[Pki-users] Certificate profile validation

Arshad Noor arshad.noor at strongauth.com
Tue Mar 23 17:42:37 UTC 2010


DogTag and RHCS follow a similar architecture regardless of which component
is being managed (RA, CA, DRM, etc.).  No matter which sub-system is running
on your machine (unless you have two sub-systems on your machine), the "Admin"
port listens for connections from the PKI console.  

When you installed the RA instance, you chose an Admin port (or it was chosen 
for you by default); all you need to do is bring up the PKI Console in exactly 
the same way you would on the CA, but connect to the hostname/port combination 
corresponding to the RA instance.  However, the Admin server has to be running
to respond to the connection.

Arshad Noor
StrongAuth, Inc.
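The two-profile split Arshad describes below (RA verifies name-form, key type and key size; CA ignores the RA's view, adds its own extensions and signs) and the post-issuance check for the missing Subject Key Identifier that Shanthi reports, written out as an added example. This is Python using the `cryptography` package; it is not DogTag/RHCS code and not from anyone in this thread. The profile contents, the "Example Corp" organization, the CA name and the function names are all invented for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Hypothetical "Basic Assurance Signing Profile" (made up for this example).
# RA half: what an incoming CSR must look like. CA half: what the CA adds.
PROFILE = {
    "ra": {"key_type": rsa.RSAPublicKey, "min_key_bits": 2048,
           "required_name_attrs": (NameOID.COMMON_NAME, NameOID.ORGANIZATION_NAME)},
    "ca": {"validity_days": 365},
}


def ra_verify(csr, profile=PROFILE["ra"]):
    """RA half: proof of possession, key type/size, name-form. Empty list == forward to CA."""
    problems = []
    if not csr.is_signature_valid:
        problems.append("CSR self-signature invalid (no proof of possession)")
    pub = csr.public_key()
    if not isinstance(pub, profile["key_type"]):
        problems.append(f"key type {type(pub).__name__} not permitted")
    elif pub.key_size < profile["min_key_bits"]:
        problems.append(f"key size {pub.key_size} below {profile['min_key_bits']}")
    for oid in profile["required_name_attrs"]:
        if not csr.subject.get_attributes_for_oid(oid):
            problems.append(f"subject missing attribute {oid.dotted_string}")
    return problems


def ca_issue(csr, ca_cert, ca_key, profile=PROFILE["ca"], include_ski=True):
    """CA half: take only subject and public key from the CSR (requested extensions
    are ignored), add the profile's extensions, sign. include_ski=False mimics a
    CA-side profile that forgot the SKI."""
    now = datetime.now(timezone.utc)
    pub = csr.public_key()
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(pub)
        .serial_number(x509.random_serial_number()).not_valid_before(now)
        .not_valid_after(now + timedelta(days=profile["validity_days"]))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            ca_key.public_key()), critical=False)
    )
    if include_ski:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def issued_cert_conforms(cert, ca_cert):
    """Post-issuance check: SKI and AKI both present, SKI derived from the subject
    key, AKI equal to the issuing CA's SKI (RFC 5280 4.2.1.1 and 4.2.1.2)."""
    try:
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    except x509.ExtensionNotFound:
        return False
    ca_ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    expected = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
    return ski.digest == expected.digest and aki.key_identifier == ca_ski.digest


def make_ca(cn="Example Issuing CA"):
    """Self-signed test CA carrying its own SKI (constructed for the demo)."""
    key = rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def make_csr(key, cn, org):
    """End-entity CSR (constructed for the demo)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(
        key, hashes.SHA256())


def demo():
    # Three CSRs: one conforming, one with a weak key, one with the wrong key type.
    ca_cert, ca_key = make_ca()
    good = make_csr(rsa.generate_private_key(65537, 2048), "signer-1", "Example Corp")
    weak = make_csr(rsa.generate_private_key(65537, 1024), "signer-2", "Example Corp")
    ecc = make_csr(ec.generate_private_key(ec.SECP256R1()), "signer-3", "Example Corp")
    results = {"good": ra_verify(good), "weak": ra_verify(weak), "ecc": ra_verify(ecc)}
    results["issued_ok"] = issued_cert_conforms(ca_issue(good, ca_cert, ca_key), ca_cert)
    results["no_ski_ok"] = issued_cert_conforms(
        ca_issue(good, ca_cert, ca_key, include_ski=False), ca_cert)
    return results


if __name__ == "__main__":
    print(demo())
```

The RA never sees the CA's extension list and the CA never sees the RA's key and name constraints, which is the point of keeping the two halves in separate dictionaries. `issued_cert_conforms` is the check an operator would run on the first certificate out of a new profile: with `include_ski=False` it fails exactly the way Shanthi describes, AKI present but SKI absent.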

----- Original Message -----
From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
To: "Arshad Noor" <arshad.noor at strongauth.com>
Cc: pki-users at redhat.com
Sent: Tuesday, March 23, 2010 8:31:26 AM (GMT-0800) America/Los_Angeles
Subject: RE: [Pki-users] Certificate profile validation

Hi Arshad, 
I'm glad I asked the question. I have been reading the Red Hat manuals to understand about dogtag - I knew these were not on the latest dogtag release, i.e. 1.3; but that was the most detailed documentation available. 
I have been trying to determine how to bring up the pkiconsole for the RA - but it eludes me. 

When I start the RA using 'service pki-rad create <instance-name>', I do not see the pki console listed - it lists the URLs associated with the RA for agent, EE, etc. 
However, when I start the CA in a similar manner, the command for starting the PKI console is listed. So I am confused. 

So the question is, how do I bring up the PKI RA Console? 

Thanks! 
Shanthi 

-----Original Message----- 
From: Arshad Noor [ mailto:arshad.noor at strongauth.com ] 
Sent: Mon 3/22/2010 3:33 PM 
To: Thomas Shanthi-LST016 
Cc: pki-users at redhat.com 
Subject: Re: [Pki-users] Certificate profile validation 

Hmmm... unless something has changed in a new version of the PKI software 
(it has been a few months since I last looked at DogTag), I've never had 
to modify a .vm or .cgi file to change a profile. 

The certificate profiles were always accessible through the PKI Console, 
regardless of whether it was an RA or CA instance. 

Arshad Noor 
StrongAuth, Inc. 

----- Original Message ----- 
From: "Thomas Shanthi-LST016" < Shanthi.Thomas at motorola.com > 
To: "Arshad Noor" < arshad.noor at strongauth.com > 
Cc: pki-users at redhat.com 
Sent: Monday, March 22, 2010 12:22:35 PM (GMT-0800) America/Los_Angeles 
Subject: RE: [Pki-users] Certificate profile validation 

Thanks again for the prompt reply, Arshad. 

I had created the profile at the CA but had not configured it on the RA 
(just to check if the CA was validating it). But I will try it out 
completely and get back again. 

Also, to confirm - when you say profile configuration at the RA and CA, 
I'm assuming you mean the modification of the .vm and .cgi files at the 
RA, and at the CA the profile configuration is specified via the 
PKI-console. 

Thanks, 
Shanthi 

>>-----Original Message----- 
>>From: Arshad Noor [ mailto:arshad.noor at strongauth.com ] 
>>Sent: Monday, March 22, 2010 12:36 PM 
>>To: Thomas Shanthi-LST016 
>>Cc: pki-users at redhat.com 
>>Subject: Re: [Pki-users] Certificate profile validation 
>> 
>>In order to accomplish what you're doing, Shanthi, what you 
>>need to do is have two profiles - one at the RA that performs 
>>verification tasks, and one at the CA that performs 
>>modifications. So, for example, you were creating a custom 
>>profile for a "Basic Assurance Signing Profile" 
>>(the name is just an example), you would use the same profile 
>>at the RA and the CA instances, but configure the profile at 
>>the RA to only verify the information you were expecting from 
>>the end-entity (such as name-form, key-size, key-type, etc.) 
>>and then send it to the CA where the profile adds the 
>>required extensions and constraints. 
>> 
>>What is confusing for many RHCS/DogTag users is that while 
>>the same profile can exist on the RA and the CA, they do not 
>>see each others' 
>>profile configurations - they only see their own 
>>configurations. You likely configured the profile at the RA 
>>instance, which the CA is logically ignoring. Modify/create 
>>your profile at the CA instance and you will get the 
>>certificates you want. 
>> 
>>Arshad Noor 
>>StrongAuth, Inc. 
>> 
>>----- Original Message ----- 
>>From: "Thomas Shanthi-LST016" < Shanthi.Thomas at motorola.com > 
>>To: "Arshad Noor" < arshad.noor at strongauth.com > 
>>Cc: pki-users at redhat.com 
>>Sent: Monday, March 22, 2010 9:48:28 AM (GMT-0800) America/Los_Angeles 
>>Subject: RE: [Pki-users] Certificate profile validation 
>> 
>>Thanks, Arshad. Is there some way to force the CA to 
>>cross-check the CSR against the profile when the RA is also 
>>present? Or is this automatically enabled? 
>> 
>>I must have missed something when I set the cert profile... 
>>When I tried this, it seemed as if the CA was not verifying 
>>correctness of the issued certificate against the cert 
>>profile. It seemed to be just adding its signature. Also it 
>>added the Authority Key Identifier but not the subject key 
>>identifier (as per RFC 5280 it looks like the CA adds this field) 
>>- though both were mentioned in the profile. 
>> 
>>>>-----Original Message----- 
>>>>From: Arshad Noor [ mailto:arshad.noor at strongauth.com ] 
>>>>Sent: Monday, March 22, 2010 11:43 AM 
>>>>To: Thomas Shanthi-LST016 
>>>>Cc: pki-users at redhat.com 
>>>>Subject: Re: [Pki-users] Certificate profile validation 
>>>> 
>>>>Technically, it can occur at either or both locations. 
>>>>However, from a business and operational point-of-view, most PKIs do 
>>>>the verification at the RA. This is because it allows different RAs 
>>>>to use different policies, procedures and tools to do the 
>>>>key-generation, verification, etc., before sending the verified CSR to 
>>>>the CA for signing. 
>>>> 
>>>>From an operational point of view, having RAs do the verification 
>>>>allows you to scale a CA to sign more certificates in a given unit of 
>>>>time if it only had to sign certificates and CRLs instead of verifying 
>>>>and signing. 
>>>> 
>>>>Yes, the CA can indeed add all the required constraints/extensions as 
>>>>needed to the certificate based on the profile, before it signs the 
>>>>CSR. 
>>>> 
>>>>Arshad Noor 
>>>>StrongAuth, Inc. 
>>>> 
>>>>----- Original Message ----- 
>>>>From: "Thomas Shanthi-LST016" < Shanthi.Thomas at motorola.com > 
>>>>To: pki-users at redhat.com 
>>>>Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles 
>>>>Subject: [Pki-users] Certificate profile validation 
>>>> 
>>>>_______________________________________________ 
>>>>Pki-users mailing list 
>>>> Pki-users at redhat.com 
>>>> https://www.redhat.com/mailman/listinfo/pki-users 