#1384 CRMF request via CLI fails with separate KRA instance
Closed: Fixed. Opened 8 years ago by edewata.

When the pki CLI requests a certificate with key archival, it will initially retrieve the transport certificate from KRA, then send the CRMF request to CA. Currently the CLI assumes that the CA and KRA are running in the same instance. If the KRA runs in a different instance, the operation will fail:

$ pki -v -c Secret123 client-cert-request uid=testuser --profile caDualCert --type crmf
Server URI: http://server.example.com:8080
Client security database: /home/testuser/.dogtag/nssdb
Message format: null
Command: client-cert-request uid=testuser --profile caDualCert --type crmf
Module: client
Module: cert-request
Initializing client security database
Logging into security token
HTTP request: GET /kra/rest/config/cert/transport HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: server.example.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.3.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 1011
  Date: Tue, 19 May 2015 15:49:21 GMT
com.netscape.certsrv.base.PKIException: Not Found
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:567)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:80)
        at com.netscape.certsrv.system.SystemCertClient.getTransportCert(SystemCertClient.java:46)
        at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:221)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:265)
        at com.netscape.cmstools.client.ClientCLI.execute(ClientCLI.java:57)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:265)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:523)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:535)

Proposed solution: The client should ask the CA for the transport cert. CA will retrieve the cert from KRA, then return it to the client.

Alternatively, the client could ask the CA for the KRA location. The client will then retrieve the cert directly from KRA.

Proposed milestone: 10.2.5


Fixed in master:

  • e7c6b5ea5a109da2a2385aeb616825082c2ddd60

Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.4

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1945

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
