[Pki-devel] [PATCH] Enable Subordinate CA
Matthew Harmsen
mharmsen at redhat.com
Wed Nov 7 03:36:11 UTC 2012
The attached patch addresses the following PKI issue:
* TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle subordinate CA
The following tests were performed on this code where:
* cadeployment.cfg --> pki-tomcat (standard CA deployment configuration file with passwords)
* subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA deployment configuration file with passwords)
* sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex" Subordinate Subordinate CA deployment configuration file with passwords)
# diff cadeployment.cfg subcadeployment.cfg
109c109
< pki_ajp_port=8009
---
> pki_ajp_port=18009
119,121c119,121
< pki_http_port=8080
< pki_https_port=8443
< pki_instance_name=pki-tomcat
---
> pki_http_port=18080
> pki_https_port=18443
> pki_instance_name=pki-sub-tomcat
125c125
< pki_tomcat_server_port=8005
---
> pki_tomcat_server_port=18005
162c162
< pki_subordinate=False
---
> pki_subordinate=True
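Review bot: pki_subordinate=True is the only change in this diff that alters the CA's role; the other three hunks just move the AJP, HTTP, HTTPS and Tomcat server ports so that pki-sub-tomcat can coexist with pki-tomcat on one host. Worth stating in the patch description that a subordinate deployed on a separate host would not need the port changes, so readers do not take the port moves as part of enabling subordination.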
# diff subcadeployment.cfg sub-subcadeployment.cfg
60c60
< pki_issuing_ca=
---
> pki_issuing_ca=https://server.example.com:18443
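Review bot: the left side of this hunk shows subcadeployment.cfg deploying with pki_issuing_ca left empty, while sub-subcadeployment.cfg has to point explicitly at https://server.example.com:18443. The example configuration or the patch description should state what an empty pki_issuing_ca resolves to; from the pki-sub-tomcat listing below it resolves to the security domain's root CA, which is easy to get wrong for a third-tier CA if that default is not documented.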
109c109
< pki_ajp_port=18009
---
> pki_ajp_port=28009
119,121c119,121
< pki_http_port=18080
< pki_https_port=18443
< pki_instance_name=pki-sub-tomcat
---
> pki_http_port=28080
> pki_https_port=28443
> pki_instance_name=pki-sub-sub-tomcat
125c125
< pki_tomcat_server_port=18005
---
> pki_tomcat_server_port=28005
148c148
< pki_ca_signing_subject_dn=
---
> pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem
Certificate,O=example.com Security Domain
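Review bot: the signing subject DN set here, CN=Sub-SubCA Subsystem Certificate, names the CA signing certificate as if it were a subsystem certificate. The pki-sub-tomcat deployment uses CN=SubCA Signing Certificate, and in the pki-sub-sub-tomcat listing every server, OCSP and audit certificate consequently shows Issuer "CN=Sub-SubCA Subsystem Certificate", which is confusing when auditing the chain. Suggest CN=Sub-SubCA Signing Certificate so the naming convention stays consistent across the three tiers.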
pki-tomcat:
# cd /var/lib/pki/pki-tomcat/alias
# certutil -d . -L
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-tomcat CA CTu,Cu,Cu
Server-Cert cert-pki-tomcat u,u,u
auditSigningCert cert-pki-tomcat CA u,u,Pu
ocspSigningCert cert-pki-tomcat CA u,u,u
subsystemCert cert-pki-tomcat CA u,u,u
# certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA OCSP Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Audit Signing Certificate,O=example.com Security Domain"
. . .
Serial number  Status  Subject name
0x1            valid   CN=CA Signing Certificate,O=example.com Security Domain
0x2            valid   CN=CA OCSP Signing Certificate,O=example.com Security Domain
0x3            valid   CN=server.example.com,O=example.com Security Domain
0x4            valid   CN=CA Subsystem Certificate,O=example.com Security Domain
0x5            valid   CN=CA Audit Signing Certificate,O=example.com Security Domain
0x6            valid   CN=CA Administrator of Instance pki-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
0x7            valid   CN=SubCA Signing Certificate,O=example.com Security Domain
0x8            valid   CN=SubCA Subsystem Certificate,O=example.com Security Domain
0x9            valid   CN=SubCA Subsystem Certificate,O=example.com Security Domain
0xa            valid   UID=test CA
pki-sub-tomcat:
# cd /var/lib/pki/pki-sub-tomcat/alias
# certutil -d . -L
Certificate Nickname                                    Trust Attributes
                                                        SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain CT,c,
caSigningCert cert-pki-sub-tomcat CA CTu,Cu,Cu
ocspSigningCert cert-pki-sub-tomcat CA u,u,u
auditSigningCert cert-pki-sub-tomcat CA u,u,Pu
Server-Cert cert-pki-sub-tomcat u,u,u
subsystemCert cert-pki-sub-tomcat CA u,u,u
# certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain"
. . .
Serial number  Status  Subject name
0x1            valid   CN=SubCA OCSP Signing Certificate,O=example.com Security Domain
0x2            valid   CN=server.example.com,O=example.com Security Domain
0x3            valid   CN=SubCA Audit Signing Certificate,O=example.com Security Domain
0x4            valid   CN=CA Administrator of Instance pki-sub-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
0x5            valid   CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain
0x6            valid   UID=test SUBCA
pki-sub-sub-tomcat:
# cd /var/lib/pki/pki-sub-sub-tomcat/alias
# certutil -d . -L
Certificate Nickname                                    Trust Attributes
                                                        SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain CT,c,
SubCA Signing Certificate - example.com Security Domain c,c,
caSigningCert cert-pki-sub-sub-tomcat CA CTu,Cu,Cu
Server-Cert cert-pki-sub-sub-tomcat u,u,u
subsystemCert cert-pki-sub-sub-tomcat CA u,u,u
ocspSigningCert cert-pki-sub-sub-tomcat CA u,u,u
auditSigningCert cert-pki-sub-sub-tomcat CA u,u,Pu
# certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain"
. . .
Serial number  Status  Subject name
0x1            valid   CN=SubCA OCSP Signing Certificate,O=example.com Security Domain
0x2            valid   CN=server.example.com,O=example.com Security Domain
0x3            valid   CN=SubCA Audit Signing Certificate,O=example.com Security Domain
0x4            valid   CN=CA Administrator of Instance pki-sub-sub-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
0x5            valid   UID=test SUB-SUBCA
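An added consistency check over the three listings above (not part of the patch or of Dogtag itself): it takes the Issuer and Subject CNs transcribed from the certutil output and confirms that each CA signing certificate is issued by its parent, each subsystem certificate by the security domain's root CA (as the listings show), and the server, OCSP and audit certificates by the instance's own signing certificate. Reducing each DN to its CN and the dictionary layout are assumptions made for the example.

```python
# Constructed sample (assumption): the Issuer/Subject pairs from the certutil
# listings above, reduced to the CN of each DN. Per instance: (parent, certs).
DOMAIN_CA = "CA Signing Certificate"  # security-domain CA issuing subsystem certs
INSTANCES = {
    "pki-tomcat": (None, {
        "caSigningCert": ("CA Signing Certificate", "CA Signing Certificate"),
        "subsystemCert": ("CA Signing Certificate", "CA Subsystem Certificate"),
        "Server-Cert": ("CA Signing Certificate", "server.example.com"),
        "ocspSigningCert": ("CA Signing Certificate", "CA OCSP Signing Certificate"),
        "auditSigningCert": ("CA Signing Certificate", "CA Audit Signing Certificate"),
    }),
    "pki-sub-tomcat": ("pki-tomcat", {
        "caSigningCert": ("CA Signing Certificate", "SubCA Signing Certificate"),
        "subsystemCert": ("CA Signing Certificate", "SubCA Subsystem Certificate"),
        "Server-Cert": ("SubCA Signing Certificate", "server.example.com"),
        "ocspSigningCert": ("SubCA Signing Certificate", "SubCA OCSP Signing Certificate"),
        "auditSigningCert": ("SubCA Signing Certificate", "SubCA Audit Signing Certificate"),
    }),
    "pki-sub-sub-tomcat": ("pki-sub-tomcat", {
        "caSigningCert": ("SubCA Signing Certificate", "Sub-SubCA Subsystem Certificate"),
        "subsystemCert": ("CA Signing Certificate", "SubCA Subsystem Certificate"),
        "Server-Cert": ("Sub-SubCA Subsystem Certificate", "server.example.com"),
        "ocspSigningCert": ("Sub-SubCA Subsystem Certificate", "SubCA OCSP Signing Certificate"),
        "auditSigningCert": ("Sub-SubCA Subsystem Certificate", "SubCA Audit Signing Certificate"),
    }),
}


def check_hierarchy(instances):
    """Return (instance, nickname, problem) tuples for every certificate whose
    issuer is not the one the Dogtag layout calls for; empty means consistent."""
    problems = []
    for name, (parent, certs) in instances.items():
        own = certs["caSigningCert"][1]
        # Root CA is self-signed; a subordinate is signed by its parent's signing cert.
        signer = own if parent is None else instances[parent][1]["caSigningCert"][1]
        expected = {"caSigningCert": signer, "subsystemCert": DOMAIN_CA,
                    "Server-Cert": own, "ocspSigningCert": own, "auditSigningCert": own}
        for nick, (issuer, _subject) in certs.items():
            if issuer != expected[nick]:
                problems.append((name, nick, f"issued by {issuer!r}, expected {expected[nick]!r}"))
    return problems


if __name__ == "__main__":
    for p in check_hierarchy(INSTANCES) or [("all", "-", "hierarchy consistent")]:
        print(*p)
```

Run against the transcribed listings it reports no problems; swapping any issuer (for instance, pointing the sub-sub server certificate at the SubCA signing certificate) produces one finding naming the instance and nickname.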
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20121106-Enable-Subordinate-CA.patch
Type: text/x-patch
Size: 6215 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20121106/057aeb68/attachment.bin>