#687 Troubles spawning PKI with external root_CA
Closed: Invalid None Opened 10 years ago by adze.

Hi guys,

I have trouble spawning an issuing CA using pkispawn. I have read and read and tried and tried. I have come to the point where I think it's a bug.

I want to create an issuing CA using dogtag and an external offline root-CA. I have used the info at https://www.redhat.com/archives/pki-devel/2012-December/msg00025.html and created the following file:

cat ca_1.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_ca_signing_nickname=BIT B.V. Signing CA
pki_ca_signing_subject_dn=cn=BIT B.V. Signing CA,e=support@bit.nl,o=BIT B.V.
pki_ocsp_signing_nickname=BIT B.V. OCSP Signing CA
pki_ocsp_signing_subject_dn=cn=BIT B.V. OCSP Signing CA,e=support@bit.nl,o=BIT B.V.
pki_random_serial_numbers_enable=True
pki_admin_email=support@bit.nl
pki_admin_subject_dn=cn=PKI Administrator,e=support@bit.nl,e=support@bit.nl,o=BIT B.V.
pki_audit_signing_nickname=BIT B.V. Audit Signing CA
pki_audit_signing_subject_dn=cn=BIT B.V. Audit Signing CA,e=support@bit.nl,o=BIT B.V.
pki_subsystem_nickname=BIT B.V. Subsystem CA
pki_subsystem_subject_dn=cn=BIT B.V. Subsystem CA,e=support@bit.nl,o=BIT B.V.
pki_external=True
pki_external_ca_cert_path=/tmp/pki/config/bit_ca.cer
pki_external_csr_path=/tmp/pki/config/ca_signing.csr

But when I try to spawn the new CA I get the following error:

Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
pkispawn    : INFO     ....... adding GID 'pkiuser' for group '17' . . .
pkispawn    : INFO     ....... adding UID 'pkiuser' for user '17' . . .
pkispawn    : INFO     ... populating 'pki.deployment.infrastructure_layout'
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn    : INFO     ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn    : INFO     ....... mkdir -p /var/lib/pki
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn    : INFO     ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn    : INFO     ... populating 'pki.deployment.instance_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn    : INFO     ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn    : INFO     ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn    : INFO     ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn    : INFO     ... populating 'pki.deployment.subsystem_layout'
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn    : INFO     ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn    : INFO     ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn    : INFO     ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn    : INFO     ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn    : INFO     ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn    : INFO     ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn    : INFO     ... populating 'pki.deployment.selinux_setup'
pkispawn    : INFO     ... deploying 'pki.deployment.webapp_deployment'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn    : INFO     ....... cp -rp /usr/share/pki/common-ui /var/lib/pki/pki-tomcat/webapps/pki
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn    : INFO     ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn    : INFO     ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn    : INFO     ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn    : INFO     ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn    : INFO     ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution
pkispawn    : INFO     ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties'
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml'
pkispawn    : INFO     ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
pkispawn    : INFO     ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template'
pkispawn    : INFO     ... generating 'pki.deployment.security_databases'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
pkispawn    : INFO     ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
pkispawn    : INFO     ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes
pkispawn    : INFO     ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=pki-cm.dmz.bit.nl,o=2013-07-15 13:58:25' -m 0 -v 12 -c 'cn=pki-cm.dmz.bit.nl,o=2013-07-15 13:58:25' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1'
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
pkispawn    : INFO     ... configuring 'pki.deployment.configuration'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn    : INFO     ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,e=support@bit.nl,e=support@bit.nl,o=BIT B.V.', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn    : INFO     ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Error in obtaining certificate chain from issuing CA: java.lang.NullPointerException
Installation failed.

The root CA consists of just one certificate. There is no chain. I think therefore this is a bug. If you need any extra info, I'd be happy to deliver. I'm new to dogtag, but quite familiar with RSA PKI systems.

Using version: dogtag-pki-10.0.3-1.fc19


A certificate chain can contain one or more certificates. It must be in PKCS7 format though, and I suspect yours may not have been.

Most CAs do provide their certificate chain in PKCS7. Certainly, if your external CA is a Dogtag CA, that option is available.

If not, there are openssl tools to convert from a cert or set of certs to a PKCS7 chain.
http://linux.die.net/man/1/crl2pkcs7

openssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile demoCA/cacert.pem -outform DER -out p7.der

When I tried my install with the relevant certificate and certificate chain in PKCS7 format, it went through just fine.

Closing this as worksforme. If there are other concerns, please reopen.
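
As an added example, not part of the ticket or of Dogtag's own code: a standard-library Python pre-flight check that reports whether a file such as the one named in pki_external_ca_cert_path is a bare X.509 certificate or a PKCS7 chain, judged from its outer DER structure. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# DER content bytes of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify(data):
    """Return (kind, cert_count); kind is 'pkcs7', 'x509' or 'unknown'."""
    pem = PEM_RE.search(data)
    try:
        if pem:  # PEM armour: decode the base64 body back to DER
            data = base64.b64decode(b"".join(pem.group(2).split()))
        tag, body, _ = read_tlv(data)
        top = children(body) if tag == 0x30 else []
        # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT }
        if len(top) == 2 and top[0] == (0x06, SIGNED_DATA_OID) and top[1][0] == 0xA0:
            _, signed, _ = read_tlv(top[1][1])
            # SignedData carries the chain in its certificates [0] field
            chain = [val for tag, val in children(signed) if tag == 0xA0]
            return "pkcs7", len(children(chain[0])) if chain else 0
        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
        if [t for t, _ in top] == [0x30, 0x30, 0x03]:
            return "x509", 1
    except ValueError:  # also covers malformed base64 (binascii.Error)
        pass
    return "unknown", 0

def tlv(tag, content=b""):
    """Encode a short (< 128 byte) DER element; only used to build the samples."""
    return bytes([tag, len(content)]) + content

# Constructed samples: a certificate-shaped stub and a certs-only PKCS #7 wrapper.
SAMPLE_CERT = tlv(0x30, tlv(0x30) + tlv(0x30) + tlv(0x03, b"\x00"))

def sample_pkcs7(certs):
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31)
                 + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
                 + tlv(0xA0, b"".join(certs)) + tlv(0x31))
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, signed))

if __name__ == "__main__":
    print(classify(SAMPLE_CERT), classify(sample_pkcs7([SAMPLE_CERT])))
```

A result of "x509" for the external CA file is the case the comment above suspects; the crl2pkcs7 command it quotes produces a file that classifies as "pkcs7".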

Metadata Update from @adze:
- Issue assigned to vakwetu
- Issue set to the milestone: N/A

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1256

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
