Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-04 Thread Florence Blanc-Renaud

On 08/03/2016 07:54 PM, Richard Harmonson wrote:

On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

On 08/02/2016 04:52 AM, Richard Harmonson wrote:

On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> I am having challenges resuming ipa-server-install --external-ca. I am reasonably
> confident I am not providing the right certificate and/or format from my
> off-line root CA using 389 and Dogtag.
>
> Does anyone have instructions on how to accomplish the task of
> exporting the correct certificates in the expected format?
>
> Thank you.
>

The IPA procedure with prerequisites is described at

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca

Or are you rather asking for specific PKI instructions?

e.g.
* http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
* http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
--
Petr Vobornik


I read the suggested document, previously, but it's an excellent
shared reference for this discussion.

I have successfully submitted and approved the csr. Dogtag
provides a web UI which provides a Base 64 encoded certificate or
Base 64 encoded certificate with CA certificate chain in pkcs7 format.

For the servercert2010601.pem (the signed CSR request signing CA
certificate 0x9) referenced in the article, do I copy and paste
(-BEGIN .. END-) the base 64 (not pkcs7) to a file using *.pem
then submit using one of the two --external-cert-file?

For the cacert.pem (the Root CA signing certificate 0x1)
referenced in the article, do I copy and paste the base 64 with ca
in pkcs7 format to a file using *.pkcs7 (or pem or does it matter?)
then submit using the second --external-cert-file?

Your guidance is much appreciated.


Hi Richard,

I tested the following steps to install FreeIPA with a certificate
signed by an external Dogtag instance:

1- IPA installation on host ipaserver with:
ipaserver$ ipa-server-install [options] --external-ca

This step produces the Certificate Signing Request /root/ipa.csr
that must be provided to the Dogtag server.

2- On the Dogtag machine, configure Dogtag client authentication (to
be able to use the command-line):

dogtagsrv$ pki -c password client-init

This step creates an NSSDB in ~/.dogtag/nssdb where the certificates
for client->dogtag server authentication will be stored.

dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/

This step imports the caadmin certificate that was created during
Dogtag installation into the client NSSDB. The client will be able
to authenticate as "caadmin" when using Dogtag CLI. Please note the
certificate nickname that can be found using

dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/
[...]
PKI Administrator for  u,u,u

3- On the Dogtag machine, submit the CSR and approve:
dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file /path/to/ipa.csr

This step submits the csr to Dogtag, using the caCACert profile in
order to produce a Certificate that can be used for a Certificate
Authority. Note the Request ID in the output as it will be used in
the next command to approve the CSR and produce the cert:

dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for "  cert-request-review  --action approve

4- On the Dogtag machine, export the certificate and the dogtag CA cert:

dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for "  cert-show 7 --encoded --output ipa.cert
dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert

5- Resume ipa server installation with

ipaserver$ ipa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert

With those steps, I was able to install FreeIPA server with a
3rd-party signed Certificate Authority. Please let me know if you
have issues with those instructions,

Flo.


Awesome!

Flo, your instructions were perfect! I exported the certs and during the
ipa-server-install I see the certs being displayed on

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-03 Thread Richard Harmonson
On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud wrote:

> On 08/02/2016 04:52 AM, Richard Harmonson wrote:
>
>> On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik wrote:
>>
>> On 07/31/2016 07:45 AM, Richard Harmonson wrote:
>> > I am having challenges resuming ipa-server-install --external-ca. I am reasonably
>> > confident I am not providing the right certificate and/or format from my
>> > off-line root CA using 389 and Dogtag.
>> >
>> > Does anyone have instructions on how to accomplish the task of
>> > exporting the correct certificates in the expected format?
>> >
>> > Thank you.
>> >
>>
>> The IPA procedure with prerequisites is described at
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
>>
>> Or are you rather asking for specific PKI instructions?
>>
>> e.g.
>> * http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
>> * http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
>> --
>> Petr Vobornik
>>
>>
>> I read the suggested document, previously, but it's an excellent shared
>> reference for this discussion.
>>
>> I have successfully submitted and approved the csr. Dogtag provides a
>> web UI which provides a Base 64 encoded certificate or Base 64 encoded
>> certificate with CA certificate chain in pkcs7 format.
>>
>> For the servercert2010601.pem (the signed CSR request signing CA
>> certificate 0x9) referenced in the article, do I copy and paste
>> (-BEGIN .. END-) the base 64 (not pkcs7) to a file using *.pem
>> then submit using one of the two --external-cert-file?
>>
>> For the cacert.pem (the Root CA signing certificate 0x1) referenced in
>> the article, do I copy and paste the base 64 with ca in pkcs7 format to
>> a file using *.pkcs7 (or pem or does it matter?) then submit using the
>> second --external-cert-file?
>>
>> Your guidance is much appreciated.
>>
>>
> Hi Richard,
>
> I tested the following steps to install FreeIPA with a certificate signed
> by an external Dogtag instance:
>
> 1- IPA installation on host ipaserver with:
> ipaserver$ ipa-server-install [options] --external-ca
>
> This step produces the Certificate Signing Request /root/ipa.csr that must
> be provided to the Dogtag server.
>
> 2- On the Dogtag machine, configure Dogtag client authentication (to be
> able to use the command-line):
>
> dogtagsrv$ pki -c password client-init
>
> This step creates an NSSDB in ~/.dogtag/nssdb where the certificates for
> client->dogtag server authentication will be stored.
>
> dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d
> /root/.dogtag/nssdb/
>
> This step imports the caadmin certificate that was created during Dogtag
> installation into the client NSSDB. The client will be able to authenticate
> as "caadmin" when using Dogtag CLI. Please note the certificate nickname that
> can be found using
>
> dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/
> [...]
> PKI Administrator for  u,u,u
>
> 3- On the Dogtag machine, submit the CSR and approve:
> dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type
> pkcs10 --csr-file  /path/to/ipa.csr
>
> This step submits the csr to Dogtag, using the caCACert profile in order
> to produce a Certificate that can be used for a Certificate Authority. Note
> the Request ID in the output as it will be used in the next command to
> approve the CSR and produce the cert:
>
> dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for
> "  cert-request-review  --action approve
>
> 4- On the Dogtag machine, export the certificate and the dogtag CA cert:
>
> dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for
> "  cert-show 7 --encoded --output  ipa.cert
> dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert
>
> 5- Resume ipa server installation with
>
> ipaserver$ ipa-server-install --external-cert-file=ipa.cert
> --external-cert-file=dogtagca.cert
>
> With those steps, I was able to install FreeIPA server with a 3rd-party
> signed Certificate Authority. Please let me know if you have issues with
> those instructions,
>
> Flo.
>

Awesome!

Flo, your instructions were perfect! I exported the certs and during the
ipa-server-install I see the certs being displayed on the screen then
"Process finished, return code=0", so they are accepted on resuming the
installation. The install fails with an LDAP error but I believe it to be
unrelated to the exported certs. Maybe a result of my earlier thrashing?

I will recover from a snapshot and begin again. If problems persist, I will
send another request for help for it is probably unrelated to the
certificates.

You got me one step closer. Thank you!

Debug sho

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-03 Thread Florence Blanc-Renaud

On 08/02/2016 04:52 AM, Richard Harmonson wrote:

On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> I am having challenges resuming ipa-server-install --external-ca. I am reasonably
> confident I am not providing the right certificate and/or format from my
> off-line root CA using 389 and Dogtag.
>
> Does anyone have instructions on how to accomplish the task of
> exporting the correct certificates in the expected format?
>
> Thank you.
>

The IPA procedure with prerequisites is described at

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca

Or are you rather asking for specific PKI instructions?

e.g.
* http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
* http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
--
Petr Vobornik


I read the suggested document, previously, but it's an excellent shared
reference for this discussion.

I have successfully submitted and approved the csr. Dogtag provides a
web UI which provides a Base 64 encoded certificate or Base 64 encoded
certificate with CA certificate chain in pkcs7 format.

For the servercert2010601.pem (the signed CSR request signing CA
certificate 0x9) referenced in the article, do I copy and paste
(-BEGIN .. END-) the base 64 (not pkcs7) to a file using *.pem
then submit using one of the two --external-cert-file?

For the cacert.pem (the Root CA signing certificate 0x1) referenced in
the article, do I copy and paste the base 64 with ca in pkcs7 format to
a file using *.pkcs7 (or pem or does it matter?) then submit using the
second --external-cert-file?

Your guidance is much appreciated.



Hi Richard,

I tested the following steps to install FreeIPA with a certificate
signed by an external Dogtag instance:

1- IPA installation on host ipaserver with:
ipaserver$ ipa-server-install [options] --external-ca

This step produces the Certificate Signing Request /root/ipa.csr that
must be provided to the Dogtag server.

2- On the Dogtag machine, configure Dogtag client authentication (to be
able to use the command-line):

dogtagsrv$ pki -c password client-init

This step creates an NSSDB in ~/.dogtag/nssdb where the certificates for
client->dogtag server authentication will be stored.

dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/

This step imports the caadmin certificate that was created during Dogtag
installation into the client NSSDB. The client will be able to
authenticate as "caadmin" when using Dogtag CLI. Please note the
certificate nickname that can be found using

dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/
[...]
PKI Administrator for  u,u,u

3- On the Dogtag machine, submit the CSR and approve:
dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file /path/to/ipa.csr

This step submits the csr to Dogtag, using the caCACert profile in order
to produce a Certificate that can be used for a Certificate Authority.
Note the Request ID in the output as it will be used in the next command
to approve the CSR and produce the cert:

dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for "  cert-request-review  --action approve

4- On the Dogtag machine, export the certificate and the dogtag CA cert:

dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for "  cert-show 7 --encoded --output ipa.cert
dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert

5- Resume ipa server installation with

ipaserver$ ipa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert

With those steps, I was able to install FreeIPA server with a 3rd-party
signed Certificate Authority. Please let me know if you have issues
with those instructions,

Flo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
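Before resuming the install in step 5, it is worth confirming that the two exported files are what --external-cert-file expects: a PEM certificate with CA:TRUE issued for the key in /root/ipa.csr, chaining to the Dogtag CA certificate. The POSIX shell check below is an added example, not code from the thread or from FreeIPA; it assumes openssl is installed and builds a throw-away, constructed Dogtag-style root and IPA CA certificate so it runs offline (the file names ipa.cert, dogtagca.cert and ipa.csr follow the steps above).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the two files handed to
# --external-cert-file before resuming ipa-server-install. Assumes openssl.

# Constructed fixture standing in for the Dogtag root (dogtagca.cert), the IPA
# CSR (/root/ipa.csr) and the cert issued with the caCACert profile (ipa.cert).
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/dogtagca.cert" \
        -subj "/O=EXAMPLE/CN=Dogtag Root CA" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ipa.key" -out "$d/ipa.csr" \
        -subj "/O=EXAMPLE/CN=Certificate Authority" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/dogtagca.cert" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/ipa.cert" -days 1 2>/dev/null
    # Same CSR signed without CA:TRUE, i.e. what a non-CA profile would return.
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/dogtagca.cert" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/leaf.cert" -days 1 2>/dev/null
    echo "$d"
}

# check_external_certs CERT CACERT CSR
# Returns 0 only if CERT is a PEM CA certificate issued for CSR's key and
# chaining to CACERT: the shape ipa-server-install expects in step 5.
check_external_certs() {
    cert=$1; cacert=$2; csr=$3
    for f in "$cert" "$cacert"; do
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "not a PEM certificate (pkcs7 or raw base64 blob?): $f"; return 1; }
    done
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "$cert lacks basicConstraints CA:TRUE; was the caCACert profile used?"; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl x509 -in "$cert" -noout -pubkey)" ] ||
        { echo "public key in $cert does not match $csr (files swapped?)"; return 1; }
    openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 ||
        { echo "$cert does not chain to $cacert"; return 1; }
    echo "ok: $cert is a CA certificate for $csr issued under $cacert"
}

# Demo on the constructed fixture; the second call shows the two files swapped.
FIX=$(make_fixture)
check_external_certs "$FIX/ipa.cert" "$FIX/dogtagca.cert" "$FIX/ipa.csr"
check_external_certs "$FIX/dogtagca.cert" "$FIX/ipa.cert" "$FIX/ipa.csr" || true
rm -rf "$FIX"
```

The same function can be pointed at the real ipa.cert, dogtagca.cert and /root/ipa.csr on the IPA host; a pkcs7 export or a swapped argument order is reported before the installer is resumed.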


Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-01 Thread Richard Harmonson
On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik wrote:

> On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> > I am having challenges resuming ipa-server-install --external-ca. I am reasonably
> > confident I am not providing the right certificate and/or format from my
> > off-line root CA using 389 and Dogtag.
> >
> > Does anyone have instructions on how to accomplish the task of exporting
> > the correct certificates in the expected format?
> >
> > Thank you.
> >
>
> The IPA procedure with prerequisites is described at
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
>
> Or are you rather asking for specific PKI instructions?
>
> e.g.
> * http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
> * http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
> --
> Petr Vobornik
>

I read the suggested document, previously, but it's an excellent shared
reference for this discussion.

I have successfully submitted and approved the csr. Dogtag provides a web
UI which provides a Base 64 encoded certificate or Base 64 encoded
certificate with CA certificate chain in pkcs7 format.

For the servercert2010601.pem (the signed CSR request signing CA
certificate 0x9) referenced in the article, do I copy and paste
(-BEGIN .. END-) the base 64 (not pkcs7) to a file using *.pem then
submit using one of the two --external-cert-file?

For the cacert.pem (the Root CA signing certificate 0x1) referenced in the
article, do I copy and paste the base 64 with ca in pkcs7 format to a file
using *.pkcs7 (or pem or does it matter?) then submit using the second
--external-cert-file?

Your guidance is much appreciated.

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-01 Thread Petr Vobornik
On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> I am having challenges resuming ipa-server-install --external-ca. I am reasonably
> confident I am not providing the right certificate and/or format from my
> off-line root CA using 389 and Dogtag.
>
> Does anyone have instructions on how to accomplish the task of exporting the
> correct certificates in the expected format?
>
> Thank you.
>

The IPA procedure with prerequisites is described at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca

Or are you rather asking for specific PKI instructions?

e.g.
* http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
* http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
-- 
Petr Vobornik
