[Pki-users] cloning of PKI-CA

kashyap chamarthy kchamart at redhat.com
Tue Oct 13 09:43:49 UTC 2009


Heyden, Klaus (Allianz ASIC SE) wrote:
> Hello,
>  
> I have problems cloning a CA. The import of the keys failed.
> First, when adding the filename, the servlet every time adds the path 
> "/usr/lib/<instance-name>/alias". I put the PKCS12 file directly in the 
> alias-directory and changed the owner to pkiuser, then I get an error 
> "missing permissions". In debug-log:
>  
> [09/Oct/2009:15:55:04][http-9445-Processor22]: panel no=5
> [09/Oct/2009:15:55:04][http-9445-Processor22]: panel name=restorekeys
> [09/Oct/2009:15:55:04][http-9445-Processor22]: total number of panels=19
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: process
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet:service() 
> uri = /ca/admin/console/config/wizard
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() 
> param name='__password' value='(sensitive)'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() 
> param name='path' value='master.p12'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() 
> param name='p' value='5'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() 
> param name='op' value='next'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: op=next
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: size=19
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: in next 5
> [09/Oct/2009:15:55:25][http-9445-Processor24]: panel no=5
> What is going wron

Hi,
Can you try as below?

-- create a new slapd (directory) instance for clone-CA (note the new directory server port)
-- create a new CA instance (for clone)

-- use the PKCS12Export utility to export the certificates from Master CA and copy them to 
the clone alias directory ( *before* you start configuring the clone CA instance)

-- chown pkiuser:pkiuser cacerts.p12

-- /now/, start configuring the clone CA instance

-- Join an "existing" security domain (the master CA domain)

-- At the "Internal Database", enter the Fully Qualified Domain Name (instead of 
localhost) of Clone CA and appropriate port no.

-- Just enter the cacerts.p12 file name when "Path where the pk12 files are located" is 
prompted for the clone CA ( /do not/ mention the complete file path)

-- Enter the rest of the details and see if you're able to proceed with clone CA instance.

What version of Certificate System are you trying to use?

Hope that helps,

/kashyap

>  
> Kind regards,
> Klaus Heyden
>  
> E-Mail Klaus.Heyden at Allianz.com
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
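
A pre-flight check for the steps in the reply above, written as an added example (it is not part of the original thread or of Certificate System): it confirms that the value to be typed into the wizard is a bare file name, and that the file sits in the clone's alias directory owned by pkiuser:pkiuser. The function name, its arguments and the extra owner-only mode check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check to run before starting the clone CA wizard.
# check_clone_p12 and its argument order are assumptions of this example.
#
# check_clone_p12 ALIAS_DIR NAME OWNER GROUP
#   NAME is exactly what will be typed into the wizard's pk12 path field.
#   Prints one FAIL line per problem and returns non-zero if any was found.
check_clone_p12() {
    alias_dir=$1 name=$2 owner=$3 group=$4
    rc=0

    # The wizard prepends the alias directory itself, so NAME must be a
    # bare file name with no directory component.
    case $name in
        '' | */*)
            echo "FAIL: '$name' must be a bare file name, not a path"
            return 1 ;;
    esac

    p12=$alias_dir/$name
    if [ -L "$p12" ] || [ ! -f "$p12" ]; then
        echo "FAIL: $p12 is not a regular file in the alias directory"
        return 1
    fi

    # Verifies the "chown pkiuser:pkiuser" step (names or numeric ids).
    if [ -z "$(find "$p12" -prune -user "$owner" -group "$group" -print 2>/dev/null)" ]; then
        echo "FAIL: $p12 is not owned by $owner:$group"
        rc=1
    fi

    # Read the mode from ls rather than test -r, which always succeeds for
    # root. The owner must be able to read the file; because it carries the
    # CA keys, this example also rejects any group/other access.
    perms=$(ls -ld "$p12" | cut -c2-10)
    case $perms in
        r??------) ;;
        *)  echo "FAIL: mode '$perms' on $p12; expected owner-only (chmod 600)"
            rc=1 ;;
    esac

    return "$rc"
}

# Stand-alone use: sh check.sh <alias-dir> cacerts.p12 pkiuser pkiuser
if [ "$#" -eq 4 ]; then
    check_clone_p12 "$@"
fi
```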



