<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 06/29/2015 07:32 AM, Jain, Mahendra
      wrote:<br>
    </div>
    <blockquote cite="mid:D1B6C4B0.618C%25majain@verisign.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div>Hi Christina,</div>
      <div><br>
      </div>
      <div>Here’s some detailed information:</div>
      <div><br>
      </div>
      <div>I’m planning to set up an intermediate CA with DogTag and issue
        SSL server certs.</div>
      <div><br>
      </div>
      <div>I’m trying 2 options with DogTag setup:</div>
      <div><br>
      </div>
      <div><b>Option 1: Installing an externally signed CA</b></div>
      <div>I followed the steps outlined in <a moz-do-not-send="true"
          href="http://man.sourcentral.org/f18/8+pkispawn">http://man.sourcentral.org/f18/8+pkispawn</a> 
        and this setup works perfectly fine with no issues.  </div>
      <div>This option involves following steps:</div>
      <ol>
        <li>Generate a certificate signing request (CSR)  for the
          signing certificate in DogTag setup phase 1</li>
        <li>Submit the CSR to the external CA (Ex: Symantec)</li>
        <li>Obtain the resulting intermediate certificate and
          certificate chain</li>
        <li>Continue with DogTag setup phase 2 </li>
      </ol>
      <div><b>Option 2: Installing an externally signed CA (One time
          setup of keys/CSR)</b></div>
      <div>
        <div><br>
        </div>
        <div>The desired steps are as follows:</div>
        <ol>
          <li>Generate a certificate signing request (CSR)  for the
            signing certificate using
            <b>OpenSSL</b></li>
          <li>Submit the CSR to the external CA (Ex: Symantec)</li>
          <li>Obtain the resulting intermediate certificate and
            certificate chain</li>
          <li>Store the private key and certificate obtained in the above
            steps on secured media so that they can be used later</li>
          <li>Set up DogTag using the private key (generated in step #1)
            and intermediate CA certificate (acquired in step #3)</li>
        </ol>
      </div>
      <div>
        <div>The desired expectation in option #2 is to perform steps 1-3
          once and then set up DogTag (or recreate the VM) as many times
          as I need using the private key and certificate obtained
          earlier. This will spare us regenerating the CSR and getting it
          signed by the external CA (Ex: Symantec).</div>
      </div>
    </blockquote>
    <br>
    If I read it correctly, you want to set up multiple CAs sharing the
    same signing cert/keys?  Dogtag supports cloning.  Did you look into
    that?<br>
    <br>
    <blockquote cite="mid:D1B6C4B0.618C%25majain@verisign.com"
      type="cite">
      <div>
        <div><br>
        </div>
        <div>Please let me know if you have any questions.</div>
        <div><br>
        </div>
        <div>Thanks,</div>
        <div>Mahendra</div>
      </div>
      <div><br>
      </div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:11pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span><Jain>,
          "Jain, Mahendra" <<a moz-do-not-send="true"
            href="mailto:majain@verisign.com">majain@verisign.com</a>><br>
          <span style="font-weight:bold">Date: </span>Friday, June 26,
          2015 at 12:22 PM<br>
          <span style="font-weight:bold">To: </span>Christina Fu <<a
            moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>>,
          "<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>"
          <<a moz-do-not-send="true"
            href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
          <span style="font-weight:bold">Subject: </span>Re:
          [Pki-users] Configure externally acquired private key and
          certificate<br>
        </div>
        <div><br>
        </div>
        <div>
          <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
            -webkit-line-break: after-white-space; color: rgb(0, 0, 0);
            font-size: 14px; font-family: Calibri, sans-serif;">
            <div>Hi Christina,</div>
            <div><br>
            </div>
            <div>Sorry for the confusion. Let me rephrase the steps
              below if it is supported:</div>
            <ol>
              <li>Generate a private key and CSR for the intermediate CA using
                <b>openssl</b></li>
              <li>Submit the CSR to external CA (Ex: Symantec) for
                signing</li>
              <li>Receive the signed certificate from CA</li>
              <li>Set up DogTag with the private key (generated in step
                #1) and intermediate CA certificate (acquired in step
                #3)</li>
            </ol>
            <div>I’m hoping this approach allows me to perform steps 1-3
              once and then set up DogTag as many times as I need using the
              existing private key and certificate on any host.</div>
            <div><br>
            </div>
            <div>Please let me know if you need further clarification.</div>
            <div><br>
            </div>
            <div>Thanks,</div>
            <div>Mahendra</div>
            <div><br>
            </div>
            <div><br>
            </div>
            <span id="OLK_SRC_BODY_SECTION">
              <div style="font-family:Calibri; font-size:11pt;
                text-align:left; color:black; BORDER-BOTTOM: medium
                none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
                PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
                #b5c4df 1pt solid; BORDER-RIGHT: medium none;
                PADDING-TOP: 3pt">
                <span style="font-weight:bold">From: </span>Christina
                Fu <<a moz-do-not-send="true"
                  href="mailto:cfu@redhat.com">cfu@redhat.com</a>><br>
                <span style="font-weight:bold">Date: </span>Friday,
                June 26, 2015 at 12:03 PM<br>
                <span style="font-weight:bold">To: </span>"<a
                  moz-do-not-send="true"
                  href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>"
                <<a moz-do-not-send="true"
                  href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
                <span style="font-weight:bold">Subject: </span>Re:
                [Pki-users] Configure externally acquired private key
                and certificate<br>
              </div>
              <div><br>
              </div>
              <div>
                <div bgcolor="#FFFFFF" text="#000000"><br>
                  <div class="moz-cite-prefix">On 06/25/2015 11:23 AM,
                    Jain, Mahendra wrote:<br>
                  </div>
                  <blockquote
                    cite="mid:D1B1BC42.6046%25majain@verisign.com"
                    type="cite">
                    <div style="color: rgb(0, 0, 0); font-size: 14px;"><font
                        face="Verdana">Hi,</font></div>
                    <span id="OLK_SRC_BODY_SECTION" style="color: rgb(0,
                      0, 0); font-size: 14px;">
                      <div style="word-wrap: break-word;
                        -webkit-nbsp-mode: space; -webkit-line-break:
                        after-white-space; color: rgb(0, 0, 0);
                        font-size: 14px;">
                        <span id="OLK_SRC_BODY_SECTION">
                          <div style="word-wrap: break-word;
                            -webkit-nbsp-mode: space;
                            -webkit-line-break: after-white-space;">
                            <div style="color: rgb(0, 0, 0); font-size:
                              14px;"><font face="Verdana"><br>
                              </font></div>
                            <div style="color: rgb(0, 0, 0); font-size:
                              14px;"><font face="Verdana">I have a DogTag
                                10.1.2 setup with an externally signed CA
                                (using the </font><span
                                style="font-family: Verdana;">steps
                                outlined in the link below) and the setup
                                works perfectly fine:</span></div>
                          </div>
                        </span></div>
                    </span>
                    <div style="color: rgb(0, 0, 0); font-size: 14px;"><br>
                    </div>
                    <div style="color: rgb(0, 0, 0); font-size: 14px;"><a
                        moz-do-not-send="true"
                        href="http://man.sourcentral.org/f18/8+pkispawn"><font
                          face="Verdana">http://man.sourcentral.org/f18/8+pkispawn</font></a></div>
                    <span id="OLK_SRC_BODY_SECTION" style="color: rgb(0,
                      0, 0); font-size: 14px;">
                      <div style="word-wrap: break-word;
                        -webkit-nbsp-mode: space; -webkit-line-break:
                        after-white-space; color: rgb(0, 0, 0);
                        font-size: 14px;">
                        <span id="OLK_SRC_BODY_SECTION">
                          <div style="word-wrap: break-word;
                            -webkit-nbsp-mode: space;
                            -webkit-line-break: after-white-space;">
                            <div style="color: rgb(0, 0, 0); font-size:
                              14px;"><font face="Verdana"><br>
                              </font></div>
                          </div>
                        </span></div>
                    </span>
                    <div style="color: rgb(0, 0, 0); font-size: 14px;"><font
                        face="Verdana">I would like to know if DogTag
                        also supports configuring externally acquired
                        private key and certificate.</font></div>
                    <div style="color: rgb(0, 0, 0); font-size: 14px;"><font
                        face="Verdana"><br>
                      </font></div>
                    <div style="color: rgb(0, 0, 0); font-size: 14px;"><font
                        face="Verdana">In other words, if I generate
                        the private key and CSR using openssl and submit the
                        CSR to a CA for a certificate</font><font
                        face="Verdana">. </font></div>
                    <div><font face="Verdana">Once the CA has issued the
                        certificate, I would like to set up DogTag using
                        the existing private key (created using </font><span
                        style="font-family: Verdana; font-size: 14px;">openssl</span><span
                        style="font-family: Verdana;">) and certificate.</span></div>
                  </blockquote>
                  <br>
                  Hi, I'm sorry, I read your questions a few times and
                  I'm not certain what you wish to do.  What would you
                  like to use this certificate for?  For example, is
                  this an SSL server cert, or a CA signing cert, etc.?  And
                  do you mean in another new Dogtag instance, or are you
                  talking about replacing a certain system cert of the CA
                  you just set up?<br>
                  <blockquote
                    cite="mid:D1B1BC42.6046%25majain@verisign.com"
                    type="cite">
                    <div><br>
                    </div>
                    <span id="OLK_SRC_BODY_SECTION" style="color: rgb(0,
                      0, 0); font-size: 14px;">
                      <div style="word-wrap: break-word;
                        -webkit-nbsp-mode: space; -webkit-line-break:
                        after-white-space; color: rgb(0, 0, 0);
                        font-size: 14px;">
                        <span id="OLK_SRC_BODY_SECTION">
                          <div style="word-wrap: break-word;
                            -webkit-nbsp-mode: space;
                            -webkit-line-break: after-white-space;">
                            <div style="color: rgb(0, 0, 0); font-size:
                              14px;"><font face="Verdana">Thanks,</font></div>
                            <div style="color: rgb(0, 0, 0); font-size:
                              14px;"><font face="Verdana">Mahendra</font></div>
                          </div>
                        </span></div>
                    </span>
                    <br>
                    <fieldset class="mimeAttachmentHeader"></fieldset>
                    <br>
                    <pre wrap="">_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
                  </blockquote>
                  <br>
                </div>
              </div>
            </span></div>
        </div>
      </span>
    </blockquote>
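    <br>
    An added example, not from this thread and not Dogtag's own code: step 1
    of Option 2 (intermediate CA key and CSR generated with openssl) followed
    by the checks worth running before the key and the certificate returned by
    the external CA are handed to pkispawn. The external CA is stood in for by
    a locally constructed root so the script runs offline; every file name,
    subject and the working directory are constructed for the example, and
    <code>openssl</code> on the PATH is assumed.<br>

```shell
#!/bin/sh
# Added example (not from the pki-users thread or from Dogtag): generate the
# intermediate CA key and CSR with openssl as in step 1 of Option 2, then run
# the consistency checks worth doing before the key and the returned
# certificate go to pkispawn. A constructed local root stands in for the
# external CA so everything runs offline.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # constructed scratch directory
trap 'rm -rf "$WORKDIR"' EXIT

# Write a minimal openssl config: fixed subject plus CA extensions.
# $1 = file, $2 = CN, $3 = req-section keyword naming the extension section
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
$3 = ca_ext
[ dn ]
CN = $2
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Step 1 of Option 2: private key written owner-only from the start (umask 077)
# and a CSR that requests CA extensions.
gen_ca_key_and_csr() {
    write_cnf "$WORKDIR/csr.cnf" "Constructed Intermediate CA" req_extensions
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$WORKDIR/ca.key" 2>/dev/null )
    openssl req -new -key "$WORKDIR/ca.key" -config "$WORKDIR/csr.cnf" \
        -out "$WORKDIR/ca.csr"
}

# Stand-in for the external CA (steps 2-3): a constructed root signs the CSR.
external_ca_sign() {
    write_cnf "$WORKDIR/root.cnf" "Constructed Test Root" x509_extensions
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/root.key" 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/root.key" \
        -config "$WORKDIR/root.cnf" -days 1 -out "$WORKDIR/root.pem"
    openssl x509 -req -in "$WORKDIR/ca.csr" -CA "$WORKDIR/root.pem" \
        -CAkey "$WORKDIR/root.key" -CAcreateserial -days 1 \
        -extfile "$WORKDIR/csr.cnf" -extensions ca_ext \
        -out "$WORKDIR/ca.pem" 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo read as PEM from stdin.
spki_fp() { openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256; }

# The CSR must carry ca.key's public key and its self-signature must verify;
# otherwise the certificate that comes back cannot match the key we keep.
csr_matches_key() {
    k=$(openssl pkey -in "$WORKDIR/ca.key" -pubout | spki_fp)
    c=$(openssl req -in "$WORKDIR/ca.csr" -pubkey -noout | spki_fp)
    [ "$k" = "$c" ] &&
    openssl req -in "$WORKDIR/ca.csr" -verify -noout >/dev/null 2>&1
}

# The returned certificate must contain the same public key ...
cert_matches_key() {
    k=$(openssl pkey -in "$WORKDIR/ca.key" -pubout | spki_fp)
    c=$(openssl x509 -in "$WORKDIR/ca.pem" -pubkey -noout | spki_fp)
    [ "$k" = "$c" ]
}

# ... chain to the issuer certificate supplied with it, and actually be a CA
# certificate (the CSR asked for CA:TRUE, but the issuer decides what it signs).
cert_chains_and_is_ca() {
    openssl verify -CAfile "$WORKDIR/root.pem" "$WORKDIR/ca.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$WORKDIR/ca.pem" -noout -text | grep -q 'CA:TRUE'
}

# Step 4: the key is the CA's identity; confirm nobody else can read it before
# it is copied to "secured media" or onto a new host.
key_is_owner_only() {
    mode=$(stat -c %a "$WORKDIR/ca.key" 2>/dev/null || stat -f %Lp "$WORKDIR/ca.key")
    [ "$mode" = "600" ]
}

run_checks() {
    csr_matches_key && cert_matches_key && cert_chains_and_is_ca && key_is_owner_only
}

gen_ca_key_and_csr
external_ca_sign
if run_checks; then
    echo "key, CSR and certificate are consistent; ready for the pkispawn step"
else
    echo "consistency check failed; do not install these files" >&2
    exit 1
fi
```
    <br>
    Whether pkispawn will take a key that it did not generate itself is the
    question the thread is about (Christina's answer points at cloning); the
    checks above are worth running either way, since a key/certificate mismatch
    or a certificate without CA:TRUE only surfaces later as a failed CA start or
    as certificates that nothing will validate.<br>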
    <br>
  </body>
</html>