As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/certificate approach.
When I started on IPA, I didn’t realize that NSS could mean “Network Security Services” as well as “Name Server Switch.” In this article, I mean the former.
First, a note on how I installed the server. I used a single set of ports for all SSL traffic:
pkicreate -pki_instance_root=/var/lib -subsystem_type=ca -pki_instance_name=pki-ca2 -secure_port=8443 -unsecure_port=8080 -tomcat_server_port=8005 -user=pkiuser -group=pkiuser -verbose
In the future I’ll use pkisilent to configure the server, but for this one I went through the WebUI setup. During the server setup process, the CA provides a certificate to the web browser that can be used for identification. In Mozilla, you can view the certificate with:
Edit->Preferences->Advanced->Encryption->View Certificate->Your Certificates
Select the “backup” or “backup all” option to save the certificate in PKCS#12 file format. I chose backup all and called the file
Create a new NSS database, then set the environment variable that tells curl to use it:
certutil -N -d $PWD/db
export SSL_DIR=$PWD/db
Now import the keys into the database.
pk12util -d $PWD/db -i ipa-server-3.p12
You’ll be prompted for both the new database and the PKCS12 file passwords:
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
To confirm your certificates are in there:
certutil -d ./db/ -L
Which should produce something along the lines of:
Certificate Nickname                                                      Trust Attributes
                                                                          SSL,S/MIME,JAR/XPI

ipa-server-3-CA                                                           C,,
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID  u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID    u,u,u
Note that I have the CA cert in there as well, but it didn’t seem to work for me during the curl stage.
I got the CA.crt from the WebUI:
And just cut and pasted it to a file.
Now to run curl:
curl --cacert ./CA.crt \
  --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID" \
  https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
  --pass freeipa4all
Note the difference between the two options: --cacert takes a file name on disk, whereas --cert takes the certificate nickname from the NSS database (the SSL_DIR one), which is why the nickname with its spaces and apostrophe must be quoted.
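The steps above can be scripted. The helper below is an added example (not from the original post) that picks the agent nickname out of `certutil -L` output by its `u,u,u` trust flags (the entries for which the database holds a private key, as opposed to the `C,,` CA entry), refuses to guess when the pattern is ambiguous, and wraps the curl call with SSL_DIR set. The function names, the constructed sample output and the `CA_CERT` default are assumptions; it expects an NSS-enabled curl as shipped in Fedora.

```shell
#!/bin/sh
# Added example for scripting the Dogtag-over-curl procedure; not the post's own code.

# Print nicknames from `certutil -d <db> -L` (on stdin) whose trust attributes
# are exactly u,u,u and that match the pattern in $1. Nicknames may contain
# spaces and apostrophes, so the trust column is stripped rather than split on.
user_cert_nicknames() {
    sed -n 's/^\(.*[^[:space:]]\)[[:space:]]\{1,\}u,u,u[[:space:]]*$/\1/p' \
        | grep -- "$1"
}

# Select exactly one nickname for the pattern in $1. Zero or several matches
# are an error: a script should never silently authenticate with the wrong
# certificate (e.g. the KRA agent instead of the CA agent).
pick_agent_nickname() {
    matches=$(user_cert_nicknames "$1" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 u,u,u certificate matching '$1', got $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Call the CA with client-certificate auth from the NSS database.
# $1 = NSS db directory, $2 = nickname, $3 = URL, $4 = private-key password.
# The CA file for server verification defaults to ./CA.crt (assumed path).
dogtag_curl() {
    SSL_DIR="$1" curl --cacert "${CA_CERT:-./CA.crt}" --cert "$2" --pass "$4" "$3"
}

# Constructed sample of `certutil -L` output, mirroring the listing above.
sample_certutil_output() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-server-3-CA                                              C,,
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID  u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID    u,u,u
EOF
}

# Usage against a live instance (not executed here):
#   nick=$(certutil -d "$PWD/db" -L | pick_agent_nickname 'CA Administrator')
#   dogtag_curl "$PWD/db" "$nick" \
#     'https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6' freeipa4all
```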