<html>
<head>
<meta content="text/html; charset=ISO-2022-JP"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 10/07/2013 05:19 AM, Oleg Antonenko wrote:
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Nathan, Dmitri,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
for the info and your comments. Please see my answers inline
in red…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:ZH-TW"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:ZH-TW"
lang="EN-US"> Nathan Kinder [<a class="moz-txt-link-freetext" href="mailto:nkinder@redhat.com">mailto:nkinder@redhat.com</a>]
<br>
<b>Sent:</b> 04 October 2013 20:53<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
<b>Cc:</b> Oleg Antonenko; Ciaran Bradley;
<a class="moz-txt-link-abbreviated" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
<b>Subject:</b> Re: [Pki-users] will the new version of
RHCS support RHEL6?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 10/04/2013 11:37 AM, Dmitri Pal wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="MsoNormal">On 10/04/2013 02:06 PM, Nathan Kinder
wrote: <o:p></o:p></p>
<div>
<p class="MsoNormal">On 10/04/2013 10:44 AM, Dmitri Pal
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="MsoNormal">On 10/04/2013 12:12 PM, Oleg Antonenko
wrote: <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s
all clear now, thank you Dmitri!</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regarding
our wish list
</span><span
style="font-size:11.0pt;color:#1F497D">:-)</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Basically
we just have evaluated ejbCA, so we want something
similar but without EJB and heavy weight app server…
i.e. -</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">UI
for managing certs</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Can you define workflows and actors?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
Workflow for iOS devices is well defined in the Apple’s
guide referenced below. We will be building similar for
Android – but simpler without a Profile Server. We use
an MDM system for distributing SCEP
profile/configuration to devices…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Who does what when to the certs?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
The device itself plays the role of a SCEP client. After
obtaining a cert, devices would use it for setting up a
VPN channel. Normally we are not planning to actively
manage certs for devices, except revocation. But for SSL
servers we would have to issue certs manually, and then
export the full keystore for manual deployment.</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW">
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Are certs associated to users or to devices?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
To devices, so the CN will contain a device ID. At the
same time subjectAltName will be set to user’s email. So
in theory it would be good to manage users but that is
for the future…</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Do you track devices in the CA or somewhere else? </span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
No, we will track them in our application, which will be
integrated with MDM for device enrolment and
configuration (e.g. installing our VPN Client App &
setting up SCEP Profile). So we will need the CA API
only for revoking certs.</span><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Are users enterprise users (belong to one company) or
internet users (any user from the street)?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
Enterprise</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Support
SCEP & OCSP</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Dogtag supports both: the first as a protocol, the second
as a component that can be installed and turned on.
</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
Those are reasons for selecting it</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">For
SCEP do you actually need a SCEP client? What do you
use as a SCEP client?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
For iOS I presume there is an embedded client? For
Android we’re developing our own.
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">Are
there any specific features of the SCEP protocol that
are required that are currently natively not supported
by the Dogtag CA?<br>
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
There is one area I still don’t have full understanding
of.
