I have 2 hosts:
host1: pki2.example.org has the following subsystems: CA, KRA, OCSP
host2: pki3.example.org has a CA belonging to a different security domain
Configured publishing on pki3 to publish CRLs to the OCSP:

ca.publish.publisher.instance.ocsp1.enableClientAuth=true
ca.publish.publisher.instance.ocsp1.host=pki2.example.org
ca.publish.publisher.instance.ocsp1.nickName=subsystemCert cert-Foobar1-CA
ca.publish.publisher.instance.ocsp1.path=/ocsp/agent/ocsp/addCRL
ca.publish.publisher.instance.ocsp1.pluginName=OCSPPublisher
ca.publish.publisher.instance.ocsp1.port=14444
A user was created on the OCSP instance with the subsystem certificate of the CA belonging to host2.
Also, the CA of host2 was added through the OCSP Agent Interface.
When publishing CRLs from host2 to the OCSP on host1, it fails with the error:

[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: OCSPPublisher: Host='pki2.example.org' Port='14444' URL='/ocsp/agent/ocsp/addCRL'
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: OCSPPublisher: publish failed org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195) Peer does not recognize and trust the CA that issued your certificate.
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: CRL published.
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed Aug 05 05:00:00 EDT 2015 delay: 10332867
[05/Aug/2015:02:11:08][Timer-0]: In LdapBoundConnFactory::getConn()
Note: all the above subsystems are configured with ECC.
Steps to Reproduce:
1. Configure the CA1 and OCSP1 subsystems with ECC on Host1
2. Configure CA2 with ECC on Host2
3. Configure publishing on CA2 to publish CRLs to OCSP1
4. Add the CA2 CA cert to OCSP1
Actual results:
CRL publishing fails.
Expected results:
CRL publishing should succeed.
Additional info:
Host1, CA1 instance configuration file:

[DEFAULT]
pki_instance_name=example-ecc-ca1
pki_https_port=8443
pki_http_port=8080
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki2.example.org
pki_security_domain_name=Example Org
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/example-ecc-ca1
pki_client_pkcs12_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005
[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_subject_dn=cn=CA Signing Certificate3,o=%(pki_security_domain_name)s
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate3,o=%(pki_security_domain_name)s
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate3,o=%(pki_security_domain_name)s
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-Foobar1-ca3
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_subject_dn=cn=Subsystem Certificate3,o=%(pki_security_domain_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

OCSP1 instance configuration file:

[DEFAULT]
pki_instance_name=example-ecc-ocsp1
pki_https_port=14443
pki_http_port=14080
#NSS DB Token Password
pki_token_password=Secret123
#OCSP Admin password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123
# Security Domain
pki_security_domain_hostname=pki2.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123
#Client Dir
pki_client_dir=/opt/example-ecc-ocsp1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123
# backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005
[OCSP]
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_import_admin_cert=False
pki_issuing_ca_uri=https://pki2.example.org:8443
pki_ds_hostname=localhost
pki_ds_ldap_port=2389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123
pki_ds_secure_connection=False

CA2 instance configuration file:

[DEFAULT]
pki_instance_name=Foobar1-CA
pki_https_port=8443
pki_http_port=8080
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_dualkey=True
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki3.example.org
pki_security_domain_name=Foobar.org
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/Foobar1-CA
pki_client_pkcs12_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005
[CA]
pki_admin_nickname=PKI Administrator for Foobar Org
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-RootCA
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123
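The handshake error quoted in the report, (-12195), is NSS's SSL_ERROR_UNKNOWN_CA_ALERT: the TLS server (here the OCSP instance on pki2) sent an unknown_ca alert because it could not chain the publisher's client certificate to a CA it trusts for that purpose. Registering CA2 through the OCSP agent interface makes it a known CRL issuer for OCSP; it is separate from the trust flags in the OCSP instance's own NSS certificate database, which is what the TLS listener consults when it validates a client certificate. In NSS trust-flag terms, a CA that is allowed to issue SSL client certificates carries the `T` flag in the SSL slot (the first of the three comma-separated slots that `certutil -L` prints). The script below is an added diagnostic written for this editing pass, not part of the ticket or of Dogtag: it parses a `certutil -L` listing and reports whether a given CA nickname has that flag. The nickname `caSigningCert cert-Foobar1-CA`, the `/var/lib/pki/<instance>/alias` database path and the listing itself are constructed for the example and are assumptions, not values taken from the report.

```shell
#!/bin/sh
# Added example (not from the ticket): check whether a CA nickname in an NSS
# certificate database is trusted to issue SSL client certificates ("T" flag
# in the SSL trust slot). A TLS server validating client certs sends an
# unknown_ca alert, seen by the client as -12195 SSL_ERROR_UNKNOWN_CA_ALERT,
# when the client cert's issuer lacks that trust.
#
# Use against a live instance (database path is an assumption, adjust it):
#   certutil -L -d /var/lib/pki/example-ecc-ocsp1/alias \
#       | ssl_trust_flags 'caSigningCert cert-Foobar1-CA'

# Print the SSL trust slot for NICKNAME from a `certutil -L` listing on stdin.
# Prints nothing if the nickname is not present in the listing.
ssl_trust_flags() {
    nick=$1
    awk -v nick="$nick" '
        {
            # Each entry is: <nickname, padded with spaces> <SSL,S/MIME,JAR/XPI flags>.
            # The trust flags are the last field; strip them to recover the nickname.
            flags = $NF
            sub(/[ \t]+[^ \t]+$/, "", $0)
            if ($0 == nick) { split(flags, f, ","); print f[1]; exit }
        }'
}

# Succeed (exit 0) only if NICKNAME carries the "T" flag in the SSL slot.
trusts_client_ca() {
    flags=$(ssl_trust_flags "$1")
    case $flags in
        *T*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample standing in for `certutil -L -d <alias dir>` output on the
# OCSP instance: the local CA is fully trusted, the remote CA2 signing cert is
# present but only marked "c" (valid CA), so client certs it issued are rejected.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-example-ecc-ca1 CA                        CT,C,C
Server-Cert cert-example-ecc-ocsp1                           u,u,u
subsystemCert cert-example-ecc-ocsp1                         u,u,u
caSigningCert cert-Foobar1-CA                                c,,'

# Stand-alone demonstration on the constructed listing.
for nick in 'caSigningCert cert-example-ecc-ca1 CA' 'caSigningCert cert-Foobar1-CA'; do
    flags=$(printf '%s\n' "$SAMPLE_LISTING" | ssl_trust_flags "$nick")
    if printf '%s\n' "$SAMPLE_LISTING" | trusts_client_ca "$nick"; then
        printf '%-40s SSL flags=%-4s trusted to issue client certs\n' "$nick" "$flags"
    else
        printf '%-40s SSL flags=%-4s NOT trusted to issue client certs\n' "$nick" "$flags"
    fi
done
```

If the issuer of the publisher's client certificate shows up with an empty SSL slot or only `c`, the unknown_ca alert is expected regardless of what the OCSP agent interface knows about that CA; if it already shows `CT`, look elsewhere (intermediate certificates missing from the chain, or the client cert not issued by the CA you think it is). This is a diagnostic for the symptom in the report, not a statement about whether cross-domain publishing is a supported configuration, which the ticket resolution answers below.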
Per today's meeting, this is not an expected scenario. Closing as won't fix.
Metadata Update from @mrniranjan: - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2099
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.