On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote: > Hello everyone, > > I have a requirement to provide a service to our internal linux systems to > allow them to self-register and receive a certificate representing the host > itself and then a cert representing any application on that host. I have > installed DogTag, it's up and running and seems to be working. > > I'd like to be able to use REST to request a certificate and have it > auto-signed. I know that DogTag has a REST interface and while the > interface is documented, there are no examples where I can see how it would > actually be used to post a CSR, fetch a cert, etc. > > Normally, I'd just sniff a request made with getcert but as I'm using just > dogtag as a standalone install and not as a part of FreeIPA, getcert has no > knowledge of my local DogTag CA: > > *[root@dogtag lib]# getcert list-casCA 'SelfSign': is-default: > no ca-type: INTERNAL:SELF next-serial-number: 01CA > 'IPA': is-default: no ca-type: EXTERNAL > helper-location: /usr/libexec/certmonger/ipa-submitCA 'certmaster': > is-default: no ca-type: EXTERNAL helper-location: > /usr/libexec/certmonger/certmaster-submitCA > 'dogtag-ipa-renew-agent': is-default: no ca-type: > EXTERNAL helper-location: > /usr/libexec/certmonger/dogtag-ipa-renew-agent-submitCA 'local': > is-default: no ca-type: EXTERNAL helper-location: > /usr/libexec/certmonger/local-submit* > > so... how do I make it aware? I'm using fedora21 so I'm at > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It > looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure what > to add. If you're after something you can use to poke at the server from the command line, the 'pki' tool from the 'pki-tools' package may be closer to what you're looking for. If not, well, here's more than you probably want to know. The CAs which certmonger knows about by default are the ones that don't require any additional configuration to be passed to them. For example, the ipa-submit helper can dig up all of the configuration that it needs from the IPA configuration files. Along similar lines, the dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration for some settings, and have hardwired defaults for the rest. The general-purpose dogtag-submit helper doesn't have that expectation, and it hasn't seen much use yet, so you may find some bugs (well, more than usual). Anyway, a new file telling certmonger how to invoke it would look something like this: id=Dogtag ca_type=EXTERNAL ca_external_helper=/usr/libexec/certmonger/dogtag-submit ... The flags that would be passed to the dogtag-submit helper depend on whether or not it's expected to use agent creds to use Dogtag's agent services to approve the signing requests that it submits. Briefly: -T caServerCert The name of the Dogtag enrollment profile to use. -E http://server:8080/ca/ee/ca The location of Dogtag's end-user service. -A https://server:8443/ca/agent/ca The location of Dogtag's agent services, if agent creds will be used. -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt The location of the agent creds, if agent creds will be used. Some words of caution: the helper doesn't use the new REST API, but rather the old forms-based one, due to a combination of wanting to remain compatible with older versions of Dogtag and wanting to avoid adding new dependencies to the server via the REST API. If you try to use agent creds to auto-approve things, but the enrollment profile doesn't provide defaults for every extension value that it populates, the logic in dogtag-submit that tries to use agent creds to approve requests won't be able to tell the server to just use the defaults, and things could go awry. The -O flag may help here. You may want to run dogtag-submit interactively to get the flags sorted out, passing in previous output using the -S flag to mimic the certmonger daemon running it iteratively. > I apologize in advance for the pedestrian questions. I have read the docs > and the getting started guide and while they provide examples for > self-signed certs and for using FreeIPA, I don't see much info on using > getcert with DogTag as a standalone product. I'd also like to explore using > SCEP for requesting certs from