[Pki-users] Usage Clarification
Nathanael D. Noblet
nathanael at gnat.ca
Thu Jan 19 19:13:53 UTC 2012
On 01/19/2012 11:45 AM, Mike Helm wrote:
> What is func?
>
> Is it this?
>
> https://fedorahosted.org/func/
Yes.
>> #1 - given the above, is dog tag able to deal with these certificates (I
>> am so far under the impression that indeed it can)
>
> Deal with - what do you mean? Do you mean, process requests and provide
> a certificate that these apps can understand? (If so the answer is probably
> yes; we use certs in many services, but we don't happen to use puppet or
> func, although I would like to).
Yeah, that's what I was asking. I'm fairly new to the intricacies of
certificates, I've used them for https, but when looking at certificates
for https based websites, and the certs used for/by puppet there were
numerous differences. I presume though that most of the differences are
in the certificate creation process, and not the signing.
>
>> #2 - How does one request a certificate from the installed pki-ca?
>
> There are a couple possibilities. You can essentially screen scrape &
> script the posting of the requests to the request interface.
>
> You can use the RA and either adapt some of the existing scripts in the RA or
> just focus on the submission portion of the RA and build an appropriate
> request. Usually, you have to adjust the profile to do the right thing -
> to expect the right variables from the PUT url.
>
> You can adapt the XML interface (I think - haven't explored that).
>>
>> requesting a certificate would submit some form of authentication.
>
> They could be authenticated or not. The RA would allow you to use
> whatever authentication you wanted - eg you could accept any request
> from designated IP addresses, or network masks, or you could probably
> use OAuth or Kerberos, or something else entirely.
>
> Or you could leave the requests to queue up unauthenticated & have
> an agent verify the requests before manually issuing them.
>
> Other possibilities exist probably.
Great, that's some good information.
>> don't expect any device to request a certificate without me knowing it
>> needs one and initiating the process somehow, so the added authentication
>> seems unneeded in my case.
>
>> At the moment I'm used to puppet or func you have a puppetca function
>> that can tell me the certificate signing requests pending approval, is
>> this workflow fundamentally different than dogtag?
>
> I don't know puppet or what sounds like its internal CA (puppetca) so I couldn't
> be sure how it works. You should get a response back from either the dogtag
> CA or RA that something happened to the request (accepted/approved/rejected/error)
> and you can act on that returned value. How flexible the app is would
> determine how useful that message will be.
>
> Usual disclaimers - I could be wrong!
So an additional issue, once I configured the CA, it gives me a link to
a page that has XXXXXX Certificate System and lists "SSL End Users
Services" as well as "Agent Services". All I did was go through the
setup of the CA service. If I click on either of those, I get a white
blank screen. I have no idea how to debug this, I can't seem to find any
error messages in /var/log/pki-ca to even point me anywhere, when I do
request those pages, *nothing* shows up in any of the many log files in
that directory. Any pointers?
The urls are:
https://hostname:9445/ca/services
which has links to:
https://hostname:9444/ca/ee/ca
https://hostname:9443/ca/agent/ca
Pointers would be much appreciated.
--
Nathanael d. Noblet
t 403.875.4613
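Whatever submission path is used (scripted posts to the request interface, the RA, or an agent approving queued requests), the thing being submitted is a PKCS#10 request. The script below is an added example, not code from this thread or from Dogtag: it builds a CSR the way an enrolling host would and runs the checks a requester (or an approving agent) would want before anything is posted. It assumes the openssl CLI (1.1.1 or newer, for `-addext`); the hostname is a constructed sample value, and the form fields or profile variables a given Dogtag profile expects are not covered here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dogtag: build the PKCS#10
# request a device would submit to a CA's enrollment interface, then check it
# before posting. Assumes the openssl CLI (1.1.1 or newer, for -addext).
# The hostname used below is a constructed sample value.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr HOST: generate a fresh RSA key and a CSR naming HOST both as the
# subject CN and as a DNS subjectAltName (what TLS clients actually check).
# Prints the CSR path.
make_csr() {
    host="$1"
    key="$WORKDIR/$host.key.pem"
    csr="$WORKDIR/$host.csr.pem"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
    chmod 600 "$key"
    printf '%s\n' "$csr"
}

# verify_csr CSR: succeed only if the request's self-signature checks out,
# i.e. whoever produced it holds the matching private key. A CA (or an agent
# approving queued requests) should refuse anything that fails here.
verify_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -qi 'verify OK'
}

# csr_cn CSR: print the subject common name.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_sans CSR: print the DNS names requested in subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*DNS://'
}

# csr_names_host CSR HOST: succeed if CN and SAN both name exactly HOST, so a
# request made for one machine cannot quietly ask for another name.
csr_names_host() {
    [ "$(csr_cn "$1")" = "$2" ] && csr_sans "$1" | grep -qx -- "$2"
}

main() {
    host="${1:-ca-client01.example.test}"   # constructed sample hostname
    csr="$(make_csr "$host")"
    if verify_csr "$csr" && csr_names_host "$csr" "$host"; then
        echo "CSR for $host is well-formed and ready to submit: $csr"
    else
        echo "CSR for $host failed pre-submission checks" >&2
        return 1
    fi
    # What the CA profile will see; compare against the attributes it expects.
    openssl req -in "$csr" -noout -subject -nameopt RFC2253
    csr_sans "$csr"
}

main "$@"
```

Run it as `sh make_csr.sh myhost.example.test`; the key stays in `WORKDIR` with mode 600 and only the CSR leaves the machine. The CN/SAN check is the piece worth keeping even when the CA accepts requests from trusted addresses without further authentication: it makes the name the requester intended, and the name the CA is being asked to certify, the same string.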