[Pki-users] Looking for a short path to auto signing server certificates.

Steve Neuharth steve at sylvation.com
Wed Apr 1 20:37:58 UTC 2015


Hello everyone,

I have a requirement to provide a service to our internal Linux systems to
allow them to self-register and receive a certificate representing the host
itself and then a cert representing any application on that host. I have
installed DogTag, it's up and running and seems to be working.

I'd like to be able to use REST to request a certificate and have it
auto-signed. I know that DogTag has a REST interface and while the
interface is documented, there are no examples where I can see how it would
actually be used to post a CSR, fetch a cert, etc.

Normally, I'd just sniff a request made with getcert but as I'm using just
dogtag as a standalone install and not as a part of FreeIPA, getcert has no
knowledge of my local DogTag CA:

[root@dogtag lib]# getcert list-cas
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01CA
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit

So... how do I make it aware? I'm using Fedora 21 so I'm at
certmonger-0.76.8-1.fc21 and don't have access to the add-ca subtask. It
looks like I'd edit files in /var/lib/certmonger/cas but I'm not sure what
to add.

I apologize in advance for the pedestrian questions. I have read the docs
and the getting started guide and while they provide examples for
self-signed certs and for using FreeIPA, I don't see much info on using
getcert with DogTag as a standalone product. I'd also like to explore using
SCEP for requesting certs from our MS PKI. Is there a guide or info setting
up certmonger/getcert to hit a SCEP URL?

Thanks for your continued work on DogTag and certmonger. They ROCK and will
solve big problems for my client if I can just get them to work the way I
need them to.

--steve