Hi David,

> I suspect that the problems experienced
> by Daniela on Tues could be due to either ...

Yes. Assuming that CertWiz works (which seems to be the case) then the
problems happened because it's easy to click the wrong buttons. That's a
general problem with "Wizard" applications, isn't it? It's why I hate
"Windows" so much!

So it might be good to list out the right buttons to click to do this
work, so we all do it in the standard, quick and easy way.

Steve



> Dear all,
> I feel I should make some clarifications/comments on this recent thread:
>
> CertWiz has functioned correctly and as expected throughout. No changes
> were made to the CW or the server yesterday. I suspect that the problems
> experienced by Daniela on Tues could be due to either:
> a) An existing CSR with a status other than DELETED was already
> present in the DB and had not been deleted. In this case, CWiz will
> (correctly) prevent any new cert renewals for a cert with the same
> canonical DN (i.e. RFC2253 DN minus the emailAddress). This is necessary
> to prevent duplicate CSRs for the same cert. We do however allow existing
> host certs that have emailAddress in the DN to be *newly* requested for
> the same host name but without the emailAddress (not a renewal). This
> allows removal of email addresses from DNs.
> b) Before Monday, CWiz did not support renewal of bulk-host certs.
> This was expected - bulks are special in that they have a bulk_id and are
> submitted using the old bulk pecr scripts. On Mon however, I put in a
> server patch that allows a single cert that was originally part of a bulk
> to be renewed individually. I don't think this was the issue however.
> WRT CA development, here is my current dev task list in order of priority
> (I know GOCDB is not CA, but it takes 50% of my time and so feel it should
> be mentioned):
> 1) GOCDB (50%)
> 2) OpenCA replacement - See https://ca-dev2.ca.ngs.ac.uk/caportal.
> This is coming along nicely, but it is still work in progress (June~ish
> for first release). So far, I have only focused on the RA interface so you
> will need a valid cert with an RA role in your browser to access and see
> 99% of the portal functionality (i.e. required to see the 'RAOP Actions'
> menu item).
> 3) REST CA server. This is largely stable and under control. It is
> the server for all of the clients below. However, it does still need some
> work/tidy-up before we can publish the protocol and go open-src.
> 4) CertWiz Maintenance, operational support/bug-fixing.
> 5) Scriptable CLI interface to REST CA server (new PeCR scripts +/-
> command line CLI interface to CertWiz). As mentioned by Jens, a client is
> not trivial as it requires 'Proof of Possession of Private Key (PPPK)' to
> cater for expired certs (and not proof of possession of valid certificate
> aka regular client cert auth). Our new Perl scripts do work, I also spent
> quite a bit of time working on them too, but they do need more work to
> complete. I've sent JJ/JK a strategy for this.
> 6) CertWiz New developments (last on list).
> Depending on progress, I'll see if we can shunt 5) up the list a little.
> Thanks for your patience,
> David
>
>
>
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Daniela Bauer
> Sent: 26 March 2013 16:27
> To: [log in to unmask]
> Subject: Re: CertWizard + Java
>
> Hi John,
> it now works using the cert wizard.  (I'm sitting in a gridpp meeting, so
> I used my laptop and the webstart.)
> It didn't work when I tried it earlier this day though (same version of
> the cert wizard)?!
> Two certs down, 38 to go...
>
> Cheers,
> Daniela
>
> On 26 March 2013 15:51, John Kewley <[log in to unmask]> wrote:
> Thanks for that information. Now I know what you are trying to do. So I
> tried to replicate the issue.
>
> Good news (well sort of anyway)!
>
> I have just successfully requested a new certificate for
> sedsk15.grid.hep.ph.ic.ac.uk using
> the Java 1.6 compatible version of CW
>
> I then deleted my request and tried using the OpenCA i/f. I also managed
> to create a new cert using that.
> I'll now go and remove that request too.
>
> The only differences were that I used my email address
>
> I won't try PeCR since I think Jens is looking at some issues with that.
>
> So I don't lose my sanity, can you just try the same:
>
> 1. Use CW (whichever version works with your Java)
> 2. Go to the Manage certs screen
> 3. Select your personal certificate
> 4. Select "Apply for Cert"
> 5. Enter Imperial/Physics for the RA
> 6. sedsk15.grid.hep.ph.ic.ac.uk for the CN
> 7. Etc
>
> If it doesn't work can you let me know:
> * What OS
> * What Java
> * Which CW download - was it a zip / webstart/launch whatever
>
> Then try using the OpenCA web i/f?
>
> If neither work (which you say didn't work before) then let me know.
>
> Cheers
>
> JK
>
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On
> Behalf Of Daniela Bauer
> Sent: 26 March 2013 15:29
>
> To: [log in to unmask]
> Subject: Re: CertWizard + Java
>
> Hi John,
> I am trying to get the email address in the hostcert removed, that's what
> the whole thread is about.
> I have an old certificate (in use, hence no revoking) and I am trying to
> get a new one (sans email address). So I can't renew (keeps the email
> address) and I cannot ask for a new one, because certwizard/pecr/webpage
> (I've tried all three now), complain (correctly) that I already have a
> valid hostcert for the machine in question.
> I've tried it with sedsk15.grid.hep.ph.ic.ac.uk.
> As Jens mentioned, I don't think certwizard is the best tool to
> renew/request certificates in bulk, typing in 40+ hostnames is asking for
> trouble.
> I am the RA, so if I revoke a cert, will that not be automatically
> approved?
> Cheers,
> Daniela
>
>
> On 26 March 2013 15:08, John Kewley <[log in to unmask]> wrote:
>> I just tried the cert wizard, with the same result: cannot get a new
>> cert, the old one exists.
> If we are to work out what is going on then we need a few more details.
> What I have stated several times on this forum is how it should work so if
> it doesn't then we need to be able to work out what the bugs are.
>
> Answers to some or all of the following may help:
> * Why do you want a new certificate when an old one already exists?
> * Do you have possession of the old one and is it in use?
> * Is it to remove an emailAddress from the DN? If not, why can't you
> renew?
> * What is the certificate number you are using?
>
>> It doesn't recognise it as a new DN.
>> So I am relying on a revocation not being approved (I guess it would
>> have to come
>> from someone who is not me as I am the RA) and hope I can get
>> the new cert before this filters through the system.
> If you say to your RA Op - "Please don't approve this request" then you
> are relying on him/her to adhere to your requests in the same way as when
> applying for a renewal you are relying on him/her to approve it before
> your old one expires - I don't see this is an issue, unless you have
> reasons to be distrustful of your RA's RA Ops.
>
> There is nothing to filter through the system - it will sit there forever
> if the request isn't approved.
>
>> Some small bit in my mind wants to scream.
> I feel I am repeating myself as well, so let's see if we can get some info
> on why it isn't working
>
> JK
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>
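The canonical-DN rule David describes above (the RFC 2253 DN with the emailAddress RDN stripped, and a new request refused while a CSR with the same canonical DN and a status other than DELETED exists), as an added Python illustration that is not CertWiz's own code. The DN layout, the status names and the sample CSR rows are constructed; only the hostname comes from the thread.

```python
# Added illustration of the canonical-DN rule from the thread (RFC 2253 DN
# minus emailAddress). Not CertWiz code; DN layout and rows are constructed.
EMAIL_TYPES = {"emailaddress", "e", "1.2.840.113549.1.9.1"}  # name, alias, OID

def split_unescaped(s, sep):
    """Split s on sep, skipping separators that are backslash-escaped or
    inside a double-quoted value (both permitted by RFC 2253)."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep the escape pair intact
            buf.append(s[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def canonical_dn(dn):
    """Drop emailAddress AVAs, lower-case attribute types, trim whitespace:
    two DNs that differ only in the email address then compare equal."""
    kept = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDNs use '+'
            attr, _, value = ava.partition("=")
            if attr.strip().lower() in EMAIL_TYPES:
                continue
            avas.append(f"{attr.strip().lower()}={value.strip()}")
        if avas:
            kept.append("+".join(avas))
    return ",".join(kept)

def blocking_csrs(new_dn, csrs):
    """Rows (dn, status) that block a new request for new_dn: same canonical
    DN and any status other than DELETED, as the thread describes."""
    target = canonical_dn(new_dn)
    return [(dn, st) for dn, st in csrs
            if st.upper() != "DELETED" and canonical_dn(dn) == target]

# Constructed CSR table (subject DN, status); hostname taken from the thread.
SAMPLE_CSRS = [
    ("emailAddress=ops@example.org,CN=sedsk15.grid.hep.ph.ic.ac.uk,"
     "L=Imperial,OU=Physics,O=eScience,C=UK", "DELETED"),
    ("CN=sedsk15.grid.hep.ph.ic.ac.uk,L=Imperial,OU=Physics,O=eScience,C=UK", "NEW"),
]
```

Run `blocking_csrs(<new DN>, SAMPLE_CSRS)`: the DELETED row is ignored and the NEW row for the same host is what stops a fresh request, which is the situation Daniela hit until the stale CSR was cleared.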