[Pki-users] Anybody got dual key certs and key archiving working with Dogtag?

Aleksander Adamowski aleksander.adamowski.dogtag at altkom.pl
Fri May 16 10:08:50 UTC 2008


Christina Fu wrote:
> There could be multiple issues.
>
> First thing you want to check is whether your ca is configured 
> correctly with connection to KRA.  To check this, look into your 
> CS.cfg file in <CA install dir>/conf/CS.cfg, and look for
> CA.connector.KRA.enable=true
I've already checked that, it's there. Also, in pkiconsole for the CA 
instance, I can see "Data Recovery Manager Connector" in "Certificate 
Manager" -> "Connectors".

When I click "Edit", and check its configuration, it corresponds to the 
configuration of the pki-kra instance (port number etc.).

>
> If your KRA is set up correctly, then test it out with caDualCert.cfg, 
> which will generate a signing cert and an encryption cert for you.  
> The encryption cert is the one whose private key will be archived.
OK, this is what I was looking for!

When I use the caDualCert profile, the browser asks me for 
confirmation/permission for the CA to make a backup of my encryption 
private key - here's a screenshot of how it looks:
https://olo.org.pl/files/pki/encryption_key_copy.png

Then I can see that _two_ key generation progress dialogs are displayed 
consecutively. So two keys and CSRs are indeed generated, and two 
certificate requests are added to the CA's request queue.

The remaining question I have is - can I customise the LDAP-based 
enrollment profile (caDirUserCert) to generate dual keys just like 
caDualCert does?

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.org.pl
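A small check for the CS.cfg setting Christina points at, added here as an example and not part of the thread or of Dogtag itself: it parses a constructed CS.cfg fragment and reports whether CA.connector.KRA.enable is true, listing any other CA.connector.KRA.* keys so they can be compared with the pki-kra instance. The host and port keys in the sample are assumptions.

```python
# Added example: verify the CA->KRA connector flag named in the thread.
# CS.cfg is a flat key=value file; only CA.connector.KRA.enable comes from
# the thread, the host/port lines below are a constructed sample.
SAMPLE_CS_CFG = """\
# constructed sample, not a real deployment file
CA.connector.KRA.enable=true
CA.connector.KRA.host=kra.example.test
CA.connector.KRA.port=10443
ca.Policy.enable=false
"""


def parse_cs_cfg(text):
    """Parse key=value lines; skip blanks and '#' comments. Later keys win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def kra_connector_status(text):
    """Return (enabled, findings); enabled only if the flag is literally 'true'."""
    cfg = parse_cs_cfg(text)
    findings = []
    value = cfg.get("CA.connector.KRA.enable")
    if value is None:
        enabled = False
        findings.append("CA.connector.KRA.enable missing: archival requests "
                        "cannot reach a KRA")
    else:
        enabled = value.lower() == "true"
        if not enabled:
            findings.append("CA.connector.KRA.enable=%s: connector disabled" % value)
    # List the other connector keys so they can be compared against the
    # pki-kra instance (port number etc.), as the thread does via pkiconsole.
    for key in sorted(cfg):
        if key.startswith("CA.connector.KRA.") and key != "CA.connector.KRA.enable":
            findings.append("%s=%s" % (key, cfg[key]))
    return enabled, findings


if __name__ == "__main__":
    ok, notes = kra_connector_status(SAMPLE_CS_CFG)
    print("KRA connector enabled:", ok)
    for note in notes:
        print(" -", note)
```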