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">In
the SCEP specs they say that a request for a cert is a
PKCS#7 structure signed by either –<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="mso-margin-top-alt:5.0pt;margin-right:144.0pt;margin-bottom:5.0pt;margin-left:110.25pt;text-indent:-18.0pt;mso-list:l1
level1 lfo3">
<!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:Symbol;color:#1F497D;mso-fareast-language:ZH-TW"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">A
cert issued earlier by the requested CA (re-issuance)</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="mso-margin-top-alt:5.0pt;margin-right:144.0pt;margin-bottom:5.0pt;margin-left:110.25pt;text-indent:-18.0pt;mso-list:l1
level1 lfo3">
<!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:Symbol;color:#1F497D;mso-fareast-language:ZH-TW"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">Self-signed
cert</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="mso-margin-top-alt:5.0pt;margin-right:144.0pt;margin-bottom:5.0pt;margin-left:110.25pt;text-indent:-18.0pt;mso-list:l1
level1 lfo3">
<!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:Symbol;color:#1F497D;mso-fareast-language:ZH-TW"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">A
3<sup>rd</sup> party cert signed by a trusted CA (e.g. a
generic transport cert)</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:5.0pt;margin-right:216.0pt;margin-bottom:5.0pt;margin-left:0cm"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">The
P7 structure contains a P10 request encrypted with the
requested CA pub key.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:5.0pt;margin-right:216.0pt;margin-bottom:5.0pt;margin-left:0cm"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">When
testing issuing certs for iOS devices in dogtag our
developers had an impression that the P10 is not
encrypted, and the P7 is not signed. I’m frankly not
convinced by their words. Could you confirm please that
the SCEP cert request is processed in dogtag as above?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:
"PMingLiU","serif";"><br>
</span></p>
</blockquote>
</blockquote>
</div>
</blockquote>
<br>
I would leave this to Nathan to confirm.<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">API
for issuing and revoking certs (cert-based request auth
is preferable) – as we want to integrate our product
for revoking certs</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
The product can be given a keytab and authenticate
kerberos to the IPA. It is very simple and would be
easier to accomplish.<br>
API for managing certs for hosts and services is already
available in IPA, so the question of what the certs are
associated with is very important.
<br>
Also certmonger can be used for fetching certs and
storing them in the files or DBs you need.<br>
Are you aware of certmonger?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right: 72pt;"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
No, did not hear before. As I understand it has a
command line / d-bus interfaces? We need something like
a WS or REST.</span></p>
</blockquote>
</blockquote>
</div>
</blockquote>
<br>
The point is that you can create a simple WS or REST server around
it very easily.<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
It can be effectively a whole alternative solution. From
your portal you call Certmonger on the local system via
CLI or D-BUS interface and it gets a cert for you.<br>
But I need to understand the workflow better. If you
generate the PKI pair on your portal and deliver them to a
device it is a perfect solution. If you use client side
software on the mobile platform to send the signing
request then it is a different workflow and you need to
send such request to CA.</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
Yes, the latter…</span><span style="font-family:
"PMingLiU","serif";"><br>
</span></p>
</blockquote>
</blockquote>
</div>
</blockquote>
<br>
I see.<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<br>
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Desirable
- Export a key store (including cert) as PKCS#12, PEM
(for manual deployment of certs on e.g. SSL servers).</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
When and where? During issuance or ability to later
export it from the back end store?</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right: 72pt;"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
For SSL servers terminating VPN connection from mobile
devices. So we would create them before and parallel to
issuing to devices… I think it’s going to be like an
admin would login into the UI, enter machine details for
the cert & key store. In response the CA would
generate a keypair and issue a cert. Then we would need
to export the keystore either as p12 or PEM file…</span></p>
</blockquote>
</blockquote>
</div>
</blockquote>
<br>
You might want to consider using IPA to manage servers and their
certs. AFAIR IPA allows you to save certs in a PEM file.<br>
Then for the devices you will use Dogtag directly but for servers
you will leverage all the advantages of IPA. Seems like a double
win.<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-right:72.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">As
mentioned earlier we are planning to use a CA for
issuing and delivering certs to mobile devices via SCEP.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
I am sorry I am not familiar with the details of the
workflow in this case.<br>
Can you describe the chain of communication between
mobile device, your portal and CA and what protocols
used where?<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">iOS
devices use SCEP to enroll for certificates. The basic
flow is that you have a "Profile Server", which is
responsible for delivering an XML profile onto the
authenticated iOS device. This XML profile contains
details on how the iOS device should contact the CA via
SCEP. When the profile is installed, the SCEP request is
made and the returned certificate is installed. There is
a good visual workflow of this process in this document:<br>
<br>
<a moz-do-not-send="true"
href="https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1">https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
This is very helpful.<br>
So it seems that IPA CA might be used for this as is. The
certs would just not be associated with any specific entry
and live in the CA storage.<br>
Do I get it right?<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">I
think so.</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
Yes, correct. Btw, what storage is the CA using? LDAP?</span><span
style="font-family: "PMingLiU","serif";"><br>
</span></p>
</div>
</blockquote>
<br>
Yes.<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
The trick might be to add additional profile to IPA CA after
IPA installation and use that profile instead of the default
one in SCEP requests.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">Yes,
getting the profile set up would be the main thing to
tackle.</span><span
style="font-family:"PMingLiU","serif";color:#1F497D;mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
Could you give me a bit more insight what is advantage/why
to use an additional SCEP profile?</span><span
style="font-family: "PMingLiU","serif";"><br>
</span></p>
</div>
</blockquote>
<br>
Cert profile is a template for issuing certs.<br>
Dogtag allows you to have more than a single template.<br>
This makes it possible to issue certs containing different contents and
used for different purposes: VPN, authentication, message signing
etc.<br>
IPA installs just one profile. I suspect that mobile devices would
need to have certs with specific attributes in them. For that you
would need to either modify the existing profile or add another one.
