Greetings,

I found the following error in the log you mentioned:

2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_seq_num: 0
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - profilesetid: caCertSet
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_authority_id: 80a77871-f53d-4154-ad3f-9b669ca9791f
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_subject_name.uid:
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - auth_token.authmanagerid: certUserDBAuthMgr
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - requesttype: enrollment
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_extensions: owIwAA==
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_subject_name: MA8xDTALBgNVBAMMBHRlc3Q=
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: Submitting certificate request to caCACert profile
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: LDAPSession: Adding LDAP entry cn=32,ou=ca, ou=requests,o=ipaca
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: KeyConstraint: Key algorithnm: RSA
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: KeyConstraint: Key type: -
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] WARNING: Certificate request rejected: Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
        at com.netscape.cms.profile.constraint.KeyConstraint.validate(KeyConstraint.java:198)
        at com.netscape.cms.profile.constraint.EnrollConstraint.validate(EnrollConstraint.java:172)
        at com.netscape.cms.profile.common.Profile.validate(Profile.java:1309)
        at com.netscape.cms.profile.common.EnrollProfile.validate(EnrollProfile.java:2767)
        at com.netscape.cms.profile.common.EnrollProfile.submit(EnrollProfile.java:731)
        at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:253)
        at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:207)
        at com.netscape.ca.CertificateAuthority.generateSigningCert(CertificateAuthority.java:1941)
        at org.dogtagpki.server.ca.CAEngine.createCA(CAEngine.java:1064)
        at org.dogtagpki.server.ca.CAEngine.createCA(CAEngine.java:1118)
        at org.dogtagpki.server.ca.rest.AuthorityService.createCA(AuthorityService.java:268)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
        at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:833)

[root@mdc-ipa-2 ca]# ipa certprofile-find caCertSet
------------------
0 profiles matched
------------------
----------------------------
Number of entries returned 0
----------------------------
[root@mdc-ipa-2 ca]# find / -name *caCertSet*
find: ‘/proc/28227/task/28227/net’: Invalid argument
find: ‘/proc/28227/net’: Invalid argument
find: ‘/proc/28231/task/28231/net’: Invalid argument
find: ‘/proc/28231/net’: Invalid argument
find: ‘/proc/32516/task/32516/net’: Invalid argument
find: ‘/proc/32516/net’: Invalid argument
find: ‘/proc/32520/task/32520/net’: Invalid argument
find: ‘/proc/32520/net’: Invalid argument
find: ‘/proc/33513/task/33513/net’: Invalid argument
find: ‘/proc/33513/net’: Invalid argument
[root@mdc-ipa-2 ca]# ipa certprofile-find
------------------
5 profiles matched
------------------
  Profile ID: acmeIPAServerCert
  Profile description: ACME IPA service certificate profile
  Store issued certificates: False

  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: True

  Profile ID: IECUserRoles
  Profile description: User profile that includes IECUserRoles extension
from request
  Store issued certificates: True

  Profile ID: KDCs_PKINIT_Certs
  Profile description: Profile for PKINIT support by KDCs
  Store issued certificates: False

  Profile ID: server
  Profile description: Default server certificate
  Store issued certificates: True
----------------------------
Number of entries returned 5
----------------------------
[root@mdc-ipa-2 ca]#

Any idea where to find the caCertSet profile?

Regards,
Alex Ivanov.
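The rejection in the log above is raised by the KeyConstraint of the caCACert profile (the same log shows the sub-CA signing request being submitted to caCACert with caCertSet as its policy set id, which is why `ipa certprofile-find caCertSet` matches nothing). The following is an added Python illustration, not Dogtag's or FreeIPA's code, that re-implements that check over a constructed profile fragment modelled on caCACert.cfg; the policy index and the exact file layout are assumptions.

```python
import re

# Constructed profile fragment modelled on Dogtag's caCACert profile (shipped
# originals live under /usr/share/pki/ca/profiles/ca/). Policy index "3" is an
# assumption; the keyParameters list is the one quoted in the rejection above.
PROFILE_CFG = """\
profileId=caCACert
policyset.list=caCertSet
policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
policyset.caCertSet.3.constraint.params.keyType=-
policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
"""
KEY_PARAM = re.compile(r"^policyset\.(?P<pset>[^.]+)\.(?P<idx>\d+)\.constraint\."
                       r"params\.(?P<name>keyType|keyParameters)=(?P<value>.*)$")

def key_constraints(cfg_text):
    """Map (policyset, index) -> {keyType, keyParameters} for each key constraint."""
    found = {}
    for line in cfg_text.splitlines():
        m = KEY_PARAM.match(line.strip())
        if m:
            found.setdefault((m["pset"], m["idx"]), {})[m["name"]] = m["value"]
    return found

def check_key(cfg_text, key_algorithm, key_param):
    """Simplified KeyConstraint.validate(): key_param is the RSA bit size or EC curve.
    keyType '-' accepts any algorithm; returns (accepted, message) worded like the log."""
    for params in key_constraints(cfg_text).values():
        key_type = params.get("keyType", "-")
        if key_type != "-" and key_type.upper() != key_algorithm.upper():
            return False, f"Key Type {key_type} Not Matched"
        allowed = [p.strip() for p in params.get("keyParameters", "").split(",")
                   if p.strip() not in ("", "-")]
        if allowed and str(key_param) not in allowed:
            return False, f"Key Parameters {','.join(allowed)} Not Matched"
    return True, "ok"

def allow_key_size(cfg_text, size):
    """Return a copy of the profile with `size` appended to every keyParameters list."""
    out = []
    for line in cfg_text.splitlines():
        m = KEY_PARAM.match(line.strip())
        if m and m["name"] == "keyParameters":
            allowed = [p.strip() for p in m["value"].split(",") if p.strip()]
            if str(size) not in allowed:
                allowed.append(str(size))
            line = line.split("=", 1)[0] + "=" + ",".join(allowed)
        out.append(line)
    return "\n".join(out) + "\n"
```

Whether to widen keyParameters in the CA's copy of caCACert or to keep the sub-CA key at one of the listed sizes is a deployment choice; the message itself names only the policy set, so the "Submitting certificate request to caCACert profile" debug line is the one that identifies the profile.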


On Fri, Mar 3, 2023 at 4:16 PM Rob Crittenden <[email protected]> wrote:

> Алексей Иванов via FreeIPA-users wrote:
> > Greetings,
> >
> > During the installation process I used the following pki_override.cfg file
> >
> > [DEFAULT]
> > pki_admin_key_algorithm=SHA512withRSA
> > pki_admin_key_size=8192
> > pki_audit_signing_key_algorithm=SHA512withRSA
> > pki_audit_signing_key_size=8192
> > pki_audit_signing_key_type=rsa
> > pki_audit_signing_signing_algorithm=SHA512withRSA
> > pki_ssl_server_key_algorithm=SHA512withRSA
> > pki_ssl_server_key_size=8192
> > pki_sslserver_signing_algorithm=SHA512withRSA
> > pki_subsystem_key_algorithm=SHA512withRSA
> > pki_subsystem_signing_algorithm=SHA512withRSA
> > pki_subsystem_key_size=8192
> > [CA]
> > pki_ca_signing_key_size=8192
> > pki_ca_signing_key_algorithm=SHA512withRSA
> > pki_ca_signing_signing_algorithm=SHA512withRSA
> > pki_ocsp_signing_key_algorithm=SHA512withRSA
> > pki_ocsp_signing_key_size=8192
> > pki_ocsp_signing_signing_algorithm=SHA512withRSA
> > [KRA]
> > pki_storage_key_algorithm=SHA512withRSA
> > pki_storage_key_size=8192
> > pki_storage_signing_algorithm=SHA512withRSA
> > pki_transport_key_algorithm=SHA512withRSA
> > pki_transport_key_size=8192
> > pki_transport_signing_algorithm=SHA512withRSA
> > [OCSP]
> > pki_ocsp_signing_key_algorithm=SHA512withRSA
> > pki_ocsp_signing_key_size=8192
> > pki_ocsp_signing_signing_algorithm=SHA512hRSA
> >
> > This led to the following error when I try to add a subCA
> >
> > Request failed with status 400: Non-2xx response from CA REST API: 400.
> > Failed to issue CA certificate. Final status: rejected. Additional info:
> > Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
> >
> > By default we have three certificate profiles caIPAserviceCert,
> > KDCs_PKINIT_Certs, IECUserRoles but changing them does not fix this
> > error. Could you please tell me where I can find a subCA certificate
> > template?
>
> Look in /var/log/pki/pki-tomcat/ca/debug-<date> and it should tell you
> the profile it used.
>
> At one point subCA keys were hardcoded at 2048. I don't know if that is
> still the case.
>
> 8k keys everywhere are going to tank performance, particularly the 8k
> server-cert key.
>
> rob
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]