<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I think you are talking about this:<br>
<a class="moz-txt-link-freetext"
href="https://fedorahosted.org/pki/ticket/456">https://fedorahosted.org/pki/ticket/456</a><br>
The user has a chance to import their own CA certificate with private key<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 06/30/2015 09:14 AM, Jain, Mahendra
wrote:<br>
</div>
<blockquote cite="mid:D1B83616.61EB%25majain@verisign.com"
type="cite">
<div>
<div>Hi Christina,</div>
</div>
<div><br>
</div>
<div>Thanks for taking time to respond.</div>
<div>We already have clone setup using steps outlined in <a
moz-do-not-send="true"
href="http://man.sourcentral.org/f18/8+pkispawn">http://man.sourcentral.org/f18/8+pkispawn</a> and
the setup works perfectly fine with no issues. </div>
<div><br>
</div>
<div>My question is related to setting up Dogtag using a private key
and certificate generated via openSSL command separately (on a
completely different host from Dogtag). </div>
<div>For example, if I delete the complete VM instance where
Dogtag is running and reinstall, I could reuse the private key
and certificate already generated via openSSL command earlier to
set up a new Dogtag instance without needing to generate a CSR and
get it signed with external CA (Ex: Symantec).</div>
<div><br>
</div>
<div>Hope this helps.</div>
<div><br>
</div>
<div>
<div>Please let me know if you have any questions.</div>
</div>
<div>Thanks,</div>
<div>Mahendra</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Christina Fu &lt;<a
moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tuesday, June 30,
2015 at 11:56 AM<br>
<span style="font-weight:bold">To: </span>"<a
moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>"
&lt;<a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re:
[Pki-users] Configure externally acquired private key and
certificate<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<div class="moz-cite-prefix">On 06/29/2015 07:32 AM, Jain,
Mahendra wrote:<br>
</div>
<blockquote cite="mid:D1B6C4B0.618C%25majain@verisign.com"
type="cite">
<div>Hi Christina,</div>
<div><br>
</div>
<div>Here’s some detailed information:</div>
<div><br>
</div>
<div>I’m planning to setup intermediate CA with DogTag and
issue SSL server certs.</div>
<div><br>
</div>
<div>I’m trying 2 options with DogTag setup:</div>
<div><br>
</div>
<div><b>Option 1: Installing an externally signed CA</b></div>
<div>I followed the steps outlined in <a
moz-do-not-send="true"
href="http://man.sourcentral.org/f18/8+pkispawn">http://man.sourcentral.org/f18/8+pkispawn</a>
and this setup works perfectly fine with no issues. </div>
<div>This option involves following steps:</div>
<ol>
<li>Generate a certificate signing request (CSR) for
the signing certificate in DogTag setup phase 1
</li>
<li>Submit the CSR to the external CA (Ex: Symantec) </li>
<li>Obtain the resulting intermediate certificate and
certificate chain </li>
<li>Continue with DogTag setup phase 2 </li>
</ol>
<div><b>Option 2: Installing an externally signed CA (One
time setup of keys/CSR)</b></div>
<div>
<div><br>
</div>
<div>The desired steps are as follows:</div>
<ol>
<li>Generate a certificate signing request (CSR) for
the signing certificate using
<b>OpenSSL</b> </li>
<li>Submit the CSR to the external CA (Ex: Symantec) </li>
<li>Obtain the resulting intermediate certificate and
certificate chain </li>
<li>Store private key and certificate obtained in
above steps in secured media so that it can be used
later
</li>
<li>Setup DogTag using the private key (generated in
step #1) and intermediate CA certificate (acquired
in step #3)
</li>
</ol>
</div>
<div>
<div>The desired expectation in option #2 is to perform
steps 1-3 below once and then set up DogTag (or recreate
VM) as many times as I need using the private key and
certificate obtained earlier. This will prevent us
from regenerating the CSR and getting it signed with external
CA (Ex: Symantec).</div>
</div>
</blockquote>
<br>
If I read it correctly, you want to set up multiple CAs
sharing the same signing cert/keys? Dogtag supports
cloning. Did you look into that?<br>
<br>
<blockquote cite="mid:D1B6C4B0.618C%25majain@verisign.com"
type="cite">
<div>
<div><br>
</div>
<div>Please let me know if you have any questions.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Mahendra</div>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium
none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
#b5c4df 1pt solid; BORDER-RIGHT: medium none;
PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>&lt;Jain&gt;,
"Jain, Mahendra" &lt;<a moz-do-not-send="true"
href="mailto:majain@verisign.com">majain@verisign.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Friday,
June 26, 2015 at 12:22 PM<br>
<span style="font-weight:bold">To: </span>Christina
Fu &lt;<a moz-do-not-send="true"
href="mailto:cfu@redhat.com">cfu@redhat.com</a>&gt;,
"<a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>"
&lt;<a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re:
[Pki-users] Configure externally acquired private key
and certificate<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space; color:
rgb(0, 0, 0); font-size: 14px; font-family: Calibri,
sans-serif;">
<div>Hi Christina,</div>
<div><br>
</div>
<div>Sorry for the confusion. Let me rephrase the
steps below if it is supported:</div>
<ol>
<li>Generate private key and CSR for intermediate
CA using <b>openssl</b> </li>
<li>Submit the CSR to external CA (Ex: Symantec)
for signing </li>
<li>Receive the signed certificate from CA </li>
<li>Setup DogTag with the private key (generated
in step #1) and intermediate CA certificate
(acquired in step #3)
</li>
</ol>
<div>I’m hoping this approach allows me to perform
steps 1-3 once and then set up DogTag as many times
as I need using the existing private key and
certificate on any host.</div>
<div><br>
</div>
<div>Please let me know if you need further
clarification.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Mahendra</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM:
medium none; BORDER-LEFT: medium none;
PADDING-BOTTOM: 0in; PADDING-LEFT: 0in;
PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt
solid; BORDER-RIGHT: medium none; PADDING-TOP:
3pt">
<span style="font-weight:bold">From: </span>Christina
Fu &lt;<a moz-do-not-send="true"
href="mailto:cfu@redhat.com">cfu@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Friday,
June 26, 2015 at 12:03 PM<br>
<span style="font-weight:bold">To: </span>"<a
moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>"
&lt;<a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re:
[Pki-users] Configure externally acquired
private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<div class="moz-cite-prefix">On 06/25/2015
11:23 AM, Jain, Mahendra wrote:<br>
</div>
<blockquote
cite="mid:D1B1BC42.6046%25majain@verisign.com"
type="cite">
<div style="color: rgb(0, 0, 0); font-size:
14px;"><font face="Verdana">Hi,</font></div>
<span id="OLK_SRC_BODY_SECTION"
style="color: rgb(0, 0, 0); font-size:
14px;">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;
color: rgb(0, 0, 0); font-size: 14px;">
<span id="OLK_SRC_BODY_SECTION">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space;">
<div style="color: rgb(0, 0, 0);
font-size: 14px;">
<font face="Verdana"><br>
</font></div>
<div style="color: rgb(0, 0, 0);
font-size: 14px;">
<font face="Verdana">I’ve DogTag
10.1.2 setup with externally
signed CA (using the </font><span
style="font-family: Verdana;">steps
outlined in the link below) and
the setup works perfectly fine:</span></div>
</div>
</span></div>
</span>
<div style="color: rgb(0, 0, 0); font-size:
14px;"><br>
</div>
<div style="color: rgb(0, 0, 0); font-size:
14px;"><a moz-do-not-send="true"
href="http://man.sourcentral.org/f18/8+pkispawn"><font
face="Verdana">http://man.sourcentral.org/f18/8+pkispawn</font></a></div>
<span id="OLK_SRC_BODY_SECTION"
style="color: rgb(0, 0, 0); font-size:
14px;">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;
color: rgb(0, 0, 0); font-size: 14px;">
<span id="OLK_SRC_BODY_SECTION">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space;">
<div style="color: rgb(0, 0, 0);
font-size: 14px;">
<font face="Verdana"><br>
</font></div>
</div>
</span></div>
</span>
<div style="color: rgb(0, 0, 0); font-size:
14px;"><font face="Verdana">I would like
to know if DogTag also supports
configuring externally acquired private
key and certificate.</font></div>
<div style="color: rgb(0, 0, 0); font-size:
14px;"><font face="Verdana"><br>
</font></div>
<div style="color: rgb(0, 0, 0); font-size:
14px;"><font face="Verdana">In other
words, If I generate the private key and
CSR using openssl and submit CSR to CA
for certificate</font><font
face="Verdana">. </font></div>
<div><font face="Verdana">Once the CA issued
the certificate, I would like to setup
DogTag using the existing private key
(created using </font><span
style="font-family: Verdana; font-size:
14px;">openssl</span><span
style="font-family: Verdana;">) and
certificate.</span></div>
</blockquote>
<br>
Hi, I'm sorry I read your questions a few
times and I'm not certain what you wish to
do. What would you like to use this
certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you
mean in another new Dogtag instance, or are
you talking about replacing certain system
cert of the CA you just set up?<br>
<blockquote
cite="mid:D1B1BC42.6046%25majain@verisign.com"
type="cite">
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION"
style="color: rgb(0, 0, 0); font-size:
14px;">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;
color: rgb(0, 0, 0); font-size: 14px;">
<span id="OLK_SRC_BODY_SECTION">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space;">
<div style="color: rgb(0, 0, 0);
font-size: 14px;">
<font face="Verdana">Thanks,</font></div>
<div style="color: rgb(0, 0, 0);
font-size: 14px;">
<font face="Verdana">Mahendra</font></div>
</div>
</span></div>
</span>
</blockquote>
<br>
</div>
</div>
</span></div>
</div>
</span></blockquote>
<br>
</div>
</div>
</span>
</blockquote>
<br>
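<p>Added example, not part of the thread and not Dogtag code: steps 1-4 of "Option 2" carried out with OpenSSL, checking that the returned certificate matches the private key, is a CA certificate and chains to its issuer before the pair is archived as an encrypted PKCS#12. The subjects, file names, passphrase and the local stand-in for the external CA are assumptions; importing the archive into Dogtag is not shown.</p>

```bash
#!/usr/bin/env bash
# Added example: Option 2, steps 1-4, using OpenSSL only. Subjects, file names and the
# passphrase are constructed; a throwaway local root stands in for the external CA.
set -eu
umask 077   # key material is created readable by the owner only

make_key_csr() {   # $1=key file  $2=CSR file  $3=subject
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1"
  openssl req -new -key "$1" -subj "$3" -out "$2"
}

key_matches_cert() {   # $1=key  $2=cert: do both carry the same public key?
  local k c
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

is_ca_cert() {   # $1=cert: a CA signing cert must carry basicConstraints CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

chain_ok() {   # $1=issuer cert  $2=cert to verify
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

w=$(mktemp -d); trap 'rm -rf "$w"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
printf 'constructed-passphrase\n' > "$w/p12.pass"

# Step 1: private key and CSR for the intermediate CA.
make_key_csr "$w/ca_signing.key" "$w/ca_signing.csr" "/O=Example/CN=Example Intermediate CA"

# Steps 2-3 (simulated): the stand-in root signs the CSR and returns the certificate.
make_key_csr "$w/root.key" "$w/root.csr" "/O=Example/CN=Stand-in Root"
openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -days 30 -extfile "$w/ca.ext" -out "$w/root.crt"
openssl x509 -req -in "$w/ca_signing.csr" -CA "$w/root.crt" -CAkey "$w/root.key" -CAcreateserial \
  -days 30 -extfile "$w/ca.ext" -out "$w/ca_signing.crt"

# Check what came back before archiving it; set -e aborts on the first failed check.
key_matches_cert "$w/ca_signing.key" "$w/ca_signing.crt"
is_ca_cert "$w/ca_signing.crt"
chain_ok "$w/root.crt" "$w/ca_signing.crt"

# Step 4: one encrypted PKCS#12 holding the key, the certificate and the chain.
openssl pkcs12 -export -inkey "$w/ca_signing.key" -in "$w/ca_signing.crt" -certfile "$w/root.crt" \
  -name "constructed-ca-signing" -passout "file:$w/p12.pass" -out "$w/ca_signing.p12"
echo "archive ready: ca_signing.p12"
```

<p>Every host restored from this archive holds the same CA signing key, so the archive and its passphrase need the same protection as the CA itself.</p>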
</body>
</html>