While documentation could be improved (see below) we should bear in mind the following:

1. The use case presented here of applying for a new certificate when one already exists with an analogous interface (i.e. except existing one has email and new one doesn't) isn't a complicated one for either CW (or the old OpenCA i/f). You follow the same procedure as you would for any other NEW host certificate where one with an identical DN does not exist:
    a) "Apply for" a new host certificate (using a valid user certificate as always)
    b) That's it, nothing more

2. The exceptional route use case which I presented is for emergency use only and therefore doesn't need special documentation. It will be offered on a case by case basis by the helpdesk in exceptional cases. These include, but are not restricted to:
    a) s/w bugs
    b) where there is no provable bug, but timescales are so short that it is more expedient to issue these instructions than prove whether there is a bug or finger trouble.

I'll check the instructions we have to check that they handle the case of Host certificate requests as well as Personal certificates.

JK

-----Original Message-----
From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of Steve Jones
Sent: 27 March 2013 10:19
To: [log in to unmask]
Subject: Re: CertWizard + Java

Hi David,

> I suspect that the problems experienced by Daniela on Tues could be 
> due to either ...

Yes. Assuming that CertWiz works (which seems to be the case) then the problems happened because it's easy to click the wrong buttons. That's a general problem with "Wizard" applications, isn't it? It's why I hate "Windows" so much!

So it might be good to list out the right buttons to click to do this work, so we all do it in the standard, quick and easy way.

Steve



> Dear all,
> I feel I should make some clarifications/comments on this recent thread:
>
> CertWiz has functioned correctly and as expected throughout. No 
> changes were made to the CW or the server yesterday. I suspect that 
> the problems experienced by Daniela on Tues could be due to either:
> a) An existing CSR with a status other than DELETED was already
> present in the DB and had not been deleted. In this case, CWiz will
> (correctly) prevent any new cert renewals for a cert with the same 
> canonical DN (i.e. RFC2253 DN minus the emailAddress). This is 
> necessary to prevent duplicate CSRs for the same cert. We do however 
> allow existing host certs that have emailAddress in the DN to be 
> *newly* requested for the same host name but without the emailAddress 
> (not a renewal). This allows removal of email addresses from DNs.
> b) Before Monday, CWiz did not support renewal of bulk-host certs.
> This was expected - bulks are special in that they have a bulk_id and 
> are submitted using the old bulk pecr scripts. On Mon however, I put 
> in a server patch that allows a single cert that was originally part 
> of a bulk to be renewed individually. I don't think this was the issue however.
> WRT CA development, here is my current dev task list in order of 
> priority (I know GOCDB is not CA, but it takes 50% of my time and so 
> feel it should be mentioned):
> 1) GOCDB (50%)
> 2) OpenCA replacement - See https://ca-dev2.ca.ngs.ac.uk/caportal.
> This is coming along nicely, but it is still work in progress 
> (June~ish for first release). So far, I have only focused on the RA 
> interface so you will need a valid cert with an RA role in your 
> browser to access and see 99% of the portal functionality (i.e. required to see the 'RAOP Actions'
> menu item).
> 3) REST CA server. This is largely stable and under control. It is
> the server for all of the clients below. However, it does still need 
> some work/tidy-up before we can publish the protocol and go open-src.
> 4) CertWiz Maintenance, operational support/bug-fixing.
> 5) Scriptable CLI interface to REST CA server (new PeCR scripts +/-
> command line CLI interface to CertWiz).  As mentioned by Jens, a 
> client is not trivial as it requires 'Proof of Possession of Private 
> Key (PPPK)' to cater for expired certs (and not proof of possession of 
> valid certificate aka regular client cert auth).  Our new Perl scripts 
> do work, I also spent quite a bit of time working on them too, but 
> they do need more work to complete. I've sent JJ/JK a strategy for this.
> 6) CertWiz New developments (last on list).
> Depending on progress, I'll see if we can shunt 5) up the list a little.
> Thanks for your patience,
> David
>
>
>
> From: Testbed Support for GridPP member institutes 
> [mailto:[log in to unmask]] On Behalf Of Daniela Bauer
> Sent: 26 March 2013 16:27
> To: [log in to unmask]
> Subject: Re: CertWizard + Java
>
> Hi John,
> it now works using the cert wizard.  (I'm sitting in a gridpp meeting, 
> so I used my laptop and the webstart.) It didn't work when I tried it 
> earlier this day though (same version of the cert wizard)?!
> Two certs down, 38 to go...
>
> Cheers,
> Daniela
>
> On 26 March 2013 15:51, John Kewley <[log in to unmask]> wrote:
> Thanks for that information. Now I know what you are trying to do. So I
> tried to replicate the issue.
>
> Good news (well sort of anyway)!
>
> I have just successfully requested a new certificate for
> sedsk15.grid.hep.ph.ic.ac.uk using the 1.6 java compatible version of CW
>
> I then deleted my request and tried using the OpenCA i/f. I also 
> managed to create a new cert using that.
> I'll now go and remove that request too.
>
> The only differences were that I used my email address
>
> I won't try PeCR since I think Jens is looking at some issues with that.
>
> So I don't lose my sanity, can you just try the same:
>
> 1. Use CW (whichever version works with your Java)
> 2. Go to the Manage certs screen
> 3. Select your personal certificate
> 4. Select "Apply for Cert"
> 5. Enter Imperial/Physics for the RA
> 6. sedsk15.grid.hep.ph.ic.ac.uk for the CN
> 7. Etc
>
> If it doesn't work can you let me know:
>
> * What OS
> * What Java
> * Which CW download - was it a zip / webstart/launch whatever
>
> Then try using the OpenCA web i/f?
>
> If neither work (which you say didn't work before) then let me know.
>
> Cheers
>
> JK
>
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Daniela Bauer
> Sent: 26 March 2013 15:29
>
> To: [log in to unmask]
> Subject: Re: CertWizard + Java
>
> Hi John,
> I am trying to get the email address in the hostcert removed, that's
> what the whole thread is about.
> I have an old certificate (in use, hence no revoking) and I am trying
> to get a new one (sans email address). So I can't renew (keeps the
> email address) and I cannot ask for a new one, because
> certwizard/pecr/webpage (I've tried all three now), complain
> (correctly) that I already have a valid hostcert for the machine in question.
> I've tried it with sedsk15.grid.hep.ph.ic.ac.uk.
> As Jens mentioned, I don't think certwizard is the best tool to
> renew/request certificates in bulk, typing in 40+ hostnames is asking
> for trouble.
> I am the RA, so if I revoke a cert, will that not be automatically
> approved?
> Cheers,
> Daniela
>
>
> On 26 March 2013 15:08, John Kewley <[log in to unmask]> wrote:
>> I just tried the cert wizard, with the same result: cannot get a new 
>> cert, the old one exists.
> If we are to work out what is going on then we need a few more details.
> What I have stated several times on this forum is how it should work 
> so if it doesn't then we need to be able to work out what the bugs are.
>
> Answers to some or all of the following may help:
> * Why do you want a new certificate when an old one already exists?
> * Do you have possession of the old one and is it in use?
> * Is it to remove an emailAddress from the DN? If not, why can't you 
> renew?
> * What is the certificate number you are using?
>
>> It doesn't recognise it as a new DN.
>> So I am relying on a revocation not being approved (I guess it would 
>> have to come from someone who is not me as I am the RA) and hope I 
>> can get the new cert before this filters through the system.
> If you say to your RA Op - "Please don't approve this request" then 
> you are relying on him/her to adhere to your requests in the same way 
> as when applying for a renewal you are relying on him/her to approve 
> it before your old one expires - I don't see this is an issue, unless 
> you have reasons to be distrustful of your RA's RA Ops.
>
> There is nothing to filter through the system - it will sit there 
> forever if the request isn't approved.
>
>> Some small bit in my mind wants to scream.
> I feel I am repeating myself as well, so let's see if we can get some 
> info on why it isn't working
>
> JK
> --
> Scanned by iCritical.
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>
>
>
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>
>
>
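The "canonical DN" rule David describes in the thread (RFC 2253 DN minus the emailAddress; a non-DELETED CSR with the same canonical DN blocks a request, while a cert that carries an emailAddress does not block a new request for the same host without one), written out as an added Python example. This is not CertWizard's or the CA server's own code; the DN strings and CSR statuses are constructed, and treating an exact canonical-DN match against an existing valid cert as a duplicate is an assumption of the example.

```python
# Added example, not CertWizard's or the CA server's own code: the "canonical
# DN" duplicate check David describes (RFC 2253 DN minus the emailAddress RDN).
# All DN strings and CSR statuses below are constructed for illustration.
import re

EMAIL_TYPES = {"emailaddress", "e", "1.2.840.113549.1.9.1"}

def parse_dn(dn):
    """RFC 2253 DN -> list of RDNs, each a list of (type, value). Backslash-
    escaped ',' and '+' do not split; types are lower-cased for comparison."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            if "=" in ava:
                t, v = ava.split("=", 1)
                avas.append((t.strip().lower(), v.strip()))
        if avas:
            rdns.append(avas)
    return rdns

def canonical_dn(dn):
    """The DN with every emailAddress attribute dropped, re-serialised."""
    kept = []
    for rdn in parse_dn(dn):
        rest = [f"{t}={v}" for t, v in rdn if t not in EMAIL_TYPES]
        if rest:
            kept.append("+".join(rest))
    return ",".join(kept)

def has_email(dn):
    return any(t in EMAIL_TYPES for rdn in parse_dn(dn) for t, _ in rdn)

def request_allowed(new_dn, csrs, valid_certs):
    """csrs: [(dn, status)]; valid_certs: [dn]. A non-DELETED CSR with the
    same canonical DN blocks the request, as does a valid cert with the same
    canonical DN unless it carries an emailAddress and new_dn does not (the
    email-removal case); treating an exact match as a duplicate is assumed."""
    canon = canonical_dn(new_dn)
    for dn, status in csrs:
        if status.upper() != "DELETED" and canonical_dn(dn) == canon:
            return False, "pending CSR with the same canonical DN"
    for dn in valid_certs:
        if canonical_dn(dn) == canon and not (has_email(dn) and not has_email(new_dn)):
            return False, "valid cert with the same canonical DN"
    return True, "ok"

OLD_DN = "emailAddress=ra@example.org,CN=host/sedsk15.grid.hep.ph.ic.ac.uk,L=Physics,OU=Imperial,O=eScience,C=UK"
NEW_DN = "CN=host/sedsk15.grid.hep.ph.ic.ac.uk,L=Physics,OU=Imperial,O=eScience,C=UK"
```

With OLD_DN still valid and its CSR in status DELETED, `request_allowed(NEW_DN, [(OLD_DN, "DELETED")], [OLD_DN])` is allowed; a leftover CSR in any other status is what blocks it, which is case (a) in David's message.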