Wednesday, 8 November 2017

Configuring Dog Tag (PKI) Certificate Authority on Fedora

After trialling several web based CA's Dog Tag was one of the few CA's I found a reasonable amount of documentation for and has readily available packages for CentOS / Fedora.

Firstly let's install the package (it's not currently available in the stable repo yet):

sudo yum --enablerepo=updates-testing install dogtag-pki 389-ds-base

We will use 389 Directory Server to create a new LDAP server instance that Dogtag can use:

sudo setup-ds.pl --silent\
 General.FullMachineName=`hostname`\
 General.SuiteSpotUserID=nobody\
 General.SuiteSpotGroup=nobody\
 slapd.ServerPort=389\
 slapd.ServerIdentifier=pki-tomcat\
 slapd.Suffix=dc=example,dc=com\
 slapd.RootDN="cn=Directory Manager"\
 slapd.RootDNPwd=yourpassword

and then create our CA subsystem with:

sudo su -
pkispawn

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: 

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [YOURVM.LOCAL]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 

Security Domain:
  Name [LOCAL Security Domain]: 

Begin installation (Yes/No/Quit)? Y

Log file: /var/log/pki/pki-ca-spawn.20171108144208.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target → /usr/lib/systemd/system/pki-tomcatd.target.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://YOURVM.LOCAL:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

We can now either use the CLI or web-based interface to manage the server - however we will firstly need to ensure that the certificate we generated prior (/root/.dogtag/pki-tomcat/ca_admin.cert) is included in the Firefox certificate store:

Firefox >> Edit >> Preferences >> Advanced >> Certificates >> View Certificates >> 'Your Certificates' >> 'Import...'

Browse to the web ui: https://YOURVM.LOCAL:8443/ca

You should be presented with a certificate dialog like below:


End users can access the following URL in order to request certificates:

https://yourvm.local:8443/ca/ee/ca/

For this purposes of this tutorial we will keep things simple and generate a certificate for use on a Windows machine - so let's firstly select 'Manual Server Certificate Enrolment':

openssl genrsa -out computer.key 2048
openssl req -new -sha256 -key computer.key -out computer.csr

cat computer.csr

and paste the certificate in as below:


Hopefully then (after hitting submit) we'll see:

Now - let's head to the admin section and approve the request:

https://yourvm.local:8443/ca/agent/ca/

List Requests >> Find


Click on the request, check the details etc. and finally hit 'Approve' at the bottom.

Once it has been approved you should see a copy of the (BASE64 encoded) certificate at the bottom of the confirmation page.

Finally we'll want to package this up a long with the corresponding private key:

openssl pkcs12 -inkey computer.key -in computer.pem -export -out computer.pfx

(where 'computer.pem' is the public portion that has just been generated.)

Proceed by importing the PFX file into the Windows Computer certificate store under 'Personal'.

Sources

Fedora Project :: PKI :: Quick Start

0 comments:

Post a comment