Bug 1366353
| Summary: | Dogtag 10.3.3-X: Miscellaneous Enhancements | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | ftweedal, mharmsen, ssidhaye, tlavigne |
| Target Milestone: | rc | ||
| Target Release: | 7.3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.3.3-9.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 05:27:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Matthew Harmsen
2016-08-11 18:12:57 UTC
Upstream ticket: https://fedorahosted.org/pki/ticket/2436

The following were cherry-picked into DOGTAG_10_3_RHEL_BRANCH:
commit 361eb16c8558f5be6cdb65ab412ab4f703a10bdc
Author: Matthew Harmsen <mharmsen>
Date: Fri Aug 19 15:58:12 2016 -0600
pki-tools HEADER/FOOTER changes
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
(cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
(cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)
commit 15a6f83a651949af7ba7bfe8fc1b3626d064fa87
Author: Endi S. Dewata <edewata>
Date: Thu Aug 18 05:40:25 2016 +0200
Added debug messages for ConfigurationUtils.handleCerts().
To help troubleshooting some debug messages have been added into
ConfigurationUtils.handleCerts().
https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 9aa6640e7e94a591343478ee806a6e6d4c9f81e8)
(cherry picked from commit 4e5c8e53345d500bfa620267a8ae35df0e2973b6)
commit 3bfd5acb075751e429eeb8b46f17c624a5178a41
Author: Endi S. Dewata <edewata>
Date: Fri Aug 12 04:42:25 2016 +0200
Added cert validation error message in selftest log.
To help troubleshooting the selftest log has been modified to
include the cert validation error message returned by JSS.
https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 0fd31368d871c513c9833ca02bc08d15a48d6aa5)
(cherry picked from commit 488303542161103cbbac6814dffd8818fccf455d)
The following was cherry-picked in to DOGTAG_10_3_RHEL_BRANCH:
commit c7aa56ee7df2052deff23190912f86b42042cd59
Author: Abhijeet Kasurde <akasurde>
Date: Wed Aug 10 11:58:49 2016 +0530
Added check for pki-server-nuxwdog parameter
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
Signed-off-by: Abhijeet Kasurde <akasurde>
(cherry picked from commit c79371fdc667e6acfcae7255f144e63cd60bf0f9)
(cherry picked from commit b4d5fcc5a30a11ed5e84ca835aea733a5d5bbfb6)
Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From d9c0460a85dab6249844f6f8a2fe4d45c11554e5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata>
Date: Wed, 31 Aug 2016 16:15:19 +0200
Subject: [PATCH 1/9] Fixed debug log in UpdateNumberRange servlet.
To help troubleshooting the debug log in UpdateNumberRange servlet has been modified to show the exception stack trace.
https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 1922f77e825c8c0ec742382b752b0a32afbff8a9)
(cherry picked from commit a9db37c53fff88d0f00293df0fd29877bb797091)

From 6cfdd4a6434c8ca08cdbcd659d44a74f6bb6d123 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata>
Date: Wed, 7 Sep 2016 00:35:40 +0200
Subject: [PATCH 9/9] Removed FixSELinuxContexts upgrade script.
The FixSELinuxContexts upgrade script has been removed temporarily due to a problem importing selinux library during RPM upgrade. The FixDeploymentDescriptor script number has been changed accordingly.
https://fedorahosted.org/pki/ticket/2452
(cherry picked from commit 76b3ae5062aef22eece89117a28bd9b86ddef92d)
(cherry picked from commit b3248175d261bc82d3d9c965f047ea9d0fa2bc9e)

Manually copied and merged into DOGTAG_10_3_RHEL_BRANCH:

commit 91841bfa7bdc9df688bf07fe9cab811251d93740
Author: Matthew Harmsen <mharmsen>
Date: Tue Sep 6 21:10:57 2016 -0600
Updated RPM spec.
The code in the RPM spec that moves the upgrade scripts has been updated to reflect the FixSELinuxContexts deletion. The libselinux-python is used by deployment and upgrade scripts to set the SELinux contexts, so a direct runtime dependency has been added to the RPM spec file. The duplicate python-ldap and python-lxml dependencies have been removed.
https://fedorahosted.org/pki/ticket/2452

Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From d0f45bfb653636673300b169dfa8ffe90b63cb58 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu.redhat.com>
Date: Wed, 31 Aug 2016 14:03:02 -0700
Subject: [PATCH 2/9] Ticket #2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM)
When installing multiple instances on the same host sharing the same HSM, if subject_dn's are not specifically spelled out with unique names for each instance, installation will fail with complaints that same subject name and serial number already exist. This happens in the scenario if you are creating a subordinate CA, for example, that's in the same domain name as the root CA. It is very inconvenient that you are expected to spell out subject dn's of all system certs in the pkispawn config file. This patch changes default.cfg so that the instance name is in the default subject dn, e.g. adding it as an "ou" component: ou=%(pki_instance_name)s
(cherry picked from commit 1195ee9d6e45783d238edc1799363c21590febce)
(cherry picked from commit 1d1b3a705fdaca26d580566ff3fb1725334ff674)

Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From 92d92c6ee2a0a531183a373cc1f3975662fdca40 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee>
Date: Fri, 2 Sep 2016 16:08:02 -0400
Subject: [PATCH 4/9] Fix CertRequestInfo URLs
The URLs were generated by a UriBuilder that referred to the resource's annotated path. This top-level path changed though, even if the underlying paths did not. Replace this with a reference to the getX methods instead. Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
(cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2)
(cherry picked from commit 7baa7e60b708c5b4c79d6dd963321d34958cc81b)

How do I verify these fixes? Need some info on this.

Marking it modified.

VERIFICATION STEPS for the fix cherry picked from commit c79371fdc667e6acfcae7255f144e63cd60bf0f9:
1. Execute `pki-server-nuxwdog' without arguments, and then with a bogus argument. Verify that output and exit code match the following transcript:
sh-4.3$ pki-server-nuxwdog
ERROR: /sbin/pki-server-nuxwdog requires parameter
sh-4.3$ echo $?
1
sh-4.3$ pki-server-nuxwdog BOGUS
ERROR: Unable to find /etc/sysconfig/BOGUS file
sh-4.3$ echo $?
1

VERIFICATION STEPS for the fix cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2:
1. Query cert request information from REST API, per following example:
sh-4.3$ curl --header "Accept: application/json" \
https://$(hostname):8443/ca/rest/certrequests/<N>
(pick some number <N> of the cert request to examine).
2. Verify that "requestURL" value in response matches:
"https://$(hostname):8443/ca/rest/certrequests/<N>
^^^^^^^^^^^^^
3. Verify that "certURL" value in response matches:
"https://$(hostname):8443/ca/rest/certs/<M>
^^^^^^
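The three steps above can be made repeatable. The following is an added example, not Dogtag's own code: it parses the JSON returned by the certrequests resource and checks requestURL and certURL the way steps 2 and 3 describe, comparing origin and path with a URL parser rather than by string prefix. The embedded JSON is a constructed sample modelled on the response shape shown later in this bug; the host `ca.example.test`, the port and the ids are placeholders, and the `fetch_cert_request_info` helper (for live use only) is an assumption about how one would retrieve the response with the `Accept: application/json` header from step 1.

```python
"""Added example, not Dogtag's own code: the three manual verification steps
above as a repeatable check of a CA REST certrequests response.  The JSON
below is a constructed sample modelled on the shape shown in this bug; host,
port and ids are placeholders, not values from any real deployment."""
import json
import urllib.request
from urllib.parse import urlsplit

SAMPLE_RESPONSE = json.dumps({
    "requestType": "enrollment",
    "requestStatus": "complete",
    "requestURL": "https://ca.example.test:8443/ca/rest/certrequests/7",
    "certId": "0x7",
    "certURL": "https://ca.example.test:8443/ca/rest/certs/7",
    "certRequestType": "pkcs10",
    "operationResult": "success",
})


def fetch_cert_request_info(base_url, request_id, context=None):
    """GET /ca/rest/certrequests/<N> with Accept: application/json (live use only).
    Pass an ssl.SSLContext that trusts the CA chain rather than disabling
    verification, which is what the --insecure curl in the test log does."""
    url = "%s/ca/rest/certrequests/%d" % (base_url.rstrip("/"), request_id)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=context) as resp:
        return resp.read().decode("utf-8")


def _same_origin(url, base):
    """Compare scheme, host and port, not string prefixes."""
    u, b = urlsplit(url), urlsplit(base)
    return (u.scheme, u.hostname, u.port) == (b.scheme, b.hostname, b.port)


def _trailing_id(url):
    """Trailing path element as an integer; accepts decimal or 0x-prefixed hex."""
    seg = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    return int(seg, 16) if seg.lower().startswith("0x") else int(seg, 10)


def check_cert_request_info(response_text, base_url, request_id):
    """Return the mismatches between the response and the URLs steps 2 and 3
    expect; an empty list means the CertRequestInfo fix is in place."""
    info = json.loads(response_text)
    problems = []
    req_url = info.get("requestURL", "")
    expected = "/ca/rest/certrequests/%d" % request_id
    if not _same_origin(req_url, base_url):
        problems.append("requestURL origin differs from %s" % base_url)
    if urlsplit(req_url).path != expected:
        problems.append("requestURL path %r != %r" % (urlsplit(req_url).path, expected))
    # Assumption: certURL/certId are only meaningful once a cert was issued.
    if info.get("requestStatus") == "complete":
        cert_url = info.get("certURL", "")
        cert_path = urlsplit(cert_url).path
        if not _same_origin(cert_url, base_url):
            problems.append("certURL origin differs from %s" % base_url)
        if not cert_path.startswith("/ca/rest/certs/"):
            problems.append("certURL path %r is not under /ca/rest/certs/" % cert_path)
        else:
            # Assumption: the hex certId and the trailing certURL element name
            # the same serial number, as they do in the log below (0x1 and 1).
            try:
                if _trailing_id(cert_url) != int(info["certId"], 16):
                    problems.append("certURL id does not match certId %s" % info["certId"])
            except (KeyError, ValueError):
                problems.append("certId missing or unparsable")
    return problems


if __name__ == "__main__":
    print(check_cert_request_info(SAMPLE_RESPONSE, "https://ca.example.test:8443", 7) or "OK")
```

Against a live instance, feed the text returned by `fetch_cert_request_info` into `check_cert_request_info` with the instance's base URL and the request number you picked; a non-empty list is the symptom the commit message describes (URLs built from a resource path that no longer matches the deployed one).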
Build used for verifying commit c79371fdc667e6acfcae7255f144e63cd60bf0f9:
[root@pki2-ipv6 ~]# pki --version
PKI Command-Line Interface 10.3.3-10.el7

Test Results:
[root@pki2-ipv6 ~]# pki-server-nuxwdog
ERROR: /usr/sbin/pki-server-nuxwdog requires parameter
[root@pki2-ipv6 ~]# echo $?
1
[root@pki2-ipv6 ~]# pki-server-nuxwdog qwerty
ERROR: Unable to find /etc/sysconfig/qwerty file
[root@pki2-ipv6 ~]#

pki-server-nuxwdog fix is working fine.

Verification for 7a93dbeae18407e28437f4affc31ddc24a2c42f2:
[root@pki2-ipv6 ~]# curl --insecure --header "Accept: application/json" https://pki2-ipv6.example.org:20443/ca/rest/certrequests/1
{
  "requestType": "enrollment",
  "requestStatus": "complete",
  "requestURL": "https://pki2-ipv6.example.org:20443/ca/rest/certrequests/1",
  "certId": "0x1",
  "certURL": "https://pki2-ipv6.example.org:20443/ca/rest/certs/1",
  "certRequestType": "pkcs10",
  "operationResult": "success"
}
requestURL and certURL are as expected.

Sumedh,
For:
commit 361eb16c8558f5be6cdb65ab412ab4f703a10bdc
Author: Matthew Harmsen <mharmsen>
Date: Fri Aug 19 15:58:12 2016 -0600
pki-tools HEADER/FOOTER changes
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
(cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
(cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)
Run your tests to make certain that the changes made did not prevent the tool from working, and that the output of the tools (NOT certutil) conforms with the
RFC 7468 HEADER and FOOTER when appropriate.
For example, here would be some simple tests for CMCEnroll using both NSS and OPENSSL:
NSS
# cd ~/.mozilla/firefox/<browser profile>
# certutil -d . -R -s "CN=CMCEnroll Test Certificate" -a
Copy the CSR to a file called 'nss.csr'.
# cat nss.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
# CMCEnroll -d . -n "PKI Administrator for example.com" -r ./nss.csr -p "Secret123"
cert/key prefix =
path = .
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
# cat nss.csr.out
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Submit the signed certificate request through the CA end-entities page:
(a) Open the end-entities page.
(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.
(c) Paste the content of the output file into the first text area of this form.
(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.
(e) Fill in the contact information, and submit the form.
The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.
OPENSSL:
# cd ~/.mozilla/firefox/<browser profile>
# openssl genrsa -out ./openssl.key 2048
# openssl req -new -sha256 -key ./openssl.key -out ./openssl.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:CMCEnroll Test Certificate
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
# cat openssl.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICajCCAVICAQAwJTEjMCEGA1UEAwwaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd1KeUe5eTc6j/oBZv
Z/jEv9XFYGqomCPH3sGsBp3bvZ5W5UKjZ/6K9yJ0s8YGClgbtoHESs9tBhz4zd3L
B7PxDHHT8LyX64eh4ioucyqOVnL+ND558kVE09RTTaNQmhlWlyfcqoGEUVwp0Ejf
/VKvVi/kMuLcfQhdx8rFVWiJUN6jFZWeM8vtw7ME6U8T9MrDtdXrkzHdTpBpPljt
ooRelmNqzBP2GxsALJrw8aXL3R4D8eAdm68Gp49bORg+/TkEqKt9khQIKHnIoHrn
fs+oBwEc9JP3ko0Ru/dm6KSjd66CNQ1W/Je6qm5HOUSkXYLrQH29IRWl40LQCAuV
M6xpAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAUxarjKmxkdNH/HrK9hGN8kIj
rtG7qak4C287nLvRroYwlWDOMjc45N6TWJlSvfQ7aCnYd0+MsabaLay6l5oeWGx+
l6wmiu5gxLnWIKUBiuBawlHgv7RMUOVGmY+LiKZoOTwALz5DlSEK+PtyMNTLDYh9
fx8FZeyKzITvm1yi5NF4MKEzT+2Dw73B1I8tkXzr2lqTXlTBpOWnRFw4ktOIEIFJ
YkDYC1GG1GlxK20tmLUj07f3NXy7Nch9z2+pp7SJY4m44Li6wi4yXfkKIxYH44cQ
8+AOgrHV/caHgQpHStSXVhNWJ+PBkkOscpQPF1L1x32Ak6lQZn95i3V4sbFGQw==
-----END CERTIFICATE REQUEST-----
# CMCEnroll -d . -n "PKI Administrator for example.com" -r ./openssl.csr -p "Secret123"
cert/key prefix =
path = .
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
# cat openssl.csr.out
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Submit the signed certificate request through the CA end-entities page:
(a) Open the end-entities page.
(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.
(c) Paste the content of the output file into the first text area of this form.
(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.
(e) Fill in the contact information, and submit the form.
The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.
Tests similar to the one provided above should be run against the following tools:
* CMCEnroll
* CMCRequest
* CMCRevoke
* CRMFPopClient, and
* PKCS10Client
-- Matt
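The tests above ask the tester to confirm the HEADER/FOOTER by eye. The following is an added example, not code from Dogtag, JSS or the author of the comment above, that checks a tool's textual CSR output against RFC 7468: matching BEGIN/END boundaries, the "CERTIFICATE REQUEST" label from section 10 rather than the legacy "NEW CERTIFICATE REQUEST" label that certutil prints, 64-character base64 lines per section 2, and a body that decodes to something starting with a DER SEQUENCE. The inputs at the bottom are constructed samples (a minimal DER SEQUENCE standing in for a real PKCS #10 body), not tool output.

```python
"""Added example, not code from Dogtag, JSS or this bug's author: a check that
a tool's textual CSR output follows RFC 7468 encapsulation, which is what the
verification instructions above ask testers to confirm by eye.  The sample
inputs at the bottom are constructed, not real tool output."""
import base64
import binascii
import re

BOUNDARY_RE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# RFC 7468 section 10: generators emit the label "CERTIFICATE REQUEST".
# "NEW CERTIFICATE REQUEST" (what certutil -R prints) is a legacy form that
# parsers should accept but generators should not produce.
CANONICAL_LABEL = "CERTIFICATE REQUEST"
LEGACY_LABELS = {"NEW CERTIFICATE REQUEST"}
LINE_WIDTH = 64  # RFC 7468 section 2: generators wrap base64 at 64 characters


def to_rfc7468(der, label=CANONICAL_LABEL):
    """Encode DER bytes as RFC 7468 text with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]
    return "\n".join(["-----BEGIN %s-----" % label] + body + ["-----END %s-----" % label])


def check_rfc7468_csr(text):
    """Return a list of conformance problems; an empty list means conforming."""
    problems = []
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if len(lines) < 3:
        return ["need a BEGIN boundary, at least one body line and an END boundary"]
    head, tail = BOUNDARY_RE.match(lines[0]), BOUNDARY_RE.match(lines[-1])
    if not head or head.group(1) != "BEGIN":
        problems.append("missing or malformed pre-encapsulation boundary")
    if not tail or tail.group(1) != "END":
        problems.append("missing or malformed post-encapsulation boundary")
    if problems:
        return problems
    label = head.group(2)
    if label != tail.group(2):
        problems.append("BEGIN/END labels differ: %r vs %r" % (label, tail.group(2)))
    if label in LEGACY_LABELS:
        problems.append("legacy label %r; generators must emit %r" % (label, CANONICAL_LABEL))
    elif label != CANONICAL_LABEL:
        problems.append("unexpected label %r for a certificate request" % label)
    body = lines[1:-1]
    for n, ln in enumerate(body[:-1], 1):
        if len(ln) != LINE_WIDTH:
            problems.append("body line %d is %d characters, expected %d" % (n, len(ln), LINE_WIDTH))
    if len(body[-1]) > LINE_WIDTH:
        problems.append("last body line exceeds %d characters" % LINE_WIDTH)
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64"]
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE (tag 0x30)")
    return problems


# Constructed samples: a minimal DER SEQUENCE stands in for a real PKCS #10 body.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
CONFORMING = to_rfc7468(SAMPLE_DER)
LEGACY_LABEL = to_rfc7468(SAMPLE_DER, "NEW CERTIFICATE REQUEST")
# 100 bytes of payload wrapped at 76 columns, as base64.encodebytes does.
LONG_DER = b"\x30\x62\x04\x60" + b"A" * 96
WRAPPED_AT_76 = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                 + base64.encodebytes(LONG_DER).decode("ascii")
                 + "-----END CERTIFICATE REQUEST-----")

if __name__ == "__main__":
    for name, sample in [("conforming", CONFORMING), ("legacy label", LEGACY_LABEL),
                         ("76-column", WRAPPED_AT_76)]:
        print(name, check_rfc7468_csr(sample) or "OK")
```

To apply it to the tests above, read the `.out` file each tool writes and pass its contents to `check_rfc7468_csr`; the certutil CSR used as input is expected to fail on the legacy label, which is why the comment above excludes certutil from the conformance requirement.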
Matt,

CMCEnroll using both NSS and OPENSSL works fine.

But for CMCRevoke I'm getting the following error:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRevoke -d. -n"PKI Administrator for idmqe.lab.eng.bos.redhat.com" -i"CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain" -s19 -m6 -pSecret123 -h"NSS Certificate DB" -c"test"
cert/key prefix =
path = .
org.mozilla.jss.NoSuchTokenException
        at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
        at com.netscape.cmstools.CMCRevoke.main(CMCRevoke.java:190)
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]#

I also tried specifying tokenname value as internal, even that did not work.

Using PKCS10Client as well it's working fine:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# PKCS10Client -d /opt/rhqa_pki/certdb/ -p "Secret123" -a rsa -l 2048 -o test.csr -n "uid=test"
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: pair.getPublic() called.
PKCS10Client: CertificationRequestInfo() created.
PKCS10Client: CertificationRequest created.
PKCS10Client: calling Utils.b64encode.
PKCS10Client: b64encode completes.
-----BEGIN CERTIFICATE REQUEST-----
MIICfzCCAWcCAQAwFjEUMBIGCgmSJomT8ixkAQETBHRlc3QwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC1+2CW1l6opxJ8RNTtOZfxsDKYVeh0vebs/iR9
9Q6iMOdIM9KQoMFF+mkMFGqph0u5voMUrJlREYR9UbQxM9i/TyK8kgR86CPp6IjJ
zvDfelJDnQahrWylt/m1qesZQZ/jqka+/0t8IyuRbVIzcROxzUd+kkRA7x6Scovo
PusDUUyoqVa7e1QV6mBzwpwIfGnQ9U6MFg1L1QSWgERNptB0vUAGgylNt966XI3L
ike1bx+n0rXxLWF+8al2cYJ/Wa3iwhuOMPMA/jcK6PIzL6vyRQnhF0cmWqMaAm+D
iZb6FC4ZrMb6BfTXaCC968yfUwEs8MkmOJMBGs3B7fyorNdHAgMBAAGgJDAiBggr
BgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDANBgkqhkiG9w0BAQQFAAOC
AQEAdK1vNJ6j1/rtfu3ui31cV0UEWaemQIhSTdF7R4zhCP9aOuvhsWVqf44uRG3V
PNbBKhNXVSV1BBoUYldL01Oyud741heI9B/oqMeARztglRqMKGugHoBP6XSTgLbU
VuGblBm6AUfx8S9UmFis9pqj+vuai1YQpyGLxC4yx2Ffcs253CShttY2Ll9vcFDE
DXixEFD0rkTZ6xDbIye80fC6S259/21hKj6wgNaALXxg0KF1s6Ilm+pfD7bK6mj2
kAiGZDBh7hpRlE1IQuTY3TZ/QeRAtGF6oZup8AULfIUMhqd63HYVB/KUjOyO+UhE
pS+sU3PYOBQmFEvVaKSLJCGNLQ==
-----END CERTIFICATE REQUEST-----
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# pki ca-cert-request-profile-show caUserCert --output test.xml
--------------------------------------------
Enrollment Template for Profile "caUserCert"
--------------------------------------------
----------------------------------------------------
Saved enrollment template for caUserCert to test.xml
----------------------------------------------------
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# vim test.xml
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# pki ca-cert-request-submit test.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 22
  Type: enrollment
  Request Status: pending
  Operation Result: success
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# pki -d /opt/rhqa_pki/certdb/ -c Secret123 -n "PKI Administrator for idmqe.lab.eng.bos.redhat.com" ca-cert-request-review 22 --action approve
-------------------------------
Approved certificate request 22
-------------------------------
  Request ID: 22
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x14
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]#

For CRMFPopClient I am seeing the following error:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# modutil -dbdir /var/lib/pki/pki-tomcat/ca/alias/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CRMFPopClient -v -d . -h "NSS Certificate DB" -p Secret123 -n "uid=foobar2" -a rsa -l 2048 -f caEncUserCert
Initializing security database: .
org.mozilla.jss.NoSuchTokenException
        at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
        at com.netscape.cmstools.CRMFPopClient.main(CRMFPopClient.java:401)
ERROR: null
Try 'CRMFPopClient --help' for more information.

For CMCRequest as well I am getting a similar error:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRequest CMCRequest.cfg
cert/key prefix =
path = .
CryptoManger initialized
org.mozilla.jss.NoSuchTokenException
        at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
        at com.netscape.cmstools.CMCRequest.main(CMCRequest.java:1027)

(In reply to Sumedh Sidhaye from comment #17)
> For CRMFPopClient I am seeing the following error:
>
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# modutil -dbdir /var/lib/pki/pki-tomcat/ca/alias/ -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> -----------------------------------------------------------
>
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CRMFPopClient -v -d . -h "NSS Certificate DB" -p Secret123 -n "uid=foobar2" -a rsa -l 2048 -f caEncUserCert
> Initializing security database: .
> org.mozilla.jss.NoSuchTokenException
>         at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
>         at com.netscape.cmstools.CRMFPopClient.main(CRMFPopClient.java:401)
> ERROR: null
> Try 'CRMFPopClient --help' for more information.

This error is probably produced by the fact that you are using an incorrect value for the token (the default is -h "internal", and can simply be left off of the invocation since you are using the "internal" token instead of an HSM). Although a man page has not yet been constructed for this command, an example is explained in https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Command-Line_Tools_Guide/CRMF_Pop_Request.html. Please retry this command and see if this info resolves your issue.

(In reply to Sumedh Sidhaye from comment #15)
> Matt,
>
> CMCEnroll using both NSS and OPENSSL works fine.
>
> But for CMCRevoke I'm getting the following error:
>
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRevoke -d. -n"PKI Administrator for idmqe.lab.eng.bos.redhat.com" -i"CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain" -s19 -m6 -pSecret123 -h"NSS Certificate DB" -c"test"
> cert/key prefix =
> path = .
> org.mozilla.jss.NoSuchTokenException
>         at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
>         at com.netscape.cmstools.CMCRevoke.main(CMCRevoke.java:190)
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]#
>
> I also tried specifying tokenname value as internal, even that did not work.

Again, try leaving the -h"NSS Certificate DB" parameter off of this command, and retry it; the name of the internal token is -hinternal, but should not be needed as it is the default value.

Expanding on Comment #20 above: Although the man page has not yet been constructed for this command, an example is explained in https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Command-Line_Tools_Guide/CMC_Revocation.html.

(In reply to Sumedh Sidhaye from comment #18)
> For CMCRequest as well I am getting a similar error:
>
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRequest CMCRequest.cfg
>
> cert/key prefix =
> path = .
> CryptoManger initialized
> org.mozilla.jss.NoSuchTokenException
>         at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
>         at com.netscape.cmstools.CMCRequest.main(CMCRequest.java:1027)

Finally, I am only guessing here, but I am wondering if you changed the name of "tokenname=internal" to "tokenname=NSS Certificate DB" in your configuration file entitled "CMCRequest.cfg". Again, the man page has not yet been constructed for this command, but an example is explained in https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Command-Line_Tools_Guide/CMC_Request.html.

Please try out my change suggestions in Comments 19, 21, and 22, and let me know if you get any farther. Re-assigning bug to ON_QA.

CMCRevoke works if I remove the -h option. I tested with the following command and it worked:

[root@pki1 nxiiz1ap.default]# CMCRevoke -v -d. -n"PKI CA Administrator for Example.Org" -i"CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org" -s27 -m6 -pSecret123 -c"test"
cert/key prefix =
path = .
CMCRevoke: searching for certificate nickname:PKI CA Administrator for Example.Org
-----BEGIN CERTIFICATE REQUEST-----
MIIGzgYJKoZIhvcNAQcCoIIGvzCCBrsCAQMxCzAJBgUrDgMCGgUAMIHbBggrBgEF
BQcMAqCBzgSByzCByDCBvzAvAgEBBggrBgEFBQcHBjEgBB5FUm84cTEzOXZOVVZW
WVZ5bGd1R3ZKTmpuOEU9DQowgYsCAQIGCCsGAQUFBwcRMXwwejBhMSUwIwYDVQQK
DBx0b3BvbG9neS0wMl9Gb29iYXJtYXN0ZXIub3JnMRcwFQYDVQQLDA50b3BvbG9n
eS0wMi1DQTEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZQIBGwoBBgQJ
U2VjcmV0MTIzDAR0ZXN0MAAwADAAoIID+DCCA/QwggLcoAMCAQICAQYwDQYJKoZI
hvcNAQELBQAwYTElMCMGA1UECgwcdG9wb2xvZ3ktMDJfRm9vYmFybWFzdGVyLm9y
ZzEXMBUGA1UECwwOdG9wb2xvZ3ktMDItQ0ExHzAdBgNVBAMMFkNBIFNpZ25pbmcg
Q2VydGlmaWNhdGUwHhcNMTYwOTIzMDQzODUzWhcNMTgwOTEzMDQzODUzWjCBgDEl
MCMGA1UECgwcdG9wb2xvZ3ktMDJfRm9vYmFybWFzdGVyLm9yZzEXMBUGA1UECwwO
dG9wb2xvZ3ktMDItQ0ExIjAgBgkqhkiG9w0BCQEWE2NhYWRtaW5AZXhhbXBsZS5j
b20xGjAYBgNVBAMMEVBLSSBBZG1pbmlzdHJhdG9yMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAuA7WYxq9gWTDtq6+7wfzup7mS94mmMu7XeGKfZoBHcHI
ChVm6elyXa9So96dz7edCvAJ83kEVTJJXYnH3ytEnkHxlClVTerhhdqPoHCyk+/x
A1VCnc0C9DDyOTMW4X/A7mxL2GEqOzH1NlZdbgseTRt5F57BHGUOjY2ngO1Zjyo2
W+K8eJCwOM3iSDyOsdfMFHJPTjb1KnN4XjL9tTiqxfQVci7JAXu7U2AZhM37uxo/
w1WInb9Y5zzD7n2OxVEcEbkfhwjtO1Ktpyb0us136V9JePouPKAvRmcupYmcPX/D
3eOjO9AW46vm8zG/I2dvHp92ei3zOTbPSXCRtUAUZQIDAQABo4GWMIGTMB8GA1Ud
IwQYMBaAFK2t7KQGcanGlsGVXexAN7Eu1pj6MEEGCCsGAQUFBwEBBDUwMzAxBggr
BgEFBQcwAYYlaHR0cDovL3BraTEuZXhhbXBsZS5jb206MjAwODAvY2Evb2NzcDAO
BgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0G
CSqGSIb3DQEBCwUAA4IBAQBv52Y98W+ldkoZokvaMOrndvbgpMgFMnApUvLWoU2e
ja+ooJZNQ2w0wxRtfO1iIjN5SMGDKaSn0DkbCishtnr8A9CG3dbTu0bdufAwZa2r
awE+w+jlS8vDw/mfQOR6EIhXCn8gaPsGEhkRrN+FD74x0jmPOGlvImMnKX2dDpTA
WRhn5tPxMqr2EGF2xvVvhwPmHR5BRkWEChKy1fKvWfwZt+mlW2dz7d2Frd7f+MQC
c8RL3mhne/0vCR0zRn0nLt5ujUCNzncFespM5OjqxPtjIoyvVoxaiHUwdMnM18dV
diCheEJJK7lHh8SEXj4RUqshZu6KoobZzD3DQXZErE1FMYIBzTCCAckCAQMwZjBh
MSUwIwYDVQQKDBx0b3BvbG9neS0wMl9Gb29iYXJtYXN0ZXIub3JnMRcwFQYDVQQL
DA50b3BvbG9neS0wMi1DQTEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0
ZQIBBjAJBgUrDgMCGgUAoD4wFwYJKoZIhvcNAQkDMQoGCCsGAQUFBwwCMCMGCSqG
SIb3DQEJBDEWBBQrA3kiAOabFkkoz3V8XqJQ80rqNjANBgkqhkiG9w0BAQEFAASC
AQBM0UcQeDAFupgomKxNvyS8mpgS4A91Buo6RmtncbDYV4akobPXpU7vCCkoUu99
wLWJzigChqKfr3WXm2FjY4u7jODLB5T0FodCogPiBhW6TIZf9psn7gW/W4HlM2ga
LLXItmt34cpC59SMwUk8T4JRkZoeHbqDKRg7UvG6CMnUiKsVT8DfAaDrWHzMufIq
sMTQTu7BdWUvRbxTx6Rnm6jTVtBS3gEcx5lb4VUgmBaEJdK65IscXOMUS/CDWjNU
lRfITrXB8ZEeTfzs54jz+OH+Q68tx/+7CbVvZz7aZ2H6dkQhCwoqkuG/PuKVK9Vm
x3q/MWfO8mgwBQj+EG0tHmPt
-----END CERTIFICATE REQUEST-----

Pasting the above CMCRevoke output in the CMC Revoke menu in CA's EE page revoked the cert as well.

0x1b revoked UID=foobar3,E=foobar3

Hi Matt,

CMCRequest is working fine now after modifying the cfg file with correct params. Also CRMFPopClient and PKCS10Client are working as expected. Hence marking this verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html