[Pki-users] Configure externally acquired private key and certificate
Christina Fu
cfu at redhat.com
Tue Jun 30 17:48:04 UTC 2015
I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 "The user have a chance to import
own CA certificate with private key"
Christina
On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
> Hi Christina,
>
> Thanks for taking time to respond.
> We already have a clone setup using the steps outlined in
> http://man.sourcentral.org/f18/8+pkispawn and the setup works
> perfectly fine with no issues.
>
> My question is related to setting up Dogtag using a private key
> and certificate generated separately via the OpenSSL command (on a
> completely different host from Dogtag).
> For example, if I delete the complete VM instance where Dogtag is
> running and reinstall, I could reuse the private key and certificate
> already generated via the OpenSSL command earlier to set up a new Dogtag
> instance without needing to generate a CSR and get it signed by an
> external CA (e.g. Symantec).
>
> Hope this helps.
>
> Please let me know if you have any questions.
> Thanks,
> Mahendra
>
>
> From: Christina Fu <cfu at redhat.com>
> Date: Tuesday, June 30, 2015 at 11:56 AM
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] Configure externally acquired private key and
> certificate
>
>
> On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
>> Hi Christina,
>>
>> Here’s some detailed information:
>>
>> I'm planning to set up an intermediate CA with DogTag and issue SSL
>> server certs.
>>
>> I'm trying 2 options with the DogTag setup:
>>
>> *Option 1: Installing an externally signed CA*
>> I followed the steps outlined in
>> http://man.sourcentral.org/f18/8+pkispawn and this setup works
>> perfectly fine with no issues.
>> This option involves the following steps:
>>
>> 1. Generate a certificate signing request (CSR) for the signing
>> certificate in DogTag setup phase 1
>> 2. Submit the CSR to the external CA (Ex: Symantec)
>> 3. Obtain the resulting intermediate certificate and certificate chain
>> 4. Continue with DogTag setup phase 2
>>
>> *Option 2: Installing an externally signed CA (One time setup of
>> keys/CSR)*
>>
>> The desired steps are as follows:
>>
>> 1. Generate a certificate signing request (CSR) for the signing
>> certificate using *OpenSSL*
>> 2. Submit the CSR to the external CA (Ex: Symantec)
>> 3. Obtain the resulting intermediate certificate and certificate chain
>> 4. Store private key and certificate obtained in above steps in
>> secured media so that it can be used later
>> 5. Setup DogTag using the private key (generated in step #1) and
>> intermediate CA certificate (acquired in step #3)
>>
>> The desired expectation in option #2 is to perform steps 1-3 below
>> once and then set up DogTag (or recreate the VM) as many times as I need
>> using the private key and certificate obtained earlier. This will save
>> us from regenerating the CSR and getting it signed by the external CA
>> (e.g. Symantec).
>
> If I read it correctly, you want to set up multiple CAs sharing the
> same signing cert/keys? Dogtag supports cloning. Did you look into that?
>
>>
>> Please let me know if you have any questions.
>>
>> Thanks,
>> Mahendra
>>
>>
>> From: "Jain, Mahendra" <majain at verisign.com>
>> Date: Friday, June 26, 2015 at 12:22 PM
>> To: Christina Fu <cfu at redhat.com>, pki-users at redhat.com
>> Subject: Re: [Pki-users] Configure externally acquired private key
>> and certificate
>>
>> Hi Christina,
>>
>> Sorry for the confusion. Let me rephrase the steps below, in case this
>> is supported:
>>
>> 1. Generate private key and CSR for intermediate CA using *openssl*
>> 2. Submit the CSR to external CA (Ex: Symantec) for signing
>> 3. Receive the signed certificate from CA
>> 4. Setup DogTag with the private key (generated in step #1) and
>> intermediate CA certificate (acquired in step #3)
>>
>> I'm hoping this approach allows me to perform steps 1-3 once and then
>> set up DogTag as many times as I need using the existing private key and
>> certificate on any host.
>>
>> Please let me know if you need further clarification.
>>
>> Thanks,
>> Mahendra
>>
>>
>> From: Christina Fu <cfu at redhat.com>
>> Date: Friday, June 26, 2015 at 12:03 PM
>> To: pki-users at redhat.com
>> Subject: Re: [Pki-users] Configure externally acquired private key
>> and certificate
>>
>>
>> On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
>>> Hi,
>>>
>>> I have a DogTag 10.1.2 setup with an externally signed CA (using the
>>> steps outlined in the link below) and the setup works perfectly fine:
>>>
>>> http://man.sourcentral.org/f18/8+pkispawn
>>>
>>> I would like to know if DogTag also supports configuring an externally
>>> acquired private key and certificate.
>>>
>>> In other words, if I generate the private key and CSR using openssl
>>> and submit the CSR to a CA for a certificate: once the CA has issued
>>> the certificate, I would like to set up DogTag using the existing
>>> private key (created using openssl) and certificate.
>>
>> Hi, I'm sorry, I read your question a few times and I'm not certain
>> what you wish to do. What would you like to use this certificate
>> for? For example, is this an SSL server cert, or a CA signing cert,
>> etc.? And do you mean in another new Dogtag instance, or are you talking
>> about replacing a certain system cert of the CA you just set up?
>>>
>>> Thanks,
>>> Mahendra
>>>
>>>
>>
>
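As an added example, not code from this thread or from the Dogtag project, this script covers the OpenSSL side of Mahendra's "Option 2" (steps 1-4): generate the intermediate-CA key and CSR once, check the CSR before it goes out, verify that the certificate the external CA returns actually belongs to the stored key, and bundle key, certificate and chain into a passphrase-protected PKCS#12 for the "secured media" step. The working directory, subject names, passphrase and the self-signed stand-in that plays the external CA are all constructed for this example; step 5, importing the material into Dogtag (the subject of the ticket Christina references), is not shown.

```shell
#!/bin/sh
# Added example (not from the thread or the Dogtag project): the OpenSSL side
# of "Option 2", steps 1-4. WORKDIR, names and passphrase are constructed.
set -eu

WORKDIR="${WORKDIR:-./ca-material}"

# Step 1: private key and CSR for the intermediate CA. The requested
# extensions tell the external CA what is being asked for; the issuing CA
# decides what actually ends up in the certificate.
gen_key_and_csr() {
    mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"
    cat > "$WORKDIR/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Intermediate CA
O = Example Org
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    # umask 077 so the private key file is created owner-readable only
    (umask 077 && openssl genrsa -out "$WORKDIR/ca.key" 3072 2>/dev/null)
    openssl req -new -key "$WORKDIR/ca.key" -config "$WORKDIR/csr.cnf" \
        -out "$WORKDIR/ca.csr"
}

# Check the CSR's self-signature and that the CA constraint is present
# before the request leaves the host.
check_csr() {
    openssl req -in "$WORKDIR/ca.csr" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$WORKDIR/ca.csr" -noout -text | grep -q 'CA:TRUE'
}

# Steps 2-3 stand-in: a constructed self-signed root signs the CSR the way
# the external CA would. Only here so the example runs offline.
simulate_external_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORKDIR/csr.cnf" -subj '/CN=Constructed Test Root' \
        -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$WORKDIR/ca.csr" -CA "$WORKDIR/root.crt" \
        -CAkey "$WORKDIR/root.key" -CAcreateserial -days 365 \
        -extfile "$WORKDIR/csr.cnf" -extensions ca_ext \
        -out "$WORKDIR/ca.crt" 2>/dev/null
}

# The returned certificate must carry the public key of our stored private
# key: compare SHA-256 of the DER SubjectPublicKeyInfo from both sides.
cert_matches_key() {
    k=$(openssl pkey -in "$WORKDIR/ca.key" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Step 4: key + cert + chain in one passphrase-protected PKCS#12, the unit
# that goes to "secured media" and is later handed to a fresh instance.
# $1 = signed cert, $2 = chain file, $3 = file holding the passphrase
bundle_p12() {
    (umask 077 && openssl pkcs12 -export -inkey "$WORKDIR/ca.key" -in "$1" \
        -certfile "$2" -name intermediate-ca -passout "file:$3" \
        -out "$WORKDIR/ca.p12")
}

# Whole flow with the stand-in CA; returns non-zero if any step fails.
run_demo() {
    gen_key_and_csr && check_csr && simulate_external_ca &&
    cert_matches_key "$WORKDIR/ca.crt" &&
    (umask 077 && printf 'constructed-demo-passphrase\n' > "$WORKDIR/p12.pass") &&
    bundle_p12 "$WORKDIR/ca.crt" "$WORKDIR/root.crt" "$WORKDIR/p12.pass" &&
    openssl pkcs12 -in "$WORKDIR/ca.p12" -passin "file:$WORKDIR/p12.pass" -noout
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Run it as `sh ca-material.sh demo` to exercise the whole flow with the stand-in root; in real use, replace `simulate_external_ca` with the actual submission to the external CA and hand the returned certificate and chain to `cert_matches_key` and `bundle_p12`. The key-match check is the step worth keeping whatever the rest looks like: a certificate that does not match the stored key is the classic failure when key material is reused across rebuilt instances, and it is cheaper to catch before the PKCS#12 is written than after the new instance refuses to start.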