[Pki-users] Can OpenSSL be used as external CA?

Christina Fu cfu at redhat.com
Tue Oct 28 19:52:59 UTC 2014


The cert chain you provide in the file specified under
pki_external_ca_cert_chain_path
should be just PKCS#7 without header/footer.

I don't know why it would not talk to the DS (did you turn on SSL for
the DS?).
Not sure if you build your Dogtag from the master; if you do, I'd
suggest you get the most updated so you get fixes from the tickets I
provided previously, which would address at least two issues relating to
external CA.

Christina

On 10/27/2014 07:55 PM, kritee jhawar wrote:
> Hi Christina
>
> I was undertaking this activity last month where Microsoft CA didn't 
> work out but Dogtag as external CA did.
>
> While using Microsoft CA or OpenSSL CA, pkispawn goes through
> without any error but Dogtag stops communications to 389ds. Upon
> calling the REST API /ca/rest/certs I get a "PKIException error
> listing the certs".
>
> Is there a particular format for the CA cert chain that we need to
> provide? I was trying to reverse engineer the chain provided by Dogtag.
>
> Thanks
> Kritee
>
>
>
> On Monday, 27 October 2014, Christina Fu <cfu at redhat.com> wrote:
>
>     If you meant the following two:
>     https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding
>     not preserved at issuance with signing cert signed by an external CA
>     https://fedorahosted.org/pki/ticket/1110 - pkispawn
>     (configuration) does not provide CA extensions in subordinate
>     certificate signing requests (CSR)
>
>     They have just recently been fixed upstream so I imagine you could
>     use Microsoft CA now.  Theoretically any other CA can be used as
>     an external CA, but if you run into issues, please feel free to
>     report.
>
>     Christina
>
>
>     On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>     Hi
>>
>>     In my recent thread I read that there is a bug due to which
>>     Microsoft CA can't work as external CA for Dogtag.
>>     Can OpenSSL be used?
>>
>>     Thanks
>>     Kritee
>>
>>
>
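
A pre-flight check for the file named by pki_external_ca_cert_chain_path, added here as an example and not part of the original thread or of Dogtag: it drops PEM header/footer lines and confirms that what remains is base64 of a PKCS#7 SignedData structure, so a PEM certificate bundle is caught before pkispawn runs. The function names and the sample chain are constructed for illustration.

```python
import base64

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.7.2, PKCS#7 signedData.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

# Constructed sample: a certificate-less SignedData, PEM-armored with the
# PKCS7 label. A real chain carries its certificates in the [0] field.
SAMPLE_DER = bytes.fromhex(
    "3027" "06092a864886f70d010702" "a01a" "3018" "020101" "3100"
    "300b06092a864886f70d010701" "a000" "a100" "3100")
SAMPLE_PEM = ("-----BEGIN PKCS7-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PKCS7-----\n")


def der_header(buf, pos=0):
    """Return (tag, content_offset, content_length) of the DER element at pos."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < pos + 2 + n:
        raise ValueError("unsupported DER length")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def to_bare_pkcs7(text):
    """Drop PEM header/footer lines; return the base64 body if it is PKCS#7 SignedData."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        raise ValueError("body is not valid base64") from exc
    tag, off, length = der_header(der)
    if tag != 0x30 or off + length != len(der):
        raise ValueError("not exactly one DER SEQUENCE (a PEM cert bundle?)")
    if not der.startswith(SIGNED_DATA_OID, off):
        raise ValueError("content type is not PKCS#7 signedData")
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    print(to_bare_pkcs7(SAMPLE_PEM), end="")
```

The existing line wrapping of the base64 body is kept as found; only the armor lines and blank lines are removed.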
