On 01/19/2012 11:45 AM, Mike Helm wrote:
> Yes.
>> #1 - given the above, is Dogtag able to deal with these certificates (I
>> am so far under the impression that indeed it can)
> Deal with - what do you mean? Do you mean, process requests and provide
> a certificate that these apps can understand? (If so the answer is probably
> yes; we use certs in many services, but we don't happen to use puppet or
> func, although I would like to).
Yeah, that's what I was asking. I'm fairly new to the intricacies of
certificates; I've used them for https, but when looking at certificates
for https-based websites and the certs used for/by puppet there were
numerous differences. I presume though that most of the differences are
in the certificate creation process, and not the signing.
>> #2 - How does one request a certificate from the installed pki-ca?
> There are a couple of possibilities. You can essentially screen scrape &
> script the posting of the requests to the request interface.
> You can use the RA and either adapt some of the existing scripts in the RA or
> just focus on the submission portion of the RA and build an appropriate
> request. Usually, you have to adjust the profile to do the right thing -
> to expect the right variables from the PUT url.
> You can adapt the XML interface (I think - haven't explored that).
>>
>> requesting a certificate would submit some form of authentication.
> They could be authenticated or not. The RA would allow you to use
> whatever authentication you wanted - eg you could accept any request
> from designated IP addresses, or network masks, or you could probably
> use OAuth or Kerberos, or something else entirely.
> Or you could leave the requests to queue up unauthenticated & have
> an agent verify the requests before manually issuing them.
> Other possibilities exist probably.
Great, that's some good information.
>> don't expect any device to request a certificate without me knowing it
>> needs one and initiating the process somehow, so the added authentication
>> seems unneeded in my case.
>> At the moment I'm used to puppet or func; you have a puppetca function
>> that can tell me the certificate signing requests pending approval. Is
>> this workflow fundamentally different than dogtag?
> I don't know puppet or what sounds like its internal CA (puppetca) so I couldn't
> be sure how it works. You should get a response back from either the dogtag
> CA or RA that something happened to the request (accepted/approved/rejected/error)
> and you can act on that returned value. How flexible the app is would
> determine how useful that message will be.
> Usual disclaimers - I could be wrong!
So an additional issue, once I configured the CA, it gives me a link to
a page that has XXXXXX Certificate System and lists "SSL End Users
Services" as well as "Agent Services". All I did was go through the
setup of the CA service. If I click on either of those, I get a white
blank screen. I have no idea how to debug this, I can't seem to find any
error messages in /var/log/pki-ca to even point me anywhere, when I do
request those pages, *nothing* shows up in any of the many log files in
that directory. Any pointers?
The urls are:
https://hostname:9445/ca/services
which has links to:
https://hostname:9444/ca/ee/ca
https://hostname:9443/ca/agent/ca
Pointers would be much appreciated.
--
Nathanael d. Noblet
t 403.875.4613
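As an added example that is not part of the thread and not Dogtag's own code: the "script the posting of the requests to the request interface" route Mike describes, and the "act on the returned value" step, written in Python with only the standard library. It assumes the Dogtag 9 servlet paths and parameter names given in the module docstring (profileSubmit on the EE port, profileProcess on the agent port, i.e. the 9444 and 9443 URLs at the end of the message), the stock caServerCert profile as a default, and the status-code meanings listed there, all of which should be checked against the installed release. The two XML replies are constructed for the example, not captured from a CA.

```python
"""Script the posting of a PKCS#10 CSR to a Dogtag 9 CA and act on the reply.

Hypothetical helper, not Dogtag's own code. Assumed (check against your
release):
  - EE servlet    /ca/ee/ca/profileSubmit  (profileId, cert_request_type,
                  cert_request, xmlOutput=true), reachable without a client cert
  - agent servlet /ca/agent/ca/profileProcess (requestId, op=approve),
                  which requires the agent's client certificate
  - <XMLResponse> Status codes: 0 success, 1 rejected, 2 error, 3 pending
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

EE_SUBMIT_PATH = "/ca/ee/ca/profileSubmit"
AGENT_PROCESS_PATH = "/ca/agent/ca/profileProcess"
STATUS_NAMES = {0: "success", 1: "rejected", 2: "error", 3: "pending"}

# Constructed sample replies (shape modelled on Dogtag's xmlOutput, not captured).
SAMPLE_PENDING_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<XMLResponse>
  <Status>3</Status>
  <Requests><Request>
    <Id>42</Id>
    <SubjectDN>CN=host01.example.com</SubjectDN>
  </Request></Requests>
</XMLResponse>"""
SAMPLE_ERROR_REPLY = b"""<XMLResponse><Status>2</Status>
<Error>Request Rejected - Invalid Request</Error></XMLResponse>"""


def build_submit_fields(csr_pem, profile_id="caServerCert", requestor_name=None):
    """Fields profileSubmit expects; the PEM CSR is sent verbatim."""
    fields = {
        "profileId": profile_id,
        "cert_request_type": "pkcs10",
        "cert_request": csr_pem.strip(),
        "xmlOutput": "true",
    }
    if requestor_name:
        fields["requestor_name"] = requestor_name
    return fields


def parse_submit_response(xml_bytes):
    """Reduce the <XMLResponse> document to a dict a caller can branch on."""
    root = ET.fromstring(xml_bytes)  # expat does not fetch external entities
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status_text = root.findtext("Status")
    if status_text is None:
        raise ValueError("reply carries no <Status>; probably an HTML error page")
    status = int(status_text)
    reqs = [{"id": r.findtext("Id"),
             "subject": r.findtext("SubjectDN"),
             "cert_b64": r.findtext("b64")}  # present once the cert is issued
            for r in root.findall("Requests/Request")]
    return {"status": status,
            "state": STATUS_NAMES.get(status, "unknown"),
            "error": root.findtext("Error"),
            "requests": reqs}


def _post(url, fields, cafile, client_cert=None):
    """HTTPS form POST that verifies the CA's server cert against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:  # (cert_path, key_path) for the agent port
        ctx.load_cert_chain(*client_cert)
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()


def submit_csr(ee_base, csr_pem, cafile, profile_id="caServerCert"):
    """Unauthenticated submission on the EE port (e.g. https://host:9444)."""
    raw = _post(ee_base.rstrip("/") + EE_SUBMIT_PATH,
                build_submit_fields(csr_pem, profile_id), cafile)
    return parse_submit_response(raw)


def approve_request(agent_base, request_id, cafile, agent_cert, agent_key):
    """Agent-side approval of a queued request (e.g. https://host:9443)."""
    return _post(agent_base.rstrip("/") + AGENT_PROCESS_PATH,
                 {"requestId": str(request_id), "op": "approve", "xmlOutput": "true"},
                 cafile, client_cert=(agent_cert, agent_key))


def next_action(result):
    """What a puppetca-style wrapper would do with a parsed reply."""
    if result["state"] == "success" and result["requests"]:
        return "install"  # the certificate is in result["requests"][0]["cert_b64"]
    if result["state"] == "pending":
        return "queue:" + ",".join(r["id"] for r in result["requests"])
    return "fail:" + (result["error"] or result["state"])
```

Usage: generate the key and CSR on the host with `openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr`, then call `submit_csr("https://hostname:9444", open("host.csr").read(), "ca.crt")`; a profile that leaves requests for an agent returns a pending reply whose request ID is what `approve_request` later takes, while a profile with automatic approval returns the certificate in the same reply. The server certificate is always checked against the CA's own cert file, since the CSR travels over the EE port without any client authentication.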