[Pki-users] [Pki-devel] Enterprise CA Architecture

John Magne jmagne at redhat.com
Wed Aug 28 17:37:25 UTC 2013 

As for your OCSP query, try this:

Use the console to edit the certificate profile you are using.

I'm assuming it is caUserCert

You can also do this with config files if you want.
Look in /var/lib/pki-ca/profiles/ca/caUserCert.cfg


Anyway, there is an entry of the AIA extension that looks like this in the file:

policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1


Either using editor or the console, put something in there for this setting:

policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=blah-url

Restart the server and try to issue a cert with this profile.

Also, when the agent approves the cert request, it has the chance to change this setting on that page as well.


For your load balancer issue. Just as a quick test you might venture into your OCSP's conf/CS.cfg file and observe the entries that are pointing you to the CA.
I haven't not tried this but it might be possible to change one of those settings to your LB and see what happens. If there is a more elegant way to do this, others can chime in.

thanks,
jack








----- Original Message -----
> From: orrious at yahoo.com
> To: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Tuesday, August 27, 2013 3:31:59 PM
> Subject: [Pki-devel] Enterprise CA Architecture
> 
> Hi Everyone,
> 
> 
> I am setting up a Dogtag 9.0.3 CA PoC and have a couple deployment questions.
>   My goal is to have a secure and redundant CA and subsystems.  The RA is
> external, redundant, and outside the scope of the discussion (for now).
>   OCSP services will more than likely be distributed in multiple Server/LB
> pairs behind a single GTM VIP.
> 
> 
> I am documenting each step of the install and will happily provide it so
> others don't have to ask the same questions.
> 
> 
> Thank you for taking the time to read and provide feedback.
> 
> 
> 
> Scenario:
> 
> I have successfully deployed CA1 and cloned CA2 from CA1.  The VIP: CA.lab
> load balances all incoming ports to both servers, during testing.
> 
> 
> Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP:
> CA.lab.  Instead I must select either CA1.lab or CA2.lab.  Is there a way to
> configure the OCSP to connect to the VIP rather than a specific CA server?
> 
> 
> Q2.) If I am unable to configure OCSP against a VIP, should I configure
> OCSP1->CA1 and OCSP2->CA2?
> 
> Q3.) If Q2 is True and one of the CA's is down will OCSP failover to the
> other CA or will it just not answer a request.
> 
> Q4.) For the Dogtag Web pages, how do I change the server name in the URI to
> the VIP, rather than the actual host name of the server?  i.e, I go to
> https://ca.lab:9445/ca/services.  Depending on the server I am load balanced
> to, the URLs for "Dogtag Certificate System", 'SSL End Users Services", and
> "Agent Services" all go to CA1.lab:944x/ca.. rather than
> https://ca.lab:944x/ca This also pertains to OCSP pages.
> 
> Q5.) Certificates issues by default contain the OCSP service of the CA server
> that issued the Certificate.  i.e.  http://ca1.lab:9180/ca/ocsp.  Can this
> URI be changed to the LB VIP: http://ca.lab:9180/ca/ocsp or can the VIP only
> be added to the certificate?  If it can only be added, can the priority be
> changed so the VIP is queried first, as the CA would be firewalled in
> production and inaccessible.
> 
> 
> Q6.) Should the OCSP services become unavailable, I would also like to
> publish the CRL in the certificates.  What is the best performance for large
> CRLs, say 100K entries; a web page or LDAP?
> 
> 
> 
> 
>  
> 
> Kind Regards,
> Paul
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>

More information about the Pki-users mailing list