Red Hat Certificate System Registration Authority (RA) HTTPS API: how to submit, issue, revoke and query the status of requests and certificates?


Environment

Red Hat Enterprise Linux 5
Red Hat Certificate System 8

Issue

Red Hat Certificate System Registration Authority / RA subsystem: what is the API to submit, issue, revoke and query status of requests and certificates?

Resolution

  • Start from an already generated certificate request (CSR)
  • The + characters in the CSR must be escaped (as %2B) before it is sent as a form parameter
cp -p ~/csr.txt ~/csr.escaped.txt
perl -pi -e 's/\+/%2B/g' ~/csr.escaped.txt
  • Create the request on the RA's EE SSL interface with the escaped CSR from csr.escaped.txt
/usr/bin/curl -d "server_id=www.example.com&site_id=www.example.com&email=msauton@redhat.com&csr=`cat ~/csr.escaped.txt`&xml=true" -k0 --url https://ca1.example.com:12890/ee/server/submit.cgi
  • The XML output provides the request id
<xml><request_id>40</request_id></xml>
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:11:49:27 -0700] "POST /ee/server/submit.cgi HTTP/1.0" 200 39
  • Query request status on RA EE SSL interface:
/usr/bin/curl -d "id=40&xml=true" -k0 --url https://ca1.example.com:12890/ee/request/status.cgi
  • The XML output provides the request status and, once the certificate has been issued, its serial number
<xml><errorString>0</errorString><id>40</id><serialno>unavailable</serialno><status>OPEN</status><type>server</type></xml>
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:11:50:14 -0700] "POST /ee/request/status.cgi HTTP/1.0" 200 123
  • An "RA agent" or "RA admin" approves the request on the RA agent SSL interface, using SSL client certificate authentication; in this example the agent certificate is in the Firefox NSS db in ~/.mozilla/firefox/ca/
/usr/bin/sslget -d ~/.mozilla/firefox/ca/ -p password -n "RA Administrator's example root ca ID" -r /agent/request/op.cgi\?type=approve\&id=40\&xml=true ca1.example.com:12889
  • The XML output provides the request status and the serial number of the new certificate; on any error the request is rejected instead
<serialno>4c</serialno><status>APPROVED</status>
  • Full XML output example:
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:11:53:08 -0700] "GET /agent/request/op.cgi?type=approve&id=40&xml=true HTTP/1.0" 200 4252
  • Error example
<errorString>CA: Request Rejected - Subject Name Not Matched E=test@example.com,CN=www.example.com,OU=ExampleOU,O=ExampleOrg,L=ExampleLocality,ST=Example,C=CN</errorString>
<serialno>unavailable</serialno>
<status>ERROR</status>
  • CA's transaction log file /var/log/pki-ca/transactions
9766.http-9444-Processor25 - [19/Apr/2014:11:53:09 PDT] [20] [1] enrollment reqID 103 fromAgent userID: RA-ca1.example.com-12889 authenticated by raCertAuth is completed DN requested: E=test@example.com,CN=www.example.com,OU=ExampleOU,O=ExampleOrg,L=ExampleLocality,ST=Example,C=CN cert issued serial number: 0x4c time: 151
  • CA's detailed debug log in file /var/log/pki-ca/debug showing the processing (serial 0x4c = 76)
[19/Apr/2014:11:53:08][http-9444-Processor25]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[19/Apr/2014:11:53:08][http-9444-Processor25]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet::service() param name='cert_request' value='MIID7TCCAtUC...snip...'
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet::service() param name='subject' value=''
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet::service() param name='requestor_name' value=''
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet::service() param name='xmlOutput' value='true'
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet::service() param name='profileId' value='caRAserverCertTestms'
[19/Apr/2014:11:53:08][http-9444-Processor25]: CMSServlet: caProfileSubmit start to service.
[19/Apr/2014:11:53:08][http-9444-Processor25]: xmlOutput true
...
[19/Apr/2014:11:53:09][http-9444-Processor25]: authorization search base: cn=Registration Manager Agents,ou=groups,dc=ca1.example.com-pki-ca
[19/Apr/2014:11:53:09][http-9444-Processor25]: authorization search filter: (uniquemember=uid=RA-ca1.example.com-12889,ou=People,dc=ca1.example.com-pki-ca)
[19/Apr/2014:11:53:09][http-9444-Processor25]: authorization result: true
[19/Apr/2014:11:53:09][http-9444-Processor25]: returnConn: mNumConns now 3
[19/Apr/2014:11:53:09][http-9444-Processor25]: AgentCertAuthentication: authenticated uid=RA-ca1.example.com-12889,ou=People,dc=ca1.example.com-pki-ca
[19/Apr/2014:11:53:09][http-9444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$ : RA-ca1.example.com-12889][Outcome=Success][AuthMgr=raCertAuth] authentication success
...
[19/Apr/2014:11:53:09][http-9444-Processor25]: EnrollProfile certInfo : [
  Version: V3
  Subject: E=test@example.com,CN=www.example.com,OU=ExampleOU,O=ExampleOrg,L=ExampleLocality,ST=Example,C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...
[19/Apr/2014:11:53:09][http-9444-Processor25]: CAEnrollProfile: execute reqId=103
[19/Apr/2014:11:53:09][http-9444-Processor25]: issueX509Cert
[19/Apr/2014:11:53:09][http-9444-Processor25]: dnUTF8Encoding false
[19/Apr/2014:11:53:09][http-9444-Processor25]: CertificateRepository: getNextSerialNumber  mEnableRandomSerialNumbers=false
[19/Apr/2014:11:53:09][http-9444-Processor25]: Repository: in getNextSerialNumber.
[19/Apr/2014:11:53:09][http-9444-Processor25]: Repository: checkRange  mLastSerialNo=76
[19/Apr/2014:11:53:09][http-9444-Processor25]: Repository: getNextSerialNumber: returning retSerial 76
[19/Apr/2014:11:53:09][http-9444-Processor25]: About to mCA.sign cert.
[19/Apr/2014:11:53:09][http-9444-Processor25]: sign cert get algorithm
[19/Apr/2014:11:53:09][http-9444-Processor25]: sign cert encoding cert
[19/Apr/2014:11:53:09][http-9444-Processor25]: sign cert encoding algorithm
[19/Apr/2014:11:53:09][http-9444-Processor25]: CA cert signing: signing cert
[19/Apr/2014:11:53:09][http-9444-Processor25]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[19/Apr/2014:11:53:09][http-9444-Processor25]: Signing Certificate
[19/Apr/2014:11:53:09][http-9444-Processor25]: storeX509Cert 76
[19/Apr/2014:11:53:09][http-9444-Processor25]: In storeX509Cert
...
[19/Apr/2014:11:53:09][http-9444-Processor25]: Number of publishing threads: 1
  • Query the status again by request id, on the RA EE SSL interface:
/usr/bin/curl -d "id=40&xml=true" -k0 --url https://ca1.example.com:12890/ee/request/status.cgi
  • The XML output provides the request status and the serial number of the newly issued certificate
<xml><errorString>0</errorString><id>40</id><serialno>4c</serialno><status>APPROVED</status><type>server</type></xml>
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:11:59:06 -0700] "POST /ee/request/status.cgi HTTP/1.0" 200 118
  • Read the certificate by serial number from the agent interface, SSL with client certificate authentication
/usr/bin/sslget -d ~/.mozilla/firefox/ca/ -p password -n "RA Administrator's example root ca ID" -r /agent/cert/read.cgi?serialno=4c\&xml=true ca1.example.com:12889
  • The XML output provides the certificate status, the certificate, the request id (rid), the serial number and the subject DN
<xml>...snip...<certStatus>not revoked</certStatus><certificate>MIIExDCCA...snip...</certificate>...<rid><serialno>4c</serialno><subject_dn>E=test@example.com,CN=www.example.com...snip..</xml>
  • Full XML output example:
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:12:00:49 -0700] "GET /agent/cert/read.cgi?serialno=4c&xml=true HTTP/1.0" 200 2396
  • Example that extracts only the certificate from the output
/usr/bin/sslget -d ~/.mozilla/firefox/ca/ -p password -n "RA Administrator's example root ca ID" -r /agent/cert/read.cgi?serialno=4c\&xml=true ca1.example.com:12889 |sed -e 's/^.xml.*<certificate>//;s/<\/certificate.*$//;s/\&lt\;br\/\&gt;/\r\n/g;/^HTTP/,/^II/{/^HTTP\|^Date\|^Server\|^Conn\|Cont\|^$/d}'

MIIExDCCA6ygAwIBAgIBTDANBgkqhkiG9w0BAQsF
ADA6MRgwFgYDVQQKEw9leGFtcGxlIHJvb3QgY2Ex
HjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0
...snip...
  • Revocation by serial number, on the RA's agent interface with SSL client certificate authentication
/usr/bin/sslget -d ~/.mozilla/firefox/ca/ -p password -n "RA Administrator's example root ca ID" -r /agent/cert/submit.cgi?rid=40\&serialno=4c\&reason=6\&xml=true ca1.example.com:12889
  • XML output example:
<xml><errorString>0</errorString><rid>40</rid><serialno>4c</serialno><subject_dn></subject_dn><uid>admin</uid></xml>
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:12:06:17 -0700] "GET /agent/cert/submit.cgi?rid=40&serialno=4c&reason=6&xml=true HTTP/1.0" 200 117
  • Read the certificate by serial number from the agent interface, SSL with client certificate authentication
/usr/bin/sslget -d ~/.mozilla/firefox/ca/ -p password -n "RA Administrator's example root ca ID" -r /agent/cert/read.cgi?serialno=4c\&xml=true ca1.example.com:12889
  • The XML output provides the certificate status, the certificate, the request id (rid), the serial number and the subject DN
<xml>...snip...<certStatus>revoked:6</certStatus><certificate>MIIExDCC..snip...</certificate>...<rid>40</rid><serialno>4c</serialno><subject_dn>E=test@example.com...</xml>
  • Full XML output example:
  • RA access log file /var/log/pki-ra/access_log
10.14.5.174 - - [19/Apr/2014:12:06:59 -0700] "GET /agent/cert/read.cgi?serialno=4c&xml=true HTTP/1.0" 200 2394
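A small client for the RA XML interfaces used above, added here as an example and not part of the Red Hat article or product code. It builds the submit.cgi form body, verifies the RA's TLS chain against a CA bundle (cafile is an assumed argument; the article's curl uses -k) and parses the submit, status/op and read replies; RA_EE is the article's RA EE URL, the SAMPLE_* replies are constructed from the outputs above with the certificate base64 truncated, and the CRL reason names come from RFC 5280, not from the page.

```python
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

RA_EE = "https://ca1.example.com:12890"  # RA end-entity URL from the article
# RFC 5280 CRLReason codes; the reason= parameter of cert/submit.cgi uses them
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
              3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
              6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
              10: "aACompromise"}

# Constructed replies in the article's format (certificate base64 truncated).
SAMPLE_SUBMIT = "<xml><request_id>40</request_id></xml>"
SAMPLE_OPEN = ("<xml><errorString>0</errorString><id>40</id><serialno>unavailable"
               "</serialno><status>OPEN</status><type>server</type></xml>")
SAMPLE_ERROR = ("<xml><errorString>CA: Request Rejected - Subject Name Not Matched"
                "</errorString><serialno>unavailable</serialno><status>ERROR"
                "</status></xml>")
SAMPLE_READ = ("<xml><certStatus>revoked:6</certStatus><certificate>MIIExDCCA6yg"
               "&lt;br/&gt;AwIBAgIBTDAN</certificate><rid>40</rid><serialno>4c"
               "</serialno><subject_dn>CN=www.example.com</subject_dn></xml>")


def build_submit_body(server_id, email, csr_pem):
    """Form body for /ee/server/submit.cgi. urlencode escapes '+', '/' and '='
    in the base64 CSR (the perl one-liner above handles '+' only)."""
    return urllib.parse.urlencode({"server_id": server_id, "site_id": server_id,
                                   "email": email, "csr": csr_pem, "xml": "true"})

def post_xml(path, body, cafile):
    """POST to the RA, verifying its TLS chain against cafile (no curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(RA_EE + path, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()

def parse_submit(xml_text):
    """submit.cgi reply -> request id (int)."""
    return int(ET.fromstring(xml_text).findtext("request_id"))

def parse_status(xml_text):
    """status.cgi / op.cgi reply -> (status, serial_hex or None, error or None).
    errorString is '0' on success; anything else is the CA's rejection text."""
    root = ET.fromstring(xml_text)
    err = root.findtext("errorString", "0")
    serial = root.findtext("serialno")
    serial = None if serial in (None, "unavailable") else serial
    return root.findtext("status"), serial, (None if err == "0" else err)

def parse_cert_read(xml_text):
    """read.cgi reply -> dict. certStatus is 'not revoked' or 'revoked:<reason>';
    the RA inserts HTML-escaped <br/> markers into the base64, which are dropped
    and the text rewrapped at 64 columns to give a valid PEM block."""
    root = ET.fromstring(xml_text)
    m = re.fullmatch(r"revoked:(\d+)", root.findtext("certStatus", ""))
    b64 = re.sub(r"<br\s*/?>", "", root.findtext("certificate", ""))
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    serial = root.findtext("serialno")
    return {"serial": serial, "serial_int": int(serial, 16), "revoked": m is not None,
            "reason": CRL_REASON.get(int(m.group(1))) if m else None,
            "subject_dn": root.findtext("subject_dn"),
            "pem": "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body}
```

Polling status.cgi until parse_status returns APPROVED or ERROR, and treating a non-zero errorString as the CA's rejection reason, gives the same flow the curl and sslget commands above show by hand.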

Root Cause

There is no API documented for RHCS 8.1.
The upstream project at http://pki.fedoraproject.org/ has SDK examples from Dogtag version 9 at
http://pki.fedoraproject.org/wiki/PKI_Authentication_Plug-ins

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
