[Pki-devel] Enterprise CA Architecture

orrious at yahoo.com orrious at yahoo.com
Fri Aug 30 00:26:39 UTC 2013 

Thanks Jack,

That did it.  I'll add some "Lessons Learned" as well.

1.) You must first disable the profile you want to edit in CA Agent.  Then open pkiconsole to edit the actual Certificate Profile.  

    -This step is easily missed!

2.) If you don't know what profile you're trying to edit, from CA Agent -> List Requests -> Show all requests.
    -Since I'm working with SCEP, I needed to find out what profile was being used, so I could modify it with the correct OCSP URI.


For the remaining questions:

Q1. Q2.Q3, and Q6 are not valid.  I had incorrectly assumed that the OCSP relayed requests or pulled the CRL, thus being the initiator.  This is not the case.  When the OCSP registers with the CA, the CA creates a OCSPPublisher that is setup to publish the CRL to the OCSP.  ***Note:  Each OCSP you register over writes the prior.  If all of your OCSPs are cloned from a single instance, this does not cause an issue.  If they are clones of a single OCSP instance, LDAP handles the replication for the group.  If you have multiple OCSP clusters, this causes an issue though.  You will need to manually go into pkiconsole and create a new OCSPPublisher and Publishing Rule for the previous OCSP.

Example:  

OCSP1 registers Master with CA1  ->  OCSPPublisher=OCSP1
OCSP2 Clone of OCSP1 registers with CA1  ->  OCSPPublisher=OCSP2  (Still works because OCSP1 and OCSP2 have LDAP replication.)
OCSP3 registers Master with CA1  ->  OCSPPublisher=OCSP3  (OCSP1 and 2 no longer get CRL.  OCSP3 gets it.)

OCSP4 Clone of OCSP3 registers with CA1  ->  OCSPPublisher=OCSP4  (OCSP1 and 2 no longer get CRL.  OCSP4 gets it and LDAP replicates it to OCSP3.)

Solution:
Register OCSPPublisher1 as a new Publisher and create a Publishing Rule for it.


Ensure you have 1 OCSPPublisher for each cluster of OCSPs.


Solution Enhancement:  
Automatically name the OCSPPublisher the name of the OCSP Server, if it's not a Clone of an existing OCSP instance and create the appropriate Publishing Rule.


Thank you
Paul




----- Original Message -----
From: John Magne <jmagne at redhat.com>
To: orrious at yahoo.com
Cc: pki-users at redhat.com; pki-devel at redhat.com
Sent: Wednesday, August 28, 2013 1:37 PM
Subject: Re: [Pki-devel] Enterprise CA Architecture


As for your OCSP query, try this:

Use the console to edit the certificate profile you are using.

I'm assuming it is caUserCert

You can also do this with config files if you want.
Look in /var/lib/pki-ca/profiles/ca/caUserCert.cfg


Anyway, there is an entry of the AIA extension that looks like this in the file:

policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1


Either using editor or the console, put something in there for this setting:

policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=blah-url

Restart the server and try to issue a cert with this profile.

Also, when the agent approves the cert request, it has the chance to change this setting on that page as well.


For your load balancer issue. Just as a quick test you might venture into your OCSP's conf/CS.cfg file and observe the entries that are pointing you to the CA.
I haven't not tried this but it might be possible to change one of those settings to your LB and see what happens. If there is a more elegant way to do this, others can chime in.

thanks,
jack








----- Original Message -----
> From: orrious at yahoo.com
> To: pki-users at redhat.com, pki-devel at redhat.com
> Sent: Tuesday, August 27, 2013 3:31:59 PM
> Subject: [Pki-devel] Enterprise CA Architecture
> 
> Hi Everyone,
> 
> 
> I am setting up a Dogtag 9.0.3 CA PoC and have a couple deployment questions.
>   My goal is to have a secure and redundant CA and subsystems.  The RA is
> external, redundant, and outside the scope of the discussion (for now).
>   OCSP services will more than likely be distributed in multiple Server/LB
> pairs behind a single GTM VIP.
> 
> 
> I am documenting each step of the install and will happily provide it so
> others don't have to ask the same questions.
> 
> 
> Thank you for taking the time to read and provide feedback.
> 
> 
> 
> Scenario:
> 
> I have successfully deployed CA1 and cloned CA2 from CA1.  The VIP: CA.lab
> load balances all incoming ports to both servers, during testing.
> 
> 
> Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP:
> CA.lab.  Instead I must select either CA1.lab or CA2.lab.  Is there a way to
> configure the OCSP to connect to the VIP rather than a specific CA server?
> 
> 
> Q2.) If I am unable to configure OCSP against a VIP, should I configure
> OCSP1->CA1 and OCSP2->CA2?
> 
> Q3.) If Q2 is True and one of the CA's is down will OCSP failover to the
> other CA or will it just not answer a request.
> 
> Q4.) For the Dogtag Web pages, how do I change the server name in the URI to
> the VIP, rather than the actual host name of the server?  i.e, I go to
> https://ca.lab:9445/ca/services.  Depending on the server I am load balanced
> to, the URLs for "Dogtag Certificate System", 'SSL End Users Services", and
> "Agent Services" all go to CA1.lab:944x/ca.. rather than
> https://ca.lab:944x/ca This also pertains to OCSP pages.
> 
> Q5.) Certificates issues by default contain the OCSP service of the CA server
> that issued the Certificate.  i.e.  http://ca1.lab:9180/ca/ocsp.  Can this
> URI be changed to the LB VIP: http://ca.lab:9180/ca/ocsp or can the VIP only
> be added to the certificate?  If it can only be added, can the priority be
> changed so the VIP is queried first, as the CA would be firewalled in
> production and inaccessible.
> 
> 
> Q6.) Should the OCSP services become unavailable, I would also like to
> publish the CRL in the certificates.  What is the best performance for large
> CRLs, say 100K entries; a web page or LDAP?
> 
> 
> 
> 
>  
> 
> Kind Regards,
> Paul
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>

More information about the Pki-devel mailing list