[Pki-users] Anybody got dual key certs and key archiving working with Dogtag?
Aleksander Adamowski
aleksander.adamowski.dogtag at altkom.pl
Fri May 16 10:08:50 UTC 2008
Christina Fu wrote:
> There could be multiple issues.
>
> First thing you want to check is whether your ca is configured
> correctly with connection to KRA. To check this, look into your
> CS.cfg file in <CA install dir>/conf/CS.cfg, and look for
> CA.connector.KRA.enable=true
I've already checked that, it's there. Also, in pkiconsole for the CA
instance, I can see "Data Recovery Manager Connector" in "Certificate
Manager" -> "Connectors".
When I click "Edit", and check its configuration, it corresponds to the
configuration of the pki-kra instance (port number etc.).
>
> If your KRA is set up correctly, then test it out with caDualCert.cfg,
> which will generate a signing cert and an encryption cert for you.
> The encryption cert is the one whose private key will be archived.
OK, this is what I was looking for!
When I use the caDualCert profile, the browser asks me for
confirmation/permission for the CA to make a backup of my encryption
private key - here's a screenshot of what it looks like:
https://olo.org.pl/files/pki/encryption_key_copy.png
Then I can see that _two_ key generation progress dialogs are displayed
consecutively. So two keys and CSRs are indeed generated, and two
certificate requests are added to the CA's request queue.
The remaining question I have is - can I customise the LDAP-based
enrollment profile (caDirUserCert) to generate dual keys just like
caDualCert does?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
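As an added example (not part of this thread and not Dogtag's own code), the CS.cfg check Christina describes above can be scripted: parse the key=value file and confirm the KRA connector is enabled. Only `CA.connector.KRA.enable` is quoted in the thread; the host/port key names and the CS.cfg fragment below are assumptions constructed for illustration.

```python
# Added example, not from the original thread or from Dogtag: a small
# checker for the CA's CS.cfg that looks for the KRA connector setting
# the thread mentions (CA.connector.KRA.enable=true). The host/port key
# names are assumptions, and the CS.cfg content below is constructed.

from typing import Dict, List

# Constructed sample of a CS.cfg fragment (key=value, one per line).
SAMPLE_CS_CFG = """\
# constructed sample, not a real install
ca.connector.KRA.enable=true
ca.connector.KRA.host=kra.example.test
ca.connector.KRA.port=10443
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style 'key=value' lines; ignore blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_kra_connector(cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems with the CA->KRA connector config (empty = OK).

    Key lookup is case-insensitive because the thread writes the key as
    CA.connector.KRA.enable while the 'ca.' prefix may be lowercase in a file.
    """
    lower = {k.lower(): v for k, v in cfg.items()}
    problems: List[str] = []

    enable = lower.get("ca.connector.kra.enable")
    if enable is None:
        problems.append("ca.connector.KRA.enable is missing: CA will not archive keys")
    elif enable.lower() != "true":
        problems.append(f"ca.connector.KRA.enable={enable}: connector disabled")

    # Assumed key names for the KRA endpoint; adjust to your install.
    for suffix in ("host", "port"):
        if not lower.get(f"ca.connector.kra.{suffix}"):
            problems.append(f"ca.connector.KRA.{suffix} is not set")

    port = lower.get("ca.connector.kra.port")
    if port and not port.isdigit():
        problems.append(f"ca.connector.KRA.port={port!r} is not numeric")
    return problems


if __name__ == "__main__":
    issues = check_kra_connector(parse_cs_cfg(SAMPLE_CS_CFG))
    print("KRA connector OK" if not issues else "\n".join(issues))
```

Run it against the real file by replacing `SAMPLE_CS_CFG` with the contents of `<CA install dir>/conf/CS.cfg`; an empty problem list means the enable flag and endpoint keys are present, which is the precondition for caDualCert's encryption key to be archived.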