
Configuring Certificate Chaining using Mozilla NSS (Network Security Services)

Shanks and I were trying to configure an IPA server installation with an external CA set-up. For testing purposes, we planned to use certutil, part of the Mozilla nss-tools (Network Security Services) package. IPA generates a CSR (certificate signing request) called ipa.csr when you install it with the option --external-ca. The plan is to sign ipa.csr with an external CA (let's say SubCA) which is itself signed by another CA (RootCA), so that a certificate chain of trust is involved. After a bit of trial and error, this is how it worked out:

To auto-generate a CSR (located at /root/ipa.csr) to be signed by an external CA while configuring the IPA server, run:

$ ipa-server-install --external-ca

For illustration purposes, let's create a temporary NSS db. The certutil commands that follow use -d . and so assume the db directory is the current working directory:

$ certutil -N -d /var/tmp/testdb

Create a (self-signed) Root CA
Now, create a (self-signed) Root CA and list the contents of the NSS (Network Security Services) db:

$ certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d .

$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA ROOTCA certificate                                           CTu,u,u

Note: under 'Trust Attributes', the 'u' attribute indicates that the corresponding private key is also available in that database. Keys can be listed by running: # certutil -K -d /path/to/nssdb

Set up the Subordinate CA
Create a CSR for the Subordinate CA, which will be signed by the Root CA created in the previous step:

$ certutil -R -s "cn=SUB-Certificate Authority, O=LAB.TEST.REDHAT.COM" -p "9323" -o ipasubca.req -d . -a

Now, sign this CSR with the Root CA (nickname "IPA ROOTCA certificate") and write the certificate to a file:

$ certutil -C -m 2346 -i ipasubca.req -o ipasubcacert.crt -c "IPA ROOTCA certificate" -d . -a

Then add this certificate to the NSS db and give it a nickname:

$ certutil -A -d . -i ipasubcacert.crt -t "CTu,Cu,Cu" -n "IPA SUBCA certificate"

Now, list the certificates (both certs are listed and available):

$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA ROOTCA certificate                                       CTu,u,u
IPA SUBCA certificate                                        CTu,Cu,Cu
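As an added example (not part of the original post), here is a small Python parser for the certutil -L listing above that decodes each trust flag and reports which certificates are trusted as CAs and which carry a private key (the 'u' attribute noted earlier); the sample listing is a constructed copy of the output above.

```python
import re

# Meaning of each NSS trust-flag character, per the certutil man page.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA",
    "T": "trusted CA for client authentication",
    "u": "private key present in this db",
}

# One listing line: nickname, 2+ spaces, then the SSL,S/MIME,JAR/XPI triple.
LINE_RE = re.compile(r"^(\S.*?)\s{2,}([pPcCTu]*),([pPcCTu]*),([pPcCTu]*)\s*$")


def parse_certutil_list(text):
    """Return [{'nickname', 'ssl', 'smime', 'jar'}] for each certificate line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            nick, ssl, smime, jar = m.groups()
            entries.append({"nickname": nick.strip(), "ssl": ssl,
                            "smime": smime, "jar": jar})
    return entries


def decode_flags(flags):
    """Expand a flag string such as 'CTu' into its meanings, in order."""
    return [FLAG_MEANING[f] for f in flags]


def audit(text):
    """Summarise which certs are trusted CAs and which carry private keys."""
    entries = parse_certutil_list(text)
    trusted_cas = [e["nickname"] for e in entries
                   if "C" in e["ssl"] or "T" in e["ssl"]]
    key_holders = [e["nickname"] for e in entries
                   if "u" in e["ssl"] + e["smime"] + e["jar"]]
    # A CA whose private key lives in the same db as everything else is fine
    # for a lab like the one above, but is worth flagging in a real deployment.
    return {"trusted_cas": trusted_cas, "key_holders": key_holders,
            "ca_keys_in_db": [n for n in trusted_cas if n in key_holders]}


# Constructed sample: the listing shown above after adding the SubCA cert.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA ROOTCA certificate                                       CTu,u,u
IPA SUBCA certificate                                        CTu,Cu,Cu
"""

if __name__ == "__main__":
    for e in parse_certutil_list(SAMPLE):
        print(e["nickname"], "SSL:", ", ".join(decode_flags(e["ssl"])))
    print(audit(SAMPLE))
```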

Sign certs using the SubCA
First, export the ROOTCA cert as a base64 ASCII (PEM) certificate, so that we can later create an ASCII CA chain file:

$ certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt

Create a CA chain file by concatenating iparootca.crt and ipasubcacert.crt into one single file:

$ cat iparootca.crt ipasubcacert.crt > chainca.crt

Let's sign ipa.csr using the SubCA configured previously:

$ certutil -C -m 2346 -i ipa.csr -o ipa.crt -c "IPA SUBCA certificate" -d . -a

Now, to install the IPA server using the external chained CA set-up, pass the signed certificate and the CA chain file (the chain file built above was copied to /tmp/chainca.crt for this step):

$ ipa-server-install --external_cert_file=ipa.crt --external_ca_file=/tmp/chainca.crt

Voilà! The IPA server is configured successfully. [I didn't include the complete, long stdout of ipa-server-install, to keep this brief.]

Also note: instead of ipa.csr, you can sign any other CSR (user, server, etc.) generated with either certutil or any other tool (like openssl) using the RootCA/SubCA set-up above.


Dogtag Certificate System 9.0 release

A late post, by a couple of weeks, but still: the Dogtag Certificate System team announced the 9.0 release (for Fedora 15).

Release notes can be found here.

To try out on your Fedora-15 system:

1/ Install the pre-requisites (a 389-ds LDAP instance):

# yum install 389-ds-base -y

2/ Configure the 389-ds instance by running the following (accept all the default/typical options):

# /usr/sbin/setup-ds.pl

3/ Install the Dogtag Certificate System CA (Certificate Authority) package:

# yum install pki-ca pki-silent -y

(NOTE: to get all Dogtag CS packages, use: # yum install dogtag-pki -y)

4/ Create a Certificate Authority (CA) instance using the 'pkicreate' tool. I placed the default CA instance creation script in a simple file, noted below:

# wget http://kashyapc.fedorapeople.org/dogtag-pki/instance-create-scripts/ca.bash
# chmod +x ca.bash
# ./ca.bash
(The CA instance should be created successfully.)

5/ Now, let's configure the previously created CA instance. There are two ways to configure an instance: one via the browser, the other using the 'pkisilent' tool to configure the CA silently.
For illustration purposes, let's go the 'pkisilent' route. I composed a sanitized pkisilent configuration script for the CA here: http://kashyapc.fedorapeople.org/dogtag-pki/pkisilent-scripts/ca-silent.bash
Also, before you run 'ca-silent.bash', replace the passwords in the script accordingly.

# wget http://kashyapc.fedorapeople.org/dogtag-pki/pkisilent-scripts/ca-silent.bash
# chmod +x ca-silent.bash
# ./ca-silent.bash
# service pki-cad restart
# service pki-cad status
pki-ca (pid 1418) is running...                            [  OK  ]
    Unsecure Port       = http://lovelock1.foo.bar.com:9180/ca/ee/ca
    Secure Agent Port   = https://lovelock1.foo.bar.com:9443/ca/agent/ca
    Secure EE Port      = https://lovelock1.foo.bar.com:9444/ca/ee/ca
    Secure Admin Port   = https://lovelock1.foo.bar.com:9445/ca/services
    EE Client Auth Port = https://lovelock1.foo.bar.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://lovelock1.foo.bar.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)
PKI Instance Name:   pki-ca
PKI Subsystem Type:  Root CA (Security Domain)
Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://lovelock1.foo.bar.com:9445
    ==========================================================================

6/ Now, let's: [a] export the CA agent certificate into a p12 file from the temporary NSS db; [b] install the CA agent's certificate into the NSS database of the browser (from where the CA agent pages can be invoked):

#####################################
# certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
testnick                                                     P,,
Certificate Authorityca-t1 - silentdom                       c,c,
ca-agent                                                     u,u,u
#
#####################################
# /usr/bin/pk12util -o ca-agent.p12 -n "ca-agent" -d /var/tmp/testdb/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
#####################################
# /usr/bin/pk12util -i ca-agent.p12 -d /home/kashyap/.mozilla/firefox/irphredr.default/
#####################################
