<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>The attached patch addresses the following PKI issues:</tt><tt><br>
    </tt>
    <ul>
      <li><tt>TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to
          handle external CA</tt></li>
    </ul>
    <tt>This code has been successfully tested on a slightly earlier
      version of the source tree, although the attached patch has been
      re-based to the 'master'.</tt><tt><br>
    </tt><tt><br>
    </tt><tt>To test this code, the following procedure was followed on
      an x86_64 machine running 64-bit Fedora 18:</tt><tt><br>
    </tt>
    <ul>
      <li><tt>First, a standard CA was created to be used as an
          "External CA" using the following command and file ('# mv
          typescript typescript.external' once finished):</tt></li>
      <ul>
        <li><tt>script -c 'pkispawn -s CA -f /tmp/pki/external.cfg -vvv'</tt><tt><br>
          </tt><tt><br>
          </tt><tt># cat external.cfg </tt><tt><br>
          </tt><tt>[Common]</tt><tt><br>
          </tt><tt>pki_admin_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_backup_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_client_pkcs12_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_ds_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_security_domain_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>[Tomcat]</tt><tt><br>
          </tt><tt>pki_ajp_port=18009</tt><tt><br>
          </tt><tt>pki_http_port=18080</tt><tt><br>
          </tt><tt>pki_https_port=18443</tt><tt><br>
          </tt><tt>pki_instance_name=pki-external-tomcat</tt><tt><br>
          </tt><tt>pki_tomcat_server_port=18005</tt><tt><br>
          </tt><tt><br>
          </tt></li>
      </ul>
      <li><tt>Next, Step 1 for a CA which depended upon this External CA
          was created using the following command and file ('# mv
          typescript typescript.step_1' once finished):</tt></li>
      <ul>
        <li><tt>script -c 'pkispawn -s CA -f /tmp/pki/ca_1.cfg -vvv'</tt><tt><br>
          </tt><tt><br>
          </tt><tt># cat ca_1.cfg </tt><tt><br>
          </tt><tt>[Common]</tt><tt><br>
          </tt><tt>pki_admin_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_backup_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_client_pkcs12_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_ds_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_security_domain_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>[CA]</tt><tt><br>
          </tt><tt>pki_external=True</tt><tt><br>
          </tt><tt>pki_external_csr_path=/tmp/pki/ca_signing.csr</tt><tt><br>
          </tt><tt><br>
          </tt></li>
      </ul>
      <li><tt>Next, the CSR contained in the file
          '/tmp/pki/ca_signing.csr' was utilized to create a certificate
          with the "External CA" using the following procedure:</tt></li>
      <ul>
        <li><tt>External CA:</tt><tt><br>
          </tt><tt><br>
          </tt><tt>EE:     Enrollment/Renewal Tab</tt><tt><br>
          </tt><tt>        * Use 'Manual Certificate Manager Signing
            Certificate Enrollment'</tt><tt><br>
          </tt><tt><br>
          </tt><tt>AGENT:  Approve request by pressing 'submit'</tt><tt><br>
          </tt><tt><br>
          </tt><tt>EE:     Retrieval Tab</tt><tt><br>
          </tt><tt>        * Use 'Check Request Status' to obtain the
            base 64 encoded certificate</tt><tt><br>
          </tt><tt>        * Store this blob into the file specified by
            the value of 'pki_external_ca_cert_path'</tt><tt> in
            ca_2.cfg<br>
          </tt><tt><br>
          </tt><tt>EE:     Retrieval Tab</tt><tt><br>
          </tt><tt>        * Use 'Import CA Certificate Chain' and
            select the radio button entitled 'Display certificates in
            the CA certificate chain for</tt><tt><br>
          </tt><tt>          importing individually into a server' to
            obtain the base 64 encoded certificate chain</tt><tt><br>
          </tt><tt>        * Store this blob into the file specified by
            the value of 'pki_external_ca_cert_chain_path'</tt><tt> in
            ca_2.cfg<br>
          </tt><tt><br>
          </tt></li>
      </ul>
      <li><tt>Finally, Step 2 for a CA which depended upon this External
          CA was created using the following command and file ('# mv
          typescript typescript.step_2' once finished):</tt></li>
      <ul>
        <li><tt>script -c 'pkispawn -s CA -f /tmp/pki/ca_2.cfg -vvv'</tt><tt><br>
          </tt><tt><br>
          </tt><tt># cat ca_2.cfg </tt><tt><br>
          </tt><tt>[Common]</tt><tt><br>
          </tt><tt>pki_admin_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_backup_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_client_pkcs12_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_ds_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>pki_security_domain_password=&lt;password&gt;</tt><tt><br>
          </tt><tt>[CA]</tt><tt><br>
          </tt><tt>pki_external=True</tt><tt><br>
          </tt><tt>pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert</tt><tt><br>
          </tt><tt>pki_external_ca_cert_path=/tmp/pki/ca_signing.cert</tt><tt><br>
          </tt><tt>pki_external_step_two=True</tt><tt><br>
          </tt><br>
        </li>
      </ul>
    </ul>
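    <tt>Added example, not part of the attached patch or of pkispawn: a
      POSIX shell pre-flight check to run after the two blobs have been
      stored and before Step 2 is spawned. It assumes 'openssl' is on the
      PATH and takes the file names from ca_1.cfg and ca_2.cfg above; the
      function names and the script name in the usage line are assumed
      names, not from the page. It confirms that the certificate obtained
      from the "External CA" carries the public key of the CSR submitted in
      Step 1, that it is a CA certificate, and that it validates against the
      stored chain. The chain file is accepted as a PEM bundle, a PEM PKCS#7
      blob or the bare base64 copied from the EE page; which of these
      pkispawn itself accepts is not stated on this page. The 'demo' mode
      stands in for the EE/agent round trip with a throw-away External CA
      built by openssl (constructed input, not a Dogtag instance).</tt><br>
    <br>

```shell
#!/bin/sh
# Pre-flight check between Step 1 and Step 2 of an external-CA deployment.
# Added example, not code from the patch or from pkispawn. Assumes openssl
# on PATH; file names follow ca_1.cfg / ca_2.cfg on the page.

# Normalise the chain file to a PEM certificate bundle on stdout. The three
# shapes handled here are assumptions about what may have been pasted into
# the file, not a statement of what pkispawn accepts.
chain_to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1"                                   # already a PEM bundle
    elif grep -q 'BEGIN PKCS7' "$1"; then
        openssl pkcs7 -in "$1" -print_certs        # PEM-armoured PKCS#7
    else                                           # bare base64 PKCS#7 (DER)
        tr -d '\n\r ' < "$1" | openssl base64 -d -A \
            | openssl pkcs7 -inform DER -print_certs
    fi
}

# check_external_ca_files CSR CERT CHAIN: returns 0 when CERT is safe to hand
# to Step 2, otherwise prints the reason to stderr and returns 1.
check_external_ca_files() {
    csr=$1; cert=$2; chain=$3
    # 1. CERT must be for the key pair whose CSR was submitted in Step 1;
    #    otherwise the new instance cannot use it with its own private key.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read CSR $csr" >&2; return 1; }
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    [ "$csr_key" = "$cert_key" ] \
        || { echo "$cert was not issued for the key in $csr" >&2; return 1; }
    # 2. CERT must be a CA certificate, or the new CA will be unable to sign.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$cert lacks basicConstraints CA:TRUE" >&2; return 1; }
    # 3. CERT must validate against the chain that will be imported with it.
    pem=$(mktemp) || return 1
    chain_to_pem "$chain" > "$pem" 2>/dev/null
    openssl verify -CAfile "$pem" "$cert" > /dev/null 2>&1; verify_rc=$?
    rm -f "$pem"
    [ "$verify_rc" -eq 0 ] \
        || { echo "$cert does not chain to $chain" >&2; return 1; }
    return 0
}

# Constructed demo: a throw-away External CA signs a throw-away subordinate
# CSR, standing in for the EE/agent round trip above; the check is then run
# against all three chain shapes plus one certificate for the wrong key.
demo_external_ca_roundtrip() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo External CA' \
        -keyout "$d/ext.key" -out "$d/ext.crt" -days 30 > /dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo CA Signing Certificate' \
        -keyout "$d/sub.key" -out "$d/ca_signing.csr" > /dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl x509 -req -in "$d/ca_signing.csr" -CA "$d/ext.crt" -CAkey "$d/ext.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 \
        -out "$d/ca_signing.cert" > /dev/null 2>&1 || return 1
    cp "$d/ext.crt" "$d/chain.pem"
    openssl crl2pkcs7 -nocrl -certfile "$d/ext.crt" -out "$d/chain.p7b" \
        > /dev/null 2>&1 || return 1
    grep -v '^-----' "$d/chain.p7b" | tr -d '\n' > "$d/chain.b64"
    # A self-signed certificate for an unrelated key: must be rejected.
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Wrong Key' \
        -keyout "$d/wrong.key" -out "$d/wrong.crt" -days 30 > /dev/null 2>&1 || return 1
    status=0
    for c in chain.pem chain.p7b chain.b64; do
        check_external_ca_files "$d/ca_signing.csr" "$d/ca_signing.cert" "$d/$c" || status=1
    done
    if check_external_ca_files "$d/ca_signing.csr" "$d/wrong.crt" "$d/chain.pem" 2>/dev/null; then
        status=1
    fi
    rm -rf "$d"
    return $status
}

case "${1:-}" in
    demo) demo_external_ca_roundtrip && echo "demo: checks behaved as expected" ;;
    "")   ;;   # no arguments: only define the functions (e.g. when sourced)
    *)    [ $# -eq 3 ] || { echo "usage: $0 CSR CERT CHAIN | demo" >&2; exit 2; }
          check_external_ca_files "$1" "$2" "$3" ;;
esac
```

    <tt>With the paths from the configuration files above, the check would
      be run as 'sh check_external_ca.sh /tmp/pki/ca_signing.csr
      /tmp/pki/ca_signing.cert /tmp/pki/ca_signing_chain.cert' (script
      name assumed) immediately before the Step 2 pkispawn command; a
      non-zero exit means one of the two stored blobs is not the one the
      Step 1 CSR asked for and Step 2 should not be started.</tt><br>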
  </body>
</html>