Talking to Dogtag PKI via curl

As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/certificate approach.

When I started on IPA, I didn’t realize that NSS could mean “Network Security Services” as well as “Name Server Switch.” In this article, I mean the former.

First, a note on how I installed the server. I used a single set of ports for all SSL traffic:

pkicreate \
    -pki_instance_root=/var/lib \
    -subsystem_type=ca \
    -pki_instance_name=pki-ca2 \
    -secure_port=8443 \
    -unsecure_port=8080 \
    -tomcat_server_port=8005 \
    -user=pkiuser \
    -group=pkiuser \
    -verbose

In the future I’ll use pkisilent to configure the server, but for this one I went through the WebUI setup. During the server setup process, the CA provides a certificate to the web browser that can be used for identification. In Mozilla, you can view the certificate with:

Edit->Preferences->Advanced->Encryption->View Certificate->Your Certificates

Select the “backup” or “backup all” option to save it in the PKCS#12 file format. I chose “backup all” and called the file

ipa-server-3.p12

Create a new NSS database and set the environment variable that tells curl to use it.

certutil -N -d $PWD/db
export SSL_DIR=$PWD/db

Now import the keys into the database.

pk12util -d $PWD/db -i ipa-server-3.p12

You’ll be prompted for both the new database password and the PKCS12 file password.

Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL

To confirm your certificates are in there:

certutil  -d ./db/  -L

Which should produce something along the lines of:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-server-3-CA                                              C,,  
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID u,u,u

Note that I have the CA cert in there as well, but it didn’t seem to work for me during the curl stage.

I got the CA.crt from the WebUI:

https://servername:8443/ca/agent/ca/listCerts

And just cut and pasted it to a file.

Now to run curl:


curl --cacert ./CA.crt  \
     --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
     https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
     --pass freeipa4all

The --cacert parameter is a file name, whereas --cert is the certificate nickname from the NSS database that SSL_DIR points at; --pass supplies the password for that database so curl can use the private key stored with the certificate.
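As an added illustration, not code from the original post, here is a POSIX sh helper that picks the agent nickname out of the certutil -L listing shown above and hands it to curl. The sample listing is constructed from the one shown earlier; the CA.crt path and the NSS_DB_PASSWORD variable (the value handed to --pass) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pick the agent certificate nickname out of `certutil -L`
# output and hand it to curl. Assumes SSL_DIR points at the NSS database,
# CA.crt is in the current directory, and NSS_DB_PASSWORD holds the
# database password that curl's --pass option needs (all assumptions).

# Constructed sample in the shape `certutil -d ./db -L` prints: a two-line
# header, then "<nickname> <trust flags>"; nicknames contain spaces and
# apostrophes, and the trust flags are always the last whitespace-separated field.
SAMPLE_LISTING=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-server-3-CA                                              C,,
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID u,u,u
EOF
)

# Read a listing on stdin and print only nicknames whose trust flags contain
# "u": those are the certificates with a private key in the database, the
# only ones curl can present as a client certificate. Skips the header lines.
user_cert_nicknames() {
    awk 'NR > 2 && $NF ~ /u/ { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }'
}

# Print the first user-cert nickname belonging to the given Dogtag instance
# (e.g. pki-ca2); fails with status 1 if none is found.
nickname_for_instance() {
    nick=$(user_cert_nicknames | grep -F "Instance $1's" | head -n 1)
    [ -n "$nick" ] && printf '%s\n' "$nick"
}

# Fetch an agent-interface URL with the client cert for one instance.
# Not exercised by the checks: it needs the real database and server.
dogtag_get() {
    nick=$(certutil -d "$SSL_DIR" -L | nickname_for_instance "$1") || {
        echo "no agent certificate for instance $1 in $SSL_DIR" >&2
        return 1
    }
    curl --cacert ./CA.crt --cert "$nick" --pass "$NSS_DB_PASSWORD" "$2"
}
# Usage: dogtag_get pki-ca2 \
#   "https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6"
```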

1 thought on “Talking to Dogtag PKI via curl”

  1. That’s nice, thanks for writing this up.

    For others who’re reading, Adam figured out the URLs by right-clicking, ‘This Frame’ -> ‘Show only this frame’.
