CA Connector can't create certificate


Michael Muenz

Jun 6, 2016, 9:33:11 AM
to privacyidea
Hi,

I've set up the WebCA as described in 

When I try to roll out a new certificate I get:
'X509Req' object has no attribute 'get_extensions'

There's no certificate but the token will be displayed within the token view.

Google tells me about some "wont fixes" with PyOpenSSL.

I'm using Debian 8 with the latest packages from the Trusty build.


Any ideas?

Thanks
Michael

Cornelius Kölbel

Jun 6, 2016, 10:00:41 AM
to priva...@googlegroups.com
Hi,

can you please post your privacyidea.log?
There should be a traceback.

Which version of pyopenssl and which version of openssl are you using?

Kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Michael Muenz

Jun 6, 2016, 4:20:13 PM
to privacyidea
ii  openssl                        1.0.1t-1+deb8u2             amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl                 0.14-1                      all          Python 2 wrapper around the OpenSSL library


[2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    tokenrealms=tokenrealms)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    tokenobject.update(upd_params)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    crypto.FILETYPE_PEM, req))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    csr_extensions = csr_obj.get_extensions()
AttributeError: 'X509Req' object has no attribute 'get_extensions'

Cornelius Kölbel

Jun 6, 2016, 4:27:47 PM
to priva...@googlegroups.com
Oh,
it looks like get_extensions was added to X509Req AFTER the release of
0.14.
Available in 0.15... :-/

https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt#L114

Maybe I will pack a newer version of python-openssl.
Till then you would have to install at least 0.15. Or run in a python
virtualenv...

Kind regards
Cornelius

Cornelius Kölbel

Jun 6, 2016, 5:36:09 PM
to priva...@googlegroups.com
The CSR extensions are not used at the moment.

So we could as well remove this line and then python-openssl 0.14 would
work fine, again.

Kind regards
Cornelius

On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:

Michael Muenz

Jun 7, 2016, 3:59:06 AM
to privacyidea
I added the Jessie-Backports since they deliver 0.15, but when I wanted to install it, it grabs python-pyopenssl from the trusty ppa and breaks :)
After that I forced it with aptitude -t jessie-backports and now I get an Internal Server Error when accessing the start page


[Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
[Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096]   default="/etc/privacyidea/dictionary")
[Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
[Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from privacyidea.app import create_app
[Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
[Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     import privacyidea.api.before_after
[Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
[Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from ..lib.user import get_user_from_param
[Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
[Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .resolver import (get_resolver_object,
[Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
[Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from config import (get_resolver_types,
[Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
[Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .caconnectors.localca import BaseCAConnector
[Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
[Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     csr_extensions = csr_obj.get_extensions()
[Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     ^
[Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent


I think I'm gonna reinstall from scratch ...

cornelius.koelbel

Jun 7, 2016, 4:04:19 AM
to Michael Muenz, privacyidea
Hi Michael. 

My suggestion:

Forget about backport and 0.15.

You can patch the localca.py and simply remove line 173. I already committed this on github. We do not need the CSR get_extensions.

Kind regards 
Cornelius 


-------- Original message --------
From: Michael Muenz <m.m...@gmail.com>
Date: 07.06.16 09:59 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: [privacyidea] CA Connector can't create certificate

Michael Muenz

Jun 7, 2016, 4:04:24 AM
to privacyidea
Ok, removed the line and it works again. 
Now I can download the PKCS12. 

But I had to remove the password from the ca.key ... will this be the final version or do you plan some fields in the UI to enter the password for the root-ca?

Michael

cornelius.koelbel

Jun 7, 2016, 4:15:14 AM
to Michael Muenz, privacyidea
Hi Michael,

I was thinking about the passphrase on the CA key.
In my opinion having a passphrase only makes limited sense.
The passphrase would be encrypted in the database, encrypted with the encryption key, which is probably only protected by file access. So you can protect the CA key with file access in the first place.

Think of the local ca as a working proof of concept  :-)
Any feedback and input is appreciated.

Kind regards
Cornelius 



-------- Original message --------
From: Michael Muenz <m.m...@gmail.com>
Date: 07.06.16 10:04 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: [privacyidea] CA Connector can't create certificate

Michael Muenz

Jun 7, 2016, 5:25:11 AM
to privacyidea, m.m...@gmail.com
Hi,

true that! :) 

So what about users already running a company wide CA via OpenSSL? 
Then I would create a new Intermediate CA with no PW, but then the openssl command has to be edited to include the original root-certificate in the chain.

Any chance to do this? 

I'm not a PKI expert, but does this make sense?


Michael

Cornelius Kölbel

Jun 7, 2016, 6:03:48 AM
to priva...@googlegroups.com
Hi Michael,

this very much depends on your overall PKI design.
As a matter of fact I am also doing PKI consultancy for enterprise sized
PKIs. Including hardware security modules and smartcards if needed.

Yes, setting up an Intermediate CA would make sense. But the
intermediate CA does not need the Root CA to sign a certificate.

You could however include the whole CA chain for download. But this is
also not required. So technically: No Root CA needed on this machine.

Kind regards
Cornelius

Michael Muenz

Jul 13, 2016, 5:45:47 AM
to privacyidea, m.m...@gmail.com
Hi,

Again playing around with the CA connector. 
Are there any plans for setting an import password for the generated PKCS12 files? 

Thanks
Michael

Cornelius Kölbel

Jul 13, 2016, 6:16:14 AM
to priva...@googlegroups.com
Hi Michael,

this already can be done.
When setting the token PIN, this will be the password for the pkcs12
file.

Kind regards
Cornelius

On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:

Michael Muenz

Jul 13, 2016, 6:37:09 AM
to privacyidea
Hi,

doesn't work for me. 

Hm, with my first setup I remember that it was working, but now when importing an existing CA there is no import password.

Will try again with a CA from scratch.

Cornelius Kölbel

Jul 13, 2016, 6:38:14 AM
to priva...@googlegroups.com
To avoid confusion:

The private key of the CA is not password protected!

Kind regards
Cornelius

Michael Muenz

Jul 13, 2016, 6:39:36 AM
to privacyidea
:)

No, I removed the password after our last discussion (for the testing system) 

The certificates get created and I can import them, but they don't have a password.

Cornelius Kölbel

Jul 13, 2016, 6:50:38 AM
to priva...@googlegroups.com
You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!

Michael Muenz

Jul 13, 2016, 7:25:22 AM
to privacyidea
Hm, I followed now: http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

mkdir /etc/privacyidea/CA
cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/

openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
            -out /etc/privacyidea/CA/ca.crt \
            -config /etc/privacyidea/CA/openssl.cnf
chmod 0600 /etc/privacyidea/CA/ca.key
touch /etc/privacyidea/CA/index.txt
echo 01 > /etc/privacyidea/CA/serial
openssl rsa -in ca.key -out ca-nopw.key
mv ca-nopw.key ca.key
chown -R privacyidea /etc/privacyidea/CA



I enroll a certificate and set a PW in the PIN field, but I can import it successfully with my W10

Michael Muenz

Jul 13, 2016, 7:44:16 AM
to privacyidea
I copied the pkcs12 to the otp machine and exported the CA Cert but it's empty. 
There seems to be something wrong, but I'm not sure if it's my fault. :/

root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
Enter Import Password:
MAC verified OK
root@otp1:~# cat cacert.pem
root@otp1:~#

Did the same with an existing .p12 created for another project and the correct root CA was exported.
...

Cornelius Kölbel

Jul 13, 2016, 12:23:27 PM
to priva...@googlegroups.com
The below mentioned link does not contain any pkcs12.

http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

I am really not sure what you mean here.

Are you talking about the CA certificate, i.e. the certificate
signing the others?
Or are you talking about a "certificate token", i.e. a user certificate?

Which PKCS12 did you copy, export CA certificate?
This all makes no sense to me.

But no problem, I also provide great PKI workshops:
https://netknights.it/en/leistungen/one-time-services/

Please note: Certificates are a topic where it is very important that you understand
the underlying processes, rules and cryptography.
privacyIDEA has very basic certificate management capabilities.
But I am happy, if you help to improve the software.

Kind regards
Cornelius

Michael Muenz

Jul 13, 2016, 12:52:18 PM
to privacyidea
Cornelius,

I'll definitely order some hours when the first server goes into production, but for now I'm evaluating all features internally here.

So, I created the CA as documented before and enrolled a certificate token for user e.g. mimu.
Now I can download the certificate as PKCS12. Normally this file should include certificate, key and root cert. 
With a double click I can install the certificate (PKCS12) but when asked for an import password only an empty password works.

Now, when opening the mmc snap-in I can see the certificate under Own Certificates. But there's no root CA installed.
That's why I tried to extract the root CA from the pkcs12 via openssl, but it's empty.

I'm quite sure that with a first test machine with Ubuntu ppa version 2.12 it worked.
Now I'm using PiP 2.13

Michael

Cornelius Kölbel

Jul 13, 2016, 1:06:14 PM
to priva...@googlegroups.com
On Wednesday, 13.07.2016, 09:52 -0700, Michael Muenz wrote:
> Cornelius,
>
>
> I'll definitely order some hours when the first server goes into
> production, but for now I'm evaluating all features internally here.

Hello Michael,

Please explain to me: At the moment you need the MOST help, you refuse to
get help. You try with a lot of effort to do everything on your own.
Why?

> So, I created the CA as documented before and enrolled a certificate
> token for user e.g. mimu.

STOP. You describe a complicated process very lightly in half a sentence?
Please think about it yourself: How did you enroll the certificate
token? There are many different ways to do so. This is important
information - also to you!

This is really what makes it very challenging for me to act on the
mailing list. Because most people do not take a look at what they are
doing.

Here probably is your problem. "You enrolled the certificate token"...
Did it ever come to your mind that the problem that the certificate token
does not behave as expected is due to the fact that the token was not
enrolled as you thought it would be?
So the logical consequence would be, to take a deeper look at the token
enrollment process. And not only drop this topic in half a sentence.

So again. How did you enroll the certificate token?

I very much recommend for all of you to study physics!
...to train your analytic skills...

Kind regards
Cornelius

Michael Muenz

Jul 13, 2016, 2:40:11 PM
to privacyidea


On Wednesday, 13 July 2016 19:06:14 UTC+2, Cornelius Kölbel wrote:

> Hello Michael,
>
> Please explain to me: At the moment you need the MOST help, you refuse to
> get help. You try with a lot of effort to do everything on your own.
> Why?

Because I'm not the one in the company who decides to spend money on it :) These will be internal systems, so there's no money to earn.
When we are far enough to sell services, we'll also order some consultancy to check if everything is set up correctly.
Also, when the CA stuff doesn't work the way we want, we'll just not use it and use the CLI (as before), but the way PI does it is a good way to roll them out to the user.

> > So, I created the CA as documented before and enrolled a certificate
> > token for user e.g. mimu.
>
> STOP. You describe a complicated process very lightly in half a sentence?
> Please think about it yourself: How did you enroll the certificate
> token? There are many different ways to do so. This is important
> information - also to you!
>
> This is really what makes it very challenging for me to act on the
> mailing list. Because most people do not take a look at what they are
> doing.

OK, I set up a small article with some pictures, hopefully you can follow me now, sorry for not being clear enough:

I checked the privacyidea.log, no traceback (the certificate token gets created mostly perfect) and the apache log is also quiet.
Thanks
Michael

Cornelius Kölbel

Jul 13, 2016, 4:23:30 PM
to priva...@googlegroups.com
On Wednesday, 13.07.2016, 11:40 -0700, Michael Muenz wrote:
>
>
> On Wednesday, 13 July 2016 19:06:14 UTC+2, Cornelius Kölbel wrote:
>
> > Hello Michael,
> >
> > Please explain to me: At the moment you need the MOST help, you
> > refuse to
> > get help. You try with a lot of effort to do everything on
> > your own.
> > Why?
>
>
> Because I'm not the one in the company who decides to spend money
> on it :) These will be internal systems, so there's no money to earn.
> When we are far enough to sell services, we'll also order some consultancy
> to check if everything is set up correctly.
> Also, when the CA stuff doesn't work the way we want, we'll just not
> use it and use the CLI (as before), but the way PI does it is a good
> way to roll them out to the user.


Honestly I very much doubt this. At the moment you have a big pain. But
you (your company) are not willing. Why should they be later, when
everything runs smoothly? Well, we will see ;-)

Anyways: The PIN is not correctly set during the enrollment of the
token.
You need to
1. set the PIN on the token details and then
2. reload the token details.
Then you can download the PKCS12 PIN protected.

PKCS12 does not require to contain a CA certificate.

Kind regards
Cornelius

Michael Muenz

Jul 13, 2016, 4:42:26 PM
to privacyidea


On Wednesday, 13 July 2016 22:23:30 UTC+2, Cornelius Kölbel wrote:

> Anyways: The PIN is not correctly set during the enrollment of the
> token.
> You need to
> 1. set the PIN on the token details and then
> 2. reload the token details.
> Then you can download the PKCS12 PIN protected.

Yay, you're right. When I set the PIN again and reload it's in there.
Shall I create an issue in github?

> PKCS12 does not require to contain a CA certificate.

But why don't you do that? The Root CA has to be specified within the UI, so the filename is clear.
Then you have a clean path from Root to User CA when checking the certificate.

Cornelius Kölbel

Jul 13, 2016, 4:45:27 PM
to priva...@googlegroups.com
On Wednesday, 13.07.2016, 13:42 -0700, Michael Muenz wrote:
>
>
> On Wednesday, 13 July 2016 22:23:30 UTC+2, Cornelius Kölbel wrote:
>
>
> Anyways: The PIN is not correctly set during the enrollment of
> the
> token.
> You need to
> 1. set the PIN on the token details and then
> 2. reload the token details.
> Then you can download the PKCS12 PIN protected.
>
>
>
> Yay, you're right. When I set the PIN again and reload it's in there.
> Shall I create an issue in github?
>
> PKCS12 does not require to contain a CA certificate.
>
>
> But why don't you do that?

Two hands?
24 hours? ;-)

You are free to file an issue or a pull request, or to order this feature.
It sounds sensible to me.

Kind regards
Cornelius
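The three PKI points argued over in this thread, as an added example that is not privacyIDEA's code and not the openssl.cnf from its documentation: an issuing (intermediate) CA signs a user certificate on its own, with the root key already moved off the machine (Cornelius's point that no root CA key is needed on the host); the PKCS#12 gets an import password, which is the role the token PIN plays in privacyIDEA; and the bundle carries the CA chain, so the `openssl pkcs12 -cacerts -nokeys` check that came back empty above returns the chain here. The CA keys are left unencrypted and protected by file permissions, as the thread settles on. File names, subjects, the `offline` directory and the PIN values are assumptions made for this illustration; the commands were written against openssl 1.1.1 and later.

```shell
#!/bin/sh
# Added example, not privacyIDEA's code and not the openssl.cnf from its docs:
# a root CA whose key goes offline, an issuing (intermediate) CA that signs a
# user certificate on its own, and a PKCS#12 bundle that is PIN protected and
# carries the CA chain. File names, subjects, the "offline" directory and the
# PIN values are assumptions made for this illustration.
set -eu

# Root CA and issuing CA. The private keys are unencrypted and protected by
# file permissions only, which is what the thread settles on.
build_pki() {
  dir="$1"
  (
    cd "$dir"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
    chmod 0600 root.key
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
      -extfile root.ext -out root.crt 2>/dev/null

    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
      'keyUsage=critical,keyCertSign,cRLSign' > inter.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
    chmod 0600 inter.key
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

    # The root key leaves the machine; only root.crt stays, for chain building.
    mkdir -p offline && mv root.key offline/

    # User certificate, signed by the issuing CA alone: no root key present.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
      'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=clientAuth' > user.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=mimu" -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 365 -sha256 -extfile user.ext -out user.crt 2>/dev/null
  )
}

# PKCS#12 with an import password and the CA chain (issuing CA + root) inside.
bundle_p12() {
  dir="$1"; pin="$2"
  cat "$dir/inter.crt" "$dir/root.crt" > "$dir/chain.pem"
  openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
    -certfile "$dir/chain.pem" -name "mimu" \
    -passout "pass:$pin" -out "$dir/user.p12" 2>/dev/null
}

# The check run in the thread: how many CA certificates does the bundle carry?
count_cacerts() {
  dir="$1"; pin="$2"
  openssl pkcs12 -in "$dir/user.p12" -cacerts -nokeys \
    -passin "pass:$pin" -out "$dir/cacerts.pem" 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$dir/cacerts.pem" || true
}

# Path validation user -> issuing CA -> root with only root.crt trusted.
verify_user() {
  dir="$1"
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/inter.crt" \
    "$dir/user.crt" >/dev/null 2>&1
}

# A wrong import password must fail the PKCS#12 MAC check.
wrong_pin_rejected() {
  dir="$1"; pin="$2"
  ! openssl pkcs12 -in "$dir/user.p12" -nokeys -passin "pass:$pin" \
    -out /dev/null 2>/dev/null
}

# Usage: sh pki_demo.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  build_pki "$tmp"
  bundle_p12 "$tmp" secretpin
  echo "CA certificates in the bundle: $(count_cacerts "$tmp" secretpin)"
  verify_user "$tmp" && echo "chain verifies against root.crt"
  wrong_pin_rejected "$tmp" badpin && echo "wrong PIN rejected"
fi
```

Two caveats worth keeping in mind when transferring this to a real rollout: the chain inside the PKCS#12 is a convenience for the importer, not a trust decision, so a client still has to get the root certificate from a trusted channel before `openssl verify` style validation means anything; and OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, so an importer that only understands the older RC2/3DES encodings needs `-legacy` on the export.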