[Pki-users] Usage Clarification

Mike Helm helm at fionn.es.net
Thu Jan 19 18:45:49 UTC 2012


What is func?

Is it this?

https://fedorahosted.org/func/

> #1 - given the above, is dog tag able to deal with these certificates (I 
> am so far under the impression that indeed it can)

Deal with - what do you mean?  Do you mean, process requests and provide
a certificate that these apps can understand?  (If so the answer is probably
yes; we use certs in many services, but we don't happen to use puppet or
func, although I would like to).

> #2 - How does one request a certificate from the installed pki-ca?

There are a couple possibilities.  You can essentially screen scrape &
script the posting of the requests to the request interface.

You can use the RA and either adapt some of the existing scripts in the RA or 
just focus on the submission portion of the RA and build an appropriate
request.  Usually, you have to adjust the profile to do the right thing -
to expect the right variables from the PUT url.

You can adapt the XML interface (I think - haven't explored that).
> 
> requesting a certificate would submit some form of authentication. 

They could be authenticated or not.  The RA would allow you to use
whatever authentication you wanted - eg you could accept any request
from designated IP addresses, or network masks, or you could probably
use OAuth or Kerberos, or something else entirely.

Or you could leave the requests to queue up unauthenticated & have
an agent verify the requests before manually issuing them.

Other possibilities exist probably.

> don't expect any device to request a certificate without me knowing it 
> needs one and initiating the process somehow, so the added authentication 
> seems un-needed in my case.

> At the moment I'm used to puppet or func you have a puppetca function 
> that can tell me the certificate signing requests pending approval, is 
> this workflow fundamentally different than dogtag?

I don't know puppet or what sounds like its internal CA (puppetca) so I couldn't
be sure how it works.  You should get a response back from either the dogtag
CA or RA that something happened to the request (accepted/approved/rejected/error)
and you can act on that returned value.  How flexible the app is would
determine how useful that message will be.

Usual disclaimers - I could be wrong!

Thanks, ==mwh

Michael Helm
ESnet/LBNL
