[Pki-users] [HELP NEEDED] External CA configuration for Dogtag

Kritee Jhawar kriteejhawar at gmail.com
Thu Oct 16 01:51:37 UTC 2014


Thanks for the response 

I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft. 

I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with this root certificate. Is there some location I can place a public/private key pair which dogtag uses to come up?

Also what I meant by services not coming up was not other components like KRA and DRM. 
I just have the CA subsystem and even though it was getting spawned we were unable to use it.

Thanks 
Kritee

Sent from my iPhone

> On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
> 
>> On 10/10/2014 07:14 AM, kritee jhawar wrote:
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to
>> be given the root certificate of the new dogtag.
>> 
>> How can we avoid this?
> 
> Why do you need to re-provision the services with a new root certificate
> if Dogtag crashes? Why not just restart the Dogtag instance with the
> existing certs? It sounds like you're throwing away the old instance and
> creating a new Dogtag instance needlessly.
> 
> Also, I don't understand why your services won't run if Dogtag isn't
> currently running (unless you're using OCSP). Dogtag provisions certs; a
> service using a cert issued by Dogtag doesn't need to communicate with
> Dogtag unless you're using OCSP. As long as your services have been
> provisioned with the certs issued by Dogtag they should run fine (or are
> you issuing very short duration certs that need constant refreshing?)
> 
> FWIW, what you describe, re-provisioning of a new CA cert, is exactly
> identical to handling an expired CA cert. There was documentation
> written up recently on how to handle expiring CA certs but I don't have
> a pointer to it, sorry. But as I mentioned above I don't think you need to
> replace the certs, you just need to restart the service.
> 
> If the instance is crashing then that's a bug that needs fixing. Please
> file a bug report so the problem can get fixed.
> 
> Ade can comment on the specific errors you reported.
> 
> -- 
> John
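John's point above is that the services only depend on the Dogtag root certificate they were provisioned with, so a restart that keeps the existing signing key and cert changes nothing for them, while a rebuilt instance with a fresh root forces re-provisioning. The script below is an added example (not part of this thread and not Dogtag's own tooling) that makes this check concrete: it fingerprints the CA's current root and reports which service trust bundles lack it. The service names and the PEM bodies are constructed placeholders (random bytes wrapped as PEM, not real certificates); since fingerprints are computed over the raw DER, the logic is identical for real certs exported from the Dogtag NSS database.

```python
"""Trust-anchor reconciliation check (added example, not from the thread or Dogtag).

Compares the fingerprint of the CA's current root certificate with the CA
bundles provisioned to each service and lists the services that would need
re-provisioning. Everything below is stdlib only, so it runs offline.
"""
import base64
import hashlib
import re
from typing import Dict, List

# Matches every CERTIFICATE block in a PEM bundle, body captured lazily.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_ders(pem_bundle: str) -> List[bytes]:
    """Extract each CERTIFICATE block from a PEM bundle as DER bytes."""
    ders = []
    for body in PEM_RE.findall(pem_bundle):
        b64 = "".join(body.split())  # drop the line breaks inside the base64
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def services_needing_reprovision(root_pem: str, service_bundles: Dict[str, str]) -> List[str]:
    """Return (sorted) the services whose CA bundle does not contain the current root."""
    root_ders = pem_to_ders(root_pem)
    if len(root_ders) != 1:
        raise ValueError("root_pem must contain exactly one certificate")
    root_fp = fingerprint(root_ders[0])
    stale = []
    for name, bundle in sorted(service_bundles.items()):
        bundle_fps = {fingerprint(d) for d in pem_to_ders(bundle)}
        if root_fp not in bundle_fps:
            stale.append(name)
    return stale


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: stand-ins for the existing and a rebuilt Dogtag root.
OLD_ROOT_DER = b"constructed-old-dogtag-root-" * 4
NEW_ROOT_DER = b"constructed-new-dogtag-root-" * 4
OLD_ROOT_PEM = make_pem(OLD_ROOT_DER)
NEW_ROOT_PEM = make_pem(NEW_ROOT_DER)

# Hypothetical services and the CA bundle each was provisioned with.
SERVICE_BUNDLES = {
    "web-frontend": OLD_ROOT_PEM,                  # only the existing root
    "message-queue": OLD_ROOT_PEM + NEW_ROOT_PEM,  # pre-staged with both roots
    "db-proxy": OLD_ROOT_PEM,                      # only the existing root
}


def demo() -> Dict[str, List[str]]:
    """Restart with the same root: nothing to do. Rebuilt root: some services are stale."""
    return {
        "same_root": services_needing_reprovision(OLD_ROOT_PEM, SERVICE_BUNDLES),
        "new_root": services_needing_reprovision(NEW_ROOT_PEM, SERVICE_BUNDLES),
    }


if __name__ == "__main__":
    for scenario, stale in demo().items():
        status = "all services trust the root" if not stale else "reprovision " + ", ".join(stale)
        print(f"{scenario}: {status}")
```

The "message-queue" bundle shows the usual way to rotate a root without an outage: distribute a bundle containing both the old and the new root ahead of time, and the service keeps trusting the CA through the switch. Run against real certificates, pass the PEM exported from the CA's signing-cert nickname as `root_pem` and each service's CA bundle file as the dictionary values.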