[Pki-users] Problems with Dogtag and CA cert signed by External CA

Dwayne MacKinnon dmk at ncf.ca
Thu Oct 18 15:49:43 UTC 2012


On October 17, 2012 04:52:52 PM John Dennis wrote:
> On 10/17/2012 03:52 PM, Dwayne MacKinnon wrote:
> > Hi all,
> > 
> > A helpful fellow called alee on #dogtag-pki suggested I write the list.
> > I've been playing with dogtag-pki-9.0.0-10 on 64-bit Fedora 17.
> > 
> > I'm looking to use dogtag to run a subordinate CA that does all our
> > everyday PKI stuff. So when I used pki-create and went into the webform,
> > I went the "create a csr" route and signed it using a root CA I'd set up
> > using openssl.
> > 
> > Everything seemed to work out fine, until I got to the point where I was
> > restarting pki-cad (using systemctl restart pki-cad@pki-ca.service). It
> > wouldn't start.
> > 
> > With alee's help I tracked it down to a failure of SystemCertsVerification
> > during the selftests.
> > 
> > He asked me to submit my debug log to the list, so here it is.
> 
> Interestingly enough I'm in the middle of tracking down why NSS will not
> validate a self signed cert as a CA. I suspect dogtag is calling NSS's
> CERT_VerifyCertificateNow (or its equivalent) and passing it a specific
> usage parameter.
> 
> There are very specific requirements to accept a CA cert as valid. More
> valuable than the log would be to show us what the cert looks like. I would
> ordinarily tell you to dump the cert in text form using openssl x509
> -text but openssl often omits detailed information on the cert
> extensions which are critical (no pun intended) here. How about if you
> also provide us with a PEM formatted version of the cert and we'll use
> our tools to examine its contents.

Sure. I've generated a clone cert with phony credentials. It's attached.
Thanks for the assistance.

Cheers,
DMK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: subca_cert.pem
Type: application/x-x509-ca-cert
Size: 7313 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20121018/358bd9a3/attachment.bin>
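The checks John describes, as an added example that is not part of the thread: a shell function that inspects a PEM certificate for the RFC 5280 extensions a verifier needs before treating it as a CA (basicConstraints CA:TRUE, and keyCertSign if keyUsage is present) and confirms it chains to the root, exercised against a constructed throwaway root and two subordinate certs. It assumes the openssl CLI with its default config; the exact rules NSS applies inside Dogtag's selftest are not shown here, only the standard ones.

```shell
# Added example (not from the thread). Needs the openssl CLI; the certs
# built by make_demo_certs are constructed on the fly and disposable.
set -e
# check_ca_cert CERT.pem ROOT.pem  -> returns 0 only if every check passes
check_ca_cert() {
    cert=$1; root=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    # basicConstraints must be present with CA:TRUE (RFC 5280 s4.2.1.9)
    if printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints:' | grep -q 'CA:TRUE'; then
        echo "basicConstraints CA:TRUE  ok"
    else
        echo "basicConstraints CA:TRUE  missing"; rc=1
    fi
    # keyUsage, when present, must include keyCertSign (s4.2.1.3)
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage:' &&
       ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage:' | grep -q 'Certificate Sign'; then
        echo "keyUsage keyCertSign      missing"; rc=1
    else
        echo "keyUsage keyCertSign      ok (or keyUsage absent)"
    fi
    # The cert must actually verify against the root it claims to be signed by
    if openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "chains to root            ok"
    else
        echo "chains to root            failed"; rc=1
    fi
    return $rc
}
# make_demo_certs DIR: constructed root plus two subordinate certs signed by it,
# one with CA extensions and one without (what a plain "openssl x509 -req"
# produces when no -extfile is supplied).
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Constructed Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Sub CA' \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/sub_good.pem" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -out "$d/sub_bad.pem" 2>/dev/null
}
demo=$(mktemp -d)
make_demo_certs "$demo"
check_ca_cert "$demo/sub_good.pem" "$demo/root.pem"
check_ca_cert "$demo/sub_bad.pem" "$demo/root.pem" || echo "sub_bad.pem would be rejected as a CA"
```

To run it against a real certificate, call check_ca_cert with the subordinate CA's PEM file and the root that signed it; a non-zero return means at least one of the listed requirements is not met.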

