Overview

Today we will be installing Dogtag Certificate System (PKI 10.5) on a CentOS 7 server as a subordinate CA, with the CA signing certificate issued by an external CA, in this case a Windows Server 2012 R2 Certification Authority.

Dogtag Server

  • CentOS 7.9.2009
  • PKI 10.5.18

External CA

  • Windows Server 2012 R2

Setup Directory Services

Create DS Instance

# yum install 389-ds-base
# useradd -s /sbin/nologin -c "DS User" ds389

Create setup file

# cat 389-ds_setup.inf
[General]
FullMachineName= dogtag-server.domain.internal
SuiteSpotUserID= ds389
SuiteSpotGroup= ds389
[slapd]
ServerPort= 389
ServerIdentifier= dogtag-server
Suffix= dc=domain,dc=internal
RootDN= cn=Directory Manager
RootDNPwd= Password1

# setup-ds.pl --silent --file=389-ds_setup.inf

Add PKI entry

# cat 389-ds_setup.ini
dn: dc=pki,dc=domain,dc=internal
objectClass: domain
dc: pki

# ldapadd -h $(hostname --fqdn) -x -D "cn=Directory Manager" -w Password1 -f 389-ds_setup.ini

Passing the Directory Manager password with -w puts it in the shell history and the process list; on anything other than a throwaway box use -W to be prompted or -y to read it from a file, and keep 389-ds_setup.inf (which also holds RootDNPwd in clear text) mode 0600.

# systemctl enable dirsrv.target

Checks

# ldapsearch -x -b "dc=domain,dc=internal" -H ldap://localhost
# ldapsearch -x -h dogtag-server.domain.internal -p 389 -s base -b "" "objectclass=*"
# systemctl status dirsrv@dogtag-server.service

Reference links

https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/installing_rhds
https://github.com/dogtagpki/pki/wiki/DS-1.3-Installation


Installing the CA

Install packages

# yum install pki-ca pki-kra pki-symkey

Preparing CA Installation

This is step one of the two-step external CA install. pki_external=True with pki_external_step_two=False tells pkispawn to create the instance and the CA signing key pair and to write a CSR to pki_ca_signing_csr_path (a relative path like the one below is resolved from the directory pkispawn is run in) instead of generating a self-signed CA certificate. Every password in the file is in clear text, so keep it mode 0600 and delete it when the install is complete.

# cat subCA-phase1.cfg
[CA]
pki_admin_email=caadmin@localhost
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Password1
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Password1
pki_client_database_password=Password1
pki_client_database_purge=False
pki_client_pkcs12_password=Password1
pki_ds_base_dn=dc=dogtag-server,dc=domain,dc=internal
pki_ds_database=dogtag-server
pki_ds_password=Password1
pki_security_domain_name=dogtag-server-ca
pki_token_password=Password1
pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=dogtag-server.csr

# pkispawn -v -f subCA-phase1.cfg -s CA

# less /var/log/pki/pki-ca-spawn.20210430091122.log

Issuing CA Signing Certificate

Now that we have our Certificate Signing Request, browse to the Certificate Authority Web Enrollment page (https://<servername>/certsrv) hosted on the Windows 2012 R2 server and:

  • Request a certificate
  • Advanced certificate request
  • Saved Request field: paste CSR contents
  • Certificate Template: select Subordinate Certification Authority
  • Submit
  • Download DER encoded
    • certificate (certnew.cer)
    • certificate chain (certnew.p7b)

I had some issues with initially being unable to select the required Subordinate Certification Authority template. The Windows Admins resolved the issue for me but I don’t have the details so I can’t help if you encounter the same issue.

Microsoft documentation

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v=ws.11)


Completing CA Installation

The files downloaded from certsrv are DER encoded; convert the certificate and the PKCS#7 chain to PEM before handing them to pkispawn:

# openssl x509 -inform der -in certnew.cer -out certnew.crt
# openssl pkcs7 -inform der -in certnew.p7b -out certconverted.p7b
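As an added example (not part of the original post and not Dogtag's own tooling), the script below performs the checks worth doing on the downloaded files before running step two: that the certificate's public key is the one from the step-one CSR, that it was actually issued as a CA, and that it verifies against the chain in the .p7b. So that it runs offline it builds a throwaway root CA, CSR and signed sub-CA certificate in a temp directory as stand-ins for the Windows CA output; those file names, the "Example Root CA" subject and the 30-day lifetimes are my assumptions. On a real install run it with dogtag-server.csr, certnew.cer and certnew.p7b as its three arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or from Dogtag): check the
# certificate that came back from certsrv before running the step-two
# pkispawn. The fixture built by make_fixture is a constructed stand-in
# for the Windows CA's output so the script can run offline.
set -eu

# Convert the DER downloads to PEM in $outdir and return 0 only if the
# certificate carries the CSR's public key, is a CA certificate and
# validates against the downloaded chain.
check_subca_cert() {
    csr="$1" cer_der="$2" p7b_der="$3" outdir="$4"
    openssl x509 -inform der -in "$cer_der" -out "$outdir/ca_signing.crt"
    # -print_certs unpacks the PKCS#7 bundle into plain PEM certificates,
    # which is what openssl verify expects in -CAfile.
    openssl pkcs7 -inform der -in "$p7b_der" -print_certs -out "$outdir/chain.crt"

    # 1. Same public key as the CSR, or step two cannot pair the certificate
    #    with the private key pkispawn left in the NSS database.
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    crt_key=$(openssl x509 -in "$outdir/ca_signing.crt" -noout -pubkey | openssl sha256)
    if [ "$csr_key" != "$crt_key" ]; then
        echo "FAIL: public key in $cer_der does not match $csr" >&2
        return 1
    fi
    # 2. Issued as a CA (the Subordinate Certification Authority template sets
    #    basicConstraints CA:TRUE); an end-entity certificate here would leave
    #    the sub CA unable to issue anything that chains up.
    case "$(openssl x509 -in "$outdir/ca_signing.crt" -noout -text)" in
        *"CA:TRUE"*) ;;
        *) echo "FAIL: $cer_der is not a CA certificate" >&2; return 1 ;;
    esac
    # 3. Chains to the root(s) delivered in the PKCS#7 bundle.
    if ! openssl verify -CAfile "$outdir/chain.crt" "$outdir/ca_signing.crt" >/dev/null 2>&1; then
        echo "FAIL: $cer_der does not verify against $p7b_der" >&2
        return 1
    fi
    return 0
}

# Constructed fixture: a throwaway root CA standing in for the Windows CA,
# the CSR pkispawn would have written, the signed sub-CA certificate, and a
# second unrelated CSR to exercise the key-mismatch check.
make_fixture() {
    dir="$1"
    # Extensions equivalent to what the Subordinate CA template applies.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CA Signing Certificate" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Some Other Key" \
        -keyout "$dir/other.key" -out "$dir/other.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/sub.pem" 2>/dev/null
    # Deliver DER, the way the certsrv "DER encoded" download does.
    openssl x509 -in "$dir/sub.pem" -outform der -out "$dir/certnew.cer"
    openssl crl2pkcs7 -nocrl -certfile "$dir/sub.pem" -certfile "$dir/root.crt" \
        -outform der -out "$dir/certnew.p7b"
}

if [ "$#" -eq 3 ]; then
    # Real install: ./check.sh dogtag-server.csr certnew.cer certnew.p7b
    work=$(mktemp -d)
    check_subca_cert "$1" "$2" "$3" "$work"
    echo "OK: PEM copies written to $work/ca_signing.crt and $work/chain.crt"
else
    demo=$(mktemp -d)
    make_fixture "$demo"
    check_subca_cert "$demo/sub.csr" "$demo/certnew.cer" "$demo/certnew.p7b" "$demo"
    echo "OK: constructed fixture in $demo passes all three checks"
fi
```

The PEM files it writes, ca_signing.crt and chain.crt, are the equivalents of certnew.crt and certconverted.p7b above, except that chain.crt has been unpacked with -print_certs into plain certificates, which is the form openssl verify needs. If check 1 fails, the CSR you pasted into certsrv was not the one pkispawn wrote, and step two will not be able to pair the certificate with the key in /etc/pki/pki-tomcat/alias.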

Step two reuses the step-one settings and adds pki_external_step_two=True together with the paths to the signed CA certificate and its chain:

# cat subCA-phase2.cfg
[CA]
pki_admin_email=root@localhost
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Password1
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Password1
pki_client_database_password=Password1
pki_client_database_purge=False
pki_client_pkcs12_password=Password1
pki_ds_base_dn=dc=dogtag-server,dc=domain,dc=internal
pki_ds_database=dogtag-server
pki_ds_password=Password1
pki_security_domain_name=dogtag-server-ca
pki_token_password=Password1
pki_external=True
pki_external_step_two=True
pki_ca_signing_cert_path=certnew.crt
pki_cert_chain_path=certconverted.p7b

# pkispawn -v -f subCA-phase2.cfg -s CA

# less /var/log/pki/pki-ca-spawn.20210430092341.log

# systemctl enable pki-tomcatd.target

Check service

# systemctl status pki-tomcatd@pki-tomcat.service

# cat /usr/share/pki/VERSION
Name: pki
Specification-Version: 10.5
Implementation-Version: 10.5.18

# pkidaemon status
Instance pki-tomcat is configured to use nuxwdog: false
Status for pki-tomcat: pki-tomcat is running ..

[CA Status Definitions]
Unsecure URL        = http://dogtag-server.domain.internal:8080/ca/ee/ca
Secure Agent URL    = https://dogtag-server.domain.internal:8443/ca/agent/ca
Secure EE URL       = https://dogtag-server.domain.internal:8443/ca/ee/ca
Secure Admin URL    = https://dogtag-server.domain.internal:8443/ca/services
PKI Console Command = pkiconsole https://dogtag-server.domain.internal:8443/ca
Tomcat Port         = 8005 (for shutdown)

[CA Configuration Definitions]
PKI Instance Name:   pki-tomcat

PKI Subsystem Type:  Subordinate CA (Security Domain)

Registered PKI Security Domain Information:
==========================================================================
Name:  dogtag-server-ca
URL:   https://dogtag-server.domain.internal:8443
==========================================================================

Certificate information

# pki-server cert-find
Cert ID: ca_signing
Nickname: caSigningCert cert-pki-tomcat CA
...
Cert ID: ca_ocsp_signing
Nickname: ocspSigningCert cert-pki-tomcat CA
...
Cert ID: sslserver
Nickname: Server-Cert cert-pki-tomcat
...
Cert ID: subsystem
Nickname: subsystemCert cert-pki-tomcat
...
Cert ID: ca_audit_signing
Nickname: auditSigningCert cert-pki-tomcat CA

# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
DevSite-SubCA2                                               CT,C,C
DevIssuing-CA                                                CT,C,C
caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
Server-Cert cert-pki-tomcat                                  u,u,u
DevSite-CA                                                   CT,C,C
ocspSigningCert cert-pki-tomcat CA                           u,u,u
subsystemCert cert-pki-tomcat                                u,u,u

# pki ca-cert-find --name 'PKI Administrator'
---------------
1 entries found
---------------
  Serial Number: 0x5
  Subject DN: CN=PKI Administrator,E=root@localhost,OU=pki-tomcat,O=dogtag-server-ca
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=dogtag-server-ca
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Apr 30 09:24:35 AWST 2021
  Not Valid After: Thu Apr 20 09:24:35 AWST 2023
  Issued On: Fri Apr 30 09:24:35 AWST 2021
  Issued By: system
----------------------------
Number of entries returned 1
----------------------------

Reference Links

https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md
https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/setting_up_subsystems_with_an_external_ca


Job Scheduler configuration

Let’s configure some reminders to renew our certificates before they expire.

# systemctl stop pki-tomcatd@pki-tomcat.service

# vim /etc/pki/pki-tomcat/ca/CS.cfg
jobsScheduler.enabled=true
jobsScheduler.job.certRenewalNotifier.enabled=true
jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=75
jobsScheduler.job.certRenewalNotifier.senderEmail=root@dogtag-server.domain.internal
jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=alerts@domain.internal
jobsScheduler.job.certRenewalNotifier.summary.senderEmail=root@dogtag-server.domain.internal

# systemctl start pki-tomcatd@pki-tomcat.service

Once configured as above the job runs Monday to Friday at 03:00 (the schedule is the job's cron parameter, jobsScheduler.job.certRenewalNotifier.cron, in crontab format) and looks at every certificate that expires within the next 75 days; notifyTriggerOffset is a number of days. Mail is sent through the SMTP server configured in CS.cfg (smtp.host and smtp.port), so confirm that mail from the CA host is actually deliverable before relying on these reminders. The job sends the following emails.

Certificate Renewal Notification email

For every certificate inside the expiry window configured an email will be sent to the email address configured in the certificate. Using our ‘PKI Administrator’ certificate as example the renewal email will be sent to root@localhost.

If there is no email address then no email will be sent.

Certificate Renewal Notification Summary email

This email contains a summary of all the renewal emails sent on that day, advising whether each was successful (Renewal notification status = succeeded) or failed (Renewal notification status = failed).

Certificates with no email address are still included in the summary, flagged as 'Renewal notification status = failed'.

Reference Links

https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/administration_guide/setting_up_the_job_scheduler
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/administration_guide/Setting_up_Specific_Jobs#Configuration_Parameters_of_certRenewalNotifier


Browser setup for PKI Administrator

Obtain the CA chain by browsing to https://dogtag-server.domain.internal:8443/ca/ee/ca/ and performing the following steps:

  • Retrieval tab
    • Import CA Certificate Chain
    • Import the CA certificate chain into your browser
    • file saved: getCAChain

The PKI Administrator's client certificate (this account is also an agent), which pkispawn exported as a PKCS#12 file, is at:

  • /root/.dogtag/pki-tomcat/ca_admin_cert.p12

I used Firefox. Other browsers may differ slightly in the steps:

  • URL: about:preferences#privacy
  • View Certificates
  • Authorities tab
    • Import: getCAChain
    • Check: Trust this CA to identify web sites
  • Your Certificates tab
    • Import: ca_admin_cert.p12
    • password as above: Password1
    • certificate installed
      • Org: dogtag-server-ca
      • CN: PKI Administrator

Test access to Agent Services

  • Open a private browsing window
  • Browse to https://dogtag-server.domain.internal:8443/ca/agent/ca/
  • If you receive 'Invalid Credential' when browsing Agent Services:
    • Be sure you identified yourself with the correct PKI Administrator certificate
    • You may need to restart the browser if another certificate has already been accepted

Reference Links

https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/administration_guide/web-interface
https://github.com/dogtagpki/pki/wiki/Default-CA-Admin

Web Interface Theme

The theme package appears to have gone missing in the CentOS repos but you can search the internet and install this one to pretty it up.

  • dogtag-pki-server-theme-10.5.7-1.fc27.noarch.rpm

Conclusion

I was tasked with renewing the CA certificates for a Dogtag service that was spun up almost two years ago and the system certificates were due for renewal. If the CA Signing certificate were to expire then this would cause a trust problem for all the devices with certificates issued from the Dogtag Certificate system.

With practically no documentation created post-implementation of the initial setup, I wanted a DEV box that I could use to get myself well acquainted with Dogtag. There already existed TEST and PROD environments for the Dogtag service but I wanted a DEV box that I could break and rebuild with no consequences. I didn’t want to risk breaking the TEST environment as I needed to have that for testing the renewal process once I was ready.

In my next post I will be documenting the renewal process.

By paul
