[Pki-users] [HELP NEEDED] External CA configuration for Dogtag

Ade Lee alee at redhat.com
Thu Oct 16 14:05:02 UTC 2014


On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> Thanks for the response 
> 
> I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft. 
> 
OK, I suspected that the cert being used as the external CA cert was the
problem.  As I recall, there is a current bug being fixed to address
issues with Microsoft issued CA certs.  If you can use a dogtag cert as
your external CA, then you'll avoid any issues.

> I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with this root certificate. Is there some location I can place a public private key pair which dogtag uses to come up?
> 
I don't understand what you are trying to do here.  You have created
several dogtag CAs that are subordinate to the external CA.  They are
CAs in their own right, with their own signing certificates.  Why do
they need access to the root CA?

If you want several CAs with exactly the same signing cert, then you
want clones.
 
> Also what I meant by services not coming up was not other components like KRA and DRM.
> I just have the CA subsystem and even though it was getting spawned we were unable to use it.
> 
> Thanks 
> Kritee
> 
> Sent from my iPhone
> 
> > On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
> > 
> >> On 10/10/2014 07:14 AM, kritee jhawar wrote:
> >> Dogtag is the private CA for multiple services in a cluster. Trust is
> >> established by providing the root certificate of dogtag to all the
> >> services. What happens if dogtag crashes? All the services will have to
> >> be given the root certificate of the new dogtag.
> >> 
> >> How can we avoid this?
> > 
> > Why do you need to re-provision the services with a new root certificate
> > if Dogtag crashes? Why not just restart the Dogtag instance with the
> > existing certs? It sounds like you're throwing away the old instance and
> > creating a new Dogtag instance needlessly.
> > 
> > Also, I don't understand why your services won't run if Dogtag isn't
> > currently running (unless you're using OCSP). Dogtag provisions certs; a
> > service using a cert issued by Dogtag doesn't need to communicate with
> > Dogtag unless you're using OCSP. As long as your services have been
> > provisioned with the certs issued by Dogtag they should run fine (or are
> > you issuing very short duration certs that need constant refreshing?)
> > 
> > FWIW, what you describe, re-provisioning of a new CA cert, is exactly
> > identical to handling an expired CA cert. There was documentation
> > written up recently on how to handle expiring CA certs but I don't have
> > a pointer to it, sorry. But as I mentioned above I don't think you need to
> > replace the certs, you just need to restart the service.
> > 
> > If the instance is crashing then that's a bug that needs fixing. Please
> > file a bug report so the problem can get fixed.
> > 
> > Ade can comment on the specific errors you reported.
> > 
> > -- 
> > John
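The trust layout discussed in this thread (one external root, several independent subordinate CAs under it, and services that verify issued certs with only the root and no CA process running), as an added OpenSSL shell example that is not part of the thread or of Dogtag; all certificate names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: one self-signed root (the "external CA")
# with two independent subordinate CAs under it, each issuing its own leaf.
# A relying service holding only root.crt verifies either leaf offline, with no
# CA process running; and one subordinate's cert cannot complete the other's
# chain, since they are distinct CAs. All names here are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: subordinates must be marked CA:TRUE to act as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext

# issue <issuer> <name> <CN> <extfile>: new key + CSR for <name>, signed by <issuer>.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$4" -out "$2.crt" 2>/dev/null
}

# verify_leaf <leaf> <intermediate>: what a service does at connection time,
# trusting only root.crt and using the intermediate the peer presents. No
# network and no running CA are involved; exit status 0 means the chain is valid.
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
}

# Self-signed root; 'openssl req -x509' marks it CA:TRUE via the default config.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Example Root CA' \
  -keyout root.key -out root.crt 2>/dev/null

issue root sub1  'Dogtag Sub CA 1'       ca.ext
issue root sub2  'Dogtag Sub CA 2'       ca.ext
issue sub1 leaf1 'service1.example.test' leaf.ext
issue sub2 leaf2 'service2.example.test' leaf.ext

# Both leaves chain to the single root; sub1 does not vouch for sub2's leaf.
chains_to_root() { verify_leaf leaf1 sub1 && verify_leaf leaf2 sub2; }
subs_are_distinct() { ! verify_leaf leaf2 sub1; }

chains_to_root    && echo "leaf1 and leaf2 both verify with only root.crt trusted"
subs_are_distinct && echo "sub1 cannot complete leaf2's chain: separate CAs"
```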
