[Pki-users] Anybody got dual key certs and key archiving working with Dogtag?

Marc Sauton msauton at redhat.com
Fri May 16 17:09:49 UTC 2008


Aleksander Adamowski wrote:
> Christina Fu wrote:
>> There could be multiple issues.
>>
>> First thing you want to check is whether your ca is configured 
>> correctly with connection to KRA.  To check this, look into your 
>> CS.cfg file in <CA install dir>/conf/CS.cfg, and look for
>> CA.connector.KRA.enable=true
> I've already checked that, it's there. Also, in pkiconsole for the CA 
> instance, I can see "Data Recovery Manager Connector" in "Certificate 
> Manager" -> "Connectors".
>
> When I click "Edit", and check its configuration, it corresponds to 
> the configuration of the pki-kra instance (port number etc.).
>
>>
>> If your KRA is set up correctly, then test it out with 
>> caDualCert.cfg, which will generate a signing cert and an encryption 
>> cert for you.  The encryption cert is the one whose private key will 
>> be archived.
> OK, this is what I was looking for!
>
> When I use the caDualCert profile, the browser asks me for
> confirmation/permission for the CA to make a backup of my encryption
> private key - here's a screenshot of how it looks:
> https://olo.org.pl/files/pki/encryption_key_copy.png
>
> Then I can see that _two_ key generation progress dialogs are 
> displayed consecutively. So two keys and CSRs are indeed generated, 
> and two certificate requests are added to the CA's request queue.
>
That's correct.
> The remaining question I have is - can I customise the LDAP-based 
> enrollment profile (caDirUserCert) to generate dual keys just like 
> caDualCert does?
>
Yes, all the pages are customizable, with templates, see for example:
/var/lib/pki-<ca-instance-name>/webapps/ca/ee/ca/
and
DirUserEnroll.html
Also:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Setting_up_Certificate_Profiles-Customizing_the_Enrollment_Form.html
M.
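A small pre-flight check for the first step Christina describes (confirming the CA's CS.cfg has the KRA connector enabled before testing caDualCert). This is an added example, not code from the thread or from Dogtag; it relies only on the CA.connector.KRA.enable key named above, matches the key case-insensitively in case an instance writes it in lower case, and assumes the file is a plain key=value list. The listing of other CA.connector.KRA.* entries is there so the host and port can be compared by eye with the pki-kra instance shown under "Data Recovery Manager Connector" in pkiconsole.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Dogtag project):
# check that a CA's CS.cfg has the KRA (DRM) connector enabled before
# testing key archival with the caDualCert profile.

# Print the value of CA.connector.KRA.enable from a CS.cfg: comment lines
# are ignored, the key is matched case-insensitively, last occurrence wins.
kra_connector_value() {
    grep -v '^[[:space:]]*#' "$1" | tr -d '\r' \
        | grep -i '^ca\.connector\.kra\.enable=' \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Exit status: 0 if the connector is enabled, 1 if disabled or missing,
# 2 if the file cannot be read.
kra_connector_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    val=$(kra_connector_value "$cfg")
    case "$val" in
        true|TRUE|True) return 0 ;;
        *) return 1 ;;
    esac
}

# List every CA.connector.KRA.* setting (sorted) so host/port can be
# compared with the pki-kra instance's actual listener.
kra_connector_settings() {
    grep -v '^[[:space:]]*#' "$1" | tr -d '\r' \
        | grep -i '^ca\.connector\.kra\.' | sort
}

# Demo on a constructed CS.cfg fragment (not a real instance's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample CS.cfg fragment
CA.connector.KRA.enable=true
EOF
if kra_connector_enabled "$demo_cfg"; then
    echo "KRA connector enabled; settings found:"
    kra_connector_settings "$demo_cfg"
else
    echo "KRA connector not enabled in $demo_cfg" >&2
fi
rm -f "$demo_cfg"
```

Run it as `sh check-kra.sh` after pointing `demo_cfg` at `/var/lib/pki-<ca-instance-name>/conf/CS.cfg` (or call `kra_connector_enabled` on that path from another script). A non-zero exit means the CA will not forward encryption keys to the KRA, so the second enrollment request of caDualCert will not be archived regardless of what the profile template does.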