[Pki-users] Configure externally acquired private key and certificate

Christina Fu cfu at redhat.com
Tue Jun 30 15:56:38 UTC 2015


On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
> Hi Christina,
>
> Here’s some detailed information:
>
> I’m planning to setup intermediate CA with DogTag and issue SSL server 
> certs.
>
> I’m trying 2 options with DogTag setup:
>
> *Option 1: Installing an externally signed CA*
> I followed the steps outlined in 
> http://man.sourcentral.org/f18/8+pkispawn and this setup works 
> perfectly fine with no issues.
> This option involves following steps:
>
>  1. Generate a certificate signing request (CSR) for the signing
>     certificate in DogTag setup phase 1
>  2. Submit the CSR to the external CA (Ex: Symantec)
>  3. Obtain the resulting intermediate certificate and certificate chain
>  4. Continue with DogTag setup phase 2
>
> *Option 2: Installing an externally signed CA (One time setup of 
> keys/CSR)*
>
> The desired steps are as follows:
>
>  1. Generate a certificate signing request (CSR) for the signing
>     certificate using *OpenSSL*
>  2. Submit the CSR to the external CA (Ex: Symantec)
>  3. Obtain the resulting intermediate certificate and certificate chain
>  4. Store private key and certificate obtained in above steps in
>     secured media so that it can be used later
>  5. Setup DogTag using the private key (generated in step #1) and
>     intermediate CA certificate (acquired in step #3)
>
> The desired expectation in option #2 is to perform steps 1-3 below once 
> and then set up DogTag (or recreate the VM) as many times as I need using 
> the private key and certificate obtained earlier. This will prevent us 
> from regenerating the CSR and getting it signed by the external CA (Ex: Symantec).

If I read it correctly, you want to set up multiple CAs sharing the 
same signing cert/keys? Dogtag supports cloning. Did you look into that?

>
> Please let me know if you have any questions.
>
> Thanks,
> Mahendra
>
>
> From: "Jain, Mahendra" <majain at verisign.com>
> Date: Friday, June 26, 2015 at 12:22 PM
> To: Christina Fu <cfu at redhat.com>, "pki-users at redhat.com" <pki-users at redhat.com>
> Subject: Re: [Pki-users] Configure externally acquired private key and certificate
>
> Hi Christina,
>
> Sorry for the confusion. Let me rephrase the steps below if it is 
> supported:
>
>  1. Generate private key and CSR for intermediate CA using *openssl*
>  2. Submit the CSR to external CA (Ex: Symantec) for signing
>  3. Receive the signed certificate from CA
>  4. Setup DogTag with the private key (generated in step #1) and
>     intermediate CA certificate (acquired in step #3)
>
> I’m hoping this approach allows me to perform steps 1-3 once and then 
> set up DogTag as many times as I need using the existing private key and 
> certificate on any host.
>
> Please let me know if you need further clarification.
>
> Thanks,
> Mahendra
>
>
> From: Christina Fu <cfu at redhat.com>
> Date: Friday, June 26, 2015 at 12:03 PM
> To: "pki-users at redhat.com" <pki-users at redhat.com>
> Subject: Re: [Pki-users] Configure externally acquired private key and certificate
>
>
> On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
>> Hi,
>>
>> I’ve a DogTag 10.1.2 setup with an externally signed CA (using the steps 
>> outlined in the link below) and the setup works perfectly fine:
>>
>> http://man.sourcentral.org/f18/8+pkispawn
>>
>> I would like to know if DogTag also supports configuring externally 
>> acquired private key and certificate.
>>
>> In other words, if I generate the private key and CSR using openssl 
>> and submit the CSR to a CA for a certificate, then once the CA has issued 
>> the certificate, I would like to set up DogTag using the existing private 
>> key (created using openssl) and certificate.
>
> Hi, I'm sorry, I read your questions a few times and I'm not certain 
> what you wish to do. What would you like to use this certificate 
> for? For example, is this an SSL server cert, or a CA signing cert, 
> etc.? And do you mean in another new Dogtag instance, or are you talking 
> about replacing a certain system cert of the CA you just set up?
>>
>> Thanks,
>> Mahendra
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>

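Steps 1 to 3 of Mahendra's "option 2" carried out with openssl, followed by the checks worth running on the returned certificate before the key and certificate are stored and reused on another host. This is an added example, not code from the thread or from Dogtag: the "external CA" is a locally generated self-signed root standing in for Symantec, the subject names and the export password are constructed, and the closing PKCS#12 bundle is only the form NSS-based tooling such as pk12util can import; nothing here describes how pkispawn itself consumes such a bundle.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): generate an intermediate CA
# key and CSR with openssl, have a stand-in "external CA" sign it, verify what
# came back, and bundle key + cert + chain for reuse on other hosts.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory; everything stays local
KEY="$WORK/intermediate.key"
CSR="$WORK/intermediate.csr"
CERT="$WORK/intermediate.pem"
ROOT="$WORK/root.pem"

# Step 1: private key and CSR for the intermediate CA (subject is constructed).
gen_intermediate_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -subj "/O=Example Corp/CN=Example Intermediate CA" -out "$CSR"
}

# Stand-in for the external CA (constructed self-signed root). In a real
# deployment the CSR is submitted to the CA and the signed cert plus chain come back.
make_stand_in_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null
}

# Steps 2-3: the root signs the CSR as a CA certificate limited to issuing
# end-entity certs (pathlen:0), which is all an SSL-server-issuing CA needs.
sign_as_intermediate() {
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > "$WORK/ca.ext"
    openssl x509 -req -in "$CSR" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 365 -extfile "$WORK/ca.ext" -out "$CERT" 2>/dev/null
}

# Check 1: the returned certificate carries the public key of the stored private
# key. Comparing the PEM public keys works for any key algorithm, not only RSA.
key_matches_cert() {
    [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CERT" -pubkey -noout)" ]
}

# Check 2: the certificate chains to the root we expect to trust.
chain_verifies() {
    openssl verify -CAfile "$ROOT" "$CERT" >/dev/null 2>&1
}

# Check 3: it really is a CA certificate; an end-entity cert is useless as a signing cert.
is_ca_cert() {
    openssl x509 -in "$CERT" -noout -text | grep -q 'CA:TRUE'
}

# Step 4 (storage): bundle key, cert and chain as PKCS#12 so NSS-based tooling
# (e.g. pk12util) can import it on each new host. $1 is the export password.
bundle_pkcs12() {
    openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -certfile "$ROOT" \
        -name "caSigningCert" -passout "pass:$1" -out "$WORK/intermediate.p12"
    chmod 600 "$WORK/intermediate.p12"
}

# Run the whole flow; returns 0 only when every check passes.
run_all() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping"; return 0; }
    gen_intermediate_csr
    make_stand_in_root
    sign_as_intermediate
    if key_matches_cert && chain_verifies && is_ca_cert; then
        bundle_pkcs12 "${1:-changeit}"
        echo "key/cert/chain verified and bundled in $WORK/intermediate.p12"
    else
        echo "returned certificate failed verification" >&2
        return 1
    fi
}

run_all "$@"
```

The three checks are the ones that catch the common failures when a key and certificate are kept apart from the system that uses them: a certificate that does not match the stored key, a chain that does not reach the intended root, and a certificate issued without CA extensions. The PKCS#12 file holds the private key, so it belongs on the "secured media" Mahendra mentions, with the export password stored separately.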