[Pki-users] CA Administrator of Instance pki-ca

Andrew Wnuk awnuk at redhat.com
Tue Oct 8 18:32:48 UTC 2013


On 10/07/2013 11:41 AM, Richard Thomas wrote:
> Hi Andrew,
>
> Thanks very much for sending this to me.
>
> The first thing I'd like to point out is that I'm using the pre-Red Hat enterprise variant of DogTag (dogtag-pki-1.3.0-2.el5)
>
> I have been trying to adapt the instructions as best I can and have so nearly got there, but not quite.
>
> I have been referring to chapter 4.8.2 of that article by going to the <server>:9444/ca/ee/ca URL and the only 2 Certificate Profiles I have to choose from are:
> o) Renewal: Renew certificate to be manually approved by agents
> o) Cisco VPN Client Enrolment
>
> The second option is for end users of our Cisco VPN to generate new certificates with, so I don't do anything with that.
>
> The first option looked promising, as it asked for a certificate number, so I used the <server>:9443/ca/agent/ca URL to find the certificate number of the current "CA Administrator of Instance pki-ca" certificate, make a note of it and enter it into the certificate renewal page.
>
> I then use the <server>:9443/ca/agent/ca URL to approve my request.
>
> Back to the <server>:9444/ca/ee/ca URL to retrieve the certificate.
>
> I then updated the .p12 (.pfx) certificate with the one that appeared from the step above, with quite a few openssl commands, but I am confident that my new .p12 has everything in it as before (including the private key), with the exception of the "CA Administrator of Instance pki-ca" certificate being my updated one instead of the current one.
>
> I manage to import it into my machine's browser and when I navigate to <server>:9443/ca/agent/ca, the new certificate comes up as an option to present to Dog Tag, so things are looking good at this stage and I select it.
>
> After that is where the first thing looks different, but I wasn't too worried about it. I get a message saying "Request For Permission to Use a Key", so I grant permission.
>
> Then things don't look good at all, as once I'm past that, all the pages say "Invalid Credential".
>
> I have probably gone about things in a way that's more complicated than it should be and I guess it's because I'm using an earlier version of Dog Tag.
>
> Do you have any ideas where I have gone wrong with this, please?
>
> Thank you very much.
>
> Richard.

Unfortunately, your version is old enough to be missing the new renewal 
profiles, which would make your task easier.

Here is a simple way to renew your CA administrator certificate:

 1. Go to the EE interface (typically https://<hostname>:9444/ca/ee/ca/) and
    select "Manual User Dual-Use Certificate Enrollment".
 2. Fill out the form and submit the request.
 3. Go to the Agent interface (typically
    https://<hostname>:9443/ca/agent/ca/) and approve the submitted request.
 4. Return to the EE interface, select the "Retrieval" tab and "Check Request
    Status".
 5. Type in the request number and press submit.
 6. Click on the issued certificate serial number.
 7. Go to the end of the page displaying the certificate and press "Import Your
    Certificate".
 8. Start pkiconsole (typically by running "pkiconsole
    https://`hostname`:9445/ca").
 9. Select "Users and Groups" and select your admin entry.
10. Press the "Certificates" button, then "Import", and paste in your new
    base64-encoded certificate, then OK and "Done".
11. Clear the SSL cache in the browser or restart your browser.
12. You should now be able to use your new certificate to access the Agent
    interface.

Thanks,
Andrew
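An added example, not part of this thread and not Dogtag project code, for the step Richard describes of rebuilding the .p12 by hand with openssl. Before assembling a new bundle it confirms that the renewed certificate's public key matches the private key already in the old bundle, checks that the renewed certificate is not itself close to expiry, and then writes the new PKCS#12; it also prints the bare base64 body of the certificate in the form pasted into the console import dialog. It assumes the openssl command-line tool is installed; every file name and the passphrase are placeholders. A correctly rebuilt bundle alone does not end the "Invalid Credential" problem: the new certificate still has to be added to the admin user entry, as step 10 in Andrew's list says.

```shell
#!/bin/sh
# Added example: sanity-check a renewed certificate against the private key in
# an existing PKCS#12 bundle, then rebuild the bundle. Assumes the openssl CLI.
# All file names and the passphrase are placeholders chosen for illustration.
set -eu

# SHA-256 of the public key (PEM SubjectPublicKeyInfo) derived from a private key.
key_pub_fingerprint() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a certificate, same encoding as above.
cert_pub_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate ($1) was issued for the private key ($2).
cert_matches_key() {
    [ "$(cert_pub_fingerprint "$1")" = "$(key_pub_fingerprint "$2")" ]
}

# Exit 0 when the certificate ($1) remains valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# The bare base64 body of a certificate, i.e. the PEM without its BEGIN/END
# lines, which is what the console's certificate import dialog expects.
cert_base64_body() {
    openssl x509 -in "$1" -outform PEM | sed '/^-----/d' | tr -d '\n'
}

# Rebuild a PKCS#12 bundle: keep the private key and any CA certificates from
# the old bundle ($1), replace the end-entity certificate with $2, write $3.
# $4 is the bundle passphrase. Refuses to proceed if the new certificate does
# not belong to the existing key, the mistake most worth catching when the
# bundle is assembled by hand.
rebuild_p12() {
    old_p12=$1; new_cert=$2; out_p12=$3; pass=$4
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$old_p12" -nocerts -nodes -passin "pass:$pass" -out "$tmp/key.pem"
    openssl pkcs12 -in "$old_p12" -nokeys -cacerts -passin "pass:$pass" -out "$tmp/chain.pem"
    if ! cert_matches_key "$new_cert" "$tmp/key.pem"; then
        echo "refusing: $new_cert does not match the private key in $old_p12" >&2
        rm -rf "$tmp"
        return 1
    fi
    if [ -s "$tmp/chain.pem" ]; then
        openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$new_cert" \
            -certfile "$tmp/chain.pem" -passout "pass:$pass" -out "$out_p12"
    else
        openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$new_cert" \
            -passout "pass:$pass" -out "$out_p12"
    fi
    rm -rf "$tmp"
    echo "wrote $out_p12; now add this certificate to the admin user entry:"
    cert_base64_body "$new_cert"; echo
}
```

Typical use: `rebuild_p12 old-admin.p12 renewed-admin.pem new-admin.p12 "$PKCS12_PASS"` followed by `cert_valid_for renewed-admin.pem 2592000` to confirm more than thirty days remain. Comparing public-key hashes rather than moduli keeps the check the same for RSA and EC keys.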


>
> ________________________________________
> From: pki-users-bounces at redhat.com [pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk [awnuk at redhat.com]
> Sent: Thursday, October 03, 2013 6:05 PM
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] CA Administrator of Instance pki-ca
>
> Hi Richard,
>
> You can renew certificate using: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/renewing-certificates.html
> and then add new certificate to CA administrator entry using console.
>
> Best,
> Andrew
>
> On 10/03/2013 08:49 AM, Richard Thomas wrote:
> Hi all,
>
> I hope someone would be able to help me with this.
>
> I have taken over a Dog Tag system and I have little knowledge of it.
>
> I need to renew the “CA Administrator of Instance pki-ca” certificate, as it is running out in a few weeks.
>
> Would someone be able to point me in the direction of any documentation on how to do this or let me know how to do it.
>
> I would massively appreciate any guidance on this.
>
> Thanks in advance,
>
> Richard.
>