Latest versions of Dogtag CA have REST API to manage these profiles
programmatically but this capability is not integrated into IPA yet.
So with existing IPA version you would need to either modify
existing profile or add a new one manually. If you start with latest
Dogtag and version in Fedora 19 that will be a part of RHEL7 you can
probably use REST API directly and add/modify profiles as you need.
In future IPA will provide API/CLI/UI that would wrap this REST API
and allow you to manage this consistently with the rest of the IPA
objects.<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Since with Dogtag 10 you have REST API and CLI to add and
manage those profiles and the data is sort of orthogonal to
IPA data I do not see a reason why portal can't integrate
those and use them directly.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">To
clarify, profile management REST interfaces are in Dogtag
10.1 (not 10.0). Regardless, profiles can be configured
without the REST interfaces and be used directly with IPA
being none the wiser.<br>
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
We would configure the CA manually. API is needed for cert
revocation only. Does dogtag 9 support REST for revocation?</span></p>
</div>
</blockquote>
Dogtag 9 does not support any REST API. <br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW">-NGK<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So
far we managed to issue certs for iphones via SCEP in ejbCA
and Dogtag (pki-ca 9.0.3-30 package).</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dogtag
wins provided we can carry on using standalone CA services
in the future for free as a part of RHEL IPA…</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Yes this is a clear winner keeping in mind that we had some
distant plans about the use case you are describing.
Unfortunately we were not able to get a good understanding
of the details of the use case in the past thus so many
questions. Sorry.<br>
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red;mso-fareast-language:ZH-TW">[OA]
That’s cool, it seems you’ve got it right…</span><span
style="font-family: "PMingLiU","serif";"><br>
</span></p>
</div>
</blockquote>
<br>
We would like to help you as much as possible with what we have now
and give you a clear migration path for the solutions we are
building. This is why Dogtag 10+ and IPA 3.2+ is probably the best
starting point.<br>
<br>
<br>
<blockquote
cite="mid:34A5A0661B86944184C25952A4F16990869205EF@Exchange-AMS.adaptivemobile.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"PMingLiU","serif";mso-fareast-language:ZH-TW"><br>
Thanks<br>
Dmitri<br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Oleg</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> Dmitri Pal [<a moz-do-not-send="true"
href="mailto:dpal@redhat.com">mailto:dpal@redhat.com</a>]
<br>
<b>Sent:</b> 04 October 2013 16:54<br>
<b>To:</b> Oleg Antonenko<br>
<b>Cc:</b> Nathan Kinder (<a moz-do-not-send="true"
href="mailto:nkinder@redhat.com">nkinder@redhat.com</a>);
Ciaran Bradley;
<a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
<b>Subject:</b> Re: [Pki-users] will the new version of
RHCS support RHEL6?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">On 10/04/2013 11:48 AM, Oleg Antonenko
wrote: <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Dmitri, Nathan,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thank
you for speedy responses.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Could
you please confirm my understanding?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:20.25pt;text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">RHCS
is going to be shipped as a part of RHEL7.x in the
foreseeable future;
</span><o:p></o:p></p>
<p class="MsoNormal"><br>
It is not "a part"; it is a standalone product and not free.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:20.25pt;text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">IPA
is a free part of RHEL 6.x and will remain as such in the
foreseeable future;</span><o:p></o:p></p>
<p class="MsoNormal"><br>
Correct and same is true for RHEL7.x<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:20.25pt;text-indent:-18.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">RHEL
6.x does not ship RHCS, but includes only pki-ca packages in
order to support IPA.</span><o:p></o:p></p>
<p class="MsoNormal"><br>
Correct<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Could
you also clarify your point here?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><i>The CA portion in RHEL is not supported
by Red Hat for standalone use
</i><b><i><span style="color:red">without an entitlement for
