[Pki-users] Anybody got dual key certs and key archiving working with Dogtag?

Christina Fu cfu at redhat.com
Thu May 15 18:46:29 UTC 2008


There could be multiple issues.

First thing you want to check is whether your ca is configured correctly 
with connection to KRA.  To check this, look into your CS.cfg file in 
<CA install dir>/conf/CS.cfg, and look for
CA.connector.KRA.enable=true

If it's not there, or is false, then you probably did not set it up 
correctly.  There are several other parameters there that were supposed 
to be added automatically during installation, if you had picked the 
right options.  If you missed them, you can reinstall.

If your KRA is set up correctly, then test it out with caDualCert.cfg, 
which will generate a signing cert and an encryption cert for you.  The 
encryption cert is the one whose private key will be archived.

hope this helps,
Christina

Aleksander Adamowski wrote:
> Hi!
>
> I've set up pki-ca, pki-ocsp, pki-ra and pki-kra.
>
> However, it seems that pki-kra doesn't archive any keys.
>
> I've tested it with the following profiles when issuing certificates:
>
> Using the CA instance:
> * caUserCert (Manual User Dual-Use Certificate Enrollment) - I know, 
> it won't work, it's Dual-Use, not Dual-Key. However, the protocol used 
> is CRMF.
> * caDirUserCert (Directory-Authenticated User Dual-Use Certificate 
> Enrollment) - another Dual-Use, not Dual-Key. But CRMF-based.
> * caDualRAuserCert (RA Agent-Authenticated User Certificate 
> Enrollment) - they don't write what "Dual" means here. Is it Dual-Use 
> too?
>
> Using the RA instance:
> * caDualRAuserCert (RA Agent-Authenticated User Certificate 
> Enrollment) - it has "Dual" in its name...
>
>
> So it seems that there's potential confusion over which "Dual" is 
> implied in the profile names (does it correspond to key usage, or the 
> amount of keys?).
>
> Based on my experiments, either all those profiles are single key, or 
> my client doesn't support dual key generation (it's Firefox 3 nightly 
> build).
>
>
>
> So the question is - what combination of certificate profiles and 
> client (web browser) versions allows for generating dual key 
> certificates whose keys will be correctly archived by KRA/DRM?
>
>
>
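One way to script the CS.cfg check Christina describes, added here as an example and not code from the thread or from Dogtag itself; the only key the thread names is CA.connector.KRA.enable, so the host key and the sample file contents below are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not from the thread: diagnose whether a Dogtag CA's CS.cfg
# has its KRA connector enabled, which is the first thing to verify when
# keys are not being archived.
# Usage: sh check_kra.sh "<CA install dir>/conf/CS.cfg"

# Print the value of key $2 (a sed-escaped regex) from the CS.cfg at $1.
# Leading whitespace and spaces around '=' are tolerated; last definition wins.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report the KRA connector state. Returns 0 when CA.connector.KRA.enable=true,
# 1 when it is missing or not "true", 2 when the file cannot be read.
check_kra_connector() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    echo "CA.connector.KRA.* keys found in $cfg:"
    grep -E '^[[:space:]]*CA\.connector\.KRA\.' "$cfg" | sed 's/^/  /'
    enable=$(cfg_get "$cfg" 'CA\.connector\.KRA\.enable')
    case "$enable" in
        true) echo "KRA connector is enabled"; return 0 ;;
        "")   echo "CA.connector.KRA.enable is absent: CA was not set up with a KRA"; return 1 ;;
        *)    echo "CA.connector.KRA.enable=$enable, expected true"; return 1 ;;
    esac
}

# Constructed sample CS.cfg fragment for trying the check offline. The host key
# is an assumed name for illustration, not something taken from the thread.
write_sample_cfg() {   # $1 = path, $2 = value for the enable key, or "absent"
    {
        echo "# constructed sample, not a real Dogtag CS.cfg"
        echo "example.unrelated.key=1"
        [ "$2" = absent ] || echo "CA.connector.KRA.enable=$2"
        echo "CA.connector.KRA.host=kra.example.test"
    } > "$1"
}

# Run against a real CS.cfg when a path is given on the command line.
if [ -n "${1:-}" ]; then
    check_kra_connector "$1"
fi
```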