<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The CA needs to generate or sign
certificates for other servers, e.g. a web server. Clients of
those servers should trust the CA's certificate as the CA
certificate that signs the server certificates. They don't need
to communicate with the CA directly. (The exception might be
if the CA is also an online certificate revocation server, but
that is beyond my experience.)<br>
<br>
You should assume that your CA will eventually crash, or that you
might make a configuration change or an update that you want to
roll back. As with any server, you should back up the critical
files. If this is a virtual machine, it makes backing up the
entire machine much easier.<br>
<br>
<br>
I wouldn't imagine that the entire CA configuration and database
directories are very big.<br>
<br>
On 10/10/14 07:18, kritee jhawar wrote:<br>
</div>
<blockquote
cite="mid:CAGJVne3eKACPNoKDFNK7mHGNfKx9jSHHvHjQbvuLOP561N3GVQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_quote">
<div dir="ltr">
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">Hello,<br>
</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">I am an engineer from India and I
have been struggling with this for the past 2 weeks.
Request you to help me out.</span></p>
<p class="MsoNormal"><b><span style="color:black">USE-CASE:
</span></b><span style="color:black"></span></p>
<p class="MsoNormal"><span style="color:black">Dogtag is the
private CA for
multiple services in a cluster. Trust is established by
providing the root
certificate of dogtag to all the services. What happens
if dogtag crashes? All
the services will have to be given the root certificate
of the new dogtag.</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">How
can we avoid this?</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">Can
we bring up multiple instances dogtag with a static
certificate every time?</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">The
only way I could find is by using the <b>external CA</b>
option. </span></p>
<p class="MsoNormal"><span style="color:black">I am
following the 2-step pkispawn
process with 2 config files (deployment-1.cfg and
deployment-2.cfg) </span></p>
<p class="MsoNormal"><span style="color:black">In the first
step the csr is
generated. I take the csr and get a certificate from the
external CA and place
it in the required location. The root certificate of the
CA has also been
placed in the required location. Step 2 of pkispawn goes
through and the
ca_admin cert is generated and signed. </span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">However,
when I make a REST call to list the certificates, I get
</span><span style="color:rgb(31,73,125)">2 different
errors:</span><span style="color:black"></span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:rgb(31,73,125)">(Please
note that I replicated the same steps with same files on
2 setups and got 2
errors)</span><span style="color:black"><br>
</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">
</span><span><span
style="color:rgb(204,0,0);background:none repeat
scroll 0% 0% white">curl -k
--request GET <a moz-do-not-send="true"
href="https://localhost:9443/ca/rest/certs"
target="_blank">https://localhost:9443/ca/rest/certs</a></span></span><span
style="color:black"><br>
</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><b><u><span
style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">ERROR
1</span></u></b><span style="color:black"></span></p>
<pre wrap="" style="color:rgb(204,0,0)">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
&lt;PKIException&gt;&lt;ClassName&gt;com.netscape.certsrv.base.PKIException&lt;/ClassName&gt;&lt;Code&gt;500&lt;/Code&gt;&lt;Message&gt;Error listing certs in CertsResourceService.listCerts!&lt;/Message&gt;&lt;Attributes/&gt;&lt;/PKIException&gt;</pre>
<p class="MsoNormal" style="margin-bottom:12pt"><b><u><span
style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">ERROR
2</span></u></b><span style="color:black"></span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:rgb(204,0,0)">With
the same steps I also get a NullPointerException
(attached logs: null-pointer-error.txt)</span><span
style="color:black"><br>
</span></p>
<p class="MsoNormal"><span style="color:black">When I see
the status of my
pki-instance after pkispawn step 2, it says the instance
is loaded and needs to
be configured. (attached logs: post-pkispawn-2.txt)<br>
However, it starts using systemctl without any errors.</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">I suspect
I am missing some part in the configuration.</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">Any
help/pointers would be very helpful!</span></p>
<p class="MsoNormal"><span style="color:black">Thanks</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">Kritee
</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="color:black">Attached
files : </span></b><span style="color:black"></span></p>
<p class="MsoNormal"><span style="color:black">deployment-1.txt
- config
file for pkispawn step 1</span></p>
<p class="MsoNormal"><span style="color:black">deployment-2.txt
- config file for
pkispawn step 2</span></p>
<p class="MsoNormal"><span style="color:black">pkispawn-1-log.txt
- logs for
pkispawn step 1</span></p>
<p class="MsoNormal"><span style="color:black">pkispan-2-log.txt
- logs for
pkispawn step 2</span></p>
<p class="MsoNormal"><span style="color:black">dogtag-cert.txt
- root certificate
of dogtag generated by external CA</span></p>
<p class="MsoNormal"><span style="color:black">ca-admin-cert.txt
- admin cert
signed by dogtag</span></p>
<p class="MsoNormal"><span style="color:black">null-pointer-error.txt
- null pointer
exception while making a REST call to list certs</span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="color:black">post-pkispawn-2.txt
- status of pki-instance after pkispawn step 2</span></p>
</div>
</div>
<br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
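<p>The point made in the reply, that the services only need to trust the CA certificate and that the CA's signing key and certificate are the critical files to back up, shown with plain openssl as an added example. This is not code from the thread or from Dogtag; the names Example Cluster CA and web.example.test and the file layout are made up for the demonstration. The script builds a throwaway root, issues a server certificate, and then compares two recoveries from a "crash": one where the CA key and certificate come back from a backup, and one where the CA is rebuilt under the same name with a fresh key.</p>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Dogtag): shows with
# plain openssl why the CA's signing key and certificate are the files that
# must survive a crash. Restore them and everything the CA ever issued, and
# everything it issues afterwards, still chains to the root the clients hold.
# Rebuild the CA with a new key and the clients must be given a new root.
# All names (Example Cluster CA, web.example.test) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA; $1 is the output path prefix.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Cluster CA" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Issue a server certificate signed by CA prefix $1 for server prefix $2.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=web.example.test" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" >/dev/null 2>&1
}

# What a client does: verify server cert $2 against the trusted root $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Scenario 1: the CA host dies, key and cert are restored from backup.
# Returns 0 when both the old server cert and one issued after the restore
# still verify against the root the clients were given at the start.
ca_restored_from_backup() {
    d="$WORK/s1"; mkdir -p "$d"
    new_ca "$d/ca"
    issue_server_cert "$d/ca" "$d/web1"
    cp "$d/ca.crt" "$d/trusted-root.crt"               # handed to clients
    cp "$d/ca.key" "$d/backup.key"; cp "$d/ca.crt" "$d/backup.crt"
    rm -f "$d/ca.key" "$d/ca.crt" "$d/ca.srl"          # the "crash"
    cp "$d/backup.key" "$d/ca.key"; cp "$d/backup.crt" "$d/ca.crt"
    issue_server_cert "$d/ca" "$d/web2"                # issued post-restore
    verify_chain "$d/trusted-root.crt" "$d/web1.crt" &&
    verify_chain "$d/trusted-root.crt" "$d/web2.crt"
}

# Scenario 2: no backup, the CA is rebuilt with the same name but a new key.
# Returns 0 when the expected breakage is observed: the new CA's certs do
# NOT verify against the root the clients still trust.
ca_rebuilt_without_backup() {
    d="$WORK/s2"; mkdir -p "$d"
    new_ca "$d/ca"
    cp "$d/ca.crt" "$d/trusted-root.crt"
    rm -f "$d/ca.key" "$d/ca.crt" "$d/ca.srl"
    new_ca "$d/ca"                                     # same subject, new key
    issue_server_cert "$d/ca" "$d/web2"
    if verify_chain "$d/trusted-root.crt" "$d/web2.crt"; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "demo" ]; then
    ca_restored_from_backup && echo "restored CA: existing trust still valid"
    ca_rebuilt_without_backup && echo "fresh CA key: clients must be re-trusted"
fi
```

<p>Run it as <code>sh ca-backup-demo.sh demo</code>. The file <code>trusted-root.crt</code> plays the role of the Dogtag root that the services were given; it is also what you would pass to curl with <code>--cacert</code> instead of <code>-k</code> when checking the REST endpoint, so that the check itself verifies the chain rather than skipping it. Note that in the second scenario the rebuilt CA carries the same subject name as the old one, so the issuer name on the new server certificate still matches; verification fails purely because the signature was made with a different key, which is exactly the situation the original question describes.</p>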
<br>
</body>
</html>