{"id":22700230,"url":"https://github.com/simp/pupmod-simp-simp_pki_service","last_synced_at":"2025-08-07T08:31:59.800Z","repository":{"id":49416576,"uuid":"118626976","full_name":"simp/pupmod-simp-simp_pki_service","owner":"simp","description":"A SIMP profile for running a fully featured PKI service","archived":false,"fork":false,"pushed_at":"2023-10-12T17:36:04.000Z","size":165,"stargazers_count":1,"open_issues_count":0,"forks_count":7,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-05-01T08:49:14.588Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-23T15:11:36.000Z","updated_at":"2024-07-11T23:29:20.029Z","dependencies_parsed_at":"2024-07-11T23:29:13.982Z","dependency_job_id":"ebc81564-9e46-4dcd-a5de-10b50285da96","html_url":"https://github.com/simp/pupmod-simp-simp_pki_service","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-simp_pki_service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-simp_pki_service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-simp_pki_service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-simp_pki_service/manifests","owner_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/owners/simp","download_url":"https://codeload.github.com/simp/pupmod-simp-simp_pki_service/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229013251,"owners_count":18006191,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-10T06:10:36.470Z","updated_at":"2024-12-10T06:10:37.159Z","avatar_url":"https://github.com/simp.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![License](https://img.shields.io/:license-apache-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0.html)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/73/badge)](https://bestpractices.coreinfrastructure.org/projects/73)\n[![Puppet Forge](https://img.shields.io/puppetforge/v/simp/simp_pki_service.svg)](https://forge.puppetlabs.com/simp/simp_pki_service)\n[![Puppet Forge Downloads](https://img.shields.io/puppetforge/dt/simp/simp_pki_service.svg)](https://forge.puppetlabs.com/simp/simp_pki_service)\n[![Build Status](https://travis-ci.org/simp/pupmod-simp-simp_pki_service.svg)](https://travis-ci.org/simp/pupmod-simp-simp_pki_service)\n\n\n---\n\n    +--------------------------------------------------------------+\n    | WARNING: This is currently an **EXPERIMENTAL** module things |\n    | may change drastically, and in breaking ways, without notice!|\n    +--------------------------------------------------------------+\n\n---\n\n## This is a SIMP module\n\nThis module is a component of the\n[System Integrity Management 
Platform](https://simp-project.com),\na compliance-management framework built on Puppet.\n\nIf you find any issues, they can be submitted to our\n[JIRA](https://simp-project.atlassian.net/).\n\n## Module Description\n\n*simp/simp_pki_service* is a SIMP-oriented installation of the\n[Dogtag Certificate System](http://pki.fedoraproject.org/wiki/PKI_Main_Page).\n\nTraditionally, SIMP has used an internal \"FakeCA\" `openssl`-based CA. Over\ntime, this has proven insufficient for our needs, particularly for capabilities\nin terms of Key Enrollment (SCEP and CMC), OCSP, and overall management of\ncertificates.\n\nAdditionally, we found that many users wanted to adjust the certificate\nparameters for the Puppet subsystem itself outside of the defaults and/or use a\n\"real\", and more scalable CA system for all certificate management.\n\nDogtag was selected since it was likely to be the most familiar to any users of\nthe [FreeIPA](https://www.freeipa.org/page/Main_Page) or\n[Red Hat Identity Management](https://access.redhat.com/products/identity-management)\nproduct suite and should allow for transition from one to the other in a\nvendor supported manner.\n\n## Setup\n\n### What simp_pki_service affects\n\nThis module sets up the following components on your system:\n\n  * Internal [389ds](http://directory.fedoraproject.org/) Directory Server\n    * Bound to `127.0.0.1` only to restrict access\n\n  * Dogtag with the following subsystems:\n    * Root CA -\u003e `simp-pki-root`\n    * Sub CA with KRA and SCEP -\u003e `simp-puppet-pki`\n    * Sub CA with KRA and SCEP -\u003e `simp-site-pki`\n\n### Setup Requirements\n\nDue to the high entropy requirements, systems will need to be able to install\nthe `haveged` package from the `EPEL` repository.\n\nThe creation of the PKI infrastructure is **extremely** CPU intensive. Once\ncreated, individual actions are not too burdensome on the system. 
At a minimum,\nthe system should have:\n\n  * 2 CPUs\n    * These **will** be completely utilized during setup\n  * 512MB RAM Free\n\n## Usage\n\n### Installation\n\nTo install the CA system, you simply need to include the `simp_pki_service`\nclass on your node. This will instantiate the services as follows:\n\n```\n                  +----------------+\n                  |                |\n                  |  simp-pki-root |\n                  |   Port: 4509   |\n                  |                |\n                  +----------------+\n                          |\n           ---------------+---------------\n          /                               \\\n         v                                 v\n+-----------------+                +---------------+\n|                 |                |               |\n| simp-puppet-pki |                | simp-site-pki |\n|   Port: 5509    |                |  Port: 8443   |\n|                 |                |               |\n+-----------------+                +---------------+\n\n```\n\nThe CA and subordinate CA configuration shown above is controlled by the\n`simp_pki_service::cas` parameter. 
You can change the settings, including the\nbound ports, for the default infrastructure by manipulating this data hash.\nHowever, **once the system is active you CANNOT change the ports or hostname**\nsince the OCSP information is usually incorporated into all signed certificates\nand will then be invalid.\n\nIf you wish to customize the existing CA settings, or add your own CAs to the\nmix, you can easily do this using the `simp_pki_service::custom_cas` parameter.\nThis hash will be combined with `simp_pki_service::cas` using a `deep_merge` to\nallow for full customization.\n\n### The simp-pki-root CA\n\nThis CA is the root for all subordinate CAs and should never be exposed outside\nof the local system unless it is specifically to an off-system subordinate CA.\n\nIf this CA is compromised, then all subordinate CAs are now invalid and must be\nreplaced, additionally, when this CA expires, all subordinate CAs must be\nregenerated.\n\n### The simp-puppet-pki subordinate CA\n\nThis CA is the new root for all `puppet` operations in the infrastructure. The\ngoal of this is that the `puppet` CA will no longer be used and certificates\nfrom this new CA will be used in place of the traditional `puppet` certificates\nin accordance with the\n[External CA Support](https://puppet.com/docs/puppet/latest/config_ssl_external_ca.html)\ndocumentation from Puppet, Inc.\n\n### The simp-site-pki subordinate CA\n\nThis CA replaces the SIMP `FakeCA` for general purpose internal certificate\ngeneration and maintenance. 
It is meant to be used with `certmonger`, or\nanother automated enrollment utility but can also be used to generate\ncertificates and ship them using the `simp-pki` puppet module in the same way\nthat the `FakeCA` was traditionally used.\n\n**NOTE:** This has been pinned to port `8443` by default since it is the\ndefault `dogtag` port and the most likely to be allowed through firewalls by\ndefault.\n\n### The `/root/.dogtag` Directory\n\nThis directory holds all configuration and maintenance information and\ncredentials for the various CAs that have been set up on the system.\n\n    /root/.dogtag\n    ├── generated_configs                   \u003c- Puppet Generated Files\n    │   ├── dogtag_simp-pki-root_ca.cfg\n    │   ├── dogtag_simp-puppet-pki_ca.cfg\n    │   ├── dogtag_simp-puppet-pki_kra.cfg\n    │   ├── dogtag_simp-site-pki_ca.cfg\n    │   ├── dogtag_simp-site-pki_kra.cfg\n    │   ├── ds_pw.txt                       \u003c- Directory Server Password\n    │   └── ds_simp-pki-ds_setup.inf\n    ├── simp-pki-root\n    │   ├── ca\n    │   │   ├── alias                       \u003c- NSSDB for Root PKI\n    │   │   ├── password.conf               \u003c- Password for Root PKI\n    │   │   └── pkcs12_password.conf\n    │   ├── ca_admin.cert\n    │   ├── ca_admin.cert.der\n    │   └── ca_admin_cert.p12\n    ├── simp-puppet-pki\n    │   ├── ca\n    │   │   ├── alias                       \u003c- NSSDB for Puppet Sub PKI\n    │   │   ├── password.conf               \u003c- Password for Puppet Sub PKI\n    │   │   └── pkcs12_password.conf\n    │   ├── ca_admin.cert\n    │   ├── ca_admin.cert.der\n    │   └── ca_admin_cert.p12\n    └── simp-site-pki\n        ├── ca\n        │   ├── alias                       \u003c- NSSDB for Site Sub PKI\n        │   ├── password.conf               \u003c- Password for Site Sub PKI\n        │   └── pkcs12_password.conf\n        ├── ca_admin.cert\n        ├── ca_admin.cert.der\n        └── ca_admin_cert.p12\n\n### CLI CA Control\n\nThe 
`pki` subsystem has a great number of\n[command line options](http://pki.fedoraproject.org/wiki/PKI_CLI) that may be\nused to interact with the different subsystems. There is also a\n[server CLI interface](http://pki.fedoraproject.org/wiki/PKI_Server_Instance_CLI)\nbut we recommend using the standard remote CLI so that you know if the remote\nconnections are working properly.\n\n#### BASH aliases\n\n---\n\n**IMPORTANT: DO NOT SKIP THIS SECTION**\n\n---\n\nThe following aliases are recommended to be added to the `root` user's\n`$HOME/.bashrc` file to make daily interaction with the different systems as\neasy as possible:\n\n```bash\n# This will be your most commonly used command\n\nalias site-pki-base='pki -d $HOME/.dogtag/simp-site-pki/ca/alias -C $HOME/.dogtag/simp-site-pki/ca/password.conf'\nalias site-pki='site-pki-base -n \"caadmin\" -P https -p 8443'\n\n# This should only be used for Puppet ecosystem certificates:\n# For example: puppetserver, puppetdb, puppet agent\n\nalias puppet-pki-base='pki -d $HOME/.dogtag/simp-puppet-pki/ca/alias -C $HOME/.dogtag/simp-puppet-pki/ca/password.conf'\nalias puppet-pki='puppet-pki-base -n \"caadmin\" -P https -p 5509'\n\n# This will rarely be used and controls the *root* CA\n# If you invalidate or break the root CA, everything below it will need to be\n# regenerated!\n\nalias pki-root-base='pki -d $HOME/.dogtag/simp-pki-root/ca/alias -C $HOME/.dogtag/simp-pki-root/ca/password.conf'\nalias pki-root='pki-root-base -n \"caadmin\" -P https -p 4509'\n```\n\n#### Adding CA certs for the BASH aliases\n\nPrior to using the aliases above for regular purposes you need to ensure that\nthe CA chains are properly imported into the NSS databases in the corresponding\n`alias` directories listed above.\n\nDon't worry, you only need to do this **once per CA** and it is good to know\nwhat commands are being run for future reference in case you need to add\nadditional certificates in the future!\n\nThe following uses `site-pki` as an example, 
but you need to repeat the steps\nfor all three aliased CAs.\n\n```bash\n# You'll want to do this in a temp directory, we'll use one in the $HOME/.dogtag space\n[root@ca ~]# cd $HOME/.dogtag\n[root@ca ~]# mkdir crt_tmp\n[root@ca ~]# cd crt_tmp\n\n# Obtain the PKCS12 certificate chain from the server\n\n[root@ca crt_tmp]# pki-server subsystem-cert-export ca signing -i simp-site-pki \\\n--no-key \\\n--pkcs12-file simp-site-pki-certs.p12 \\\n--pkcs12-password-file $HOME/.dogtag/simp-site-pki/ca/password.conf\n\n# Generate a PEM file containing the CA certificate chain from the PKCS12 file\n\n[root@ca crt_tmp]# openssl pkcs12 -in simp-site-pki-certs.p12 \\\n-passin file:$HOME/.dogtag/simp-site-pki/ca/password.conf \\\n-out simp-site-pki-ca-chain.pem\n\n# Split the PEM file out into separate PEM files for each CA\n# This is done to get them into your NSS database\n#\n# You may also want to provide these to your clients for download but the\n# single file version is generally preferred\n\n[root@ca crt_tmp]# mkdir ca_certs\n[root@ca crt_tmp]# awk '/friendlyName:/{$1=\"\";sub($1 OFS, \"\");n=$0} \\\n/^-----BEGIN.*CERTIFICATE/,/^-----END.*CERTIFICATE/{print \u003e\"ca_certs/\"n\".pem\"}' \\\n\u003c simp-site-pki-ca-chain.pem\n\n# Finally, import the CA certificates into the associated trust chain NSS\n# database\n\n[root@ca crt_tmp]# cd ca_certs\n[root@ca ca_certs]# for x in *.pem; do\n  site-pki-base client-cert-import \"`basename \"$x\" .pem`\" --ca-cert \"$x\"\ndone\n```\n\n---\n\n**IMPORTANT: IF YOU SKIPPED THIS SECTION, GO BACK AND READ IT!!!**\n\n---\n\n### Certificate Operations\n\n#### Certificate Enrollment\n\nThis section describes three different certificate enrollment options, each\nof which has been exercised in this module's acceptance tests.\n\nA summary of these options is listed in the following table:\n\n| Option          | Pros                   | Cons                                        |\n| --------------- | ---------------------- | 
------------------------------------------- |\n| certmonger SCEP | Enrollment via HTTP(S) | Does not work in FIPS mode yet              |\n|                 | Automatic cert refresh |                                             |\n|                 | Simple API             |                                             |\n|                 | Single use passwords   |                                             |\n|                 |                        |                                             |\n| SSCEP           | Simple API             | Does not work in FIPS mode yet              |\n|                 | Single use passwords   | Enrollment via HTTP only                    |\n|                 |                        | Only MD5 or SHA1 for fingerprints or PKCS#7 |\n|                 |                        |                                             |\n| CMC             | Works in FIPS mode     | Only appropriate (secure) when on CA server |\n|                 |                        | Clunky API                                  |\n\n\n##### Certmonger SCEP\n\n---\n\n**IMPORTANT:** For `certmonger` \u003c 0.79.6, this will **NOT** work properly in FIPS\nmode due to a bug in `certmonger` and an associated bug in `dogtag` which, when\ncombined, result in the inability to negotiate a proper cipher set for SCEP\ncommunication.\n\n  * https://pagure.io/certmonger/issue/89\n  * https://pagure.io/dogtagpki/issue/627\n\n---\n\nCertmonger allows clients to obtain certificates from CAs via SCEP.  Each\nSCEP request is validated via a one time password linked to the client's\nIP address.  
Requests can be sent over HTTPS (preferred) or HTTP.\n\n###### Server Setup\n\nEach CA has a text file, `flatfile.txt`, that contains the per-client one\ntime passwords.\n\nFor the `site-pki` CA, this would be in\n`/var/lib/pki/simp-site-pki/ca/conf/flatfile.txt`.\n\nThe file is organized as a set of paired values, one for the **IP address**\n(not hostname) of the client that will be enrolling and the other a unique, one\ntime use, password that will be used by the client during enrollment. Each\npair **must** be separated by a blank line.\n\n**WARNING**: The `PWD` entries can not contain underscores `_`!\n\n**Example**\n\n    UID:1.2.3.4\n    PWD:my-one-time-password\n\n    UID:1.2.3.5\n    PWD:your-one-time-password\n\n---\n\nNOTE: You do **NOT** need to restart anything after editing the file!\n\n---\n\n###### Client Setup\n\n1. Ensure that the `certmonger` package is installed and that the `certmonger`\n   process is running and enabled.\n\n   ```bash\n   [root@client ~]# yum -y install certmonger\n   [root@client ~]# systemctl start certmonger\n   [root@client ~]# systemctl enable certmonger\n   ```\n\n2. Obtain the **root** certificate for the CA that you will be connecting to. In\n   this case, we'll assume that you've saved it to a file named\n   `/etc/pki/simp-pki-root-ca.pem` with SELinux context `cert_t`.\n\n   * This is probably called `CA Signing Certificate - SIMP.pem` in the\n     `ca_certs` directory if you followed the steps outlined above.\n\n3. Obtain the certificate chain for the CA that you will be connecting to. In\n   this case, we'll assume that you've saved it to a file named\n   `/etc/pki/simp-site-pki-ca.pem` with SELinux context `cert_t`.\n\n   * This is probably called `caSigningCert cert-simp-site-pki CA.pem` in the\n     `ca_certs` directory if you followed the steps outlined above.\n\n4. 
Add the CA to `certmonger`:\n\n   ```bash\n   [root@client ~]# getcert add-scep-ca -c SIMP_Site \\\n     -u https://ca.your.domain:8443/ca/cgi-bin/pkiclient.exe \\\n     -R /etc/pki/simp-pki-root-ca.pem -I /etc/pki/simp-site-pki-ca.pem\n   ```\n\n5. Ensure that your default `nssdb` space exists, as, under the hood,\n   `certmonger` uses `certutil`, which in turn requires this NSS database\n   to be present:\n\n   ```bash\n   [root@client ~]#\n     if [ ! -d $HOME/.netscape ]; then\n       mkdir $HOME/.netscape\n       certutil -N\n     fi\n   ```\n\n6. Request a certificate using `certmonger`:\n\n   ```bash\n   [root@client ~]# getcert request -c SIMP_Site -k /etc/pki/host_cert.pem \\\n     -f /etc/pki/host_cert.pub \\\n     -I Host_Cert_Nickname \\\n     -r -w -L \u003cpassword from server setup step\u003e\n   ```\n\n   **NOTE:** The target locations for the private key (`-k`) and the issued\n   certificate (`-f`) **must** have SELinux context `cert_t` for `certmonger`\n   to be able to write them.\n\n\n##### SSCEP Enrollment\n\n**IMPORTANT:** For `sscep` \u003c= 0.6.1, this will **NOT** work properly in FIPS\nmode, because, even with the `-S sha1` option set, `sscep` under the hood still\ntries to generate the certificate request transaction ID using MD5.\n\n* https://github.com/certnanny/sscep/issues/86\n\n\n[SSCEP](https://github.com/certnanny/sscep) allows clients to obtain certificates\nfrom CAs via SCEP.  Each SCEP request is validated via a one time password linked\nto the client's IP address.  Requests can only be sent over HTTP.\n\n###### Server Setup\n\nYou must set one time passwords for each client on the CA server, exactly as\nis described in [Server Setup for Certmonger](#server-setup).\n\n###### Client Setup\n\n1. Ensure that the `sscep` package is installed.\n\n   ```bash\n   [root@client ~]# yum -y install sscep\n   ```\n\n2. Obtain the CA certificate for the CA that you will be connecting to.  In this\n   example, we will be connecting to the `simp-site-pki` CA.\n\n   ```bash\n   [root@client ~]# sscep getca \\\n     -u http://ca.your.domain:8080/ca/cgi-bin/pkiclient.exe \\\n     -c ca.crt \\\n     -F sha1\n   ```\n\n3. Create a certificate request.\n\n   * For simple cases, you can use the `mkrequest` script provided by the `sscep`\n     package. This will create `local.key` and `local.csr` files.\n\n     ```bash\n     [root@client ~]# mkrequest -ip `hostname -i` \u003cpassword from server setup step\u003e\n     ```\n   * For cases in which you need to customize the CSR beyond what is provided\n     by the `mkrequest` script, you can use `openssl genrsa` and `openssl req` to\n     generate the key and CSR files, respectively. A complete example that uses\n     those `openssl` commands can be found in the Puppet certificate replacement\n     test, `spec/acceptance/suites/default/20_puppet_swap_spec.rb`.\n\n4. Request a certificate using `sscep`:\n\n   ```bash\n   [root@client ~]# sscep enroll \\\n     -u http://ca.your.domain:8080/ca/cgi-bin/pkiclient.exe \\\n     -c ca.crt \\\n     -k local.key \\\n     -r local.csr \\\n     -l cert.crt \\\n     -S sha1\n   ```\n\n##### CMC Manual Enrollment\n\nAn alternate method for certificate enrollment,\n[CMC](https://tools.ietf.org/html/rfc5273) may be used if you need to generate\ncertificates for a set of hosts or users and distribute them via the `simp-pki`\npuppet module or some other means.\n\nAt this time, single use credentials have not been implemented for CMC, so\nthe privileged agent certificate it requires should not be handed out to all\nhosts.\n\nAll of the following steps should be done from a host that has access to one of\nthe privileged PKI user certificates (in general this is only your CA).\n\n1. Ensure that your default `nssdb` space exists, as `certutil` requires\n   this NSS database to be present:\n\n   ```bash\n   [root@ca ~]#\n     if [ ! -d $HOME/.netscape ]; then\n       mkdir $HOME/.netscape\n       certutil -N\n     fi\n   ```\n\n2. Create a certificate request for your host, using a seed of 512\n   bytes from /dev/urandom:\n\n   ```bash\n   [root@ca ~]# mkdir -p CMC \u0026\u0026 cd CMC\n   [root@ca CMC]# dd if=/dev/urandom of=seed bs=512 count=1\n   [root@ca CMC]# certutil -R \\\n     -s \"cn=`hostname -f`,ou=Hosts,dc=your,dc=domain\" \\\n     -k rsa \\\n     -g 4096 \\\n     -Z SHA384 \\\n     -z seed \\\n     | openssl req -inform DER -outform PEM \u003e hostcert.req\n   ```\n\n3. Create a `cmc-request.cfg` file with the following content:\n\n   ```\n   # NSS database directory.\n   dbdir=/root/.dogtag/simp-site-pki/ca/alias\n\n   # NSS database password.\n   password=\u003cpassword from /root/.dogtag/simp-site-pki/ca/password.conf\u003e\n\n   # Token name (default is internal).\n   tokenname=internal\n\n   # Nickname for CA agent certificate.\n   nickname=caadmin\n\n   # Request format: pkcs10 or crmf.\n   format=pkcs10\n\n   # Total number of PKCS10/CRMF requests.\n   numRequests=1\n\n   # Path to the PKCS10/CRMF request.\n   # The content must be in Base-64 encoded format.\n   # Multiple files are supported. They must be separated by space.\n   input=/root/CMC/hostcert.req\n\n   # Path for the CMC request.\n   output=/root/CMC/sslserver-cmc-request.bin\n   ```\n\n4. Generate the CMC request *bin* file with `CMCRequest`:\n\n   ```bash\n   [root@ca CMC]# CMCRequest cmc-request.cfg\n   ```\n\n5. Create a `cmc-submit.cfg` file with the following content:\n\n   ```\n   # PKI server host name.\n   host=ca.\u003cyour.domain\u003e\n\n   # PKI server port number.\n   port=8443\n\n   # Use secure connection.\n   secure=true\n\n   # Use client authentication.\n   clientmode=true\n\n   # NSS database directory.\n   dbdir=/root/.dogtag/simp-site-pki/ca/alias\n\n   # NSS database password.\n   password=\u003cpassword from /root/.dogtag/simp-site-pki/ca/password.conf\u003e\n\n   # Token name (default: internal).\n   tokenname=internal\n\n   # Nickname of CA agent certificate.\n   nickname=caadmin\n\n   # CMC servlet path\n   servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCserverCert\n\n   # Path for the CMC request.\n   input=/root/CMC/sslserver-cmc-request.bin\n\n   # Path for the CMC response.\n   output=/root/CMC/sslserver-cmc-response.bin\n   ```\n\n6. Submit the CMC Request:\n\n   ```bash\n   [root@ca CMC]# HttpClient cmc-submit.cfg\n   ```\n\n7. Unpack the signed certificate along with its certificate chain into\n   a PKCS #7 PEM-formatted file (`CMCResponse` needs an NSS database to run\n   against; the CA's `alias` directory used above works for this):\n\n   ```bash\n   [root@ca CMC]# CMCResponse -d ~/.dogtag/simp-site-pki/ca/alias \\\n     -i sslserver-cmc-response.bin -o signed_host_cert_chain.p7b\n   ```\n\n8. Extract all the certificates in the chain from the PKCS #7 file\n   into a single file:\n\n   ```bash\n   [root@ca CMC]# openssl pkcs7 -print_certs \\\n      -in signed_host_cert_chain.p7b \\\n      -out signed_host_cert_chain.pem\n   ```\n\n9. Manually save the new certificate to its own file, move\n   it to the appropriate directory and ensure the file has the SELinux\n   context `cert_t`.\n\n\n#### Listing Certificates\n\nYou can list the certificates for the `site` CA using the following command:\n\n```bash\n[root@ca ~]# site-pki cert-find\n```\n\n#### Certificate Revocation\n\nYou can revoke certificates from the `site` CA using the following command:\n\n```bash\n[root@ca ~]# site-pki cert-revoke \u003cCERT ID\u003e\n```\n\n---\n\n**IMPORTANT:** Take care not to revoke any certificate below ID `0x9` since\nthose are internal subsystem certificates and revoking them will break the\nsubsystems that depend on them.\n\n---\n\n#### OCSP Validation\n\nThere is an OCSP endpoint attached to all CA systems automatically. To validate\nthat OCSP is working properly for the `site` CA, you can use the following\ncommand:\n\n```bash\n[root@ca ~]# OCSPClient -d ~/.dogtag/simp-site-pki/ca/alias -h `hostname -f` \\\n  -p 8080 -t /ca/ocsp --serial 1 -vv -c caadmin\n```\n\nIf that works, then you can try an external query by pulling the OCSP endpoint\nout of a generated certificate as follows (`simp-site-pki-ca-chain.pem` is the\nchain file generated in the BASH aliases section above):\n\n```bash\n[root@ca ~]# openssl ocsp -issuer simp-site-pki-ca-chain.pem -cert to_verify.pem \\\n  -text -url `openssl x509 -noout -ocsp_uri -in to_verify.pem`\n```\n\n#### Certificate Problem Debug\n\nDebugging the reason a certificate request failed can be challenging.  This\nsection contains a few notes to aid in that debugging.\n\n* The `dogtag` server logs for a CA are found at `/var/log/pki/\u003cCA name\u003e/ca`\n  * The `system` log will contain any enrollment error message.\n  * The `debug` file will contain hex dumps of DER-encoded request messages.\n    You can print those request messages out as follows:\n\n    1. Copy the hex dump of a single request to a file named `debug_snippet`.\n    2. Create a DER-formatted file from that hex dump by running the\n       following Ruby code:\n\n       ```ruby\n       # Strip all whitespace from the hex dump, decode it and write the raw DER\n       # bytes in binary mode (no trailing newline, which would corrupt the DER).\n       File.open('debug.req', 'wb') { |fh| fh.write [File.read('debug_snippet').gsub(/\\s+/, '')].pack('H*') }\n       ```\n\n    3. Use `openssl` to inspect the file contents:\n\n       ```bash\n       openssl req -inform DER -in debug.req -text\n       ```\n\n* If you see\n  \"CEP Enrollment: CRS enrollment failed: Could not post new request. Error Invalid Credential\"\n  in the CA server `system` log, the wrong password was used for the SCEP request.  Verify\n  a one time password for the client is set in `/var/lib/pki/\u003cCA name\u003e/ca/conf/flatfile.txt`\n  on the CA server and that the specified password matches the one used in the certificate\n  request.\n\n* If you see \"sscep: wrong (or missing) MIME content type\" from the\n  `sscep enroll` command or\n  \"Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: DerValue.getDirectoryString: invalid tag\"\n  in the CA server `system` log, the SCEP one time password may contain\n  characters disallowed by the underlying software (e.g., an underscore).\n  Per RFC 2985, these passwords must be of X.520 type `DirectoryString`,\n  which is comprised of UTF-8 encoded Unicode characters.  However, the\n  validation software may impose additional restrictions.\n\n* If you see\n  \"CEP Enrollment: Enrollment failed: user used duplicate transaction ID.\"\n  in the CA server `system` log, you need to regenerate your client private\n  key: the SCEP transaction ID is derived from the public key, so re-using a\n  key re-uses the ID.\n\n### Directory Operations\n\nThe administrative DN for 389ds is `cn=\u003cpki_security_domain\u003e Directory Manager`,\nwhere the value comes from `simp_pki_service::pki_security_domain` (`SIMP` in\nthe example below).\n\nBy default, to access the 389ds configuration, you would use the following:\n\n```bash\n[root@ca ~]# ldapsearch -H ldap://localhost:389 -y $HOME/.dogtag/generated_configs/ds_pw.txt \\\n  -D \"cn=SIMP Directory Manager\" -s base -b \"cn=config\"\n```\n\n## Development\n\nPlease read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/index.html).\n\nIf you find any issues, they can be submitted to our\n[JIRA](https://simp-project.atlassian.net).\n\n[System Integrity Management Platform](https://simp-project.com)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimp%2Fpupmod-simp-simp_pki_service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimp%2Fpupmod-simp-simp_pki_service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimp%2Fpupmod-simp-simp_pki_service/lists"}
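The following is an added example and is not part of the pupmod-simp-simp_pki_service README above. It accompanies the "Adding CA certs for the BASH aliases" section: the README's `awk` one-liner splits the PEM bundle that `openssl pkcs12` writes into one file per `friendlyName`, but nothing checks that the pieces actually chain to a self-signed root before they are imported into the NSS database. This Ruby script does the split the same way and then verifies each non-root certificate through the bundle's own intermediates. When run directly it builds the bundle from throwaway test CAs generated in memory, so it works offline; the `friendlyName` and CN strings imitate the README's examples and are assumptions, not values read from a real Dogtag instance.

```ruby
# Added example, not code from the simp_pki_service module: split an
# `openssl pkcs12` PEM bundle by friendlyName and verify the chain.
require 'openssl'

# friendlyName => OpenSSL::X509::Certificate, in bundle order.
def split_bundle(text)
  certs = {}
  name = nil
  pem = nil
  text.each_line do |line|
    if line =~ /^\s*friendlyName:\s*(.+?)\s*$/
      name = Regexp.last_match(1)
    elsif line.start_with?('-----BEGIN CERTIFICATE-----')
      pem = line.dup
    elsif pem
      pem << line
      next unless line.start_with?('-----END CERTIFICATE-----')
      raise ArgumentError, 'certificate block without a preceding friendlyName' if name.nil?
      raise ArgumentError, "duplicate friendlyName #{name.inspect}" if certs.key?(name)
      certs[name] = OpenSSL::X509::Certificate.new(pem)
      name = nil
      pem = nil
    end
  end
  certs
end

# File name the awk script in the README would write for a friendlyName.
def pem_filename(name)
  "ca_certs/#{name}.pem"
end

def self_signed?(cert)
  cert.issuer.to_der == cert.subject.to_der && cert.verify(cert.public_key)
end

# friendlyName => true/false. Self-signed roots are trusted as given; every
# other certificate must verify through the bundle's intermediates to a root.
def verify_chain(certs)
  roots, others = certs.partition { |_, cert| self_signed?(cert) }
  raise ArgumentError, 'bundle contains no self-signed root certificate' if roots.empty?
  store = OpenSSL::X509::Store.new
  roots.each { |_, cert| store.add_cert(cert) }
  intermediates = others.map(&:last)
  results = roots.to_h { |name, _| [name, true] }
  others.each { |name, cert| results[name] = store.verify(cert, intermediates - [cert]) }
  results
end

# Test-only CA generator (a root when issuer is nil, otherwise a sub CA).
def make_ca(cn, serial, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn], ['O', 'SIMP']])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Imitates the text `openssl pkcs12 -out` produces for each certificate bag.
def bundle_text(named_certs)
  named_certs.map do |name, cert|
    "Bag Attributes\n    friendlyName: #{name}\n" \
      "subject=#{cert.subject}\nissuer=#{cert.issuer}\n#{cert.to_pem}"
  end.join
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for simp-site-pki-ca-chain.pem (names are assumptions).
  root, root_key = make_ca('CA Signing Certificate - SIMP', 1)
  sub, = make_ca('cert-simp-site-pki CA', 2, issuer: root, issuer_key: root_key)
  bundle = bundle_text('CA Signing Certificate - SIMP' => root,
                       'caSigningCert cert-simp-site-pki CA' => sub)
  verify_chain(split_bundle(bundle)).each do |name, ok|
    puts "#{pem_filename(name)}: #{ok ? 'chains to a root' : 'DOES NOT VERIFY'}"
  end
end
```

To use it against a real export, replace the constructed bundle with `File.read('simp-site-pki-ca-chain.pem')`; a `false` result for any entry means that file should not be imported with `client-cert-import` until the export is repeated.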
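The following is an added example and is not part of the pupmod-simp-simp_pki_service README above. It accompanies the SCEP "Server Setup" section: the one-time-password file `flatfile.txt` is edited by hand, and the README lists three rules that are easy to get wrong (the `UID` is the client's IP address, not a hostname; the `PWD` may not contain an underscore; each pair must be separated by a blank line), with the debug section later describing what the resulting enrollment failures look like. This Ruby helper parses the file, reports which entries break those rules, generates passwords that satisfy them, and appends a new pair with the required blank-line separation. `SAMPLE_FLATFILE` is constructed for the example and `FLATFILE` is only the README's default path.

```ruby
# Added example, not code from the simp_pki_service module: validate and
# extend the Dogtag SCEP one-time-password file (flatfile.txt).
require 'ipaddr'
require 'securerandom'

# Default location named in the README for the simp-site-pki CA.
FLATFILE = '/var/lib/pki/simp-site-pki/ca/conf/flatfile.txt'.freeze

# Characters allowed in a generated one-time password: no underscore and no
# whitespace, and nothing that needs quoting on a shell command line.
OTP_ALPHABET = [*'a'..'z', *'A'..'Z', *'0'..'9', '-'].freeze

Entry = Struct.new(:uid, :pwd)

# Parse flatfile.txt text into Entry objects. A block that is not exactly one
# UID line plus one PWD line (what a missing blank-line separator looks like)
# raises ArgumentError instead of being silently merged.
def parse_flatfile(text)
  text.split(/\n\s*\n/).filter_map do |block|
    lines = block.lines.map(&:strip).reject(&:empty?)
    next nil if lines.empty?
    unless lines.size == 2
      raise ArgumentError, "expected one UID and one PWD line per block, got #{lines.inspect}"
    end
    fields = lines.each_with_object({}) do |line, h|
      key, value = line.split(':', 2)
      h[key] = value.to_s
    end
    unless fields.key?('UID') && fields.key?('PWD')
      raise ArgumentError, "block is missing UID or PWD: #{block.inspect}"
    end
    Entry.new(fields['UID'], fields['PWD'])
  end
end

# Reasons an entry would be rejected by the CA or never match a client;
# an empty array means the entry is fine.
def entry_problems(entry)
  problems = []
  begin
    IPAddr.new(entry.uid)
    problems << 'UID must be a single address, not a network' if entry.uid.include?('/')
  rescue IPAddr::InvalidAddressError
    problems << "UID #{entry.uid.inspect} is not an IP address (hostnames are not accepted)"
  end
  problems << 'PWD is empty' if entry.pwd.empty?
  problems << 'PWD contains an underscore' if entry.pwd.include?('_')
  problems << 'PWD contains whitespace' if entry.pwd.match?(/\s/)
  problems
end

# Fresh one-time password drawn from OTP_ALPHABET with SecureRandom.
def generate_otp(length = 24)
  Array.new(length) { OTP_ALPHABET[SecureRandom.random_number(OTP_ALPHABET.size)] }.join
end

# Return the file text with a new pair appended after a blank line. Refuses
# an invalid entry and a second entry for the same client address.
def add_entry(text, ip, pwd = generate_otp)
  entry = Entry.new(ip, pwd)
  problems = entry_problems(entry)
  raise ArgumentError, problems.join('; ') unless problems.empty?
  if parse_flatfile(text).any? { |e| e.uid == ip }
    raise ArgumentError, "an entry for #{ip} already exists"
  end
  body = text.rstrip
  body += "\n\n" unless body.empty?
  "#{body}UID:#{entry.uid}\nPWD:#{entry.pwd}\n"
end

# Constructed sample; the second entry deliberately breaks the underscore rule.
SAMPLE_FLATFILE = <<~TXT.freeze
  UID:1.2.3.4
  PWD:my-one-time-password

  UID:1.2.3.5
  PWD:bad_password_with_underscores
TXT

if $PROGRAM_NAME == __FILE__
  parse_flatfile(SAMPLE_FLATFILE).each do |e|
    problems = entry_problems(e)
    puts "#{e.uid}: #{problems.empty? ? 'ok' : problems.join(', ')}"
  end
  # Against the real file this would be:
  #   File.write(FLATFILE, add_entry(File.read(FLATFILE), '10.0.0.7'))
  puts add_entry(SAMPLE_FLATFILE.lines.first(2).join, '10.0.0.7')
end
```

Because the CA reads the file on every request, a password added this way is usable immediately, and the generated password can be handed straight to `getcert request -L` or `mkrequest` on the client.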