[Pki-users] [HELP NEEDED] External CA configuration for Dogtag
Kritee Jhawar
kriteejhawar at gmail.com
Thu Oct 16 01:51:37 UTC 2014
Thanks for the response
I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft.
I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with these root certificates. Is there some location I can place a public/private key pair which dogtag uses to come up?
Also what I meant by services not coming up was not other components like KRA and DRM.
I just have the CA subsystem, and even though it was getting spawned we were unable to use it.
Thanks
Kritee
Sent from my iPhone
> On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
>
>> On 10/10/2014 07:14 AM, kritee jhawar wrote:
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to
>> be given the root certificate of the new dogtag.
>>
>> How can we avoid this?
>
> Why do you need to re-provision the services with a new root certificate
> if Dogtag crashes? Why not just restart the Dogtag instance with the
> existing certs? It sounds like you're throwing away the old instance and
> creating a new Dogtag instance needlessly.
>
> Also, I don't understand why your services won't run if Dogtag isn't
> currently running (unless you're using OCSP). Dogtag provisions certs, a
> service using a cert issued by Dogtag doesn't need to communicate with
> Dogtag unless you're using OCSP). As long as your services have been
> provisioned with the certs issued by Dogtag they should run fine (or are
> you issuing very short duration certs that need constant refreshing?)
>
> FWIW, what you describe, re-provisioning of a new CA cert is exactly
> identical to handling an expired CA cert. There was documentation
> written up recently on how to handle expiring CA certs but I don't have
> a pointer to it, sorry. But as I mentioned above I don't think you need to
> replace the certs, you just need to restart the service.
>
> If the instance is crashing then that's a bug that needs fixing. Please
> file a bug report so the problem can get fixed.
>
> Ade can comment on the specific errors you reported.
>
> --
> John