<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
The cert chain you provide in the file specified under<br>
pki_external_ca_cert_chain_path<br>
should be just PKCS#7 without header/footer.<br>
<br>
I don't know why it would not talk to the DS (did you turn on SSL
for the DS?).<br>
Not sure if you build your Dogtag from master; if you do, I'd
suggest you get the latest so you get the fixes from the tickets I
provided previously, which would address at least two issues relating
to external CA.<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 10/27/2014 07:55 PM, kritee jhawar
wrote:<br>
</div>
<blockquote
cite="mid:CAGJVne28=CdqLz0vDu72POWYZszJgNDT0Y3jyP13t3jeiKgQcg@mail.gmail.com"
type="cite">Hi Christina
<div><br>
</div>
<div>I was undertaking this activity last month where Microsoft CA
didn't work out but Dogtag as external CA did. </div>
<div><br>
</div>
<div>While using Microsoft CA or OpenSSL CA, pkispawn goes
through without any error but Dogtag stops communicating with
389ds. Upon calling the REST API /ca/rest/certs I get a
"PKIException error listing the certs". </div>
<div><br>
</div>
<div>Is there a particular format for the CA cert chain that we
need to provide? I was trying to reverse engineer the chain
provided by Dogtag. </div>
<div><br>
</div>
<div>Thanks </div>
<div>Kritee</div>
<div><br>
</div>
<div><br>
<br>
On Monday, 27 October 2014, Christina Fu &lt;<a
moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>&gt;
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> If you meant the
following two:<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/pki/ticket/1190"
target="_blank">https://fedorahosted.org/pki/ticket/1190</a>
CA: issuer DN encoding not preserved at issuance with
signing cert signed by an external CA <br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/pki/ticket/1110"
target="_blank">https://fedorahosted.org/pki/ticket/1110</a>
- pkispawn (configuration) does not provide CA extensions in
subordinate certificate signing requests (CSR) <br>
<br>
They have just recently been fixed upstream so I imagine you
could use Microsoft CA now. Theoretically any other CA can
be used as an external CA, but if you run into issues,
please feel free to report.<br>
<br>
Christina<br>
<br>
<br>
<div>On 10/27/2014 12:15 AM, kritee jhawar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>In my recent thread I read that there is a bug due
to which Microsoft CA can't work as external CA for
Dogtag.</div>
<div>Can OpenSSL be used? </div>
<div><br>
</div>
<div>Thanks</div>
<div>Kritee</div>
</div>
<br>
<br>
<pre>_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
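Added example (not part of the original thread and not Dogtag's own code): a Python sketch that prepares a chain file in the form the reply at the top describes, PKCS#7 with the PEM header/footer removed, and rejects input that is not PKCS#7 at all. The function name <code>normalize_chain</code>, the 64-character line wrapping and the certificate-free sample blob are assumptions made for illustration.<br>

```python
import base64
import re

# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_LINE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def normalize_chain(text):
    """Return the base64 PKCS#7 body with no PEM header/footer lines.

    Raises ValueError if the input is not a PKCS#7 blob (for example a
    plain PEM certificate bundle) or is not valid base64.
    """
    body = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PEM_LINE.match(line)
        if m:
            if m.group(2) != "PKCS7":
                raise ValueError("PEM block is %r, not PKCS7" % m.group(2))
            continue  # drop the header/footer line itself
        body.append(line)
    b64 = "".join(body)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("chain body is not valid base64") from exc
    # A PKCS#7 ContentInfo is a DER SEQUENCE whose first element is the
    # content-type OID; check for signedData within the first bytes.
    if not der.startswith(b"\x30") or SIGNED_DATA_OID not in der[:16]:
        raise ValueError("decoded data is not PKCS#7 signedData")
    # 64-column wrapping is an assumption of this example.
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n"


# Constructed sample: a structurally minimal signedData with no certificates.
SAMPLE_DER = bytes.fromhex(
    "3023" "06092a864886f70d010702" "a016" "3014" "020101" "3100"
    "300b06092a864886f70d010701" "3100")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % SAMPLE_B64

if __name__ == "__main__":
    print(normalize_chain(SAMPLE_PEM), end="")
```
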
</body>
</html>