[Pki-users] Usage Clarification

Marc Sauton msauton at redhat.com
Thu Jan 19 19:47:05 UTC 2012


On 01/19/2012 11:13 AM, Nathanael D. Noblet wrote:
> On 01/19/2012 11:45 AM, Mike Helm wrote:
>> What is func?
>>
>> Is it this?
>>
>> https://fedorahosted.org/func/
>
> Yes.
>
>
>>> #1 - given the above, is Dogtag able to deal with these
>>> certificates (I
>>> am so far under the impression that indeed it can)
>>
>> Deal with - what do you mean?  Do you mean, process requests and provide
>> a certificate that these apps can understand?  (If so the answer is 
>> probably
>> yes; we use certs in many services, but we don't happen to use puppet or
>> func, although I would like to).
>
> Yeah, that's what I was asking. I'm fairly new to the intricacies of 
> certificates, I've used them for https, but when looking at 
> certificates for https based websites, and the certs used for/by 
> puppet there were numerous differences. I presume though that most of 
> the differences are in the certificate creation process, and not the 
> signing.
>
>>
>>> #2 - How does one request a certificate from the installed pki-ca?
>>
>> There are a couple possibilities.  You can essentially screen scrape &
>> script the posting of the requests to the request interface.
>>
>> You can use the RA and either adapt some of the existing scripts in 
>> the RA or
>> just focus on the submission portion of the RA and build an appropriate
>> request.  Usually, you have to adjust the profile to do the right 
>> thing -
>> to expect the right variables from the PUT url.
>>
>> You can adapt the XML interface (I think - haven't explored that).
>>>
>>> requesting a certificate would submit some form of authentication.
>>
>> They could be authenticated or not.  The RA would allow you to use
>> whatever authentication you wanted - eg you could accept any request
>> from designated IP addresses, or network masks, or you could probably
>> use OAuth or Kerberos, or something else entirely.
>>
>> Or you could leave the requests to queue up unauthenticated & have
>> an agent verify the requests before manually issuing them.
>>
>> Other possibilities exist probably.
>
> Great, that's some good information.
>
>
>>> don't expect any device to request a certificate without me knowing it
>>> needs one and initiating the process somehow, so the added
>>> authentication
>>> seems un-needed in my case.
>>
>>> At the moment I'm used to puppet or func you have a puppetca function
>>> that can tell me the certificate signing requests pending approval, is
>>> this workflow fundamentally different than dogtag?
>>
>> I don't know puppet or what sounds like its internal CA (puppetca) so 
>> I couldn't
>> be sure how it works.  You should get a response back from either the 
>> dogtag
>> CA or RA that something happened to the request 
>> (accepted/approved/rejected/error)
>> and you can act on that returned value.   How flexible the app is would
>> determine how useful that message will be.
>>
>> Usual disclaimers - I could be wrong!
>
>
> So an additional issue, once I configured the CA, it gives me a link 
> to a page that has XXXXXX Certificate System and lists "SSL End Users 
> Services" as well as "Agent Services". All I did was go through the 
> setup of the CA service. If I click on either of those, I get a white 
> blank screen. I have no idea how to debug this, I can't seem to find 
> any error messages in /var/log/pki-ca to even point me anywhere, when 
> I do request those pages, *nothing* shows up in any of the many log 
> files in that directory. Any pointers?
>
> The urls are:
>
> https://hostname:9445/ca/services
>
> which has links to:
>
> https://hostname:9444/ca/ee/ca
> https://hostname:9443/ca/agent/ca
>
> Pointers would be much appreciated.
>
You can get request status using HTTP or HTTPS from the "ee" / "end 
entity" interface, and HTTPS with client authentication for the agent interface.
To get the forms, the paths are like

enrolling for an SSL server cert using the profile caServerCert
from the HTTPS no-client-auth interface
https://...:9444/ca/ee/ca/profileSelect?profileId=caServerCert

for a given request:
https://...:9444/ca/ee/ca/checkRequest.html

using client auth for an "agent"
https://...:9443/ca/agent/ca/profileReview?requestId=x

I suggest seeing the 8.1 online doc (not 7.3 like referenced earlier)
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/index.html

if e-mail notifications are needed for some enrollment and issuance 
events, see:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Notifications.html#Types_of_Automated_Notifications

There is some information in the web.xml file, located for example at
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
see
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/removing-unused-web.xml.html

The XML API will likely be updated and documented later upstream or as 
part of common criteria.
M.
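The two interfaces and paths listed above, wired into a small client, as an added example (not code from this thread or from the Dogtag project); the hostname and the CA-chain / agent client-certificate file paths are placeholders, and the ports (9444 end-entity, 9443 agent) are the ones quoted in the thread:

```python
"""Fetch Dogtag end-entity and agent pages over TLS (added example).

Assumed: placeholder hostname and PEM file paths; the agent port needs a
client certificate, the end-entity port does not.
"""
import ssl
import urllib.request
from urllib.parse import urlencode

EE_PORT = 9444      # end-entity interface: HTTPS, no client auth
AGENT_PORT = 9443   # agent interface: HTTPS with client-certificate auth


def ee_url(host, profile_id=None, check_request=False):
    """URL of the profile enrollment form, or of the request-status form."""
    base = f"https://{host}:{EE_PORT}/ca/ee/ca/"
    if check_request:
        return base + "checkRequest.html"
    return base + "profileSelect?" + urlencode({"profileId": profile_id})


def agent_url(host, request_id):
    """Agent-side review page for one request (client auth required)."""
    query = urlencode({"requestId": request_id})
    return f"https://{host}:{AGENT_PORT}/ca/agent/ca/profileReview?{query}"


def make_context(cafile=None, client_cert=None, client_key=None):
    """TLS context that verifies the CA's server cert and hostname.

    cafile: PEM chain of the Dogtag CA (placeholder path); None falls back
    to the system trust store, which only works if the CA cert is in it.
    client_cert/client_key: the agent's certificate and key, for port 9443.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED by default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def fetch(url, ctx, timeout=10):
    """GET the page; returns (HTTP status, body text)."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    host = "ca.example.test"                                   # placeholder
    ee_ctx = make_context(cafile="/path/to/ca-chain.pem")      # placeholder
    print(fetch(ee_url(host, profile_id="caServerCert"), ee_ctx))
    agent_ctx = make_context(cafile="/path/to/ca-chain.pem",
                             client_cert="/path/to/agent.pem")  # placeholder
    print(fetch(agent_url(host, "x"), agent_ctx))
```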