How to do bulk issuance with Red Hat Certificate System 10 and 9
On Fri, Oct 1, 2021 at 9:39 PM Marc Sauton <msauton(a)redhat.com> wrote:
update:
the interface is also different, and we have Python tools, so the
procedure can be completely changed into this "better" example using the
command line tool "pki" with the module cert-request-submit (but it may
be slower):
# some variables
#
export d=/var/tmp/testDir
export p=password
export f=/var/tmp/server.csr.txt
# nickname of the agent cert as it will appear in the NSS db after the
# PKCS #12 import below (check with: certutil -L -d ${d})
export nick="PKI Administrator for example.test"
export cahost=1.2.3.4
export caport=8443
mkdir -p ${d}
cat << EOF > ${d}/pwd.txt
password
EOF
# needs a NSS db for an agent with SSL client certificate for automatic
# cert issuance
#
pki -d ${d} -c ${p} client-init
# have the admin PKCS #12 file from a prior CA install, import it
pk12util -i ~/ca_admin_cert.p12 -d ${d}
# need the CA cert (run on the CA host, instance subca1)
pki-server cert-export ca_signing -i subca1 --cert-file ${d}/myca.crt
# import that CA cert
pki -d ${d} -n "${nick}" -C ${d}/pwd.txt client-cert-import myCA --ca-cert ${d}/myca.crt
# verify the admin cert trust chain
certutil -O -d ${d}/ -n "PKI Administrator for example.test"
"myCA" [CN=CA Signing Certificate,OU=rootca1,O=Root CA1 Example Test]
"PKI Administrator for example.test" [CN=PKI Administrator,E=caadmin(a)example.test,OU=rootca1,O=Root CA1 Example Test]
# create some CSR individual files with header and footer
#
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -n "cn=testms${i}.example.test"; done
# sequentially submit those CSR files to the CA
#
tail -f /var/log/pki/subca1/ca/transactions &
time for i in {1..10}; do pki -U https://${cahost}:${caport}/ca -d ${d} -n "${nick}" -C ${d}/pwd.txt ca-cert-request-submit --profile caAgentServerCert --csr-file ${f}.${i} ; done
Thanks,
M.
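The CSR normalization that the rest of this thread works through (stripping the PEM header and footer into one base64 line, URL-encoding it for a form-style submission, and the "Sequence tag error -1" the CA raises when what arrives is not a single DER SEQUENCE) can be checked on the client before anything is submitted. The following Python is an added example, not code from this thread or from Dogtag/RHCS: the DER bytes in it are a constructed two-integer SEQUENCE standing in for a real PKCS #10 request, the concatenated sample file is built inline, and the function names are mine.

```python
import base64
import binascii
import re
import urllib.parse

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
_PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def extract_pem_bodies(text):
    """Return the base64 body of every PEM CSR in text, each collapsed to one
    line with all whitespace (CR, LF, spaces) removed."""
    return [re.sub(r"\s+", "", m.group(1)) for m in _PEM_RE.finditer(text)]


def der_sequence_length(data):
    """Parse the outer DER header and return (header_len, content_len).
    Raises ValueError if the first byte is not the SEQUENCE tag 0x30 or the
    length octets are malformed (long form longer than 4 bytes is rejected)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("Sequence tag error: outer tag is not 0x30")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def check_single_csr(body_b64):
    """Decode a one-line base64 body and verify it is exactly one DER SEQUENCE
    with no leftover bytes. Returns (ok, reason)."""
    try:
        der = base64.b64decode(body_b64, validate=True)
    except (binascii.Error, ValueError) as e:
        return False, "not valid base64: %s" % e
    try:
        hdr_len, content_len = der_sequence_length(der)
    except ValueError as e:
        return False, str(e)
    if hdr_len + content_len != len(der):
        return False, "SEQUENCE length %d does not match %d bytes decoded" % (
            hdr_len + content_len, len(der))
    return True, "ok"


def form_encode(body_b64):
    """URL-encode a base64 body for a form-style submission, as the old perl
    step intended: '+' -> %2B, '/' -> %2F, and '=' padding -> %3D."""
    return urllib.parse.quote(body_b64, safe="")


# Constructed stand-in for a CSR: a DER SEQUENCE of two INTEGERs, not a real
# PKCS #10 request, but enough to exercise the tag/length checks above.
SAMPLE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()      # "MAYCAQECAQI="
SAMPLE_PEM = "%s\r\n%s\r\n%s\r\n" % (BEGIN, SAMPLE_B64, END)

# Two PEM files concatenated the way the old "cat >> ${f}" loop did it.
SAMPLE_BULK = SAMPLE_PEM + SAMPLE_PEM


def summarize(bulk_text):
    """Per-CSR results for a concatenated file, plus what happens if the
    whole file is naively squashed into one line with the headers inside."""
    per_csr = [check_single_csr(b)[0] for b in extract_pem_bodies(bulk_text)]
    naive = check_single_csr(re.sub(r"\s+", "", bulk_text))[0]
    return per_csr, naive


if __name__ == "__main__":
    print(extract_pem_bodies(SAMPLE_BULK))
    print(summarize(SAMPLE_BULK))
    print(check_single_csr(SAMPLE_B64[:8]))    # truncated body
    print(form_encode(SAMPLE_B64))
```

Run against the per-file outputs of the PKCS10Client loop, `check_single_csr` rejects the two failure modes the thread describes: header text left inside the body (not valid base64) and a body whose outer SEQUENCE length does not cover the bytes decoded (cut or glued requests), both of which surface server-side only as the generic "Sequence tag error" in the CA log.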
On Fri, Oct 1, 2021 at 7:25 PM Marc Sauton <msauton(a)redhat.com> wrote:
> those steps come from an older article at
> https://access.redhat.com/solutions/44042 , originally on RHEL-5 for
> RHCS-8 (and my fault).
> I think the perl command in the step 4 after the loop on
> PKCS10Client, is now incorrect, the goal was to remove the header and
> footer of the CSR, but it seems the resulting file with several CSR is now
> incorrect with mangled headers.
>
> so I would change the step 4 from
> "
> time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; cat ${f}.${i} >> ${f}; done
> perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f}
> wc -l ${f}
> "
>
> to create a request and make it one line without header and footer within
> the loop:
> "
> time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -n "cn=testms${i}.example.com"; sed -i.orig -rn '/^-----BEGIN CERTIFICATE REQUEST-----$/{:1;n;/^-----END CERTIFICATE REQUEST-----$/b2;H;b1};:2;${x;s/\s//g;p}' ${f}.${i} ; cat ${f}.${i} >> ${f}; done
> wc -l ${f}
> "
>
> and the sslget command did work ok for me.
>
> and note the CA restart is not needed in the step 1 ( is not in the
> original article)
>
> There are different ways to create and submit CSR, this was one example.
>
> I am going to correct the article and open a doc bug.
>
> Thanks for pointing this out, and your patience.
> M.
>
> On Wed, Sep 22, 2021 at 2:25 PM Hank Hotz <Hank_Hotz(a)na.honda.com> wrote:
>
>> I’m trying to demonstrate that Dogtag could support issuing certs to a
>> Linux version which I can’t get information on. Using Fedora 34 for initial
>> proof-of-concept.
>>
>> I’ve managed to work through a lot of the errors in
>> https://access.redhat.com/documentation/en-us/red_hat_certificate_system/....
>> (The page doesn’t seem to be maintained. Where can I submit corrections?)
>>
>> I’m stuck on the last step though. Until I get a working example, I
>> can’t tell what’s wrong with the format of the request. The error I get
>> follows. If other info would be useful, like the full traceback, or the
>> request as actually formatted by the perl command, just let me know.
>>
>> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] WARNING: CertProcessor: No authenticator credentials required
>> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: DBSSession: reading cn=8,ou=certificateRepository, ou=ca, o=pki-tomcat-CA
>> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: AgentCertAuthentication: authenticated uid=newcaagent,ou=people,o=pki-tomcat-CA
>> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] INFO: EnrollProfile: Parsing PKCS #10 request:
>> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: Unable to parse PKCS #10 request: Sequence tag error -1
>> java.io.IOException: Sequence tag error -1
>>         at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)
>> [ . . . traceback with no explicit errors . . . ]
>> 2021-09-21 17:55:08 [https-jsse-nio-8443-exec-16] SEVERE: ProfileSubmitServlet: error in processing request: Invalid Request
>> Invalid Request
>>         at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:247)
>> [ . . . traceback including . . . ]
>>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>         at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>>         at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>         at java.base/java.lang.Thread.run(Thread.java:829)
>> Caused by: java.io.IOException: Sequence tag error -1
>>         at org.mozilla.jss.netscape.security.util.DerInputStream.getSequence(DerInputStream.java:243)
>>         at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:143)
>>         at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)
>>         at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:238)
>>         ... 50 more
>>
>> Thanks for any help. If I get past proof of concept, I can engage
>> Honda’s support contract with IBM, but I’m not there yet.
>>
>> Confidentiality Notice: This transmission (including any attachments)
>> may contain confidential information belonging to the sender and is
>> intended only for the use of the party or entity to which it is addressed.
>> If you are not the intended recipient, you are hereby notified that any
>> disclosure, copying, distribution, retention or the taking of action in
>> reliance on the contents of this transmission is strictly prohibited. If
>> you have received this transmission in error, please immediately notify the
>> sender and erase all information and attachments.
>> _______________________________________________
>> Pki-users mailing list -- users(a)lists.dogtagpki.org
>> To unsubscribe send an email to users-leave(a)lists.dogtagpki.org