[Pki-devel] [PATCH] Enable Subordinate CA
Ade Lee
alee at redhat.com
Thu Nov 8 05:58:07 UTC 2012
ACK
On Tue, 2012-11-06 at 19:36 -0800, Matthew Harmsen wrote:
> The attached patch addresses the following PKI issue:
> * TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle
> subordinate CA
> The following tests were performed on this code where:
> * cadeployment.cfg --> pki-tomcat (standard CA deployment
> configuration file with passwords)
> * subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA
> deployment configuration file with passwords)
> * sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex"
> Subordinate Subordinate CA deployment configuration file with
> passwords)
> # diff cadeployment.cfg subcadeployment.cfg
> 109c109
> < pki_ajp_port=8009
> ---
> > pki_ajp_port=18009
> 119,121c119,121
> < pki_http_port=8080
> < pki_https_port=8443
> < pki_instance_name=pki-tomcat
> ---
> > pki_http_port=18080
> > pki_https_port=18443
> > pki_instance_name=pki-sub-tomcat
> 125c125
> < pki_tomcat_server_port=8005
> ---
> > pki_tomcat_server_port=18005
> 162c162
> < pki_subordinate=False
> ---
> > pki_subordinate=True
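Review bot: this subordinate configuration flips pki_subordinate=True but leaves pki_issuing_ca unset (the second diff shows line 60 of subcadeployment.cfg is still `pki_issuing_ca=`), and the pki-sub-tomcat listing below shows its caSigningCert issued by "CN=CA Signing Certificate,O=example.com Security Domain". The patch description should state which CA the deployment falls back to when pki_issuing_ca is empty, so that the "simple" subordinate case is documented rather than implied by the test output.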
>
>
>
> # diff subcadeployment.cfg sub-subcadeployment.cfg
> 60c60
> < pki_issuing_ca=
> ---
> > pki_issuing_ca=https://server.example.com:18443
> 109c109
> < pki_ajp_port=18009
> ---
> > pki_ajp_port=28009
> 119,121c119,121
> < pki_http_port=18080
> < pki_https_port=18443
> < pki_instance_name=pki-sub-tomcat
> ---
> > pki_http_port=28080
> > pki_https_port=28443
> > pki_instance_name=pki-sub-sub-tomcat
> 125c125
> < pki_tomcat_server_port=18005
> ---
> > pki_tomcat_server_port=28005
> 148c148
> < pki_ca_signing_subject_dn=
> ---
> > pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem
> Certificate,O=example.com Security Domain
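Review bot: pki_ca_signing_subject_dn for the sub-sub CA is set to "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain", which follows the subsystem-certificate naming rather than the "... Signing Certificate" pattern used by the other two CAs; in the pki-sub-sub-tomcat listing below, Server-Cert, ocspSigningCert and auditSigningCert all show Issuer "CN=Sub-SubCA Subsystem Certificate", which reads as if they had been issued by a subsystem certificate. A DN along the lines of CN=Sub-SubCA Signing Certificate would keep the three-level chain readable in the listings.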
>
>
>
> pki-tomcat:
>
> # cd /var/lib/pki/pki-tomcat/alias
> # certutil -d . -L
>
> Certificate Nickname                                 Trust Attributes
>                                                      SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-tomcat CA                     CTu,Cu,Cu
> Server-Cert cert-pki-tomcat                          u,u,u
> auditSigningCert cert-pki-tomcat CA                  u,u,Pu
> ocspSigningCert cert-pki-tomcat CA                   u,u,u
> subsystemCert cert-pki-tomcat CA                     u,u,u
>
> # certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=CA Subsystem Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=server.example.com,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=CA OCSP Signing Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=CA Audit Signing Certificate,O=example.com Security Domain"
> . . .
>
> Serial number   Status   Subject name
> 0x1             valid    CN=CA Signing Certificate,O=example.com Security Domain
> 0x2             valid    CN=CA OCSP Signing Certificate,O=example.com Security Domain
> 0x3             valid    CN=server.example.com,O=example.com Security Domain
> 0x4             valid    CN=CA Subsystem Certificate,O=example.com Security Domain
> 0x5             valid    CN=CA Audit Signing Certificate,O=example.com Security Domain
> 0x6             valid    CN=CA Administrator of Instance pki-tomcat,UID=caadmin,E=caadmin at example.com,O=example.com Security Domain
> 0x7             valid    CN=SubCA Signing Certificate,O=example.com Security Domain
> 0x8             valid    CN=SubCA Subsystem Certificate,O=example.com Security Domain
> 0x9             valid    CN=SubCA Subsystem Certificate,O=example.com Security Domain
> 0xa             valid    UID=test CA
>
>
>
> pki-sub-tomcat:
>
> # cd /var/lib/pki/pki-sub-tomcat/alias
> # certutil -d . -L
> Certificate Nickname                                     Trust Attributes
>                                                          SSL,S/MIME,JAR/XPI
>
> CA Signing Certificate - example.com Security Domain     CT,c,
> caSigningCert cert-pki-sub-tomcat CA                     CTu,Cu,Cu
> ocspSigningCert cert-pki-sub-tomcat CA                   u,u,u
> auditSigningCert cert-pki-sub-tomcat CA                  u,u,Pu
> Server-Cert cert-pki-sub-tomcat                          u,u,u
> subsystemCert cert-pki-sub-tomcat CA                     u,u,u
>
> # certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA Signing Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more
> . . .
> Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=server.example.com,O=example.com Security Domain"
> . . .
>
> # certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA" | more
> . . .
> Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA" | more
> . . .
> Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain"
> . . .
>
> Serial number   Status   Subject name
> 0x1             valid    CN=SubCA OCSP Signing Certificate,O=example.com Security Domain
> 0x2             valid    CN=server.example.com,O=example.com Security Domain
> 0x3             valid    CN=SubCA Audit Signing Certificate,O=example.com Security Domain
> 0x4             valid    CN=CA Administrator of Instance pki-sub-tomcat,UID=caadmin,E=caadmin at example.com,O=example.com Security Domain
> 0x5             valid    CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain
> 0x6             valid    UID=test SUBCA
>
>
>
> pki-sub-sub-tomcat:
>
> # cd /var/lib/pki/pki-sub-sub-tomcat/alias
> # certutil -d . -L
> Certificate Nickname                                     Trust Attributes
>                                                          SSL,S/MIME,JAR/XPI
>
> CA Signing Certificate - example.com Security Domain     CT,c,
> SubCA Signing Certificate - example.com Security Domain  c,c,
> caSigningCert cert-pki-sub-sub-tomcat CA                 CTu,Cu,Cu
> Server-Cert cert-pki-sub-sub-tomcat                      u,u,u
> subsystemCert cert-pki-sub-sub-tomcat CA                 u,u,u
> ocspSigningCert cert-pki-sub-sub-tomcat CA               u,u,u
> auditSigningCert cert-pki-sub-sub-tomcat CA              u,u,Pu
>
> # certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat CA" | more
> . . .
> Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat CA" | more
> . . .
> Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" | more
> . . .
> Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=server.example.com,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat CA" | more
> . . .
> Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain"
> . . .
>
> # certutil -d . -L -n "auditSigningCert cert-pki-sub-sub-tomcat CA" | more
> . . .
> Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain"
> . . .
> Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain"
> . . .
>
> Serial number   Status   Subject name
> 0x1             valid    CN=SubCA OCSP Signing Certificate,O=example.com Security Domain
> 0x2             valid    CN=server.example.com,O=example.com Security Domain
> 0x3             valid    CN=SubCA Audit Signing Certificate,O=example.com Security Domain
> 0x4             valid    CN=CA Administrator of Instance pki-sub-sub-tomcat,UID=caadmin,E=caadmin at example.com,O=example.com Security Domain
> 0x5             valid    UID=test SUB-SUBCA
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
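The chain the listings above are meant to demonstrate (each subordinate's signing certificate issued by its parent CA, each instance's server/OCSP/audit certificates issued by that instance's own CA) can be checked mechanically. The script below is an added example, not part of the post or of the Dogtag deployment code: it parses certutil output in the shape shown in the thread and verifies the issuer/subject relationships; the transcript is a constructed excerpt of the post's listings and the parent map is an assumption about the test deployment.

```python
import re
# Constructed excerpt in the shape of the post's `certutil -d . -L -n` runs
# (DN lines only; the ". . ." elision lines are dropped).
TRANSCRIPT = """\
# certutil -d . -L -n "caSigningCert cert-pki-tomcat CA"
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
Subject: "CN=CA Signing Certificate,O=example.com Security Domain"
# certutil -d . -L -n "Server-Cert cert-pki-tomcat"
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
Subject: "CN=server.example.com,O=example.com Security Domain"
# certutil -d . -L -n "caSigningCert cert-pki-sub-tomcat CA"
Issuer: "CN=CA Signing Certificate,O=example.com Security Domain"
Subject: "CN=SubCA Signing Certificate,O=example.com Security Domain"
# certutil -d . -L -n "Server-Cert cert-pki-sub-tomcat"
Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain"
Subject: "CN=server.example.com,O=example.com Security Domain"
"""
# Assumed parent map for the test deployment: a root CA and one subordinate.
PARENTS = {"pki-tomcat": None, "pki-sub-tomcat": "pki-tomcat"}
CMD = re.compile(r'^# certutil .* -n "([^"]+)"')
DN = re.compile(r'^(Issuer|Subject): "([^"]+)"')

def parse_transcript(text):
    """Return {instance: {cert_type: {"Issuer": dn, "Subject": dn}}}, taking
    instance and type from the nickname, e.g. "Server-Cert cert-pki-tomcat"."""
    certs, cur = {}, None
    for line in text.splitlines():
        m = CMD.match(line)
        if m:
            nick = m.group(1)
            inst = re.search(r"cert-(\S+)", nick).group(1)
            cur = certs.setdefault(inst, {}).setdefault(nick.split()[0], {})
            continue
        m = DN.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return certs

def check_hierarchy(certs, parents):
    """Each CA signing cert must be issued by its parent's signing cert (or by itself
    at the root); server/OCSP/audit certs by their own CA. Returns a list of findings."""
    findings = []
    for inst, parent in parents.items():
        ca = certs[inst]["caSigningCert"]
        expected = certs[parent]["caSigningCert"]["Subject"] if parent else ca["Subject"]
        if ca["Issuer"] != expected:
            findings.append(f"{inst}: caSigningCert issued by {ca['Issuer']!r}, expected {expected!r}")
        for ctype in ("Server-Cert", "ocspSigningCert", "auditSigningCert"):
            c = certs[inst].get(ctype)
            if c and c["Issuer"] != ca["Subject"]:
                findings.append(f"{inst}: {ctype} issued by {c['Issuer']!r}, not by this CA")
    return findings
```

To run it against a real deployment, capture the per-nickname `certutil -L -n` output for each instance's alias directory into one file and pass its contents as the transcript.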