the rest of RHCS</span></i></b><i>, which isn't
available on RHEL 6</i><o:p></o:p></p>
<p class="MsoNormal"><br>
RHCS is a layered product and can be acquired separately.<br>
We do not ship a version of RHCS on top of RHEL6. It is a big
product and takes a lot of time to deliver.<br>
We decided to skip a major RHEL version.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Does
it mean RHCS is not free?</span><o:p></o:p></p>
<p class="MsoNormal"><br>
Correct.<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regarding
this -</span><o:p></o:p></p>
<p class="MsoNormal"><i>We would be actually very interested if
we can support this use case with core IPA.<br>
Would you be interested in a conversation about this?<br>
<br>
<br>
<br>
</i><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Yes,
we’d love to.</span><o:p></o:p></p>
<p class="MsoNormal"><br>
Ok let us have one.<br>
I am sorry, I have not been following the whole thread; just
this mail caught my eye. So what kind of functionality are we
looking for?<br>
Can you formulate a "wish list" for your use case assuming the
CA is a part of IPA?<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Many
thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Oleg</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">
<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">mailto:pki-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Dmitri Pal<br>
<b>Sent:</b> 04 October 2013 16:21<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
<b>Subject:</b> Re: [Pki-users] will the new version of
RHCS support RHEL6?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">On 10/04/2013 11:08 AM, Oleg Antonenko
wrote: <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Nathan,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Could
you please shed some light on the future plans for the
pki-ca portion of RHEL?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Will
it be included in the standard RHEL distribution in the
future?</span><o:p></o:p></p>
<p class="MsoNormal"><br>
Dogtag 10+ will become a RHCS product on top of RHEL7.x<br>
<br>
Some of its portions will be gradually included into IPA that
comes for free with RHEL.<br>
IMO full blown IPA is not that "full blown" in this case.<br>
<br>
We would be actually very interested if we can support this
use case with core IPA.<br>
Would you be interested in a conversation about this?<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m
asking because we’re planning to use the CA bit only for
issuing certificates to mobile devices via SCEP. We do not
require any other services or the full blown IPA…</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">With
thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Oleg</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">
<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">mailto:pki-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Nathan Kinder<br>
<b>Sent:</b> 27 September 2013 20:03<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
<b>Subject:</b> Re: [Pki-users] will the new version of
RHCS support RHEL6?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 09/26/2013 10:25 PM, <span lang="JA">安
泱</span> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi all,<br>
<br>
I'm a beginner with the dogtag certificate system. Dogtag <span
lang="JA">(</span>RHCS<span lang="JA">)</span> is a
wonderful project, but I'm confused about RHCS. Could you
give any help?<br>
<br>
The latest version of RHCS is 8.1, which is based on dogtag
8.1 and supports RHEL5.8. In RHEL6, pki-ca 9.0.3 was
included without the other 5 subsystems. Could you show me
the considerations for why RHCS does not support RHEL6?
<br>
Is RHEL6 not secure enough, or are there some other reasons<span
lang="JA">?</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal">It was simply not a targeted platform (nor
are there plans to release it there). The pki-ca portion is
included for use by IdM (based on the FreeIPA project).<br>
<br>
Thanks,<br>
-NGK<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><br>
Regards.<br>
An Yang<br>
<br>
<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Pki-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a><o:p></o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Thank you,<o:p></o:p></pre>
<pre>Dmitri Pal<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Sr. Engineering Manager for IdM portfolio<o:p></o:p></pre>
<pre>Red Hat Inc.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>-------------------------------<o:p></o:p></pre>
<pre>Looking to carve out IT costs?<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>