Bug 1366353 - Dogtag 10.3.3-X: Miscellaneous Enhancements
Summary: Dogtag 10.3.3-X: Miscellaneous Enhancements
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.3
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-11 18:12 UTC by Matthew Harmsen
Modified: 2020-10-04 21:14 UTC (History)

Fixed In Version: pki-core-10.3.3-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:27:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2556 0 None None None 2020-10-04 21:13:55 UTC
Github dogtagpki pki issues 2566 0 None None None 2020-10-04 21:14:15 UTC
Github dogtagpki pki issues 2567 0 None None None 2020-10-04 21:14:20 UTC
Red Hat Product Errata RHBA-2016:2396 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-08-11 18:12:57 UTC
This ticket was created as a holding place for multiple minor bug fixes and enhancements made to the Dogtag 10.3.6 Milestone (and later) which have generally been provided by individuals outside the core development group (e.g. QE), although it will also be used as the bug of choice for relatively minor bug fixes from core development members as well.

Comment 1 Matthew Harmsen 2016-08-11 18:43:39 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/2436

Comment 2 Matthew Harmsen 2016-08-23 21:53:29 UTC
The following were cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

commit 361eb16c8558f5be6cdb65ab412ab4f703a10bdc
Author: Matthew Harmsen <mharmsen>
Date:   Fri Aug 19 15:58:12 2016 -0600

    pki-tools HEADER/FOOTER changes
    
    * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    
    (cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
    (cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)

commit 15a6f83a651949af7ba7bfe8fc1b3626d064fa87
Author: Endi S. Dewata <edewata>
Date:   Thu Aug 18 05:40:25 2016 +0200

    Added debug messages for ConfigurationUtils.handleCerts().
    
    To help troubleshooting some debug messages have been added into
    ConfigurationUtils.handleCerts().
    
    https://fedorahosted.org/pki/ticket/2436
    (cherry picked from commit 9aa6640e7e94a591343478ee806a6e6d4c9f81e8)
    (cherry picked from commit 4e5c8e53345d500bfa620267a8ae35df0e2973b6)

commit 3bfd5acb075751e429eeb8b46f17c624a5178a41
Author: Endi S. Dewata <edewata>
Date:   Fri Aug 12 04:42:25 2016 +0200

    Added cert validation error message in selftest log.
    
    To help troubleshooting the selftest log has been modified to
    include the cert validation error message returned by JSS.
    
    https://fedorahosted.org/pki/ticket/2436
    (cherry picked from commit 0fd31368d871c513c9833ca02bc08d15a48d6aa5)
    (cherry picked from commit 488303542161103cbbac6814dffd8818fccf455d)

Comment 3 Matthew Harmsen 2016-08-29 21:11:09 UTC
The following was cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

commit c7aa56ee7df2052deff23190912f86b42042cd59
Author: Abhijeet Kasurde <akasurde>
Date:   Wed Aug 10 11:58:49 2016 +0530

    Added check for pki-server-nuxwdog parameter
    
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
    
    Signed-off-by: Abhijeet Kasurde <akasurde>
    (cherry picked from commit c79371fdc667e6acfcae7255f144e63cd60bf0f9)
    (cherry picked from commit b4d5fcc5a30a11ed5e84ca835aea733a5d5bbfb6)

Comment 5 Matthew Harmsen 2016-09-07 21:11:42 UTC
Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From d9c0460a85dab6249844f6f8a2fe4d45c11554e5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata>
Date: Wed, 31 Aug 2016 16:15:19 +0200
Subject: [PATCH 1/9] Fixed debug log in UpdateNumberRange servlet.

To help troubleshooting the debug log in UpdateNumberRange servlet
has been modified to show the exception stack trace.

https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 1922f77e825c8c0ec742382b752b0a32afbff8a9)
(cherry picked from commit a9db37c53fff88d0f00293df0fd29877bb797091)



From 6cfdd4a6434c8ca08cdbcd659d44a74f6bb6d123 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata>
Date: Wed, 7 Sep 2016 00:35:40 +0200
Subject: [PATCH 9/9] Removed FixSELinuxContexts upgrade script.

The FixSELinuxContexts upgrade script has been removed temporarily
due to a problem importing selinux library during RPM upgrade.

The FixDeploymentDescriptor script number has been changed
accordingly.

https://fedorahosted.org/pki/ticket/2452
(cherry picked from commit 76b3ae5062aef22eece89117a28bd9b86ddef92d)
(cherry picked from commit b3248175d261bc82d3d9c965f047ea9d0fa2bc9e)




Manually copied and merged into DOGTAG_10_3_RHEL_BRANCH: 

commit 91841bfa7bdc9df688bf07fe9cab811251d93740
Author: Matthew Harmsen <mharmsen>
Date:   Tue Sep 6 21:10:57 2016 -0600

    Updated RPM spec.
    
    The code in the RPM spec that moves the upgrade scripts has been
    updated to reflect the FixSELinuxContexts deletion.
    
    The libselinux-python is used by deployment and upgrade scripts
    to set the SELinux contexts, so a direct runtime dependency has
    been added to the RPM spec file.
    
    The duplicate python-ldap and python-lxml dependencies have been
    removed.
    
    https://fedorahosted.org/pki/ticket/2452

Comment 6 Matthew Harmsen 2016-09-07 21:24:52 UTC
Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From d0f45bfb653636673300b169dfa8ffe90b63cb58 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu.redhat.com>
Date: Wed, 31 Aug 2016 14:03:02 -0700
Subject: [PATCH 2/9] Ticket #2446 pkispawn: make subject_dn defaults unique
 per instance name (for shared HSM) When installing multiple instances on the
 same host sharing the same HSM, if subject_dn's are not specifically spelled
 out with unique names for each instance, installation will fail with
 complaints that same subject name and serial number already exist. This
 happens in the scenario if you are creating a subordinate CA, for example,
 that's in the same domain name as the root CA. It is very inconvenient that
 you are expected to spell out subject dn's of all system certs in the
 pkispawn config file. This patch changes default.cfg so that the instance
 name is in the default subject dn, e.g. adding it as an "ou" component:
 ou=%(pki_instance_name)s

(cherry picked from commit 1195ee9d6e45783d238edc1799363c21590febce)
(cherry picked from commit 1d1b3a705fdaca26d580566ff3fb1725334ff674)

Comment 7 Matthew Harmsen 2016-09-07 21:27:16 UTC
Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From 92d92c6ee2a0a531183a373cc1f3975662fdca40 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee>
Date: Fri, 2 Sep 2016 16:08:02 -0400
Subject: [PATCH 4/9] Fix CertRequestInfo URLs

The URLs were generated by a UriBuilder that referred to the resource's
annotated path.  This top-level path changed though, even if the underlying
paths did not.  Replace this with a reference to the getX methods instead.

Also fixed a few eclipse flagged warnings (unused imports etc).

Ticket 2447

(cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2)
(cherry picked from commit 7baa7e60b708c5b4c79d6dd963321d34958cc81b)

Comment 8 Sumedh Sidhaye 2016-09-15 08:42:04 UTC
How do I verify these fixes?

Need some info on this.

Marking it modified.

Comment 9 Fraser Tweedale 2016-09-16 10:24:29 UTC
VERIFICATION STEPS for the fix cherry picked from commit
c79371fdc667e6acfcae7255f144e63cd60bf0f9:

1. execute `pki-server-nuxwdog' without arguments, and then with a bogus
argument.  Verify that output and exit code match the following transcript:

  sh-4.3$ pki-server-nuxwdog
  ERROR: /sbin/pki-server-nuxwdog requires parameter
  sh-4.3$ echo $?
  1
  sh-4.3$ pki-server-nuxwdog BOGUS
  ERROR: Unable to find /etc/sysconfig/BOGUS file
  sh-4.3$ echo $?
  1

Comment 10 Fraser Tweedale 2016-09-16 10:34:24 UTC
VERIFICATION STEPS for the fix cherry picked from commit
7a93dbeae18407e28437f4affc31ddc24a2c42f2

1. Query cert request information from REST API, per following example:

  sh-4.3$ curl --header "Accept: application/json" \
             https://$(hostname):8443/ca/rest/certrequests/<N>

(pick some number <N> of the cert request to examine).


2. Verify that "requestURL" value in response matches:

   "https://$(hostname):8443/ca/rest/certrequests/<N>
                                     ^^^^^^^^^^^^^

3. Verify that "certURL" value in response matches:

   "https://$(hostname):8443/ca/rest/certs/<M>
                                     ^^^^^^

Comment 11 Sumedh Sidhaye 2016-09-16 10:36:50 UTC
Build used for verifying commit c79371fdc667e6acfcae7255f144e63cd60bf0f9:

[root@pki2-ipv6 ~]# pki --version
PKI Command-Line Interface 10.3.3-10.el7

Test Results:

[root@pki2-ipv6 ~]# pki-server-nuxwdog
ERROR: /usr/sbin/pki-server-nuxwdog requires parameter
[root@pki2-ipv6 ~]# echo $?
1
[root@pki2-ipv6 ~]# pki-server-nuxwdog qwerty
ERROR: Unable to find /etc/sysconfig/qwerty file
[root@pki2-ipv6 ~]# 


pki-server-nuxwdog fix is working fine.

Comment 12 Sumedh Sidhaye 2016-09-16 10:44:41 UTC
Verification for 7a93dbeae18407e28437f4affc31ddc24a2c42f2:

[root@pki2-ipv6 ~]# curl --insecure --header "Accept: application/json" https://pki2-ipv6.example.org:20443/ca/rest/certrequests/1

{
	"requestType": "enrollment",
	"requestStatus": "complete",
	"requestURL": "https://pki2-ipv6.example.org:20443/ca/rest/certrequests/1",
	"certId": "0x1",
	"certURL": "https://pki2-ipv6.example.org:20443/ca/rest/certs/1",
	"certRequestType": "pkcs10",
	"operationResult": "success"
}



requestURL and certURL are as expected.
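The check Fraser describes in comment 10, written out as a script rather than eyeballing the JSON. This is an added example, not part of the bug or of Dogtag: the response body is constructed to mirror the one in comment 12 (host and port are placeholders), and the "bad" body is a constructed counter-example with the links built under a wrong top-level resource path. It verifies that each link has the same origin as the CA that was queried, that requestURL has the path /ca/rest/certrequests/<N> with N being the request that was asked for, and that certURL has the path /ca/rest/certs/<M>; it does not assume how <M> relates to certId, since the comment does not say.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed CertRequestInfo body modelled on the response in comment 12.
# ca.example.test:8443 is a placeholder origin, not a real CA.
BASE_URL = "https://ca.example.test:8443"
GOOD_RESPONSE = json.dumps({
    "requestType": "enrollment",
    "requestStatus": "complete",
    "requestURL": BASE_URL + "/ca/rest/certrequests/1",
    "certId": "0x1",
    "certURL": BASE_URL + "/ca/rest/certs/1",
    "certRequestType": "pkcs10",
    "operationResult": "success",
})
# Constructed counter-example: the same record, but requestURL built under a
# wrong top-level path, the kind of drift the URL fix in comment 7 addresses.
BAD_RESPONSE = GOOD_RESPONSE.replace("/ca/rest/certrequests/1",
                                     "/ca/rest/WRONG/certrequests/1")

REQUEST_PATH = re.compile(r"^/ca/rest/certrequests/(\d+)$")
CERT_PATH = re.compile(r"^/ca/rest/certs/(0x[0-9a-fA-F]+|\d+)$")


def _check_link(problems, name, url, base_url, pattern):
    """Verify one link: same scheme/host/port as the CA queried and a path of
    the expected shape. Appends findings to `problems`; returns the captured
    id string, or None when the path is unusable."""
    if not url:
        problems.append(f"{name} missing from response")
        return None
    parts, base = urlsplit(url), urlsplit(base_url)
    if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
        problems.append(f"{name} points at {parts.scheme}://{parts.netloc}, "
                        f"expected {base.scheme}://{base.netloc}")
    m = pattern.match(parts.path)
    if not m:
        problems.append(f"{name} path {parts.path!r} does not match {pattern.pattern!r}")
        return None
    return m.group(1)


def check_cert_request_info(body, base_url, request_id):
    """Return the list of problems with the links in a CertRequestInfo JSON
    body; an empty list means the URLs are as comment 10 expects."""
    info = json.loads(body)
    problems = []
    rid = _check_link(problems, "requestURL", info.get("requestURL"), base_url, REQUEST_PATH)
    if rid is not None and int(rid) != request_id:
        problems.append(f"requestURL refers to request {rid}, but request {request_id} was queried")
    # certURL only exists once the request completed and a certificate was issued.
    if info.get("requestStatus") == "complete":
        _check_link(problems, "certURL", info.get("certURL"), base_url, CERT_PATH)
    return problems


if __name__ == "__main__":
    for name, body in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_cert_request_info(body, BASE_URL, 1) or "as expected")
```

To run it against a live CA, replace the constructed body with the output of the curl call from comment 10 and pass the same `https://$(hostname):8443` origin and request number you queried.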

Comment 13 Matthew Harmsen 2016-09-16 21:18:28 UTC
Sumedh,

For:

commit 361eb16c8558f5be6cdb65ab412ab4f703a10bdc
Author: Matthew Harmsen <mharmsen>
Date:   Fri Aug 19 15:58:12 2016 -0600

    pki-tools HEADER/FOOTER changes
    
    * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    
    (cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
    (cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)

Run your tests to make certain that the changes made did not prevent the tool from working, and that the output of the tools (NOT certutil) conforms with the RFC 7468 HEADER and FOOTER when appropriate.

For example, here are some simple tests for CMCEnroll using both NSS and OPENSSL:

NSS

    # cd ~/.mozilla/firefox/<browser profile>

    # certutil -d . -R -s "CN=CMCEnroll Test Certificate" -a

    Copy the CSR to a file called 'nss.csr'.

    # cat nss.csr
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
    dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtOSHDtLKXMh/c3TSE
    pz/eixpAjalk51yksWLZtQwyL2RnhYJ9Acece5PLlUoXOpmJ3+5StzmWfZ2RkeU/
    ojXlAStFZjICLpa1Bggd2pDFz8h9TnUxriNPTBHU5J6NGJm8dc4DvCDXruBbzy4Q
    Un8EoYfrqxTNPGGxJmJrz7Wy5SFr2FZO841LJRClVgQXbbrF5AeGEObUi0IlSCRh
    hZObEgmGlF0NJg7cZqB5FkKUT1YbOKl7nZLidq2pR7Ob5xlHRMZNb7GSRfb1QRbp
    Eljli3cXD9YnfHcDcXPnCTnnGdSUsU7gGKAkrZ55KNb8fKqSC39j4ui3KKODAqLd
    s6P5AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA4/zan3pbmI6k1fHMIFQeAxt9
    aFQUtmpzTQwipBZ7x/ML68e7bzzMtvpvKr0ozro0floyexGumUY28sBIiXnHGHO6
    dbdN7Yof2kmmQLsfOLme7xGBWkbDcGh+I8qxwC7kE2UisknhbOLEXMWCEdMjSkte
    pmCN01f+45h/1pHYgpf6s4CeHlJO4QyLIZ9btTlZyegfXr7A9hDEoQfsEcx7GZuC
    pK3qmts4J65qfYmYIHUP1JnJwzrXEPUSGLtJ82W6KO6R3khvSui5uFJpCKCc1k88
    ECVvsdQe9DSnduWRpUVvd3Pambwi7NEgfJpPsS8Yq2VHq7f1vCcKHzdujX5xTg==
    -----END NEW CERTIFICATE REQUEST-----

    # CMCEnroll -d . -n "PKI Administrator for example.com" -r ./nss.csr -p "Secret123"
    cert/key prefix =
    path = .
    -----BEGIN CERTIFICATE REQUEST-----
    [...]
    -----END CERTIFICATE REQUEST-----

    # cat nss.csr.out
    -----BEGIN CERTIFICATE REQUEST-----
    MIIM4gYJKoZIhvcNAQcCoIIM0zCCDM8CAQMxCzAJBgUrDgMCGgUAMIIC6gYIKwYB
    BQUHDAKgggLcBIIC2DCCAtQwVTAvAgECBggrBgEFBQcHBjEgBB5CeFRXNUtwRXBO
    NHNhYmNDMFhZajRNcVM1d0E9DQowIgIBAwYIKwYBBQUHBwUxEwIRALALe5Uc1T3T
    GJugnNjT7FMwggJ1oIICcQIBATCCAmowggFSAgEAMCUxIzAhBgNVBAMTGkNNQ0Vu
    cm9sbCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEA7Tkhw7SylzIf3N00hKc/3osaQI2pZOdcpLFi2bUMMi9kZ4WCfQHHnHuT
    y5VKFzqZid/uUrc5ln2dkZHlP6I15QErRWYyAi6WtQYIHdqQxc/IfU51Ma4jT0wR
    1OSejRiZvHXOA7wg167gW88uEFJ/BKGH66sUzTxhsSZia8+1suUha9hWTvONSyUQ
    pVYEF226xeQHhhDm1ItCJUgkYYWTmxIJhpRdDSYO3GageRZClE9WGzipe52S4nat
    qUezm+cZR0TGTW+xkkX29UEW6RJY5Yt3Fw/WJ3x3A3Fz5wk55xnUlLFO4BigJK2e
    eSjW/Hyqkgt/Y+LotyijgwKi3bOj+QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB
    AOP82p96W5iOpNXxzCBUHgMbfWhUFLZqc00MIqQWe8fzC+vHu288zLb6byq9KM66
    NH5aMnsRrplGNvLASIl5xxhzunW3Te2KH9pJpkC7Hzi5nu8RgVpGw3BofiPKscAu
    5BNlIrJJ4WzixFzFghHTI0pLXqZgjdNX/uOYf9aR2IKX+rOAnh5STuEMiyGfW7U5
    WcnoH16+wPYQxKEH7BHMexmbgqSt6prbOCeuan2JmCB1D9SZycM61xD1Ehi7SfNl
    uijukd5Ib0roubhSaQignNZPPBAlb7HUHvQ0p3blkaVFb3dz2pm8IuzRIHyaT7Ev
    GKtlR6u39bwnCh83bo1+cU4wADAAoIIH+jCCA+4wggLWoAMCAQICAQEwDQYJKoZI
    hvcNAQELBQAwYzErMCkGA1UECgwidXNlcnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5
    IERvbWFpbjETMBEGA1UECwwKcGtpLXRvbWNhdDEfMB0GA1UEAwwWQ0EgU2lnbmlu
    ZyBDZXJ0aWZpY2F0ZTAeFw0xNjA5MTYxNzQxMThaFw0zNjA5MTYxNzQxMThaMGMx
    KzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xEzAR
    BgNVBAsMCnBraS10b21jYXQxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNh
    dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnujrbxU2ebx9H3mfQ
    OTK6PjOOWC8hAXZ5QNndfcviAkHAy50+L7XtQCCSGClAENHE4xVQBfXct+RpAiqI
    L6aDUDgLyplRMLA5D7VJPaWQEckrjYxTdBWO488ad+p0GIFRx1gQKZ/MkxwceXmT
    gnyxh45zOnzikhOE545vnBMeirpx6HM+W/aZZk09NfBqQ5jTdMyAxIlsCIB1r7XH
    lS0s+Z3xR/jWJDjgAEO7iPTF3fYQV5JwiKeqshO+F0/Y4WN5EzrFOReYwui8vxwk
    QA29B5oIH44anhKLWh09mKIUAUDw05W2SmKNq9wKmHfmZFUvyBH+uNOfGAcGpuXf
    t2cVAgMBAAGjgawwgakwHwYDVR0jBBgwFoAUCMWd9WveEXsIjwTQYPMYI3ufZJgw
    DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFAjFnfVr
    3hF7CI8E0GDzGCN7n2SYMEYGCCsGAQUFBwEBBDowODA2BggrBgEFBQcwAYYqaHR0
    cDovL3BraS51c2Vyc3lzLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA0GCSqGSIb3
    DQEBCwUAA4IBAQA33AJWui+mXLNshR0i2/y4eJHRarIdowesJZKyjBNXdL1drMK4
    aMCHP/jEaFHFipmDYBkwbtSHcCda09e8SEi3XYOnBdex/1BH0Ltb2hMyZLRVQBF+
    oDAJUqaEG7GK79mF8XfNOted0VWCNvi7jjUrLKGX6bds2/s2lu0UzyOzyeuArc9e
    UHU7x1+WqbYymmGc9S87VL1YuL99rREa9YKB0PkvrHzeprdiKN38g1ZMT4AQ6Fzi
    D+qzKViHzDCOG+OJvGNsbPdZ4r7WInv1NBKKGgGDLSpBYOI/hN1z8VOMGnENqs2G
    Nto1QV1uYQDsVukAJ+o5U4eaqZNclnVmgUF7MIIEBDCCAuygAwIBAgIBBjANBgkq
    hkiG9w0BAQsFADBjMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJp
    dHkgRG9tYWluMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWdu
    aW5nIENlcnRpZmljYXRlMB4XDTE2MDkxNjE3NDEyMVoXDTE4MDkwNjE3NDEyMVow
    gYkxKzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4x
    EzARBgNVBAsMCnBraS10b21jYXQxKTAnBgkqhkiG9w0BCQEWGmNhYWRtaW5AdXNl
    cnN5cy5yZWRoYXQuY29tMRowGAYDVQQDDBFQS0kgQWRtaW5pc3RyYXRvcjCCASIw
    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMicK43enuykjo0vxxlq0o9FwnGf
    2aQRX74rHrJc8wQ0g1+8nqb9AkwX84I0Q/NOI5sTqdQBCWIrXbkD7mg8f8ej/upn
    T5z16l6xKnHZbo8XGomjBANVLmKSL14AAFgaLxmHv2C5UJQclKFacZNRIb+kMVSz
    mwIu0G7gkuG2KQ/kbsxwvgMDZDOg4Rt7kw69BgDgq+Og+W0Tj60w178FWCGlH8sy
    THXVFZapyVEFsqQcfbBQEK4Xq9G9ZeVCKCPh0SLq5ZwxObT0CzGqLDu2afuWOZ+F
    hhkLMwS7bqWLEgDa4oCPirFiXItbvgnIYrSgYLMaOR7L/cdfHZV7VhDq4KECAwEA
    AaOBmzCBmDAfBgNVHSMEGDAWgBQIxZ31a94RewiPBNBg8xgje59kmDBGBggrBgEF
    BQcBAQQ6MDgwNgYIKwYBBQUHMAGGKmh0dHA6Ly9wa2kudXNlcnN5cy5yZWRoYXQu
    Y29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYB
    BQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQCI142VRVy6rzWTbw6F
    Ni0uEI237jTcyCQNEHs6HzocUIHRy80qeLzHAx0pNr/EnWkW7m/5WGMyX7RfqiKB
    yWiZb7o9chHzyqeROjH4zNWEL6/6o/5SYs6UrUBacFbJULV7JwANy7AsuBBiZkvu
    akm+XLPZpl+ki8VoGdz7UycMuz5a5Qp3WcmK70Lq4uNvcuN7xOQDgWjnZoFxK+SH
    1vDOsgF3kmb+eN5GC2tqb+xokEOBNvyx0r4HxkAfXqSN49Wrlo9zQHwpGzYCdcGG
    GUBT2gsUJgtu8Jb1Ap2c+7VMZkLLwHuJkcswckvp7JbCbCV+ywg3B6UruFgVllPu
    gDpmMYIBzzCCAcsCAQMwaDBjMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20g
    U2VjdXJpdHkgRG9tYWluMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZD
    QSBTaWduaW5nIENlcnRpZmljYXRlAgEGMAkGBSsOAwIaBQCgPjAXBgkqhkiG9w0B
    CQMxCgYIKwYBBQUHDAIwIwYJKoZIhvcNAQkEMRYEFFuO61kCrScjokREHofcm8JC
    mw9nMA0GCSqGSIb3DQEBAQUABIIBADxLqfWn85dyF3u7wg3gjxot0FreUmpReU1o
    fMy5RgrogvHt7gnWh1SJOBW+iEqaX2nc0eqT/GYFzR8jKR/q3ONEi1ocxhAtnpsa
    qxow9pBvoOaNcGaAWdwnS+sRToRspyivZvhTt/EUb3LXf/WAMv6ql3HXrxDPbyI4
    SIBAfcMPEEvig+IkBd+InQ77znP2k5ZUwXUWcJf5tmo0QGSu51JcWyfAgmJw0nei
    uoCbki5Z1h4IxoARJBxkNyqA7vDnzaJTGHZuBpFMvBIzB7yYo1HX++kDwlGSL4Nu
    NnY0y+9Cjy0xDERyLRZfI1vGppEqS5EWuXn9R+d9BrO6u16WetI=
    -----END CERTIFICATE REQUEST-----

       Submit the signed certificate request through the CA end-entities page:

              (a) Open the end-entities page.

              (b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.

              (c) Paste the content of the output file into the first text area of this form.

              (d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.

              (e) Fill in the contact information, and submit the form.

       The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.



OPENSSL:

    # cd ~/.mozilla/firefox/<browser profile>

    # openssl genrsa -out ./openssl.key 2048

    #  openssl req -new -sha256 -key ./openssl.key -out ./openssl.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:.
    State or Province Name (full name) []:.
    Locality Name (eg, city) [Default City]:.
    Organization Name (eg, company) [Default Company Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:CMCEnroll Test Certificate
    Email Address []:.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.

    # cat openssl.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIICajCCAVICAQAwJTEjMCEGA1UEAwwaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
    dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd1KeUe5eTc6j/oBZv
    Z/jEv9XFYGqomCPH3sGsBp3bvZ5W5UKjZ/6K9yJ0s8YGClgbtoHESs9tBhz4zd3L
    B7PxDHHT8LyX64eh4ioucyqOVnL+ND558kVE09RTTaNQmhlWlyfcqoGEUVwp0Ejf
    /VKvVi/kMuLcfQhdx8rFVWiJUN6jFZWeM8vtw7ME6U8T9MrDtdXrkzHdTpBpPljt
    ooRelmNqzBP2GxsALJrw8aXL3R4D8eAdm68Gp49bORg+/TkEqKt9khQIKHnIoHrn
    fs+oBwEc9JP3ko0Ru/dm6KSjd66CNQ1W/Je6qm5HOUSkXYLrQH29IRWl40LQCAuV
    M6xpAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAUxarjKmxkdNH/HrK9hGN8kIj
    rtG7qak4C287nLvRroYwlWDOMjc45N6TWJlSvfQ7aCnYd0+MsabaLay6l5oeWGx+
    l6wmiu5gxLnWIKUBiuBawlHgv7RMUOVGmY+LiKZoOTwALz5DlSEK+PtyMNTLDYh9
    fx8FZeyKzITvm1yi5NF4MKEzT+2Dw73B1I8tkXzr2lqTXlTBpOWnRFw4ktOIEIFJ
    YkDYC1GG1GlxK20tmLUj07f3NXy7Nch9z2+pp7SJY4m44Li6wi4yXfkKIxYH44cQ
    8+AOgrHV/caHgQpHStSXVhNWJ+PBkkOscpQPF1L1x32Ak6lQZn95i3V4sbFGQw==
    -----END CERTIFICATE REQUEST-----

    # CMCEnroll -d . -n "PKI Administrator for example.com" -r ./openssl.csr -p "Secret123"
    cert/key prefix =
    path = .
    -----BEGIN CERTIFICATE REQUEST-----
    [...]
    -----END CERTIFICATE REQUEST-----

    # cat openssl.csr.out
    -----BEGIN CERTIFICATE REQUEST-----
    MIIM4QYJKoZIhvcNAQcCoIIM0jCCDM4CAQMxCzAJBgUrDgMCGgUAMIIC6QYIKwYB
    BQUHDAKgggLbBIIC1zCCAtMwVDAvAgECBggrBgEFBQcHBjEgBB4rb1UyeVRIb3Jk
    YXdlUlErcmlkN2hmNS82WTQ9DQowIQIBAwYIKwYBBQUHBwUxEgIQCJXu+lFiZ+1Q
    n5ldQLopfzCCAnWgggJxAgEBMIICajCCAVICAQAwJTEjMCEGA1UEAwwaQ01DRW5y
    b2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQCd1KeUe5eTc6j/oBZvZ/jEv9XFYGqomCPH3sGsBp3bvZ5W5UKjZ/6K9yJ0
    s8YGClgbtoHESs9tBhz4zd3LB7PxDHHT8LyX64eh4ioucyqOVnL+ND558kVE09RT
    TaNQmhlWlyfcqoGEUVwp0Ejf/VKvVi/kMuLcfQhdx8rFVWiJUN6jFZWeM8vtw7ME
    6U8T9MrDtdXrkzHdTpBpPljtooRelmNqzBP2GxsALJrw8aXL3R4D8eAdm68Gp49b
    ORg+/TkEqKt9khQIKHnIoHrnfs+oBwEc9JP3ko0Ru/dm6KSjd66CNQ1W/Je6qm5H
    OUSkXYLrQH29IRWl40LQCAuVM6xpAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA
    UxarjKmxkdNH/HrK9hGN8kIjrtG7qak4C287nLvRroYwlWDOMjc45N6TWJlSvfQ7
    aCnYd0+MsabaLay6l5oeWGx+l6wmiu5gxLnWIKUBiuBawlHgv7RMUOVGmY+LiKZo
    OTwALz5DlSEK+PtyMNTLDYh9fx8FZeyKzITvm1yi5NF4MKEzT+2Dw73B1I8tkXzr
    2lqTXlTBpOWnRFw4ktOIEIFJYkDYC1GG1GlxK20tmLUj07f3NXy7Nch9z2+pp7SJ
    Y4m44Li6wi4yXfkKIxYH44cQ8+AOgrHV/caHgQpHStSXVhNWJ+PBkkOscpQPF1L1
    x32Ak6lQZn95i3V4sbFGQzAAMACgggf6MIID7jCCAtagAwIBAgIBATANBgkqhkiG
    9w0BAQsFADBjMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJpdHkg
    RG9tYWluMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5n
    IENlcnRpZmljYXRlMB4XDTE2MDkxNjE3NDExOFoXDTM2MDkxNjE3NDExOFowYzEr
    MCkGA1UECgwidXNlcnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjETMBEG
    A1UECwwKcGtpLXRvbWNhdDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0
    ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKe6OtvFTZ5vH0feZ9A5
    Mro+M45YLyEBdnlA2d19y+ICQcDLnT4vte1AIJIYKUAQ0cTjFVAF9dy35GkCKogv
    poNQOAvKmVEwsDkPtUk9pZARySuNjFN0FY7jzxp36nQYgVHHWBApn8yTHBx5eZOC
    fLGHjnM6fOKSE4Tnjm+cEx6KunHocz5b9plmTT018GpDmNN0zIDEiWwIgHWvtceV
    LSz5nfFH+NYkOOAAQ7uI9MXd9hBXknCIp6qyE74XT9jhY3kTOsU5F5jC6Ly/HCRA
    Db0HmggfjhqeEotaHT2YohQBQPDTlbZKYo2r3AqYd+ZkVS/IEf64058YBwam5d+3
    ZxUCAwEAAaOBrDCBqTAfBgNVHSMEGDAWgBQIxZ31a94RewiPBNBg8xgje59kmDAP
    BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUCMWd9Wve
    EXsIjwTQYPMYI3ufZJgwRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRw
    Oi8vcGtpLnVzZXJzeXMucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcN
    AQELBQADggEBADfcAla6L6Zcs2yFHSLb/Lh4kdFqsh2jB6wlkrKME1d0vV2swrho
    wIc/+MRoUcWKmYNgGTBu1IdwJ1rT17xISLddg6cF17H/UEfQu1vaEzJktFVAEX6g
    MAlSpoQbsYrv2YXxd806153RVYI2+LuONSssoZfpt2zb+zaW7RTPI7PJ64Ctz15Q
    dTvHX5aptjKaYZz1LztUvVi4v32tERr1goHQ+S+sfN6mt2Io3fyDVkxPgBDoXOIP
    6rMpWIfMMI4b44m8Y2xs91nivtYie/U0EooaAYMtKkFg4j+E3XPxU4wacQ2qzYY2
    2jVBXW5hAOxW6QAn6jlTh5qpk1yWdWaBQXswggQEMIIC7KADAgECAgEGMA0GCSqG
    SIb3DQEBCwUAMGMxKzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0
    eSBEb21haW4xEzARBgNVBAsMCnBraS10b21jYXQxHzAdBgNVBAMMFkNBIFNpZ25p
    bmcgQ2VydGlmaWNhdGUwHhcNMTYwOTE2MTc0MTIxWhcNMTgwOTA2MTc0MTIxWjCB
    iTErMCkGA1UECgwidXNlcnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjET
    MBEGA1UECwwKcGtpLXRvbWNhdDEpMCcGCSqGSIb3DQEJARYaY2FhZG1pbkB1c2Vy
    c3lzLnJlZGhhdC5jb20xGjAYBgNVBAMMEVBLSSBBZG1pbmlzdHJhdG9yMIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyJwrjd6e7KSOjS/HGWrSj0XCcZ/Z
    pBFfviseslzzBDSDX7yepv0CTBfzgjRD804jmxOp1AEJYitduQPuaDx/x6P+6mdP
    nPXqXrEqcdlujxcaiaMEA1UuYpIvXgAAWBovGYe/YLlQlByUoVpxk1Ehv6QxVLOb
    Ai7QbuCS4bYpD+RuzHC+AwNkM6DhG3uTDr0GAOCr46D5bROPrTDXvwVYIaUfyzJM
    ddUVlqnJUQWypBx9sFAQrher0b1l5UIoI+HRIurlnDE5tPQLMaosO7Zp+5Y5n4WG
    GQszBLtupYsSANrigI+KsWJci1u+CchitKBgsxo5Hsv9x18dlXtWEOrgoQIDAQAB
    o4GbMIGYMB8GA1UdIwQYMBaAFAjFnfVr3hF7CI8E0GDzGCN7n2SYMEYGCCsGAQUF
    BwEBBDowODA2BggrBgEFBQcwAYYqaHR0cDovL3BraS51c2Vyc3lzLnJlZGhhdC5j
    b206ODA4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
    BQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggEBAIjXjZVFXLqvNZNvDoU2
    LS4QjbfuNNzIJA0QezofOhxQgdHLzSp4vMcDHSk2v8SdaRbub/lYYzJftF+qIoHJ
    aJlvuj1yEfPKp5E6MfjM1YQvr/qj/lJizpStQFpwVslQtXsnAA3LsCy4EGJmS+5q
    Sb5cs9mmX6SLxWgZ3PtTJwy7PlrlCndZyYrvQuri429y43vE5AOBaOdmgXEr5IfW
    8M6yAXeSZv543kYLa2pv7GiQQ4E2/LHSvgfGQB9epI3j1auWj3NAfCkbNgJ1wYYZ
    QFPaCxQmC27wlvUCnZz7tUxmQsvAe4mRyzByS+nslsJsJX7LCDcHpSu4WBWWU+6A
    OmYxggHPMIIBywIBAzBoMGMxKzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBT
    ZWN1cml0eSBEb21haW4xEzARBgNVBAsMCnBraS10b21jYXQxHzAdBgNVBAMMFkNB
    IFNpZ25pbmcgQ2VydGlmaWNhdGUCAQYwCQYFKw4DAhoFAKA+MBcGCSqGSIb3DQEJ
    AzEKBggrBgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUJ6B6Em9Hx08oSpLm7mz/QUmJ
    7x0wDQYJKoZIhvcNAQEBBQAEggEAkdUpf25CNr2xr8vZ7d+8FGOsg97g1l0peMxL
    GmjLrQLtDOcEtbezmbDXvGasOSnt8tTa0U9NjcEfXT62QZgRrxCFzv+Fk8YPs7JO
    05FyEDM4id5uMNG0Z32p9f/WaZMn1sFZZQNasuzYjyIjPRFH9R1LP0JQarR+xBYq
    ubLa7RZyTihBmE12C4DhOtzNqhgcHJG3Zav/T/+ebkhXyW66j9wrlEmL4U+kiKG3
    nAOkr/eKS2WA3Vp0WGNJK7K7kCGm3EjYj9r4K3PVVF6tQUg8v7/Qid29dXVU7kYM
    BHpFrBRLPTcAPLTkbUojgEaFTWqx/F19+xaxwZpbbndjSbmvbQ==
    -----END CERTIFICATE REQUEST-----

       Submit the signed certificate request through the CA end-entities page:

              (a) Open the end-entities page.

              (b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.

              (c) Paste the content of the output file into the first text area of this form.

              (d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.

              (e) Fill in the contact information, and submit the form.

       The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.


Tests similar to the one provided above should be run against the following tools:

* CMCEnroll
* CMCRequest
* CMCRevoke
* CRMFPopClient, and
* PKCS10Client

-- Matt

Comment 15 Sumedh Sidhaye 2016-09-20 10:37:38 UTC
Matt,

CMCEnroll using both NSS and OPENSSL works fine.

But for CMCRevoke I'm getting the following error:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRevoke -d. -n"PKI Administrator for idmqe.lab.eng.bos.redhat.com" -i"CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain" -s19 -m6 -pSecret123 -h"NSS Certificate DB" -c"test"
cert/key prefix = 
path = .
org.mozilla.jss.NoSuchTokenException
	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
	at com.netscape.cmstools.CMCRevoke.main(CMCRevoke.java:190)
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# 

I also tried specifying tokenname value as internal, even that did not work.

Comment 16 Sumedh Sidhaye 2016-09-20 11:22:30 UTC
Using PKCS10Client as well it's working fine:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# PKCS10Client -d /opt/rhqa_pki/certdb/ -p "Secret123" -a rsa -l 2048 -o test.csr -n "uid=test"
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: pair.getPublic() called.
PKCS10Client: CertificationRequestInfo() created.
PKCS10Client: CertificationRequest created.
PKCS10Client: calling Utils.b64encode.
PKCS10Client: b64encode completes.
-----BEGIN CERTIFICATE REQUEST-----
MIICfzCCAWcCAQAwFjEUMBIGCgmSJomT8ixkAQETBHRlc3QwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC1+2CW1l6opxJ8RNTtOZfxsDKYVeh0vebs/iR9
9Q6iMOdIM9KQoMFF+mkMFGqph0u5voMUrJlREYR9UbQxM9i/TyK8kgR86CPp6IjJ
zvDfelJDnQahrWylt/m1qesZQZ/jqka+/0t8IyuRbVIzcROxzUd+kkRA7x6Scovo
PusDUUyoqVa7e1QV6mBzwpwIfGnQ9U6MFg1L1QSWgERNptB0vUAGgylNt966XI3L
ike1bx+n0rXxLWF+8al2cYJ/Wa3iwhuOMPMA/jcK6PIzL6vyRQnhF0cmWqMaAm+D
iZb6FC4ZrMb6BfTXaCC968yfUwEs8MkmOJMBGs3B7fyorNdHAgMBAAGgJDAiBggr
BgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDANBgkqhkiG9w0BAQQFAAOC
AQEAdK1vNJ6j1/rtfu3ui31cV0UEWaemQIhSTdF7R4zhCP9aOuvhsWVqf44uRG3V
PNbBKhNXVSV1BBoUYldL01Oyud741heI9B/oqMeARztglRqMKGugHoBP6XSTgLbU
VuGblBm6AUfx8S9UmFis9pqj+vuai1YQpyGLxC4yx2Ffcs253CShttY2Ll9vcFDE
DXixEFD0rkTZ6xDbIye80fC6S259/21hKj6wgNaALXxg0KF1s6Ilm+pfD7bK6mj2
kAiGZDBh7hpRlE1IQuTY3TZ/QeRAtGF6oZup8AULfIUMhqd63HYVB/KUjOyO+UhE
pS+sU3PYOBQmFEvVaKSLJCGNLQ==

-----END CERTIFICATE REQUEST-----

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# pki ca-cert-request-profile-show caUserCert --output test.xml
--------------------------------------------
Enrollment Template for Profile "caUserCert"
--------------------------------------------
----------------------------------------------------
Saved enrollment template for caUserCert to test.xml
----------------------------------------------------
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# vim test.xml


[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# pki ca-cert-request-submit test.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 22
  Type: enrollment
  Request Status: pending
  Operation Result: success
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# pki -d /opt/rhqa_pki/certdb/ -c Secret123 -n "PKI Administrator for idmqe.lab.eng.bos.redhat.com" ca-cert-request-review 22 --action approve
-------------------------------
Approved certificate request 22
-------------------------------
  Request ID: 22
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x14
[root@auto-hv-02-guest01 wr5ucrqp.test_profile]#

Comment 17 Sumedh Sidhaye 2016-09-20 11:26:15 UTC
For CRMFPopClient I am seeing the following error:


[root@auto-hv-02-guest01 wr5ucrqp.test_profile]#  modutil -dbdir /var/lib/pki/pki-tomcat/ca/alias/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
-----------------------------------------------------------

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CRMFPopClient -v -d . -h "NSS Certificate DB" -p Secret123 -n "uid=foobar2" -a rsa -l 2048 -f caEncUserCert 
Initializing security database: .
org.mozilla.jss.NoSuchTokenException
	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
	at com.netscape.cmstools.CRMFPopClient.main(CRMFPopClient.java:401)
ERROR: null
Try 'CRMFPopClient --help' for more information.

Comment 18 Sumedh Sidhaye 2016-09-20 11:41:20 UTC
For CMCRequest as well I am getting a similar error:

[root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRequest CMCRequest.cfg 

cert/key prefix = 
path = .
CryptoManger initialized
org.mozilla.jss.NoSuchTokenException
	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
	at com.netscape.cmstools.CMCRequest.main(CMCRequest.java:1027)

Comment 19 Matthew Harmsen 2016-09-22 23:11:17 UTC
(In reply to Sumedh Sidhaye from comment #17)
> For CRMFPopClient I am seeing the following error:
> 
> 
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]#  modutil -dbdir
> /var/lib/pki/pki-tomcat/ca/alias/ -list
> 
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
> 	 slots: 2 slots attached
> 	status: loaded
> 
> 	 slot: NSS Internal Cryptographic Services
> 	token: NSS Generic Crypto Services
> 
> 	 slot: NSS User Private Key and Certificate Services
> 	token: NSS Certificate DB
> -----------------------------------------------------------
> 
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CRMFPopClient -v -d . -h
> "NSS Certificate DB" -p Secret123 -n "uid=foobar2" -a rsa -l 2048 -f
> caEncUserCert 
> Initializing security database: .
> org.mozilla.jss.NoSuchTokenException
> 	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
> 	at com.netscape.cmstools.CRMFPopClient.main(CRMFPopClient.java:401)
> ERROR: null
> Try 'CRMFPopClient --help' for more information.

This error is probably produced by the fact that you are using an incorrect value for the token (the default is -h "internal", and can simply be left off of the invocation since you are using the "internal" token instead of an HSM).

Although a man page has not yet been constructed for this command, an example is explained in https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Command-Line_Tools_Guide/CRMF_Pop_Request.html.

Please retry this command and see if this info resolves your issue.

Comment 20 Matthew Harmsen 2016-09-22 23:21:00 UTC
(In reply to Sumedh Sidhaye from comment #15)
> Matt,
> 
> CMCEnroll using both NSS and OPENSSL works fine.
> 
> But for CMCRevoke I'm getting the following error:
> 
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRevoke -d. -n"PKI
> Administrator for idmqe.lab.eng.bos.redhat.com" -i"CN=CA Signing
> Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain"
> -s19 -m6 -pSecret123 -h"NSS Certificate DB" -c"test"
> cert/key prefix = 
> path = .
> org.mozilla.jss.NoSuchTokenException
> 	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
> 	at com.netscape.cmstools.CMCRevoke.main(CMCRevoke.java:190)
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# 
> 
> I also tried specifying tokenname value as internal, even that did not work.

Again, try leaving the -h"NSS Certificate DB" parameter off of this command, and retry it; the name of the internal token is -hinternal, but should not be needed as it is the default value.

Comment 21 Matthew Harmsen 2016-09-22 23:26:15 UTC
(In reply to Sumedh Sidhaye from comment #15)
> Matt,
> 
> CMCEnroll using both NSS and OPENSSL works fine.
> 
> But for CMCRevoke I'm getting the following error:
> 
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRevoke -d. -n"PKI
> Administrator for idmqe.lab.eng.bos.redhat.com" -i"CN=CA Signing
> Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain"
> -s19 -m6 -pSecret123 -h"NSS Certificate DB" -c"test"
> cert/key prefix = 
> path = .
> org.mozilla.jss.NoSuchTokenException
> 	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
> 	at com.netscape.cmstools.CMCRevoke.main(CMCRevoke.java:190)
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# 
> 
> I also tried specifying tokenname value as internal, even that did not work.

Again, try leaving the -h"NSS Certificate DB" parameter off of this command, and retry it; the name of the internal token is -hinternal, but should not be needed as it is the default value.

Expanding on Comment #20 above:

Although the man page has not yet been constructed, for this command, an example is explained in https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Command-Line_Tools_Guide/CMC_Revocation.html.

Comment 22 Matthew Harmsen 2016-09-22 23:31:16 UTC
(In reply to Sumedh Sidhaye from comment #18)
> For CMCRequest as well I am getting a similar error:
> 
> [root@auto-hv-02-guest01 wr5ucrqp.test_profile]# CMCRequest CMCRequest.cfg 
> 
> cert/key prefix = 
> path = .
> CryptoManger initialized
> org.mozilla.jss.NoSuchTokenException
> 	at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
> 	at com.netscape.cmstools.CMCRequest.main(CMCRequest.java:1027)

Finally, I am only guessing here, but I am wondering if you changed the name of "tokenname=internal" to "tokenname="NSS Certificate DB" in your configuration file entitled "CMCRequest.cfg".

Again, the man page has not yet been constructed for this command, but an example is explained in https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Command-Line_Tools_Guide/CMC_Request.html.

Please try out my change suggestions in Comments 19, 21, and 22, and let me know if you get any farther.

Re-assigning bug to ON_QA.
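
As an added illustration of the mistake discussed in Comments 19 through 22 (not code from the bug report or from pki-core), the small checker below parses a CMCRequest.cfg-style file, flags a tokenname that carries the name NSS prints for its software token rather than the JSS name "internal", and rewrites it. It assumes the file is plain key=value lines with "#" comments; the sample config and its values are constructed.

```python
"""Lint the tokenname setting of a CMCRequest.cfg-style file (added example)."""

# Name JSS expects for the NSS internal (software) token; per the thread it is
# also the default for -h in CRMFPopClient/CMCRevoke and may simply be omitted.
JSS_INTERNAL_TOKEN = "internal"
# Names modutil prints for that same software token. JSS does not resolve them,
# which is what produces org.mozilla.jss.NoSuchTokenException in the thread.
NSS_DISPLAY_NAMES = {"NSS Certificate DB", "NSS Generic Crypto Services"}

# Constructed sample config reproducing the error (all values are placeholders).
SAMPLE_CFG = """\
# CMCRequest.cfg (constructed sample)
dbdir=.
password=Secret123
nickname=PKI Administrator for example.test
tokenname=NSS Certificate DB
output=cmc.req
"""


def parse_cfg(text: str) -> dict:
    """Parse key=value lines, skipping blank lines and '#' comments (assumed format)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_tokenname(cfg: dict) -> tuple:
    """Return (ok, message). A missing tokenname defaults to 'internal'; an NSS
    display name is the thread's bug; any other label is assumed to be an HSM."""
    name = cfg.get("tokenname", JSS_INTERNAL_TOKEN)
    if name == JSS_INTERNAL_TOKEN:
        return True, "tokenname resolves to the internal software token"
    if name in NSS_DISPLAY_NAMES:
        return False, (f"tokenname={name!r} is the NSS display name; use "
                       f"tokenname={JSS_INTERNAL_TOKEN} or omit the line")
    return True, f"tokenname={name!r} assumed to be an HSM token label"


def fix_tokenname(text: str) -> str:
    """Rewrite a tokenname line that carries an NSS display name to 'internal'."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "tokenname" and value.strip() in NSS_DISPLAY_NAMES:
            line = f"tokenname={JSS_INTERNAL_TOKEN}"
        out.append(line)
    return "\n".join(out) + "\n"
```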

Comment 23 Sumedh Sidhaye 2016-09-23 12:34:06 UTC
CMCRevoke works if I remove the -h option.

I tested with the following command and it worked:

[root@pki1 nxiiz1ap.default]# CMCRevoke -v -d. -n"PKI CA Administrator for Example.Org" -i"CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org" -s27 -m6 -pSecret123 -c"test"

cert/key prefix = 
path = .
CMCRevoke: searching for certificate nickname:PKI CA Administrator for Example.Org
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Pasting the above CMCRevoke output in the CMC Revoke menu in CA's EE page revoked the cert as well.

0x1b 	revoked 	UID=foobar3,E=foobar3

Comment 24 Sumedh Sidhaye 2016-09-26 15:50:10 UTC
Hi Matt,

CMCRequest is working fine now after modifying the cfg file with correct params.

Also CRMFPopClient and PKCS10Client are working as expected.

Hence marking this verified.

Comment 26 errata-xmlrpc 2016-11-04 05:27:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html
