So far, attempts to set up user certs using Dogtag CA fail, while self-signed client certificates work fine.
The end goal is to have tomcat pass a user cert to an application, which will authenticate and bypass the initial login screen.
The details:

Dogtag 9.0 installed on a CentOS 6.4 server.

Server cert is set up correctly in the local keystore and the tomcat server.xml is configured:

    <Connector SSLEnabled="true"
               maxThreads="150"
               maxSpareThreads="75"
               minSpareThreads="25"
               acceptCount="100"
               clientAuth="true"
               disableUploadTimeout="true"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               URIEncoding="UTF-8"
               keyAlias="tomcat"
               keystoreFile="/opt/SSL-keystore.jks"
               keystorePass="PKI-server-cert"
               keystoreType="JKS"
               truststoreFile="/opt/SSL-truststore.p12"
               truststorePass="PKI-CA-cert"
               truststoreType="PKCS12"
               port="8443"
               scheme="https"
               secure="true"
               sslProtocol="TLS"/>
This works correctly with a self-signed user cert: the browser requests a user cert before displaying the initial login screen.

The next step is to create a truststore entry referencing Dogtag's CA certificate and user cert.
Searching the web for Dogtag user certs, openssl and Fedora/user documentation has not yielded any detailed User Guides or user notes.

Both the Admin and Agent Guide were useful for defining admin and agent usage, but did not provide detailed information on importing a cert authority into a truststore or using the truststore to sign an X509 client certificate.
Once the client certificate handshake is established, can tomcat parse the certificate, or would apache mod_SSL be a better choice?

Finally, can/should the application use an openssl ocsp call to validate the certificate?
At this point, I'm not knowledgeable enough with PKI and Dogtag to define a workable solution.
Have I missed some essential documentation?
Has anyone found or written any Dogtag User Notes or have references to Dogtag usage?
Any recommendations would be appreciated.
Chris Grijalva
Configuration Management | Data Fusion & Analytics
Sotera Defense Solutions, Inc.
o: 512.814.0186
c: 713.291.2215
f: 512.814.0308
e: chris.grijalva@soteradefense.com
w: www.soteradefense.com
Potomac Fusion, LLC is now the Data Fusion & Analytics business of Sotera Defense Solutions
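As an added illustration of the step the message above is stuck on (this is not code from the original post or from the Dogtag project), the script below stands up a throwaway CA in place of Dogtag, issues one user certificate from it, builds a PKCS12 truststore that holds only the CA certificate and no private key, and then runs the same chain check that tomcat performs with clientAuth="true": a certificate issued by the trusted CA passes, a self-signed one is rejected. All names, passwords and paths are constructed for the demo; the CA itself and the signing step are what Dogtag provides, while the truststore only holds the CA certificate and never signs anything.

```shell
#!/bin/sh
# Added demo (not from the original message). Constructed PKI: a stand-in CA,
# a user cert it issued, a self-signed user cert it did not, and a cert-only
# PKCS12 truststore. Requires the openssl command-line tool.
set -e

# build_demo_pki DIR: write ca.crt, ca.key, user.crt, selfsigned.crt and
# truststore.p12 into DIR.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Throwaway CA. With Dogtag you would export its CA signing cert instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA (stand-in for Dogtag)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. User key + CSR, then a cert signed by the CA. Dogtag's enrollment
    #    profiles do this step; the truststore never signs anything.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.crt" 2>/dev/null
    # 3. A self-signed user cert, i.e. one the CA never issued.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=self-signed-user" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
    # 4. Truststore: PKCS12 containing the CA certificate only (no private key).
    #    The password "PKI-CA-cert" is a demo value.
    openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
        -out "$dir/truststore.p12" -passout pass:PKI-CA-cert
}

# verify_client_cert TRUSTSTORE PASSWORD CERT: return 0 only if CERT chains to
# a CA held in TRUSTSTORE (the check tomcat applies to a presented client cert).
verify_client_cert() {
    store="$1"; pass="$2"; cert="$3"
    # Pull the trusted certificate(s) back out of the PKCS12 as PEM.
    trusted=$(openssl pkcs12 -in "$store" -passin "pass:$pass" -nokeys 2>/dev/null) \
        || return 1
    [ -n "$trusted" ] || return 1
    capem=$(mktemp)
    printf '%s\n' "$trusted" > "$capem"
    openssl verify -CAfile "$capem" "$cert" >/dev/null 2>&1
    rc=$?
    rm -f "$capem"
    return $rc
}

# client_cert_subject CERT: the subject DN an application would read from the
# certificate after the handshake succeeds.
client_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone run: build the demo PKI and show both outcomes.
demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for c in user.crt selfsigned.crt; do
    if verify_client_cert "$demo_dir/truststore.p12" PKI-CA-cert "$demo_dir/$c"; then
        echo "$c: accepted, $(client_cert_subject "$demo_dir/$c")"
    else
        echo "$c: rejected, does not chain to a CA in the truststore"
    fi
done
```

On a real deployment the CA certificate exported from Dogtag would normally be imported with keytool (`keytool -importcert -trustcacerts -alias dogtag-ca -file ca.crt -keystore truststore.p12 -storetype PKCS12`), which stores it as a trusted entry the way tomcat expects; openssl is used here only so the script runs without a JDK. Once the handshake succeeds, tomcat exposes the client's certificate chain to the web application through the standard servlet request attribute `javax.servlet.request.X509Certificate`, so the application can read the subject DN itself without involving mod_SSL. Revocation is a separate question from chain validation: `openssl ocsp` needs the URL of the CA's OCSP responder, and the check above says nothing about whether the certificate has been revoked.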