[Pki-users] Manually Replacing Server Certificates + Profiles

John Magne jmagne at redhat.com
Fri Mar 26 16:55:43 UTC 2010 

Patrick:

I did some quick digging and came up with a bit of info that might help.


It looks like the profiles that actually get used by the configuration wizard to create subsystems are private to that process. You can though, view these profiles in the directory:

/var/lib/pki-ca/conf/*.profile

The differences between these profiles and the regular CA profiles can be compared to possibly explain what you are seeing with the certs that get output.


----- Original Message -----
From: "Patrick Raspante" <Patrick.Raspante at gdc4s.com>
To: pki-users at redhat.com
Sent: Friday, March 26, 2010 4:47:06 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] Manually Replacing Server Certificates + Profiles


Manually Replacing Server Certificates + Profiles 


Using CS 8.0, 

I'm interested in replacing (not renewing) all the server certificates for every subsystem (CA,TKS,DRM,TPS). 

The solution I had planned on using was to painstakingly use certutil to generate certificate requests, sign then, and import them back into the subsystem cert db with identical cert nicknames. 

Is there an easier way to do this (other than reinstalling+rerunning the create wizard)? I can attempt to use pkiconsole to replace certificates and automatically send them to the CA's ee page, but that seems to be erroring repeatedly. 

Using the certutil method, I'm unsure of which CA profiles to use when signing some of the server certificates certificates. For example, when replacing the TKS's 'subsystemCert' or 'Server-Cert' using the CA's 'manual server certificate enrollment' profile, I don't a get a cert with identical extensions as the original TKS 'subsytem cert'. Which profile does the CA use at TKS creation-time for these certs? 

Thanks 

Patrick Raspante 
Software Engineer 
General Dynamics C4 Systems 
Work: 781-455-2399 


This message and/or attachments may include information subject to GDC4S O.M. 1.8.6 and GD Corporate Policy 07-105 and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message. 

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

More information about the Pki-users mailing list