our MS PKI. Is there a guide or info setting > up certmonger/getcert to hit a SCEP URL? That functionality was new in 0.77, and I've just submitted a candidate update build for F21, so hopefully some will be available in the updates-testing tree this week. Anyway, the short version of how to use an SCEP server is: * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at your SCEP server's URL and give the CA a nickname. * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted copy of the CA's certificate. If not, use "getcert list" and "getcert list-cas" to display request and certificate fingerprints for manual verification. * Use "getcert -c $NAME" to request a certificate. * Use the -L or -l flag to supply the enrollment PIN or point to a file that contains the enrollment PIN. A lot of the logic for supporting SCEP is new, so if you run into problems in that area, please make sure to let us know. HTH, Nalin

I should add too that *curl --cacert ca.crt https://dogtag.test.org:8443/ca/services <https://dogtag.test.org:8443/ca/services> *does get a valid response while using that file with the -C switch on dogtag-submit does not. On Fri, Apr 3, 2015 at 3:47 PM, Steve Neuharth <steve(a)sylvation.com&gt; wrote: > Thanks again for the information. I have a couple more questions for you. > > first is that I have added a new 'Dogtag' ca in > /var/lib/certmonger/cas/20150331194831-5 > > > > > > > > > *id=Dogtagca_aka=Dogtag > PKIca_is_default=0ca_type=EXTERNALca_external_helper=/usr/libexec/certmonger/dogtag-submitca_required_enroll_attributes=template-subjectca_required_renewal_attributes=template-subject* > > however, when I run getcert list-cas, it does not appear > > The next question is regarding the dogtag-submit helper itself. I'm > trying to execute this: > > */usr/libexec/certmonger/dogtag-submit -vv -c ~/test.crt -k ~/test.key -E > https://dogtag.test.org:8443/ca/ee/ca > <https://dogtag.test.org:8443/ca/ee/ca> -A > https://dogtag.test.org:8443/ca/agent/ca > <https://dogtag.test.org:8443/ca/agent/ca> -T caServerCert -d > /etc/httpd/alias -n caadmin -p /etc/pki/pki-tomcat/alias/pwdfile.txt -C > /etc/pki/pki-tomcat/alias* > > and then I paste in my csr and hit 'ctrl-d' and I get: > > > > > > > *code = 77code_text = "Problem with the SSL CA cert (path? access > rights?)"results = "(null)"Error 77 connecting to > https://dogtag.test.org:8443/ca/ee/ca/profileSubmit > <https://dogtag.test.org:8443/ca/ee/ca/profileSubmit>;: Problem with the SSL > CA cert (path? access rights?).* > I guess I'm not sure what CA cert path it's talking about. I've tried the > pki-tomcat alias path and I've tried pointing to the CAcert that I > downloaded from the WebUI on the 'Import CA Certificate Chain' page but > I always get the same error. > > Thanks for your help, > --steve > > On Wed, Apr 1, 2015 at 4:43 PM, Nalin Dahyabhai <nalin(a)redhat.com&gt; wrote: > >> On Wed, Apr 01, 2015 at 03:37:58PM -0500, Steve Neuharth wrote: >> > Hello everyone, >> > >> > I have a requirement to provide a service to our internal linux >> systems to >> > allow them to self-register and receive a certificate representing the >> host >> > itself and then a cert representing any application on that host. I >> have >> > installed DogTag, it's up and running and seems to be working. >> > >> > I'd like to be able to use REST to request a certificate and have it >> > auto-signed. I know that DogTag has a REST interface and while the >> > interface is documented, there are no examples where I can see how it >> would >> > actually be used to post a CSR, fetch a cert, etc. >> > >> > Normally, I'd just sniff a request made with getcert but as I'm using >> just >> > dogtag as a standalone install and not as a part of FreeIPA, getcert >> has no >> > knowledge of my local DogTag CA: >> > >> > *[root@dogtag lib]# getcert list-casCA 'SelfSign': is-default: >> > no ca-type: INTERNAL:SELF next-serial-number: 01CA >> > 'IPA': is-default: no ca-type: EXTERNAL >> > helper-location: /usr/libexec/certmonger/ipa-submitCA 'certmaster': >> > is-default: no ca-type: EXTERNAL helper-location: >> > /usr/libexec/certmonger/certmaster-submitCA >> > 'dogtag-ipa-renew-agent': is-default: no ca-type: >> > EXTERNAL helper-location: >> > /usr/libexec/certmonger/dogtag-ipa-renew-agent-submitCA 'local': >> > is-default: no ca-type: EXTERNAL helper-location: >> > /usr/libexec/certmonger/local-submit* >> > >> > so... how do I make it aware? I'm using fedora21 so I'm at >> > certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. >> It >> > looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure >> what >> > to add. >> >> If you're after something you can use to poke at the server from the >> command line, the 'pki' tool from the 'pki-tools' package may be closer >> to what you're looking for. >> >> If not, well, here's more than you probably want to know. >> >> The CAs which certmonger knows about by default are the ones that don't >> require any additional configuration to be passed to them. For example, >> the ipa-submit helper can dig up all of the configuration that it needs >> from the IPA configuration files. Along similar lines, the >> dogtag-ipa-renew-agent-submit helper can dig through IPA's configuration >> for some settings, and have hardwired defaults for the rest. >> >> The general-purpose dogtag-submit helper doesn't have that expectation, >> and it hasn't seen much use yet, so you may find some bugs (well, more >> than usual). Anyway, a new file telling certmonger how to invoke it >> would look something like this: >> >> id=Dogtag >> ca_type=EXTERNAL >> ca_external_helper=/usr/libexec/certmonger/dogtag-submit ... >> >> The flags that would be passed to the dogtag-submit helper depend on >> whether or not it's expected to use agent creds to use Dogtag's agent >> services to approve the signing requests that it submits. Briefly: >> -T caServerCert >> The name of the Dogtag enrollment profile to use. >> -E http://server:8080/ca/ee/ca >> The location of Dogtag's end-user service. >> -A https://server:8443/ca/agent/ca >> The location of Dogtag's agent services, if agent creds will be used. >> -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt >> The location of the agent creds, if agent creds will be used. >> >> Some words of caution: the helper doesn't use the new REST API, but >> rather the old forms-based one, due to a combination of wanting to >> remain compatible with older versions of Dogtag and wanting to avoid >> adding new dependencies to the server via the REST API. >> >> If you try to use agent creds to auto-approve things, but the enrollment >> profile doesn't provide defaults for every extension value that it >> populates, the logic in dogtag-submit that tries to use agent creds to >> approve requests won't be able to tell the server to just use the >> defaults, and things could go awry. The -O flag may help here. >> >> You may want to run dogtag-submit interactively to get the flags sorted >> out, passing in previous output using the -S flag to mimic the >> certmonger daemon running it iteratively. >> >> > I apologize in advance for the pedestrian questions. I have read the >> docs >> > and the getting started guide and while they provide examples for >> > self-signed certs and for using FreeIPA, I don't see much info on using >> > getcert with DogTag as a standalone product. I'd also like to explore >> using >> > SCEP for requesting certs from our MS PKI. Is there a guide or info >> setting >> > up certmonger/getcert to hit a SCEP URL? >> >> That functionality was new in 0.77, and I've just submitted a candidate >> update build for F21, so hopefully some will be available in the >> updates-testing tree this week. Anyway, the short version of how to use >> an SCEP server is: >> >> * Use "getcert add-scep-ca -u $URL -c $NAME" to point the service at >> your SCEP server's URL and give the CA a nickname. >> * If it's an HTTPS URL, use the -R flag to point it to a PEM-formatted >> copy of the CA's certificate. If not, use "getcert list" and >> "getcert list-cas" to display request and certificate fingerprints >> for manual verification. >> * Use "getcert -c $NAME" to request a certificate. >> * Use the -L or -l flag to supply the enrollment PIN or point to a >> file that contains the enrollment PIN. >> >> A lot of the logic for supporting SCEP is new, so if you run into >> problems in that area, please make sure to let us know. >> >> HTH, >> >> Nalin >> > >