[Pki-devel] [PATCH] Implemented ability to use an external CA

Matthew Harmsen mharmsen at redhat.com
Wed Dec 5 06:31:44 UTC 2012


The attached patch addresses the following PKI issues:

  * TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle
    external CA

This code has been successfully tested on a slightly earlier version of 
the source tree, although the attached patch has been re-based to the 
'master'.

To test this code, the following procedure was followed on an x86_64 
machine running 64-bit Fedora 18:

  * First, a standard CA was created to be used as an "External CA"
    using the following command and file ('# mv typescript
    typescript.external' once finished):
      o script -c 'pkispawn -s CA -f /tmp/pki/external.cfg -vvv'

        # cat external.cfg
        [Common]
        pki_admin_password=<password>
        pki_backup_password=<password>
        pki_client_pkcs12_password=<password>
        pki_ds_password=<password>
        pki_security_domain_password=<password>
        [Tomcat]
        pki_ajp_port=18009
        pki_http_port=18080
        pki_https_port=18443
        pki_instance_name=pki-external-tomcat
        pki_tomcat_server_port=18005

  * Next, Step 1 for a CA which depended upon this External CA was
    created using the following command and file ('# mv typescript
    typescript.step_1' once finished):
      o script -c 'pkispawn -s CA -f /tmp/pki/ca_1.cfg -vvv'

        # cat ca_1.cfg
        [Common]
        pki_admin_password=<password>
        pki_backup_password=<password>
        pki_client_pkcs12_password=<password>
        pki_ds_password=<password>
        pki_security_domain_password=<password>
        [CA]
        pki_external=True
        pki_external_csr_path=/tmp/pki/ca_signing.csr

  * Next, the CSR contained in the file '/tmp/pki/ca_signing.csr' was
    utilized to create a certificate using the "External CA" using the
    following procedure:
      o External CA:

        EE:     Enrollment/Renewal Tab
                 * Use 'Manual Certificate Manager Signing Certificate
                   Enrollment'

        AGENT:  Approve request by pressing 'submit'

        EE:     Retrieval Tab
                 * Use 'Check Request Status' to obtain the base 64
                   encoded certificate
                 * Store this blob into the file specified by the value
                   of 'pki_external_ca_cert_path' in ca_2.cfg

        EE:     Retrieval Tab
                 * Use 'Import CA Certificate Chain' and select the
                   radio button entitled 'Display certificates in the CA
                   certificate chain for importing individually into a
                   server' to obtain the base 64 encoded certificate chain
                 * Store this blob into the file specified by the value
                   of 'pki_external_ca_cert_chain_path' in ca_2.cfg

  * Finally, Step 2 for a CA which depended upon this External CA was
    created using the following command and file ('# mv typescript
    typescript.step_2' once finished):
      o script -c 'pkispawn -s CA -f /tmp/pki/ca_2.cfg -vvv'

        # cat ca_2.cfg
        [Common]
        pki_admin_password=<password>
        pki_backup_password=<password>
        pki_client_pkcs12_password=<password>
        pki_ds_password=<password>
        pki_security_domain_password=<password>
        [CA]
        pki_external=True
        pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert
        pki_external_ca_cert_path=/tmp/pki/ca_signing.cert
        pki_external_step_two=True

A non-text attachment was scrubbed...
Name: 20121204-Implemented-ability-to-utilize-an-external-CA.patch
Type: text/x-patch
Size: 19244 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20121204/7a722155/attachment.bin>
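
A pre-flight check an operator can run between Step 1 and Step 2, added here as example code (not part of the attached patch or of Dogtag): it assumes OpenSSL is installed and uses the /tmp/pki paths from ca_1.cfg and ca_2.cfg as defaults. It confirms that the certificate retrieved from the External CA belongs to the CSR Step 1 generated, that it verifies against the retrieved chain, and that it is a CA certificate, so a wrong or truncated blob is caught before pkispawn consumes it.

```shell
#!/bin/sh
# Pre-flight for "Step 2" of an external-CA pkispawn (constructed example):
#  1. the certificate returned by the External CA must carry the same public
#     key as the CSR that Step 1 wrote to pki_external_csr_path;
#  2. it must verify against the certificates stored in
#     pki_external_ca_cert_chain_path;
#  3. it must be a CA certificate (basicConstraints CA:TRUE), otherwise the
#     new CA cannot sign anything.
# Default paths are the ones used in ca_1.cfg / ca_2.cfg; override via env.
CSR="${CSR:-/tmp/pki/ca_signing.csr}"
CERT="${CERT:-/tmp/pki/ca_signing.cert}"
CHAIN="${CHAIN:-/tmp/pki/ca_signing_chain.cert}"

# SHA-256 of the DER-encoded SubjectPublicKeyInfo held in a CSR or certificate.
spki_digest() {  # $1 = req|x509, $2 = PEM file
    openssl "$1" -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256
}

# Returns 0 when all checks pass; 1, 2 or 3 names the first failed check.
check_external_ca_material() {
    csr=$1 cert=$2 chain=$3
    [ "$(spki_digest req "$csr")" = "$(spki_digest x509 "$cert")" ] \
        || { echo "public key in $cert does not match $csr" >&2; return 1; }
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $chain" >&2; return 2; }
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$cert lacks basicConstraints CA:TRUE" >&2; return 3; }
    echo "OK: $cert matches $csr, verifies against $chain, and is a CA cert"
}

# Only run the check when invoked as "sh preflight.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    check_external_ca_material "$CSR" "$CERT" "$CHAIN"
fi
```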