When the pki CLI requests a certificate with key archival, it will initially retrieve the transport certificate from KRA, then send the CRMF request to CA. Currently the CLI assumes that the CA and KRA are running in the same instance. If the KRA runs in a different instance the operation will fail:
$ pki -v -c Secret123 client-cert-request uid=testuser --profile caDualCert --type crmf
Server URI: http://server.example.com:8080
Client security database: /home/testuser/.dogtag/nssdb
Message format: null
Command: client-cert-request uid=testuser --profile caDualCert --type crmf
Module: client
Module: cert-request
Initializing client security database
Logging into security token
HTTP request: GET /kra/rest/config/cert/transport HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: server.example.com:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.3.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1011
Date: Tue, 19 May 2015 15:49:21 GMT
com.netscape.certsrv.base.PKIException: Not Found
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:567)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:80)
    at com.netscape.certsrv.system.SystemCertClient.getTransportCert(SystemCertClient.java:46)
    at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:221)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:265)
    at com.netscape.cmstools.client.ClientCLI.execute(ClientCLI.java:57)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:265)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:523)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:535)
Proposed solution: The client should ask the CA for the transport cert. CA will retrieve the cert from KRA, then return it to the client.
Alternatively, the client could ask the CA for the KRA location. The client will then retrieve the cert directly from KRA.
Proposed milestone: 10.2.5
Fixed in master:
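The following is an added illustration of the problem and of the second proposed solution; it is not code from the pki CLI or the Dogtag project. It models two separate instances offline with a fake HTTP layer: the "current behaviour" function hard-codes the KRA path on the CA's own host (the only endpoint taken from the issue is /kra/rest/config/cert/transport) and fails with the 404 seen in the trace, while the alternative first asks the CA where the KRA is (the /ca/rest/config/kra discovery endpoint is an assumption, not a real Dogtag API) and then fetches the transport certificate from that location. The PEM body is a constructed stand-in, and the parse step only checks that what came back is a PEM-wrapped DER SEQUENCE before it would be used to wrap a private key for archival.

```python
import base64
from dataclasses import dataclass
from urllib.parse import urljoin

# Constructed sample "certificate": a DER SEQUENCE header plus filler bytes,
# base64-wrapped in PEM armour. Not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Two instances on different hosts (constructed URLs).
CA_URL = "http://ca.example.com:8080"
KRA_URL = "http://kra.example.com:8443"


class PKIError(Exception):
    """Raised when a lookup fails or returns something that is not a certificate."""


@dataclass
class Response:
    status: int
    body: str


class FakeDeployment:
    """Offline stand-in for HTTP: maps full URLs to canned responses."""

    def __init__(self, ca_url, kra_url):
        self.routes = {
            # Hypothetical discovery endpoint on the CA (assumption, not Dogtag API).
            urljoin(ca_url, "/ca/rest/config/kra"): Response(200, kra_url),
            # Transport certificate endpoint as shown in the issue, but on the KRA host.
            urljoin(kra_url, "/kra/rest/config/cert/transport"): Response(200, SAMPLE_PEM),
        }

    def get(self, url):
        return self.routes.get(url, Response(404, "Not Found"))


def parse_pem_cert(text):
    """Minimal sanity check: PEM armour present and payload starts with a DER SEQUENCE."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" \
            or lines[-1] != "-----END CERTIFICATE-----":
        raise PKIError("transport endpoint did not return a PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:
        raise PKIError("payload is not a DER SEQUENCE")
    return der


def fetch_transport_cert_colocated(http, server_url):
    """Current behaviour: assume the KRA lives in the same instance as the CA."""
    resp = http.get(urljoin(server_url, "/kra/rest/config/cert/transport"))
    if resp.status != 200:
        raise PKIError(f"{resp.status} {resp.body}")
    return parse_pem_cert(resp.body)


def fetch_transport_cert_via_ca(http, server_url):
    """Proposed alternative: ask the CA for the KRA location, then query that KRA."""
    loc = http.get(urljoin(server_url, "/ca/rest/config/kra"))
    if loc.status != 200:
        raise PKIError(f"CA did not report a KRA location: {loc.status} {loc.body}")
    resp = http.get(urljoin(loc.body, "/kra/rest/config/cert/transport"))
    if resp.status != 200:
        raise PKIError(f"KRA at {loc.body} returned {resp.status} {resp.body}")
    return parse_pem_cert(resp.body)


def run_demo():
    """Run both lookups against the two-instance deployment and report the outcomes."""
    deployment = FakeDeployment(CA_URL, KRA_URL)
    results = {}
    try:
        fetch_transport_cert_colocated(deployment, CA_URL)
        results["colocated"] = "ok"
    except PKIError as err:
        results["colocated"] = str(err)  # "404 Not Found", as in the issue's trace
    results["via_ca"] = fetch_transport_cert_via_ca(deployment, CA_URL) == SAMPLE_DER
    return results


if __name__ == "__main__":
    print(run_demo())
```

The discovery step is what removes the colocation assumption; a real implementation would additionally verify the returned transport certificate against a trusted CA before using it to wrap the private key, since that certificate decides who can recover the archived key.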
Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.4
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1945
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.