[Pki-users] Certificate System Want to change hostname/IP address after installation

Robert veryaware at gmail.com
Fri Jan 16 06:36:35 UTC 2009


Your idea should be quite simple to achieve. The domain for the CA service
does not have to be related to the certificates you issue. I do this
currently on a test machine (inside VMware) with the key ports forwarded from
the host to the Dogtag system. People connect remotely to the public and
changing IP address specified by a DynDNS fully qualified host name.

So for your install machine use a dynamic DNS host name. DynDNS offer a
great service, both free and paid. You could also use your own
organisation's DNS, however DynDNS is quick and easy.

At each new site you simply login to DynDNS, change the related IP addresses
and away you go.

For your own convenience, you also want the /etc/hosts file to resolve the
host name to 127.0.0.1, so it always works even when not on a network...

I do wonder about the security of your laptop and its access control, and
whether you might like to use some sort of hardware token (smart card/HSM) to
at least protect the CA key when on the road. It would be a shame to go to all
the trouble and have the laptop stolen and/or compromised.

On Wed, Jan 14, 2009 at 1:20 AM, <lambam80 at hotmail.com> wrote:

> Hello everybody:
>
> Firstly, is this the primary Email-list for Dogtag/Red Hat Certificate
> System?
>
> Naturally, I've looked through all the archives, found here, for an answer:
>      https://www.redhat.com/archives/pki-users/
>
> We're using the DOGTAG CMS system found here:
>      http://pki.fedoraproject.org/wiki/PKI_Main_Page
>
> We'd like to create a 'portable' CMS on a laptop running, say, Fedora
> release 8 (Werewolf). We'll then use this machine at different client sites,
> where the machine's DNS name and IP address will change, to issue
> certificates.
>
> Is this possible?
>
> Firstly, I know that the console has the directory server's DNS name within
> the schema itself. My work-around is to leave an alias in /etc/hosts with
> the old hostname.
>
> I expect the following URLs to cause an 'exception' in the browser because
> the hostname in the DN does NOT equal the hostname of the machine:
> https://dogtag.org:9443/ca/agent/ca/
> https://dogtag.org:10443/kra/agent/kra/
> https://dogtag.org:12889/
>
> I reckon this can be overridden by simply accepting the 'exception' when
> presented with the warning dialogue box in Mozilla.
>
> Q1. Any other considerations or obstacles?
>
> Regards,
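The hostname mismatch discussed in this thread (agent URLs whose certificate does not name the host the laptop currently answers under, and the /etc/hosts alias used as a workaround), as an added example written for this page; it is not code from either poster or from the Dogtag project. It assumes the constructed URL list, certificate identity and hosts-file text shown below and reports, per URL, whether the certificate names the host (so no browser warning has to be clicked through) and whether the name is pinned to loopback as the reply suggests.

```python
from urllib.parse import urlparse

# Constructed sample data, not taken from any real deployment: the agent URLs
# quoted in the question, a certificate identity in the shape that
# ssl.SSLSocket.getpeercert() returns, and a minimal /etc/hosts file.
AGENT_URLS = [
    "https://dogtag.org:9443/ca/agent/ca/",
    "https://dogtag.org:10443/kra/agent/kra/",
    "https://dogtag.org:12889/",
]
SERVER_CERT = {
    "subject": ((("commonName", "dogtag.org"),),),
    "subjectAltName": (("DNS", "dogtag.org"), ("DNS", "*.lab.example")),
}
HOSTS_FILE = "127.0.0.1   localhost dogtag.org\n::1   localhost\n"

def cert_dns_names(cert):
    # Names a browser compares with the URL host: SAN DNS entries, or the
    # subject CN only when the certificate carries no DNS SAN at all.
    names = {v for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    if not names:
        names = {v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"}
    return names

def dns_name_matches(pattern, host):
    # RFC 6125-style comparison: case-insensitive; a wildcard is allowed only
    # as the entire leftmost label and matches exactly one label.
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hosts_entries(text):
    # Parse /etc/hosts into {hostname: address}; '#' starts a comment.
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def check_urls(urls, cert, hosts_text):
    # Per URL: (url, certificate names the host, host pinned to loopback).
    names, hosts = cert_dns_names(cert), hosts_entries(hosts_text)
    hostnames = [urlparse(u).hostname for u in urls]
    return [(u, any(dns_name_matches(n, h) for n in names),
             hosts.get(h) == "127.0.0.1") for u, h in zip(urls, hostnames)]
```

Running the same check against a URL under a new DynDNS name the certificate does not carry shows the exact case where the browser warning appears and the alias no longer helps.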