<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>The attached patch addresses the following PKI issues:</tt><tt><br>
</tt>
<ul>
<li><tt>TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to
handle external CA</tt></li>
</ul>
<tt>This code has been successfully tested on a slightly earlier
version of the source tree, although the attached patch has been
re-based to the 'master'.</tt><tt><br>
</tt><tt><br>
</tt><tt>To test this code, the following procedure was followed on
an x86_64 machine running 64-bit Fedora 18:</tt><tt><br>
</tt>
<ul>
<li><tt>First, a standard CA was created to be used as an
"External CA" using the following command and file ('# mv
typescript typescript.external' once finished):</tt></li>
<ul>
<li><tt>script -c 'pkispawn -s CA -f /tmp/pki/external.cfg -vvv'</tt><tt><br>
</tt><tt><br>
</tt><tt># cat external.cfg </tt><tt><br>
</tt><tt>[Common]</tt><tt><br>
</tt><tt>pki_admin_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_backup_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_ds_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_security_domain_password=&lt;password&gt;</tt><tt><br>
</tt><tt>[Tomcat]</tt><tt><br>
</tt><tt>pki_ajp_port=18009</tt><tt><br>
</tt><tt>pki_http_port=18080</tt><tt><br>
</tt><tt>pki_https_port=18443</tt><tt><br>
</tt><tt>pki_instance_name=pki-external-tomcat</tt><tt><br>
</tt><tt>pki_tomcat_server_port=18005</tt><tt><br>
</tt><tt><br>
</tt></li>
</ul>
<li><tt>Next, Step 1 for a CA which depended upon this External CA
was created using the following command and file
('# mv typescript typescript.step_1' once finished):</tt></li>
<ul>
<li><tt>script -c 'pkispawn -s CA -f /tmp/pki/ca_1.cfg -vvv'</tt><tt><br>
</tt><tt><br>
</tt><tt># cat ca_1.cfg </tt><tt><br>
</tt><tt>[Common]</tt><tt><br>
</tt><tt>pki_admin_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_backup_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_ds_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_security_domain_password=&lt;password&gt;</tt><tt><br>
</tt><tt>[CA]</tt><tt><br>
</tt><tt>pki_external=True</tt><tt><br>
</tt><tt>pki_external_csr_path=/tmp/pki/ca_signing.csr</tt><tt><br>
</tt><tt><br>
</tt></li>
</ul>
<li><tt>Next, the CSR contained in the file
'/tmp/pki/ca_signing.csr' was utilized to create a certificate
with the "External CA" using the following procedure:</tt></li>
<ul>
<li><tt>External CA:</tt><tt><br>
</tt><tt><br>
</tt><tt>EE: Enrollment/Renewal Tab</tt><tt><br>
</tt><tt> * Use 'Manual Certificate Manager Signing
Certificate Enrollment'</tt><tt><br>
</tt><tt><br>
</tt><tt>AGENT: Approve request by pressing 'submit'</tt><tt><br>
</tt><tt><br>
</tt><tt>EE: Retrieval Tab</tt><tt><br>
</tt><tt> * Use 'Check Request Status' to obtain the
base 64 encoded certificate</tt><tt><br>
</tt><tt> * Store this blob into the file specified by
the value of 'pki_external_ca_cert_path'</tt><tt> in
ca_2.cfg<br>
</tt><tt><br>
</tt><tt>EE: Retrieval Tab</tt><tt><br>
</tt><tt> * Use 'Import CA Certificate Chain' and
select the radio button entitled 'Display certificates in
the CA certificate chain for</tt><tt><br>
</tt><tt> importing individually into a server' to
obtain the base 64 encoded certificate chain</tt><tt><br>
</tt><tt> * Store this blob into the file specified by
the value of 'pki_external_ca_cert_chain_path'</tt><tt> in
ca_2.cfg<br>
</tt><tt><br>
</tt></li>
</ul>
<li><tt>Finally, Step 2 for a CA which depended upon this External
CA was created using the following command and file
('# mv typescript typescript.step_2' once finished):</tt></li>
<ul>
<li><tt>script -c 'pkispawn -s CA -f /tmp/pki/ca_2.cfg -vvv'</tt><tt><br>
</tt><tt><br>
</tt><tt># cat ca_2.cfg </tt><tt><br>
</tt><tt>[Common]</tt><tt><br>
</tt><tt>pki_admin_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_backup_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_ds_password=&lt;password&gt;</tt><tt><br>
</tt><tt>pki_security_domain_password=&lt;password&gt;</tt><tt><br>
</tt><tt>[CA]</tt><tt><br>
</tt><tt>pki_external=True</tt><tt><br>
</tt><tt>pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert</tt><tt><br>
</tt><tt>pki_external_ca_cert_path=/tmp/pki/ca_signing.cert</tt><tt><br>
</tt><tt>pki_external_step_two=True</tt><tt><br>
</tt><br>
</li>
</ul>
</ul>
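<tt>The following Python pre-flight checker is an added example; it is not part of the attached patch or of Dogtag itself. It validates the step 1 and step 2 pkispawn configuration files described above before pkispawn is run, and checks that the certificate and chain blobs copied out of the External CA's EE pages are well-formed PEM before step 2 imports them. It assumes the blobs are stored in PEM form (wrapped in BEGIN/END CERTIFICATE lines) and that the config files use the [CA] keys shown in the message; the sample configs and the PEM block it embeds are constructed, and the PEM block is a structural stand-in, not a real certificate.</tt><br>

```python
"""Pre-flight checks for the two-step pkispawn external CA procedure.

Added example, not Dogtag code: catches the usual slips (step flags set in
the wrong step, missing path keys, blobs pasted without PEM headers) before
pkispawn is run with -vvv and a long log has to be read.
"""
import base64
import binascii
import configparser
import re

# Matches one PEM certificate block.  A bare base64 blob without the
# BEGIN/END lines is deliberately not matched (assumption of this checker:
# the files named in ca_2.cfg hold PEM, not raw base64).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def load_cfg(text):
    """Parse pkispawn-style INI text (sections such as [Common] and [CA])."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _flag(cfg, key):
    """True when [CA] key is set to 'True' (case-insensitive); False if absent."""
    return cfg.get("CA", key, fallback="False").strip().lower() == "true"


def count_pem_certs(data):
    """Count well-formed PEM CERTIFICATE blocks in data; raise ValueError on a bad one."""
    blocks = PEM_CERT_RE.findall(data)
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}")
        # Every DER certificate starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            raise ValueError("decoded block does not start with a DER SEQUENCE")
    return len(blocks)


def check_step_one(cfg_text):
    """Return a list of problems with a step 1 (CSR-generating) config."""
    cfg = load_cfg(cfg_text)
    problems = []
    if not _flag(cfg, "pki_external"):
        problems.append("[CA] pki_external must be True")
    if _flag(cfg, "pki_external_step_two"):
        problems.append("[CA] pki_external_step_two must not be set in step 1")
    if not cfg.get("CA", "pki_external_csr_path", fallback=""):
        problems.append("[CA] pki_external_csr_path is required so step 1 can write the CSR")
    return problems


def check_step_two(cfg_text, cert_text, chain_text):
    """Return a list of problems with a step 2 config and the two blobs it names."""
    cfg = load_cfg(cfg_text)
    problems = []
    if not (_flag(cfg, "pki_external") and _flag(cfg, "pki_external_step_two")):
        problems.append("[CA] both pki_external and pki_external_step_two must be True")
    for key in ("pki_external_ca_cert_path", "pki_external_ca_cert_chain_path"):
        if not cfg.get("CA", key, fallback=""):
            problems.append(f"[CA] {key} is required in step 2")
    try:
        n_cert = count_pem_certs(cert_text)
        if n_cert != 1:
            problems.append(f"CA certificate file must hold exactly one certificate, found {n_cert}")
        if count_pem_certs(chain_text) < 1:
            problems.append("CA certificate chain file holds no PEM certificate block "
                            "(bare base64 pasted without BEGIN/END lines?)")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def check_step_two_files(cfg_path):
    """Read a real ca_2.cfg plus the two files it names, then run check_step_two."""
    with open(cfg_path) as fh:
        cfg_text = fh.read()
    cfg = load_cfg(cfg_text)

    def read(key):
        try:
            with open(cfg.get("CA", key, fallback="")) as fh:
                return fh.read()
        except OSError:
            return ""  # a missing file surfaces as "no PEM block" above

    return check_step_two(cfg_text, read("pki_external_ca_cert_path"),
                          read("pki_external_ca_cert_chain_path"))


# Constructed samples mirroring ca_1.cfg / ca_2.cfg from the message (passwords elided).
SAMPLE_CA_1 = """[Common]
pki_admin_password=REDACTED
[CA]
pki_external=True
pki_external_csr_path=/tmp/pki/ca_signing.csr
"""
SAMPLE_CA_2 = """[Common]
pki_admin_password=REDACTED
[CA]
pki_external=True
pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert
pki_external_ca_cert_path=/tmp/pki/ca_signing.cert
pki_external_step_two=True
"""
# Constructed stand-in for a PEM certificate: base64 of the DER bytes
# 30 03 02 01 01 (a SEQUENCE wrapping INTEGER 1), not a real certificate.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("step 1:", check_step_one(SAMPLE_CA_1) or "ok")
    print("step 2:", check_step_two(SAMPLE_CA_2, FAKE_PEM, FAKE_PEM) or "ok")
```

<tt>Against the files from the message the call would be check_step_two_files("/tmp/pki/ca_2.cfg"); a non-empty list names what to fix before pkispawn is re-run.</tt><br>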
</body>
</html>