Red Hat Certificate System Certificate Authority (CA) HTTP API: how to add a CA chain link


Environment

Red Hat Enterprise Linux 5
Red Hat Certificate System 8
Firefox web browser

Issue

How can I modify the Red Hat Certificate System (RHCS) Certificate Authority (CA) End Entity (EE) page so that it offers an "Import CA certificate chain" function built on the HTTP API?

Resolution

Modify the CA's End Entity (EE) landing page to call the getCAChain servlet served by the CA's Tomcat instance.
There are several possibilities:

  • Add a link to the page, for example (op=download together with the application/x-x509-ca-cert MIME type is what makes the browser offer to import the response as a CA certificate):
<li><a href="http://ca1.example.com:9180/ca/ee/ca/getCAChain?op=download&amp;mimeType=application/x-x509-ca-cert">Get CA chain</a></li>

The chain can also be fetched from the command line; the getCertChain servlet returns it wrapped in XML (the chain as base64-encoded PKCS #7 data), here over the EE SSL port 9444:

/usr/bin/wget -nc --no-check-certificate -O ~/getCertChain.txt https://ca1.example.com:9444/ca/ee/ca/getCertChain

Note that --no-check-certificate disables verification of the CA's own server certificate. That is unavoidable before the CA certificate is trusted, but it also means the download is only as trustworthy as the network path: compare the fingerprint of the downloaded chain with one published out of band before importing it, and drop the option once the chain is installed.
  • Or, to keep clients from reaching the CA directly, have httpd on a www.example.com host reverse-proxy the servlet through mod_proxy, with the following in /etc/httpd/conf/httpd.conf (the redirect target host, 10.14.7.222, must be the one that serves the /getcachain mapping; 10.14.5.14:9180 is the CA's plain-HTTP EE connector):
Redirect /cachain http://10.14.7.222/getcachain?op=download&mimeType=application/x-x509-ca-cert
ProxyPass /getcachain http://10.14.5.14:9180/ca/ee/ca/getCAChain
ProxyPassReverse /getcachain http://10.14.5.14:9180/ca/ee/ca/getCAChain
Keep ProxyRequests Off (the default) so the www host does not double as an open forward proxy, and map only this one servlet path rather than the whole /ca/ee tree. The hop from the proxy to the CA is plain HTTP, so the proxied chain can be tampered with on that path; if that network is not trusted, point ProxyPass at the EE SSL connector (https://10.14.5.14:9444/ca/ee/ca/getCAChain) with mod_ssl's SSLProxyEngine On.

As an example, Firefox browsing to

http://www.example.com/cachain

then receives the chain with the application/x-x509-ca-cert MIME type and prompts the user, through its certificate-import dialog, to download and trust the CA chain. Since both the page and the chain travel over plain HTTP, users should still compare the certificate details shown in that dialog (View) with a fingerprint published out of band before ticking the trust boxes.
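As an added example (not part of this solution or of Red Hat Certificate System), the following Python handles the client side of the downloads above: it takes the XML that getCertChain returns, decodes the base64 PKCS #7 bundle, pulls out each certificate with a small DER walker and compares its SHA-256 fingerprint with one obtained out of band. The XMLResponse/Status/ChainBase64 element names are an assumption about the getCertChain servlet's output and must be checked against your instance; the sample response is constructed from placeholder certificates that only have the outer shape of X.509, and the walker accepts definite-length DER only.

```python
"""Client side of the getCertChain / getCAChain downloads: parse the XML wrapper,
unwrap the PKCS #7 bundle into individual certificates and check a fingerprint
obtained out of band.  Standard library only, no network access."""
import base64
import hashlib
import xml.etree.ElementTree as ET


def der_iter(buf):
    """Yield (tag, body, raw) for every top-level DER element in buf.
    Single-byte tags and definite lengths only; BER indefinite lengths are rejected."""
    i = 0
    while i < len(buf):
        start = i
        tag = buf[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not supported")
        length = buf[i + 1]
        i += 2
        if length == 0x80:
            raise ValueError("indefinite-length (BER) encoding is not supported")
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        body = buf[i:i + length]
        if len(body) != length:
            raise ValueError("truncated DER element")
        i += length
        yield tag, body, buf[start:i]


def extract_certificates(der):
    """DER bytes of every X.509 Certificate nested anywhere in a PKCS #7 blob.
    A Certificate is SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING sig };
    a SEQUENCE with exactly that child shape is taken to be one and not descended into."""
    certs = []
    for tag, body, raw in der_iter(der):
        if not tag & 0x20:                      # primitive element: nothing nested
            continue
        if tag == 0x30 and [t for t, _, _ in der_iter(body)] == [0x30, 0x30, 0x03]:
            certs.append(raw)
            continue
        certs.extend(extract_certificates(body))
    return certs


def chain_from_response(xml_text):
    """Decode <XMLResponse><Status>0</Status><ChainBase64>..</ChainBase64></XMLResponse>.
    The element names are an assumption about the getCertChain servlet; verify locally."""
    root = ET.fromstring(xml_text)
    status = root.findtext("Status")
    if status != "0":
        raise ValueError(f"CA reported status {status!r}")
    b64 = root.findtext("ChainBase64")
    if not b64:
        raise ValueError("response carries no ChainBase64 element")
    return extract_certificates(base64.b64decode("".join(b64.split())))


def fingerprint(cert_der):
    """SHA-256 over the certificate DER, lower-case hex: the value that
    'openssl x509 -noout -fingerprint -sha256' prints, without the colons."""
    return hashlib.sha256(cert_der).hexdigest()


def chain_contains_pinned(certs, expected):
    """True when some certificate in the chain matches the out-of-band fingerprint.
    Hash the certificates, not the PKCS #7 wrapper: its SET is unordered and the CA
    may re-encode the wrapper without any certificate changing."""
    wanted = expected.replace(":", "").lower()
    return any(fingerprint(c) == wanted for c in certs)


# ---- constructed sample data, not captured from a real CA ----------------------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body


def _fake_cert(label):
    """Placeholder with the outer shape of a Certificate; the body is not real X.509."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x0C, label))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 9)
    return _tlv(0x30, tbs + alg + sig)


def _fake_pkcs7(certs):
    """Degenerate SignedData (no signers), the form used for certificate bundles."""
    signed = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"")
                  + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701")))
                  + _tlv(0xA0, b"".join(certs)) + _tlv(0x31, b""))
    return _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010702")) + _tlv(0xA0, signed))


def sample_response():
    bundle = _fake_pkcs7([_fake_cert(b"Example Root CA"), _fake_cert(b"Example Issuing CA")])
    return ("<XMLResponse><Status>0</Status><ChainBase64>"
            + base64.b64encode(bundle).decode("ascii") + "</ChainBase64></XMLResponse>")


def sample_chain():
    return chain_from_response(sample_response())
```

Against a real download, feed the file written by the wget command above to chain_from_response() and compare each fingerprint() with the value the CA administrator published; importing the chain into Firefox only after that comparison succeeds is what closes the gap left by --no-check-certificate and the plain-HTTP proxy hop.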

Root Cause

The "Get CA chain" feature may need to be implemented separately when the EE pages are customized.

Diagnostic Steps

Example entries from the CA's debug log; the worker-thread name carries the Tomcat connector port, so http-9444 entries arrived over the EE SSL connector and http-9180 entries over plain HTTP:

less /var/log/pki-ca/debug
...

Display example (op=displayIND, over port 9444):

[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet:service() uri = /ca/ee/ca/getCAChain
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet::service() param name='submit' value='Submit'
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet::service() param name='mimeType' value='application/x-x509-ca-cert'
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet::service() param name='op' value='displayIND'
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet: caGetCAChain start to service.

Download example (op=download, over port 9180):

[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet:service() uri = /ca/ee/ca/getCAChain
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet::service() param name='mimeType' value='application/x-x509-ca-cert'
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet::service() param name='op' value='download'
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet: caGetCAChain start to service.
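To make these entries actionable, here is an added Python example (not part of the solution or of RHCS) that reconstructs each getCAChain request from the debug log, keyed by Tomcat worker thread, and lists the ones that came in on the plain-HTTP EE connector. The mapping of 9180 to plaintext and 9444 to SSL is the stock RHCS 8 port layout and is an assumption to adjust for a customised instance; the sample lines are the two snippets shown above.

```python
"""Reconstruct getCAChain requests from RHCS CA debug-log lines and flag those that
arrived on the non-TLS End Entity connector.  Standard library only."""
import re

# One log line: [timestamp][thread]: CMSServlet:service() ... or CMSServlet::service() ...
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: CMSServlet::?service\(\) (?P<rest>.*)$")
URI_RE = re.compile(r"^uri = (\S+)$")
PARAM_RE = re.compile(r"^param name='([^']*)' value='([^']*)'$")
PORT_RE = re.compile(r"^http-(\d+)-")     # Tomcat names worker threads after the connector port

# Assumption: stock RHCS 8 CA ports, 9180 = EE over plain HTTP, 9444 = EE over SSL.
PLAINTEXT_PORTS = {9180}


def parse_requests(lines):
    """Group the parameter lines that follow each 'uri =' line on the same worker thread
    into one record: {"time", "thread", "port", "uri", "params"}."""
    in_progress = {}
    requests = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, rest = m.group("thread"), m.group("rest")
        um = URI_RE.match(rest)
        if um:
            if thread in in_progress:               # the thread picked up a new request
                requests.append(in_progress.pop(thread))
            pm = PORT_RE.match(thread)
            in_progress[thread] = {
                "time": m.group("ts"),
                "thread": thread,
                "port": int(pm.group(1)) if pm else None,
                "uri": um.group(1),
                "params": {},
            }
            continue
        pm = PARAM_RE.match(rest)
        if pm and thread in in_progress:
            in_progress[thread]["params"][pm.group(1)] = pm.group(2)
    requests.extend(in_progress.values())           # requests still open at end of log
    return requests


def chain_requests_over_plaintext(requests):
    """CA-chain downloads whose response a network attacker could have altered in transit."""
    return [r for r in requests
            if r["uri"].endswith("/getCAChain") and r["port"] in PLAINTEXT_PORTS]


# The two snippets from the Diagnostic Steps above, unchanged.
SAMPLE_LOG = """\
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet:service() uri = /ca/ee/ca/getCAChain
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet::service() param name='submit' value='Submit'
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet::service() param name='mimeType' value='application/x-x509-ca-cert'
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet::service() param name='op' value='displayIND'
[28/Sep/2013:17:40:16][http-9444-Processor24]: CMSServlet: caGetCAChain start to service.
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet:service() uri = /ca/ee/ca/getCAChain
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet::service() param name='mimeType' value='application/x-x509-ca-cert'
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet::service() param name='op' value='download'
[30/Sep/2013:11:25:08][http-9180-Processor25]: CMSServlet: caGetCAChain start to service.
"""

if __name__ == "__main__":
    for r in parse_requests(SAMPLE_LOG.splitlines()):
        flag = "PLAINTEXT" if r["port"] in PLAINTEXT_PORTS else "ssl"
        print(f"{r['time']} {flag:9} {r['uri']} op={r['params'].get('op')} "
              f"mimeType={r['params'].get('mimeType')}")
```

Run it as `python3 parse_getcachain.py < /var/log/pki-ca/debug` style by replacing SAMPLE_LOG with the file's lines; on the sample it reports the 28/Sep display request as ssl and the 30/Sep download as PLAINTEXT, which is the case that warrants an out-of-band fingerprint check on the client side.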

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
