[Pki-users] cloning a CA fails
Andrew Wnuk
awnuk at redhat.com
Wed Sep 14 16:35:57 UTC 2011
On 09/14/2011 01:19 AM, Alexander Jung wrote:
> ok,
>
> find my howto at
> http://pki.fedoraproject.org/wiki/Fix_clone*.privkey.id_entries_in_CS.cfg_to_reenable_cloning
>
> Kind regards,
>
> Alexander Jung
Thank you.
>
>
> 2011/9/13 Andrew Wnuk <awnuk at redhat.com>
>
> Hi Alexander,
>
> Would you be kind enough to add your solution to Dogtag's "How Tos"?
> http://pki.fedoraproject.org/wiki/PKI_How_To
>
> Thank you,
> Andrew
>
>
>
> On 09/13/2011 08:39 AM, Alexander Jung wrote:
>> Hello,
>>
>> In the meantime I got it working. The problem was the master CA
>> setup: after instantiating the CA, the certs had been replaced by
>> the certs from another instance - but the entries
>> clone*.privkey.id had not been updated.
>>
>> After recognizing this I only had to match the (unsigned) output
>> of certutil -K with the (signed) params in CS.cfg. I did this by
>> inserting some "System.out.println" into
>> com.netscape.cmsutil.crypto.CryptoUtil findPrivateKeyFromID()
>> and patching the new .class file into the .jar file. Watching
>> catalina.out while trying to clone the CA then gave all the needed info.
>>
>> Another fresh install after that completed without problems.
>>
>> Yours,
>>
>> Alexander Jung
>>
>>
>
>
>
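
The unsigned/signed matching described in the quoted message, as an added example (not part of the original thread and not Dogtag code). It assumes the CS.cfg values are the signed hexadecimal form of the same key ID bytes that certutil -K prints unsigned, and that key IDs are 20 bytes; the entry names, key IDs and CS.cfg lines are constructed samples.

```python
import re

KEY_ID_BYTES = 20  # assumption: key IDs are 20-byte values

def to_signed_hex(unsigned_hex):
    """Unsigned hex key ID -> signed hex (two's complement, big-endian)."""
    raw = bytes.fromhex(unsigned_hex)
    return format(int.from_bytes(raw, "big", signed=True), "x")

def to_unsigned_hex(signed_hex, nbytes=KEY_ID_BYTES):
    """Signed hex (may start with '-') -> zero-padded unsigned hex."""
    value = int(signed_hex, 16)
    if value >= 1 << (8 * nbytes - 1):  # already unsigned with the high bit set
        return format(value, "0%dx" % (2 * nbytes))
    return value.to_bytes(nbytes, "big", signed=True).hex()

# Any "<name>.privkey.id=<hex>" line; comment lines are skipped.
ENTRY = re.compile(r"^\s*([^#=\s]+\.privkey\.id)\s*=\s*(-?[0-9a-fA-F]+)\s*$")

def check_cfg(cfg_text, db_key_ids):
    """Map each *.privkey.id entry to True if its key ID exists in the NSS DB."""
    db = {k.lower() for k in db_key_ids}
    return {m.group(1): to_unsigned_hex(m.group(2)) in db
            for m in map(ENTRY.match, cfg_text.splitlines()) if m}

# Constructed sample data: key IDs as they would be copied from certutil -K,
# and CS.cfg lines with hypothetical entry names.
DB_KEY_IDS = ["ff" * 19 + "fe", "7f" + "ff" * 19]
SAMPLE_CFG = """\
cloning.signing.privkey.id=-2
cloning.ocsp_signing.privkey.id=7fffffffffffffffffffffffffffffffffffffff
cloning.subsystem.privkey.id=-1a2b3c
"""

if __name__ == "__main__":
    for key, ok in check_cfg(SAMPLE_CFG, DB_KEY_IDS).items():
        print(("OK    " if ok else "STALE ") + key)
```

An entry reported as STALE points at a key ID that is not in the instance's key database, which is the mismatch the message describes.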