As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/certificate approach.
When I started on IPA, I didn’t realize that NSS could mean “Network Security Services” as well as “Name Server Switch.” In this article, I mean the former.
First, a note on how I installed the server. I used a single set of ports for all SSL traffic:
pkicreate -pki_instance_root=/var/lib -subsystem_type=ca -pki_instance_name=pki-ca2 -secure_port=8443 -unsecure_port=8080 -tomcat_server_port=8005 -user=pkiuser -group=pkiuser -verbose
In the future I’ll use pkisilent to configure the server, but for this one I went through the WebUI setup. During the server setup process, the CA provides a certificate to the web browser that can be used for identification. In Mozilla, you can view the certificate with:
Edit->Preferences->Advanced->Encryption->View Certificate->Your Certificates
Select “Backup” or “Backup All” to save it in PKCS12 file format. I chose “Backup All” and called the file
ipa-server-3.p12
Create a new NSS database, then set the environment variable that tells curl to use it:
certutil -N -d $PWD/db
export SSL_DIR=$PWD/db
Now import the keys into the database:
pk12util -d $PWD/db -i ipa-server-3.p12
You’ll be prompted for both the new database password and the PKCS12 file password:
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
To confirm your certificates are in there:
certutil -d ./db/ -L
Which should produce something along the lines of:
Certificate Nickname                                                        Trust Attributes
                                                                            SSL,S/MIME,JAR/XPI

ipa-server-3-CA                                                             C,,
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID  u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID    u,u,u
Note that I have the CA cert in there as well, but it didn’t seem to work for me during the curl stage.
I got the CA.crt from the WebUI:
https://servername:8443/ca/agent/ca/listCerts
And just cut and pasted it to a file.
Now to run curl:
curl --cacert ./CA.crt \
     --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID" \
     "https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6" \
     --pass freeipa4all
The --cacert parameter takes a file name, whereas --cert takes the certificate nickname from the NSS database.
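As an added example (not code from the original post), here is a small POSIX sh helper that reads certutil -L output, keeps only the entries that carry a private key (trust attributes u,u,u), and refuses to build the curl line for an entry such as the CA cert (C,,), which the post notes does not work with --cert. The sample listing, the helper names and the URL are constructed for the example.

```shell
# Added example, not code from the original post: a POSIX sh helper that reads
# `certutil -L` output, keeps only the entries that carry a private key
# (trust attributes u,u,u) and builds the curl line from one of them. The CA
# entry (C,,) is a trust anchor without a key, which is why it cannot serve as
# the --cert nickname. Sample listing, helper names and URL are constructed.

# Print nicknames whose trust column starts with "u" (user cert with key).
# Nicknames may contain spaces, so the trust string is taken from the last
# column and everything before it is the nickname.
client_nicknames() {
    awk '
        NF == 0 { next }                                  # blank lines
        $1 == "Certificate" && $2 == "Nickname" { next }  # header line 1
        $1 == "SSL,S/MIME,JAR/XPI" { next }               # header line 2
        {
            trust = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")               # drop trust column
            split(trust, t, ",")
            if (t[1] == "u") print
        }'
}

# Build the curl command the post ends with. --cacert wants a file, --cert
# wants an NSS nickname, so the file is checked on disk and the nickname is
# checked against the listing read on stdin before anything is printed.
# The caller appends the --pass option for the database password if needed.
# Usage: certutil -d "$SSL_DIR" -L | nss_curl_cmd ./CA.crt "<nickname>" "<url>"
nss_curl_cmd() {
    ca_file=$1; nick=$2; url=$3
    [ -f "$ca_file" ] || { echo "CA file '$ca_file' not found" >&2; return 1; }
    client_nicknames | grep -qxF "$nick" \
        || { echo "no user cert named '$nick' in the NSS DB" >&2; return 1; }
    printf 'curl --cacert %s --cert "%s" "%s"\n' "$ca_file" "$nick" "$url"
}

# Constructed sample of `certutil -d ./db -L` output, mirroring the post.
SAMPLE_LISTING="
Certificate Nickname                                                        Trust Attributes
                                                                            SSL,S/MIME,JAR/XPI

ipa-server-3-CA                                                             C,,
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID    u,u,u
"
```

Piping the real listing in (certutil -d "$SSL_DIR" -L | nss_curl_cmd ...) gives a clear error before curl ever runs when the nickname is mistyped or points at a cert without a key.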
That’s nice, thanks for writing this up.
For others who’re reading, Adam figured the urls by right-click, ‘This Frame’ -> ‘Show only this frame’