[Pki-users] cloning of PKI-CA
kashyap chamarthy
kchamart at redhat.com
Tue Oct 13 09:43:49 UTC 2009
Heyden, Klaus (Allianz ASIC SE) wrote:
> Hello,
>
> I have problems cloning a CA. The import of the keys failed.
> First, when adding the filename, the servlet every time adds the path
> "/usr/lib/<instance-name>/alias". I put the PKCS12 file directly in the
> alias directory and changed the owner to pkiuser; then I get an error
> "missing permissions". In the debug log:
>
> [09/Oct/2009:15:55:04][http-9445-Processor22]: panel no=5
> [09/Oct/2009:15:55:04][http-9445-Processor22]: panel name=restorekeys
> [09/Oct/2009:15:55:04][http-9445-Processor22]: total number of panels=19
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: process
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet:service()
> uri = /ca/admin/console/config/wizard
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='__password' value='(sensitive)'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='path' value='master.p12'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='p' value='5'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='op' value='next'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: op=next
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: size=19
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: in next 5
> [09/Oct/2009:15:55:25][http-9445-Processor24]: panel no=5
> What is going wron
Hi,
Can you try as below?
-- Create a new slapd (directory) instance for the clone CA (note the new directory server port).
-- Create a new CA instance (for the clone).
-- Use the PKCS12Export utility to export the certificates from the Master CA and copy them to the clone alias directory (*before* you start configuring the clone CA instance).
-- chown pkiuser:pkiuser cacerts.p12
-- /Now/, start configuring the clone CA instance.
-- Join an "existing" security domain (the master CA domain).
-- At the "Internal Database" panel, enter the Fully Qualified Domain Name (instead of localhost) of the clone CA and the appropriate port no.
-- Just enter the cacerts.p12 file name when "Path where the pk12 files are located" is prompted for the clone CA (/do not/ mention the complete file path).
-- Enter the rest of the details and see if you're able to proceed with the clone CA instance.
What version of Certificate System are you trying to use?
Hope that helps,
/kashyap
>
> Kind regards,
> Klaus Heyden
>
> E-Mail Klaus.Heyden at Allianz.com
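A preflight check for the file-handling steps in the reply above, written as an added example that is not part of the original thread or of Certificate System. The function name `check_clone_p12` and its return codes are hypothetical, the alias directory is passed in by the caller, and the mode check is an added assumption based on the PKCS#12 export containing the CA's private keys.

```shell
#!/bin/sh
# Preflight for the PKCS#12 file a clone CA will import (added example).
# Assumptions: alias directory, file name and owner are supplied by the
# caller; nothing here is taken from the Certificate System code base.

# check_clone_p12 ALIAS_DIR FILE_NAME OWNER:GROUP
# Return codes: 0 ok, 1 name contains a path, 2 file missing,
#               3 wrong owner/group, 4 group/other access bits set
check_clone_p12() {
    alias_dir=$1 name=$2 want=$3

    # The wizard prepends the alias directory itself, so only a bare
    # file name can resolve correctly.
    case $name in
        */*) echo "FAIL: '$name' is a path; enter the file name only" >&2; return 1 ;;
    esac

    file=$alias_dir/$name
    [ -f "$file" ] || { echo "FAIL: $file not found in alias directory" >&2; return 2; }

    # ls -ld prints owner and group in fields 3 and 4 of the long format.
    have=$(ls -ld "$file" | awk '{print $3 ":" $4}')
    [ "$have" = "$want" ] || { echo "FAIL: $file is $have, expected $want" >&2; return 3; }

    # Characters 5-10 of the mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "FAIL: $file allows group/other access" >&2; return 4; }

    echo "OK: $file"
}

# Stand-alone use: sh preflight.sh ALIAS_DIR cacerts.p12 pkiuser:pkiuser
if [ $# -eq 3 ]; then
    check_clone_p12 "$@"
fi
```

Run it as root or pkiuser before opening the configuration wizard, passing the clone instance's alias directory as the first argument.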