[Pki-users] [HELP NEEDED] External CA configuration for Dogtag

kritee jhawar kriteejhawar at gmail.com
Fri Oct 17 17:12:27 UTC 2014


Thanks a lot

All this while I was using a Microsoft external CA.

Another doubt I had:
Do we have a way where we can just provide a public/private key pair in a
particular location and dogtag will always use that as root cert?
Something like providing a static root certificate?

Regards
Kritee

On Thursday, 16 October 2014, Ade Lee <alee at redhat.com> wrote:

> On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> > Thanks for the response
> >
> > I got the setup to work with external CA just yesterday. This time I
> > used a dogtag as the external CA rather than OpenSSL and Microsoft.
> >
> OK, I suspected that the cert being used as the external CA cert was the
> problem.  As I recall, there is a current bug being fixed to address
> issues with Microsoft issued CA certs.  If you can use a dogtag cert as
> your external CA, then you'll avoid any issues.
>
> > I'll have multiple instances of dogtag in my deployment. Ideally I want
> > all of them to come up with this root certificate. Is there some location
> > I can place a public/private key pair which dogtag uses to come up?
> >
> I don't understand what you are trying to do here.  You have created
> several dogtag CA's that are subordinate to the external CA.  They are
> CA's in their own right, with their own signing certificates.  Why do
> they need access to the root CA?
>
> If you want several CA's with exactly the same signing cert, then you
> want clones.
>
> > Also what I meant by services not coming up was not other components
> > like KRA and DRM.
> > I just have the CA subsystem and even though it was getting spawned we
> > were unable to use it.
> >
> > Thanks
> > Kritee
> >
> > Sent from my iPhone
> >
> > > On 16-Oct-2014, at 00:44, John Dennis <jdennis at redhat.com> wrote:
> > >
> > >> On 10/10/2014 07:14 AM, kritee jhawar wrote:
> > >> Dogtag is the private CA for multiple services in a cluster. Trust is
> > >> established by providing the root certificate of dogtag to all the
> > >> services. What happens if dogtag crashes? All the services will have
> > >> to be given the root certificate of the new dogtag.
> > >>
> > >> How can we avoid this?
> > >
> > > Why do you need to re-provision the services with a new root
> > > certificate if Dogtag crashes? Why not just restart the Dogtag instance
> > > with the existing certs? It sounds like you're throwing away the old
> > > instance and creating a new Dogtag instance needlessly.
> > >
> > > Also, I don't understand why your services won't run if Dogtag isn't
> > > currently running (unless you're using OCSP). Dogtag provisions certs;
> > > a service using a cert issued by Dogtag doesn't need to communicate with
> > > Dogtag (unless you're using OCSP). As long as your services have been
> > > provisioned with the certs issued by Dogtag they should run fine (or
> > > are you issuing very short duration certs that need constant refreshing?)
> > >
> > > FWIW, what you describe, re-provisioning of a new CA cert, is exactly
> > > identical to handling an expired CA cert. There was documentation
> > > written up recently on how to handle expiring CA certs but I don't have
> > > a pointer to it, sorry. But as I mentioned above I don't think you need
> > > to replace the certs, you just need to restart the service.
> > >
> > > If the instance is crashing then that's a bug that needs fixing. Please
> > > file a bug report so the problem can get fixed.
> > >
> > > Ade can comment on the specific errors you reported.
> > >
> > > --
> > > John
>
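John Dennis's point above, that a service holding a Dogtag-issued certificate needs nothing from the CA at run time unless revocation checking (OCSP/CRL) is in play, and his related point that rebuilding the CA with a fresh key is what actually breaks trust, can both be shown with a small offline validation. The following is an added example, not code from this thread or from Dogtag itself: it uses the Python `cryptography` library to build a throwaway root, issue one service certificate, and then validate that certificate using only the stored root. The CA names, the hostname and the `verify_offline` helper are constructed for illustration.

```python
# Added example (not from the pki-users thread or Dogtag): offline validation
# of a service certificate against a stored root CA certificate, using the
# "cryptography" library. Names, hostnames and verify_offline are constructed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _now():
    # Naive UTC, matching what cert.not_valid_before / not_valid_after return.
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _naive_utc(dt):
    # Newer library versions hand back aware datetimes; normalise both forms.
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def utc_in_days(n):
    """Point in time n days from now, for 'what if we check later' scenarios."""
    return _now() + timedelta(days=n)


def make_root_ca(common_name):
    """Self-signed root: the one artefact every service is given a copy of."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_service_cert(ca_key, ca_cert, hostname, days=90):
    """The only step that needs the CA: signing the service cert at provisioning."""
    svc_key = ec.generate_private_key(ec.SECP256R1())
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(svc_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return svc_key, cert


def verify_offline(leaf, root, at=None):
    """Validate leaf against a stored root. No network, no running CA.

    Returns (ok, reason). Revocation (CRL/OCSP) is deliberately not checked;
    that is the one step that would require the CA to be reachable.
    """
    at = _naive_utc(at) if at else _now()
    bc = root.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not bc.ca:
        return False, "root is not marked as a CA"
    if leaf.issuer != root.subject:
        return False, "issuer name does not match root subject"
    try:
        root.public_key().verify(
            leaf.signature,
            leaf.tbs_certificate_bytes,
            ec.ECDSA(leaf.signature_hash_algorithm),
        )
    except InvalidSignature:
        # Same CA name but a different key: exactly what a rebuilt CA looks like.
        return False, "signature not made by this root's key"
    if not (_naive_utc(leaf.not_valid_before) <= at <= _naive_utc(leaf.not_valid_after)):
        return False, "outside validity period"
    return True, "ok"


# Constructed demo PKI: one root, one service cert, and a second root with the
# same name that stands in for a CA recreated with a fresh key after a crash.
ROOT_KEY, ROOT_CERT = make_root_ca("Demo Cluster Root CA")
_, SERVICE_CERT = issue_service_cert(ROOT_KEY, ROOT_CERT, "svc1.cluster.example")
_, REBUILT_ROOT_CERT = make_root_ca("Demo Cluster Root CA")

if __name__ == "__main__":
    print("stored root :", verify_offline(SERVICE_CERT, ROOT_CERT))
    print("rebuilt root:", verify_offline(SERVICE_CERT, REBUILT_ROOT_CERT))
    print("after expiry:", verify_offline(SERVICE_CERT, ROOT_CERT, at=utc_in_days(91)))
```

The first check succeeds with the CA process entirely absent, which is the behaviour a service sees when a Dogtag instance is restarted with its existing certificates. The second fails even though the rebuilt root carries the same name, because trust is anchored in the key, not the name; that is the re-provisioning problem Kritee describes and the reason to keep (or clone) the existing signing key rather than create a new CA. The third shows the other legitimate reason to go back to the CA: short-lived certificates that need renewal.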