[Pki-users] [HELP NEEDED] External CA configuration for Dogtag

John Dennis jdennis at redhat.com
Wed Oct 15 19:14:56 UTC 2014


On 10/10/2014 07:14 AM, kritee jhawar wrote:
> Dogtag is the private CA for multiple services in a cluster. Trust is
> established by providing the root certificate of dogtag to all the
> services. What happens if dogtag crashes? All the services will have to
> be given the root certificate of the new dogtag.
> 
> How can we avoid this?

Why do you need to re-provision the services with a new root certificate
if Dogtag crashes? Why not just restart the Dogtag instance with the
existing certs? It sounds like you're throwing away the old instance and
creating a new Dogtag instance needlessly.

Also, I don't understand why your services won't run if Dogtag isn't
currently running (unless you're using OCSP). Dogtag provisions certs; a
service using a cert issued by Dogtag doesn't need to communicate with
Dogtag (unless you're using OCSP). As long as your services have been
provisioned with the certs issued by Dogtag they should run fine (or are
you issuing very short duration certs that need constant refreshing?).

FWIW, what you describe, re-provisioning of a new CA cert, is exactly
identical to handling an expired CA cert. There was documentation
written up recently on how to handle expiring CA certs but I don't have
a pointer to it, sorry. But as I mentioned above I don't think you need to
replace the certs, you just need to restart the service.

If the instance is crashing then that's a bug that needs fixing. Please
file a bug report so the problem can get fixed.

Ade can comment on the specific errors you reported.

-- 
John
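The point John makes above, that a relying service validates its certificate against the root it was provisioned with and never needs the CA to be running (OCSP aside), and that only a CA rebuilt with a new root key breaks that trust, can be checked offline with the openssl CLI. The following script is an added example and is not part of the thread or of Dogtag itself; it assumes `openssl` is installed and generates all CA and service material in a temporary directory (the names `original-root`, `rebuilt-root` and `service.example` are made up for the demonstration).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Dogtag project.
# Shows that chain validation needs only the root certificate file, with
# no running CA, and that a CA re-created from scratch (new key, new root
# cert) is rejected by a service still trusting the original root.
# Assumes the openssl CLI; all key/cert material is generated here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a CA key and self-signed root certificate (stands in for the
# Dogtag CA signing cert). $1 is the CN and file base name.
make_root() {
  name=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    2>/dev/null
}

# Issue a service certificate signed by the named root.
issue_service_cert() {
  root=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=service.example" \
    -keyout "$WORK/service.key" -out "$WORK/service.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/service.csr" -CA "$WORK/$root.crt" \
    -CAkey "$WORK/$root.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/service.crt" 2>/dev/null
}

# What a relying service does on every TLS handshake: validate the peer
# chain against the root it was provisioned with. Only the root cert file
# is consulted; the CA that issued the cert does not have to be reachable.
# Returns 0 if the service cert chains to the named root, non-zero if not.
verify_against() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/service.crt" >/dev/null 2>&1
}

make_root original-root
issue_service_cert original-root
# A CA rebuilt instead of restarted: same name, but a new key and root cert.
make_root rebuilt-root

verify_against original-root && echo "original root: service cert validates"
verify_against rebuilt-root || echo "rebuilt root: service cert rejected"
```

The second `verify_against` call is the failure mode the question describes: if the CA instance is recreated rather than restarted with its existing signing key and certificate, every service trusting the old root rejects certificates signed by the new one (and vice versa), which is why the services would have to be re-provisioned. Restarting the same instance with the same signing cert leaves the first check passing and nothing to redistribute. The only runtime dependency on the CA being up is OCSP, which is not exercised here.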
