Hello Brian,

I am glad this did finally help. And... I like the book suggestion! As well as the timeframe challenge ;-) But we also have quite a lot of documentation.

Yes, you can change the validity dates per enrollment profile; it is even encouraged to do so, to respect the local custom PKI policies / certification practice statement / CPS / certificate policy rules. Those enrollment profiles were designed to be very flexible, and it may take some time to understand how they work (trade-off).

Changing the enrollment/renewal/revocation profiles can be done using the pkiconsole, the pki command line:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/planning_installation_and_deployment_guide/sect-deployment_guide-planning_your_crts-determining_the_requirements_for_subsystem_certificates#planning-profiles
5.4.6. Using and Customizing Certificate Profiles
and
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/certificate_profiles
CHAPTER 2. MAKING RULES FOR ISSUING CERTIFICATES (CERTIFICATE PROFILES)
or manually: you are correct for the upstream doc at https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI but I prefer to edit manually, to keep the order of the lines in the text file of the profile.
(Note: profiles may also be stored in the LDAP backend.)

Stop the CA, then:

cd /var/lib/pki/some-string-here/ca/profiles/ca/

If this is about the caadmin, the enrollment profile we want to modify is caAdminCert.cfg:

cp -p caAdminCert.cfg caAdminCert.cfg.orig

then edit the file caAdminCert.cfg to tune the parameters:

policyset.adminCertSet.2.constraint.params.range=365
policyset.adminCertSet.2.default.params.range=365

Also review the policyset.adminCertSet.3.constraint.params.keyParameters

Extra note: in a 2-step installation ( 7.6. TWO-STEP INSTALLATION https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/planning_installation_and_deployment_guide/two-step-installation ), it is a good practice to do the same for the CA's internal profiles: set constraints and policies for validity dates, encryption, extensions, SANs, custom OIDs, etc.:

caCACert.cfg
caOCSPCert.cfg
caServerCert.cfg
caSubsystemCert.cfg
caSignedLogCert.cfg

and for example, for end user and server certificates:

caUserCert.cfg
caServerCert.cfg

A lot of those default profiles are provided as working examples to be used for customization (like file signing, smartcards).

Thanks,
Marc S.

On Tue, Feb 18, 2020 at 2:39 PM Wolf, Brian <brian.w...@risd.org> wrote:
> That did it! I can now access the agent page. I still get the Java “Error” pop-ups, but I can click through those and get to where I need. Now I get to renew the caadmin cert and repeat this exercise, and then document everything for next time!
>
> Since we’re only using dogtag for a single internal application, it would be nice to extend these longer than 2 years each time. I found https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-system-cert-lifetime.html that discusses how to adjust the maximum certificate lifetimes. Also https://www.dogtagpki.org/wiki/PKI_CA_Profile_CLI . Do you have any recommendations on that, as in am I better off just leaving well-enough alone?
>
> Thanks again for all of your help! If you ever decide to write a “Dogtag for Dummies” book, I’ll buy a copy! Of course I’ll probably be retiring within the next 5 years, so you’ll need to get it done before that!
>
> - Brian
>
> *From:* Marc Sauton <msau...@redhat.com>
> *Sent:* Tuesday, February 18, 2020 3:15 PM
> *To:* Wolf, Brian <brian.w...@risd.org>
> *Cc:* pki-users@redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> I may have forgotten a detail:
> the "description" value that needs to be updated (the pkiconsole would do that)
> search for the caadmin entry:
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin description
>
> and verify that description attribute needs a value in the form of
>
> 2;serial-number;issuer-subject-DN;subject-DN
>
> if the serial is 0x33 / 51 , it needs to be like for example:
>
> description: 2;51;CN=CA Signing Certificate,OU=suba1,O=Sub CA1 Example Test; CN=PKI Administrator,E=caad...@example.test,OU=subca1,O=Sub CA1 Example Test
>
> So another ldapmodify is needed (could have been done in one).
>
> Thanks,
> M.
>
> On Tue, Feb 18, 2020 at 9:05 AM Wolf, Brian <brian.w...@risd.org> wrote:
> Marc-
>
> I used this
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> delete: userCertificate
> -
> add: userCertificate
> userCertificate:: MII….
> -
>
> And now ldapsearch gives me:
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII….
>
> I restarted the pki-tomcat service for the instance. Now when I try to access it, I am back to the simple “Invalid Credential” error.
>
> /var/log/pki/risd-ise/ca/system says:
>
> 0.http-bio-8373-exec-1 - [18/Feb/2020:10:25:12 CST] [6] [3] Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caad...@risdca1.risd.org,OU=risd-ise,O=RISD.ORG. Error: User not found
>
> Could the problem be that there is no naming context for risd-ise, so it’s not matching the caadmin user?
> From your first response yesterday, it seems like you expected there to be, but I just have dc=ca,dc=risd,dc=org. I’ve been doing the ldapmodifies on it.
>
> If there ever was an entry for risd-ise, I don’t know what happened to it. I definitely didn’t intentionally delete it, because I didn’t really even know about the directory server part beyond the steps in the Installation Guide.
>
> ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=bwolf,ou=People,dc=ca,dc=risd,dc=org
>
> …
>
> - Brian
>
> *From:* Marc Sauton <msau...@redhat.com>
> *Sent:* Monday, February 17, 2020 7:12 PM
> *To:* Wolf, Brian <brian.w...@risd.org>
> *Cc:* pki-users@redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> Extra note, an ldapmodify "replace" should be used as the userCertificate can be multi-valued, and the first sample may be used from an LDAP search result set, which can be the older certificate, so it is better to either del/add or replace it to avoid confusion.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 5:05 PM Marc Sauton <msau...@redhat.com> wrote:
> For the pkiconsole:
> correct for RHEL, would need the RHCS subscription.
> but it is available from Fedora:
> pki-console-10.7.3-3.fc31.noarch : PKI Console Package
> Repo : fedora
>
> I do not think we have the pkiconsole in CentOS ( http://mirror.centos.org/centos/7.7.1908/ )
>
> For the ldapmodify, add the colon char twice because the value is already base-64 encoded, like for example:
>
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> delete: userCertificate
> -
> add: userCertificate
> userCertificate:: MII...
>
> That should solve the issue!
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 3:13 PM Wolf, Brian <brian.w...@risd.org> wrote:
> Marc-
>
> You were correct that the directory manager had the serial #6 version. I tried to replace it with the #33 version, but now when I try to connect, I get the error “You did not provide a valid certificate for this operation.” instead of “Invalid credential.”
>
> First, you mentioned using pkiconsole. I don’t have pkiconsole installed. I think we found that that was part of RHCS, and we don’t have a subscription for RHCS. So I’m just wading through the CLI commands.
>
> Also, I didn’t find any naming contexts specifically referencing the instance. Caadmin showed up in the Agents and Administrators queries for dc=ca,dc=risd,dc=org.
>
> And there is no CN=PKI Administrator entry in the list of Administrators.
>
> # ldapsearch -xLLL -D "cn=Directory Manager" -W -b "" -s base namingcontexts
> Enter LDAP Password:
> dn:
> namingcontexts: dc=ca,dc=risd,dc=org
> namingcontexts: dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> [root@risdca1 tmp]#
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Agents dn uniqueMember
> Enter LDAP Password:
> dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=pkidbuser,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Registration Manager Agents,ou=groups,dc=ca,dc=risd,dc=org
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=groups,dc=ca,dc=risd,dc=org cn=*Administrators dn uniqueMember
> Enter LDAP Password:
> dn: cn=Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=org
> uniqueMember: uid=xxxxx,ou=People,dc=ca,dc=risd,dc=org
>
> dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=risd,dc=org
> uniqueMember: uid=caadmin,ou=People,dc=ca,dc=risd,dc=or
>
> The user certificate appeared to be in X509 format. I copied that to a file and verified that it was the expired #6 version.
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate:: MII********************************************************
>  S***************************************************************************
>  G***************************************************************************
> …
>  **********************************************************************M7nQ==
>
> I didn’t find any examples of multi-line values in the ldapmodify file, so I tried using the same format as the search used, with the second and subsequent lines beginning with a space and a “-“ on the last line.
>
> $ cat ldapmodify.caadmin.txt
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> changetype: modify
> replace: userCertificate
> userCertificate: MII*********************************************************
>  S****************************************************************************
> …
>  P***********************************************************************mDw==
> -
>
> # ldapmodify -x -D "cn=directory manager" -W -f /tmp/ldapmodify.caadmin.txt
> Enter LDAP Password:
> modifying entry "uid=caadmin,ou=people,dc=ca,dc=risd,dc=org"
> #
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b ou=people,dc=ca,dc=risd,dc=org uid=caadmin userCertificate
> Enter LDAP Password:
> dn: uid=caadmin,ou=people,dc=ca,dc=risd,dc=org
> userCertificate: MII****************************************************************************
>  V******************************************************************************************
> ….
>  K***********************************************************************************mdw==
>
> So it took what I gave it.
> I noticed that for the old cert, ldapsearch displayed “userCertificate::” (two colons), and now it only has “userCertificate:” (one colon). Is that significant? I tried changing the input file to read userCertificate::, and then ldapsearch showed both colons again, but I still got the “you did not provide a valid credential…” error when I tried to connect from my laptop.
>
> I verified that Firefox on my laptop is using PKI Administrator [33] for identification.
>
> - Brian
>
> *From:* Marc Sauton <msau...@redhat.com>
> *Sent:* Monday, February 17, 2020 2:00 PM
> *To:* Wolf, Brian <brian.w...@risd.org>
> *Cc:* pki-users@redhat.com
> *Subject:* Re: [Pki-users] pki 10.5 - Unable to log in to PKI console
>
> The entry
> CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain
> likely has the older cert with serial 6, it just needs the newer one with serial 0x33 / 51
> It may be easier to use the pkiconsole to add it, under
> "Configuration | Users and Groups | Users | admin | Certificates | Import"
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 11:50 AM Marc Sauton <msau...@redhat.com> wrote:
> Hello,
> Probably either there is no caadmin (uid=admin may be set from the older environment), or the SSL client certificate is simply missing from the administrator or agent groups.
> Try for example:
>
> locate the LDAP base DN of the PKI repository:
> ldapsearch -xLLL -D "cn=directory manager" -W -b "" -s base namingcontexts
>
> output example:
> dn:
> namingcontexts: dc=example,dc=test
> namingcontexts: o=rootca1-CA
> namingcontexts: o=subca1-CA
>
> note it could also be in the form of namingcontexts: dc=ca1.example.test-pki-ca1
> and in your case it may be similar to o=risd-ise-CA
>
> then search into that LDAP backend to verify the values of the attribute uniquemember of the entries, like in this example but by replacing the string o=subca1-CA to match your environment:
>
> either for the agent users:
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Agents dn uniqueMember
>
> or the administrators (admin or caadmin is the default one, like a "root" user):
> ldapsearch -xLLL -D "cn=directory manager" -w password -b ou=groups,o=subca1-CA cn=*Administrators dn uniqueMember
>
> then verify the uniqueMember value corresponds to a valid existing LDAP entry, like for example:
> dn: uid=caadmin,ou=people,o=subca1-CA
>
> and then verify that admin or agent user entry has a corresponding user certificate, like for example:
> ldapsearch -LLLx -D "cn=directory manager" -W -b ou=people,o=subca1-CA uid=caadmin userCertificate
>
> you may have to update the value of the userCertificate with ldapmodify to match the certificate with serial number 0x33 and subject DN
> CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain
> from the NSS db at ~/.dogtag/risd-ise/ca/alias/
>
> Note this can be done using the pkiconsole.
>
> Thanks,
> M.
>
> On Mon, Feb 17, 2020 at 9:41 AM Wolf, Brian <brian.w...@risd.org> wrote:
> I installed PKI-CA several years ago on a Redhat 7 (actually Oracle Unbreakable Linux) server. I used it to create certificates for an application and have not really used it since.
> I had to renew the base certificates last year. That took some effort, but I got it to work. Now I am unable to connect to the web-based agent page. I copied the PKI Administrator .p12 certificate from ~/.dogtag/MyInstance/ to my laptop and installed it under “Your Certificates” and the signing certificate under Authorities in Firefox. When I try to connect to the agent page ( https://.../ca/agent/ca ), the padlock goes green, but I get an “Invalid Credential” error. /var/log/pki/risd-ise/ca/system contains
>
> Cannot authenticate agent with certificate Serial 0x33 Subject DN CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain. Error: User not found
>
> The caadmin cert is in ~/.dogtag/risd-ise/ca/alias/cer8.db. There are actually two entries: the current one and the previous expired one. It is also in /etc/pki/ca-trust/source/anchors
>
> What is it looking for, and where?
>
> - Brian
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> CA Signing Certificate - MyDomain               CT,c,
> caadmin                                         u,u,u
> caadmin                                         u,u,u
>
> # certutil -L -d ~/.dogtag/MyInstance/ca/alias -n caadmin
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 51 (0x33)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Tue Feb 26 04:20:43 2019
>             Not After : Wed Feb 26 04:20:43 2020
>         Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 6 (0x6)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Fri Mar 10 22:38:25 2017
>             Not After : Thu Feb 28 22:38:25 2019
>         Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomainr,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>
> # certutil -L -d /etc/pki/ca-trust/source/anchors -n "PKI Administrator - MyDomain"
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 51 (0x33)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=CA Signing Certificate,OU=MyInstance,O=MyDomain"
>         Validity:
>             Not Before: Tue Feb 26 04:20:43 2019
>             Not After : Wed Feb 26 04:20:43 2020
>         Subject: "CN=PKI Administrator,E=caadmin@MyServer.MyDomain,OU=MyInstance,O=MyDomain"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>
> Current versions:
>
> Linux 4.14.35-1902.10.7.el7uek.x86_64 #2 SM
>
> pki-base-10.5.16-6
> pki-base-java-10.5.16-6.el7_7.noarch
> java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
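The thread's LDAP fix hinges on two details that are easy to get wrong by hand: the `userCertificate` value has to be the DER of the renewed certificate loaded with the `::` base64 marker (a single colon stores the base64 text itself, which is why the one-colon attempt above still failed), and the `description` attribute has to carry `2;<decimal serial>;<issuer DN>;<subject DN>` for the same certificate. The following is an added example, not code from the thread, from Dogtag or from RHCS: it builds the `ldapmodify` input for both attributes from a DER certificate (using `replace`, as the thread recommends for a multi-valued attribute), and it checks an `ldapsearch -LLL` entry to report which serial is actually stored, or that the value was stored as text. The DN values and the DER blob are constructed; the blob only mimics the start of an X.509 certificate (outer SEQUENCE, tbsCertificate, version, serial 0x33), which is all the serial extraction reads.

```python
"""Build the ldapmodify input that re-binds a renewed Dogtag admin certificate
to its LDAP user entry, and check what an existing entry actually holds.

Added example (not Dogtag/RHCS code). Assumes the entry layout seen in the
thread: `userCertificate` as binary DER (LDIF `::`), and `description` in the
form 2;<decimal serial>;<issuer DN>;<subject DN>.
"""
import base64

# --- minimal DER walk: enough to pull serialNumber out of an X.509 certificate ---

def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at `pos`."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def certificate_serial(der: bytes) -> int:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }.  The version wrapper is EXPLICIT [0]
    (tag byte 0xA0); when it is absent (v1) the first TBS element is the serial."""
    tag, start, _ = _der_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    tag, pos, _ = _der_tlv(der, start)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, vstart, vend = _der_tlv(der, pos)
    if tag == 0xA0:                         # skip [0] version
        tag, vstart, vend = _der_tlv(der, vend)
    assert tag == 0x02, "expected INTEGER serialNumber"
    return int.from_bytes(der[vstart:vend], "big", signed=True)


# --- LDIF helpers (RFC 2849: fold at 76 columns, continuation lines start with a space) ---

def ldif_fold(line: str, width: int = 76) -> str:
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def description_value(serial: int, issuer_dn: str, subject_dn: str) -> str:
    """Dogtag's admin binding: 2;<decimal serial>;<issuer DN>;<subject DN>."""
    return f"2;{serial};{issuer_dn};{subject_dn}"


def rebind_ldif(user_dn: str, der: bytes, issuer_dn: str, subject_dn: str) -> str:
    """ldapmodify input replacing userCertificate (binary, hence `::`) and description."""
    b64 = base64.b64encode(der).decode("ascii")
    desc = description_value(certificate_serial(der), issuer_dn, subject_dn)
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: userCertificate",         # replace, not add: the attribute is multi-valued
        ldif_fold(f"userCertificate:: {b64}"),
        "-",
        "replace: description",
        ldif_fold(f"description: {desc}"),
        "-",
    ]) + "\n"


def ldif_entry(text: str) -> dict:
    """Parse one `ldapsearch -LLL` entry into {attr: [values]}; `::` values become bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold continuation line
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("::")
        if sep:
            attrs.setdefault(name, []).append(base64.b64decode(value.strip()))
        else:
            name, _, value = line.partition(":")
            attrs.setdefault(name, []).append(value.strip())
    return attrs


def stored_serials(ldapsearch_output: str):
    """Serials of the certificates in the entry, or None when a value was stored
    as text (loaded with one colon), which a client-cert login can never match."""
    serials = []
    for v in ldif_entry(ldapsearch_output).get("userCertificate", []):
        if not isinstance(v, bytes):
            return None
        serials.append(certificate_serial(v))
    return serials


# --- constructed sample input (not a real certificate) ---

def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

# Outer SEQUENCE / TBS SEQUENCE / [0] version=2 / serial 0x33, then filler in
# place of the remaining TBS fields so long-form lengths are exercised.
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02"))
                               + _der(0x02, b"\x33") + _der(0x04, b"\x00" * 200)))
SAMPLE_USER_DN = "uid=caadmin,ou=people,dc=example,dc=test"          # hypothetical
SAMPLE_ISSUER = "CN=CA Signing Certificate,OU=subca1,O=Example Test"  # hypothetical
SAMPLE_SUBJECT = "CN=PKI Administrator,E=caadmin@example.test,OU=subca1,O=Example Test"

if __name__ == "__main__":
    print(rebind_ldif(SAMPLE_USER_DN, SAMPLE_DER, SAMPLE_ISSUER, SAMPLE_SUBJECT))
```

Feed the printed LDIF to `ldapmodify -x -D "cn=directory manager" -W -f <file>`; run `stored_serials` on the `ldapsearch -LLL ... uid=caadmin userCertificate` output before and after to confirm the entry now holds the serial the CA logs as rejected (0x33 in the thread). Extracting the serial with a hand-rolled DER walk keeps the example dependency-free; on a real host `certutil -L -n caadmin` or `openssl x509 -noout -serial` gives the same number.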
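Marc's preferred way of changing the validity of an enrollment profile is to edit the `.cfg` file in place, after a `cp -p` backup, so the line order of the profile survives; the two values to move together are `policyset.<set>.<n>.constraint.params.range` and `policyset.<set>.<n>.default.params.range`. The following is an added example, not code from the thread or from Dogtag: it rewrites only those two keys of one policy set, leaves every other line untouched and in order, and refuses to write a profile whose default validity exceeds its own constraint (a default that violates the constraint would be rejected at enrollment). The sample profile text is constructed and only loosely modelled on caAdminCert.cfg; the path handling assumes the `/var/lib/pki/<instance>/ca/profiles/ca/` layout from the thread.

```python
"""Adjust the validity range of a Dogtag enrollment profile file in place,
preserving line order, with a consistency check before writing.

Added example (not Dogtag/RHCS code). Assumes the key=value profile format
under /var/lib/pki/<instance>/ca/profiles/ca/ and the
policyset.<set>.<n>.{constraint,default}.params.range keys from the thread.
"""
import re
import shutil
from pathlib import Path

# Matches the two validity keys; group 1 is the full key, named groups split it.
RANGE_KEY = re.compile(
    r"^(policyset\.(?P<set>[^.]+)\.(?P<n>\d+)\.(?P<kind>constraint|default)"
    r"\.params\.range)=(?P<val>\d+)\s*$"
)


def set_validity_range(text: str, policy_set: str, days: int) -> str:
    """Rewrite constraint and default range of one policy set; every other line
    is emitted unchanged, in its original position."""
    out = []
    for line in text.splitlines():
        m = RANGE_KEY.match(line)
        if m and m.group("set") == policy_set:
            line = f"{m.group(1)}={days}"
        out.append(line)
    return "\n".join(out) + "\n"


def validity_ranges(text: str) -> dict:
    """{(set, n): {"constraint": days, "default": days}} for each validity policy."""
    found = {}
    for line in text.splitlines():
        m = RANGE_KEY.match(line)
        if m:
            found.setdefault((m.group("set"), m.group("n")), {})[m.group("kind")] = int(m.group("val"))
    return found


def check_ranges(text: str) -> list:
    """Problems found: a default longer than its constraint can never satisfy it."""
    problems = []
    for (pset, n), r in validity_ranges(text).items():
        if "constraint" in r and "default" in r and r["default"] > r["constraint"]:
            problems.append(f"policyset.{pset}.{n}: default {r['default']} > constraint {r['constraint']}")
    return problems


def edit_profile(path: Path, policy_set: str, days: int) -> Path:
    """Back the file up once (<name>.orig, metadata preserved like `cp -p`),
    then rewrite it; raises instead of writing an inconsistent profile."""
    backup = path.with_suffix(path.suffix + ".orig")
    if not backup.exists():
        shutil.copy2(path, backup)
    new_text = set_validity_range(path.read_text(), policy_set, days)
    problems = check_ranges(new_text)
    if problems:
        raise ValueError("; ".join(problems))
    path.write_text(new_text)
    return backup


# Constructed sample, loosely modelled on caAdminCert.cfg (not the real file).
SAMPLE_PROFILE = """\
desc=Sample administrator enrollment profile (constructed)
visible=false
enable=true
enableBy=admin
policyset.list=adminCertSet
policyset.adminCertSet.list=1,2,3
policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.adminCertSet.1.constraint.params.pattern=.*
policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
policyset.adminCertSet.2.constraint.params.range=730
policyset.adminCertSet.2.default.class_id=validityDefaultImpl
policyset.adminCertSet.2.default.params.range=730
policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
policyset.adminCertSet.3.constraint.params.keyParameters=2048,3072,4096
"""

if __name__ == "__main__":
    print(set_validity_range(SAMPLE_PROFILE, "adminCertSet", 365))
```

On a live instance, stop the CA first (as the thread says), run `edit_profile(Path("/var/lib/pki/<instance>/ca/profiles/ca/caAdminCert.cfg"), "adminCertSet", 365)`, then start it again; the `.orig` copy is what you diff against afterwards. Because the function only touches the two `range` keys, the `keyParameters` line and the rest of the file come through byte for byte.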