did around them are identified with o) Here goes: o) Edit /var/lib/pki-ca/profiles/ca/caUserCert.cfg Change: visible=false enable=false To: visible=true enable=true o) Restart service "pki-cad" 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" This probably means that browser which generated certificate request (and the key) is not the same browser used to import certificate. o) Go to the <server>:9444/ca/ee/ca URL o) Click on "Renewal: Renew certificate to be manually approved by agents" (make a note of the number) o) Go to the <server>:9443/ca/agent/ca URL to approve my request. (Use the number above) o) Go to the <server>:9444/ca/ee/ca URL to retrieve the certificate. (Use the number above) and click on the Issued certificate o) Extract the Base 64 encoded part of the certificate and save as <new certificate name>.pem o) Transfer <old certificate bundle name>.p12 and <new certificate name>.pem to a machine with openssl installed on it o) On a machine with openssl installed on it, submit following command: $openssl pkcs12 -in <old certificate bundle name>.p12 -out <old certificate bundle name>.pem -nodes o) Copy <old certificate bundle name>.pem to <new certificate bundle name>.pem o) Update <new certificate bundle name>.pem by replacing the relevant part of it with the contents of <new certificate name>.pem o) Cut the key part of <new certificate bundle name>.pem and create <certificate name>.key from it o) Submit following command: $openssl pkcs12 -export -in <new certificate bundle name>.pem -inkey <certificate name>.key -out <new certificate bundle name>.p12 o) Transfer <new certificate bundle name>.p12 to the machine with the web browser that you want to access Dog Tag from. o) Import <new certificate bundle name>.p12 into the machine. 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in the contents of <new certificate name>.pem, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface From: Andrew Wnuk [mailto:awnuk@redhat.com] Sent: 08 October 2013 19:26 To: Richard Thomas Cc: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca On 10/07/2013 11:41 AM, Richard Thomas wrote: Hi Andrew, Thanks very much for sending this to me. The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5) I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite.. I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are: o) Renewal: Renew certificate to be manually approved by agents o) Cisco VPN Client Enrolment The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that. The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page. I then use the <server>:9443/ca/agent/ca URL to approve my request. Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate. I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a bit of open_ssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one. I manage to import it into by machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it. After that is where the first thing looks different, but I wasn't too worried about. I get a message saying "Request For Permission to Use a Key", so I grant permission. Then things don't look go at all, as once I'm past that, all the pages say "Invalid Credential". I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag. Do you have any ideas where I have gone wrong with this please. Thank you very much. Richard. Unfortunately your version is old enough to miss new renewal profiles, which would make your task easier. Here is a simple way to renew your CA administrator certificate: 1. Go to EE interface (typically https://<hostname>:9444/ca/ee/ca/) and select "Manual User Dual-Use Certificate Enrollment" 2. Fill out the form and submit request 3. Go to Agent interface (typically https://<hostname>:9443/ca/agent/ca/) and approve submitted request 4. Return to EE interface, select "Retrieval" tab and "Check Request Status". 5. Type in request number and press submit. 6. Click on issued certificate serial number. 7. Go to the end of page displaying certificate and press "Import Your Certificate" 8. Start pkiconsole (typically by running "pkiconsole https://`hostname`:9445/ca") 9. Select "Users and Groups" and select your admin entry. 10. Press "Certificates" button then "Import" and paste in your new base64 encoded certificate, then OK and "Done" 11. Clear SSL cache in the browser or restart your browser. 12. You should now be able to use your new certificate to access Agent interface Thanks, Andrew ________________________________________ From: pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com> [pki-users-bounces@redhat.com<mailto:pki-users-bounces@redhat.com>] On Behalf Of Andrew Wnuk [awnuk@redhat.com<mailto:awnuk@redhat.com>] Sent: Thursday, October 03, 2013 6:05 PM To: pki-users@redhat.com<mailto:pki-users@redhat.com> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca Hi Richard, You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... and then add new certificate to CA administrator entry using console. Best, Andrew On 10/03/2013 08:49 AM, Richard Thomas wrote: Hi all, I hope someone would be able to help me with this. I have taken over a Dog Tag system and I have little knowledge of it. I need to renew the "CA Administrator of Instance pki-ca" certificate, as it is running out in a few weeks. Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it. I would massively appreciate any guidance on this. Thanks in advance, Richard. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com><mailto:info@the-logic-group.com><mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com><http://w... Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. _______________________________________________ Pki-users mailing list Pki-users@redhat.com<mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com><mailto:Pki-users@redhat.com> https://www.redhat.com/mailman/listinfo/pki-users The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [cid:image001.jpg@01CED4B1.64DF78B0] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [cid:image001.jpg@01CED4B1.64DF78B0] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info@the-logic-group.com<mailto:info@the-logic-group.com> www.the-logic-group.com<http://www.the-logic-group.com> Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. The world's first PCI accreditation for a Point to Point Encryption application. Find out more...<http://www.the-logic-group.com/pressrelease/Worlds-First-Accre... The Logic Group Enterprises Limited Logic House Waterfront Business Park Fleet, Hampshire GU51 3SB United Kingdom phone fax email web +44 1252 776 700 +44 1252 776 738 info(a)the-logic-group.com www.the-logic-group.com Registered in England Number 2609323 [http://www.the-logic-group.com/UploadedImages/34e428b6-82a8-46f4-999d-894...] The Logic Group Enterprises Limited, Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, United Kingdom. Registered in England. Registered No. 2609323 The information in this email and any attachments are confidential and may be legally privileged and protected by law. It is for the intended recipient only. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system.