[Pki-devel] [PATCH] PKI Deployment Framework Admin Certificate PKCS12 File

Matthew Harmsen mharmsen at redhat.com
Thu Jul 19 02:53:06 UTC 2012


This patch documents continued implementation of the PKI Deployment 
Framework based upon the revised filesystem layout documented here:

  * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS

This patch must be applied AFTER "[PATCH] PKI Deployment Framework 
(20120716)".

The following patch adds/corrects functionality of the existing PKI 
Deployment Framework including (but not limited to):

     Saved Admin Certificate, imported it into NSS client security databases, and exported it to a PKCS #12 file such that it may be imported into a browser.

     TRAC Ticket #221
     Dogtag 10: Create a PKCS #12 file containing the Admin Certificate
     (https://fedorahosted.org/pki/ticket/221)

To test this patch (presumes a Fedora 17 machine with a pre-installed 
directory server and PKI packages with these two patches installed):

    As 'root' on 'example.fedora.org':
    # (if necessary) pkidestroy -s CA -v -d fedora.org -i foobar --http_port 8080 --https_port 8443 --ajp_port 8005
    # pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv -d fedora.org -i foobar --http_port 8080 --https_port 8443 --ajp_port 8005
    # systemctl restart pki-tomcatd@fedora.org-foobar.service
    # mkdir -p /tmp/pki
    # cp /usr/share/pki/deployment/config/pkideployment.cfg /tmp/pki
    # cd /tmp/pki
    # Edit pkideployment.cfg and add the desired passwords to the following variables:
       * pki_admin_password=
       * pki_backup_password= (THIS CAN BE SKIPPED)
       * pki_client_pkcs12_password=
       * pki_ds_password=
       * pki_pkcs12_password=
       * pki_security_domain_password=
       If necessary, change the default ports on the directory server to match the installed version


    As 'user' on 'example.fedora.org':
    * firefox -ProfileManager -no-remote &
    * New Profile:  example
    * http://example.fedora.org:8080/ca/services
       * Launches browser tab entitled 'CA Services'
    * Select 'SSL End Users Services' in new tab
       * Trust this Connection
       * Launches browser tab entitled 'CA End-Entity'
       * Select "Retrieval" tab
       * Select "Import CA Certificate Chain"
         * Select "Import the CA certificate chain into your browser"
           * Press Submit
           * Check all three Trust checkboxes and press OK
       * From the Browser's Menu:
         * Select Edit | Preferences
           * Highlight the Advanced icon
             * Select the Encryption tab
               * Press the View Certificates button
                 * Select the "Your Certificates" tab
                   * Press the Import button
                     * Go to File System | tmp | fedora.org-foobar_client
                       * Highlight ca_admin_cert.p12
                         * Press the Open button
                           * Type in the PKCS #12 password
                           * Dismiss the "Success" pop-up by pressing OK
             * Dismiss the Encryption tab by pressing OK
         * Close Preferences by pressing Close
    * From the 'CA Services' tab, select 'Agent Services' in a new tab
       * Select the proper cert from the pulldown menu and press OK
       * Launches browser tab entitled 'CA Agent'
    * Re-select 'CA End-Entity' tab in browser
       * Select 'Enrollment/Renewal' tab
         * Select Manual User Dual-Use Certificate Enrollment
           * Type test in UID field
           * Press Submit button
    * Re-select 'CA Agent' tab in browser
       * Select 'List Requests' on left-hand menu
         * Press Find
          * Select the cert (e.g., '7') from the Request Queue
           * Scroll to the bottom and press the submit button
       * Select 'List Certificates' on left-hand menu
         * Press Find
            * The new certificate (e.g., '7') should be displayed
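The test procedure above depends on every password variable in pkideployment.cfg being filled in before pkispawn runs, and the finished file holds those passwords in cleartext. The following pre-flight check is an added example (not part of the patch or of Dogtag itself): it verifies that the five required keys named in the post are non-empty, treats pki_backup_password as optional as the post does, and warns when the file is readable by anyone but its owner. The key names come from the post; the sample config in the test is constructed.

```bash
#!/bin/sh
# Pre-flight check for a pkideployment.cfg before running pkispawn.
# Added example; the required/optional split follows the post above.

REQUIRED_KEYS="pki_admin_password pki_client_pkcs12_password pki_ds_password pki_pkcs12_password pki_security_domain_password"

# cfg_value FILE KEY: print the value of KEY (text after the first '='),
# or nothing if the key is absent or empty.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_pkideployment_cfg FILE
# Returns 0 when every required password is set, 1 otherwise.
# Permission problems are reported as warnings and do not change the status.
check_pkideployment_cfg() {
    cfg="$1"
    status=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    for key in $REQUIRED_KEYS; do
        if [ -z "$(cfg_value "$cfg" "$key")" ]; then
            echo "MISSING: $key is unset or empty" >&2
            status=1
        fi
    done

    # pki_backup_password may be skipped per the post; just note it.
    if [ -z "$(cfg_value "$cfg" pki_backup_password)" ]; then
        echo "note: pki_backup_password is unset (optional)" >&2
    fi

    # The file carries cleartext passwords: anything beyond owner
    # read/write deserves a warning (GNU stat first, BSD stat as fallback).
    perms=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg" 2>/dev/null)
    case "$perms" in
        600|400) ;;
        *) echo "WARNING: $cfg has mode '$perms'; consider chmod 600" >&2 ;;
    esac

    return $status
}

# Usage: sh check_cfg.sh /tmp/pki/pkideployment.cfg
if [ $# -gt 0 ]; then
    check_pkideployment_cfg "$1"
fi
```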

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0010-PKI-Deployment-Scriptlets-Admin-Certificate-PKCS12-File.patch
Type: text/x-patch
Size: 27206 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120718/864d13b3/attachment.bin>