[Pki-users] Can OpenSSL be used as external CA ?

kritee jhawar kriteejhawar at gmail.com
Sat Nov 1 04:24:05 UTC 2014


Thanks Christina

I checked out the master branch and built it. Now I can see the added
extensions in the CSR generated; however, I am getting the same error as
earlier.
This time again, I tried to supply the certificate chain with and without
the headers. The chain is in a valid pkcs7 format.
Following is how the extensions look in the certificate signed by openssl
for dogtag:

      X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A

The error I get in step 2 of pkispawn is as follows:

pkispawn    : INFO     ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... loading external CA signing certificate from
file: '/home/kjhawar/dogtag/dg_ca.cert'
pkispawn    : INFO     ....... loading external CA signing certificate
chain from file: '/home/kjhawar/dogtag/dg_chain.cert'
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : INFO     ....... AtoB /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert.der
pkispawn    : INFO     ....... certutil -A -d
/root/.dogtag/pki-tomcat/ca/alias -n PKI Administrator -t u,u,u -i
/root/.dogtag/pki-tomcat/ca_admin.cert.der -f
/root/.dogtag/pki-tomcat/ca/password.conf
Notice: Trust flag u is set automatically if the private key is present.
pkispawn    : INFO     ....... pk12util -d
/root/.dogtag/pki-tomcat/ca/alias -o
/root/.dogtag/pki-tomcat/ca_admin_cert.p12 -n PKI Administrator -w
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -k
/root/.dogtag/pki-tomcat/ca/password.conf
pkispawn    : INFO     ... finalizing
'pki.server.deployment.scriptlets.finalization'
pkispawn    : INFO     ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141101020655
pkispawn    : INFO     ....... generating manifest file called
'/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn    : INFO     ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141101020655
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart
pki-tomcatd at pki-tomcat.service'
Job for pki-tomcatd at pki-tomcat.service canceled.
pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command
'['systemctl', 'restart', 'pki-tomcatd at pki-tomcat.service']' returned
non-zero exit status 1!

Installation failed.

Kindly let me know if any specific configuration has to be done in my
openssl CA. Attaching the config file I am using currently.

Thanks
Kritee

On Fri, Oct 31, 2014 at 10:36 PM, Christina Fu <cfu at redhat.com> wrote:

>  Kritee,
>
> At the minimum, you need the fixes I talked about. They were checked into
> the master but have not been built officially, so yum is not going to get you
> the right rpm.  However, you can check it out and build it yourself.
> Here is how you check out the master:
>
> git clone git://git.fedorahosted.org/git/pki.git
>
> You can then use the build scripts to build.
>
> Finally, I apologize that we are not supposed to respond to private
> emails.  Dogtag is a community where we share our knowledge.  In the future
> please send requests to the mailing list.
> I took the exception this time to look at your CSR and certs and I could
> see that you need the fixes I talked about.  I don't know if you have other
> issues though, but AFAIK you need those two fixes.
>
> Hope this helps.
> Christina
>
>
> On 10/29/2014 01:16 AM, kritee jhawar wrote:
>
> Hi Christina
>
>  I have done the default configuration for 389ds and haven't specifically
> turned on ssl for it.
>
>  Initially I tried using Microsoft and OpenSSL CA as external CAs. This
> was about a month back and I pulled the RPMs using yum (so I assume they are
> the latest ones with the fix you mentioned).
> With this, my pki spawn went fine. In fact the admin cert got generated
> using the externally provided root cert as well. But dogtag couldn't
> connect to the ds. As mentioned earlier it gave me a PKIException error
> listing the certs with error code 500.
> Looking at the ds logs I found that the error was 'bad search filter'.
> However when I tried the same steps with dogtag as external CA the setup
> went through without a glitch. The chain I imported was directly from the
> GUI of dogtag. In fact I included the header and footer as well.
>
>  When I tried to reverse engineer the chain, I took the root cert of
> external dogtag ca and used OpenSSL to convert it into pkcs7. This chain
> was not the same as provided from the GUI. Hence I thought that there is
> some particular format for the chain because of which the other CAs aren't
> working.
>
>  Also, I updated the RPMs using yum and tried to generate the CSR with
> the extra attributes. My CSR still doesn't reflect those added attributes.
>
>  Is yum not the correct way to get the latest code?
>
>  I am very new to this, really appreciate your assistance and time.
>
>  Regards
> Kritee
>
> On Wednesday, 29 October 2014, Christina Fu <cfu at redhat.com> wrote:
>
>>  the cert chain you provide in the file specified under
>> pki_external_ca_cert_chain_path
>> should be just pkcs7 without header/footer.
>>
>> I don't know why it would not talk to the DS (did you turn on ssl for the
>> ds?).
>> Not sure if you build your Dogtag from the master; if you do, I'd suggest
>> you get the most updated so you get fixes from the tickets I provided
>> previously, which would address at least two issues relating to external CA.
>>
>> Christina
>>
>> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>>
>> Hi Christina
>>
>>  I was undertaking this activity last month where Microsoft CA didn't
>> work out but Dogtag as external CA did.
>>
>>  While using Microsoft CA or OpenSSL CA, pki spawn goes through
>> without any error but dogtag stops communicating with 389ds. Upon calling
>> the REST API /ca/rest/certs I get a "PKIException error listing the certs".
>>
>>  Is there a particular format for the ca cert chain that we need to
>> provide? I was trying to reverse engineer the chain provided by dogtag.
>>
>>  Thanks
>> Kritee
>>
>>
>>
>> On Monday, 27 October 2014, Christina Fu <cfu at redhat.com> wrote:
>>
>>>  If you meant the following two:
>>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>>> preserved at issuance with signing cert signed by an external CA
>>> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration)
>>> does not provide CA extensions in subordinate certificate signing requests
>>> (CSR)
>>>
>>> They have just recently been fixed upstream so I imagine you could use
>>> Microsoft CA now.  Theoretically any other CA can be used as an external
>>> CA, but if you run into issues, please feel free to report.
>>>
>>> Christina
>>>
>>>
>>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>>
>>> Hi
>>>
>>>  In my recent thread I read that there is a bug due to which Microsoft
>>> CA can't work as external CA for dogtag.
>>> Can OpenSSL be used?
>>>
>>>  Thanks
>>> Kritee
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>
>
>
-------------- next part --------------
# My sample caconfig.cnf file.
## Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca      = local_ca
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir             = /root/myCA
certificate     = $dir/root-ca.crt
database        = $dir/index.txt
new_certs_dir   = $dir/signedcerts
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
# Default expiration and encryption policies for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = sha1
#       
policy          = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request
#
copy_extensions = copy
#       #
# Default policy to use when generating server certificates.  The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName              = optional
stateOrProvinceName     = optional
countryName             = optional
emailAddress            = optional
organizationName        = optional
organizationalUnitName  = optional
#       
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
#authorityKeyIdentifier  = keyid,issuer
#basicConstraints        = critical,CA:true
#keyUsage                = critical, Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
#subjectKeyIdentifier    = hash
#       
#
# The default root certificate generation policy.
#
[ req ]
default_bits    = 2048
default_keyfile = /root/myCA/private/cakey.pem
default_md      = sha1
#       
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions
#
#
# Root Certificate Authority distinguished name.  Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName              = Kritee Root Certificate Authority
stateOrProvinceName     = KA
countryName             = IN
emailAddress            = kjhawar at example.com
organizationName        = abc
organizationalUnitName  = zyx
#       
[ root_ca_extensions ]
authorityKeyIdentifier  = keyid,issuer
basicConstraints        = critical, CA:true
keyUsage                = critical, Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
subjectKeyIdentifier    = hash
#       
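The format requirement Christina states above (the file named by pki_external_ca_cert_chain_path should hold PKCS#7 as bare base64, with no PEM header/footer) is easy to get wrong by hand, and Kritee's attempt to convert a single root cert into pkcs7 shows the other common slip: handing over an X.509 certificate where a PKCS#7 blob is expected. The checker below is an added example written for this thread; it is not Dogtag, OpenSSL or Kritee's code, and the function names are mine. It strips PEM armour if present, decodes the base64, and walks just enough DER to tell a PKCS#7 SignedData ContentInfo from a bare certificate, counting the certificates carried in the chain. The DER sample it runs on is built by hand inside the script and its "certificate" entries are structural placeholders, not real certificates.

```python
"""Classify and normalise a Dogtag external-CA chain file (added example, not project code)."""
import base64
import re

OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
PEM_ARMOUR = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")


def read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Render OID content octets as dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def strip_armour(text):
    """Drop PEM header/footer lines and whitespace; return (bare_base64, had_armour)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    body = [ln for ln in lines if not PEM_ARMOUR.match(ln)]
    return "".join(body), len(body) != len(lines)


def count_certificates(content_info):
    """Count SEQUENCEs in the [0] certificates field of a SignedData, or 0 if absent."""
    _, _, pos = read_tlv(content_info, 0)                 # contentType OID
    tag, explicit, _ = read_tlv(content_info, pos)        # [0] EXPLICIT content
    if tag != 0xA0:
        return 0
    _, signed_data, _ = read_tlv(explicit, 0)             # SignedData SEQUENCE
    pos = 0
    for _ in range(3):                                    # version, digestAlgorithms, encapContentInfo
        _, _, pos = read_tlv(signed_data, pos)
    if pos >= len(signed_data):
        return 0
    tag, certs, _ = read_tlv(signed_data, pos)
    if tag != 0xA0:                                       # [0] IMPLICIT certificates missing
        return 0
    count, pos = 0, 0
    while pos < len(certs):
        tag, _, pos = read_tlv(certs, pos)
        count += tag == 0x30
    return count


def classify_chain(text):
    """Describe what a chain file holds: armour present, PKCS#7 or X.509, certificate count."""
    bare, had_armour = strip_armour(text)
    der_bytes = base64.b64decode(bare, validate=True)
    tag, content, end = read_tlv(der_bytes, 0)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("file is not a single DER SEQUENCE")
    inner_tag, inner_val, _ = read_tlv(content, 0)
    info = {"pem_armour": had_armour, "kind": "unknown", "certificates": 0, "bare_base64": bare}
    if inner_tag == 0x06 and decode_oid(inner_val) == OID_PKCS7_SIGNED_DATA:
        info["kind"], info["certificates"] = "pkcs7-signedData", count_certificates(content)
    elif inner_tag == 0x30:                               # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        info["kind"] = "x509-certificate"
    return info


def normalise_chain(text):
    """Return the bare-base64 PKCS#7 form pkispawn expects, or raise if the content is wrong."""
    info = classify_chain(text)
    if info["kind"] != "pkcs7-signedData":
        raise ValueError("expected PKCS#7 SignedData, found " + info["kind"])
    return info["bare_base64"]


def der(tag, value):
    """Encode one TLV (short and two-byte long-form lengths are enough here)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def build_sample_pkcs7(cert_count):
    """Constructed sample: degenerate SignedData whose certificates are placeholder SEQUENCEs."""
    oid_signed, oid_data = bytes.fromhex("2a864886f70d010702"), bytes.fromhex("2a864886f70d010701")
    certs = b"".join(der(0x30, der(0x30, b"\x02\x01" + bytes([i]))) for i in range(cert_count))
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, oid_data))
                      + der(0xA0, certs) + der(0x31, b""))
    return der(0x30, der(0x06, oid_signed) + der(0xA0, signed_data))


SAMPLE_BARE = base64.b64encode(build_sample_pkcs7(2)).decode()
SAMPLE_ARMOURED = "-----BEGIN PKCS7-----\n" + SAMPLE_BARE + "\n-----END PKCS7-----\n"
SAMPLE_CERT_SHAPE = base64.b64encode(der(0x30, der(0x30, b"\x02\x01\x01"))).decode()  # cert-shaped placeholder

if __name__ == "__main__":
    for label, sample in (("armoured", SAMPLE_ARMOURED), ("bare", SAMPLE_BARE), ("single cert", SAMPLE_CERT_SHAPE)):
        info = classify_chain(sample)
        print(f"{label}: kind={info['kind']} certificates={info['certificates']} pem_armour={info['pem_armour']}")
```

Running it against a real chain file means reading the file into `classify_chain` and writing `normalise_chain`'s result back out; a result of `x509-certificate` is the signal that a single root cert was supplied where a PKCS#7 bundle was expected, and `pem_armour` set to True means the header/footer still has to go. The checker deliberately says nothing about the extensions in the signed certificate: in the attached caconfig.cnf the [local_ca_extensions] entries are commented out and `copy_extensions = copy` is set, so the CA copies whatever extensions the CSR carries, which is exactly why the ticket 1110 fix (CA extensions in the subordinate CSR) decides whether the issued cert ends up with CA:TRUE.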

