There is more to the certmonger story. A lot more. After my last attempt I tried to use certmonger:

• as a user-launched process
• to get a user certificate
• direct from the dogtag instance behind FreeIPA

I was not 100% successful, but the attempt did have some positive results.

The whole thing started with an ipa-server-install.

To be able to talk direct to Dogtag, though, I opened a few additional ports on the Firewall

Added these lines in /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT

service iptables restart

As part of the IPA install, it records a couple of PKCS12 files with enough information to talk to your Dogtag instance. These are in /root, but I copied them to the /home/fedora directory to make them accessible via scp to my desktop.

scp fedora@hostname:ca-agent.p12 .

I ran Firefox and imported the certificates
From the menu select
edit->preferences
That will pop up the preferences dialog, and select the Advanced tab and the Certificates subtab.
Click view certificates and then “Your Certificates” on that panel, and finally click the Import Button.

Yeah, that is pretty hostile.

I had to add the hostname and ip address for the ipa server int /etc/hosts for my laptop in order to get an https connect to dogtag, but I got it with: https://hostname:8443/ Note that it uses the certificates imported from ca-agent.p12 to connect.

First I made things work as root: I created a new CA configuration for the certmonger system daemon
[root@ipa cas]# cat /var/lib/certmonger/cas/ipa-ca

id=dogtag-ipa
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -E http://ipa.openstack.freeipa.org:8080/ca/ee/ca -A https://$HOSTNAME:8443/ca/agent/ca/

And I was able to request a certificate with:

sudo getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N cn=someothername

That submitted the request. In an ordinary dogtag setup, certificate are not automatically approved. I had to approve it using the web UI on
Approval on: https://$HOSTNAME:8443/ca/agent/ca/

Once it is approved, you can either wait 8 hours for the next query or run a resubmit to get the status and fetch the cert:

sudo getcert resubmit -i 20140226001609

And if you forgot the id you can get it with

sudo getcert list -s

Cert is fetched and placed into /etc/pki/testcert. The key should already have been made in /etc/pki/testkey

(Actually, certmonger crashed, due to a bug that had already been fixed but not yet landed in the yum repo. I reinstalled with an internal build, but you can find yours here: When we restarted the certmonger daemon, it picked right up and succeeded.)

Now to try and get a user cert using the user-runnable version of certmonger. This is called certmonger-session, but you don’t run it directly. It is a dbus driven service. This was done on the ipa server machine, which has no X server on it. If there was, there would be a dbus daemon running, but since there is not:

export DBUS_SESSION_BUS_ADDRESS=`dbus-daemon --session --fork --print-address`

It looks like this:

unix:abstract=/tmp/dbus-ym4pEDwUcj,guid=e7a9adfd8ae299213a39f57a530d3891

To run certmonger:

getcert list-cas -s

The -s option makes it a session request as opposed to talking to the systemd managed server. This creates
~/.config/certmonger but no cas subfolders under there yet. They get written upon certmonger-session exit:

killall certmonger-session

Will dump them into .config/certmonger/cas/. They are named by time stamp:

ls .config/certmonger/cas/
20140226004653  20140226004653-1  20140226004653-2  20140226004653-3

now create .config/certmonger/cas/ipa-dogtag (while daemon is not running, as killing daemon will overwrite the config…) with these contents (using your own hostname):

id=ipa-dogtag
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -E http://ipa.openstack.freeipa.org:8080/ca/ee/ca -A https://ipa.openstack.freeipa.org:8443/ca/agent/ca/ -T caUserCert

And checkout out that your new CA entry is available with: getcert list-cas -s

CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'ipa-dogtag':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -E http://ipa.openstack.freeipa.org:8080/ca/ee/ca -A https://ipa.openstack.freeipa.org:8443/ca/agent/ca/ -T caUserCert

Need a place to hold the certs:

mkdir ~/.pki

Since you are running as a user, unconfined, you don’t need to worry about SELinux. If you were somehow to run this non-interactivly, you would need to run

sudo chcon -t cert_t .pki/

Or do something more permanent.

To request a user certificate:

getcert request -c ipa-dogtag -s -f ~/.pki/ayoung.cert.pem -k ~/.pki/ayoung.key.pem -N "uid=ayoung,cn=users,cn=accounts,dc=openstack,dc=freeipa,dc=org"

and to see the request

$ getcert list -s
Number of certificates and requests being tracked: 1.
Request ID '20140226005825':
status: CA_REJECTED
ca-error: Server at "http://$HOSTNAME:8080/ca/ee/ca/profileSubmit" replied: Subject Name Not Found

WHAT! Yeah, doesn’t work yet. Kill the request for now:

getcert stop-tracking -s -i 20140226005825

So it looks like the caUserCert profile does not accept a PKCS11 request, as it is set up to come from the Web Browser, and those use Certificate Request Message Format (CRMF). I’ve been able to hack around it (I think) but there is still more to learn here.