[Pki-users] Configure externally acquired private key and certificate

Christina Fu cfu at redhat.com
Tue Jun 30 17:48:04 UTC 2015


I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 "The user has a chance to import
their own CA certificate with private key"

Christina

On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
> Hi Christina,
>
> Thanks for taking time to respond.
> We already have clone setup using steps outlined in 
> http://man.sourcentral.org/f18/8+pkispawn and the setup works 
> perfectly fine with no issues.
>
> My question is related to setting up Dogtag using a private key 
> and certificate generated separately via an OpenSSL command (on a 
> completely different host from Dogtag).
> For example, if I delete the complete VM instance where Dogtag is 
> running and reinstall, I could reuse the private key and certificate 
> already generated via the OpenSSL command earlier to set up the new Dogtag 
> instance without having to generate a CSR and get it signed by an 
> external CA (e.g. Symantec).
>
> Hope this helps.
>
> Please let me know if you have any questions.
> Thanks,
> Mahendra
>
>
> From: Christina Fu <cfu at redhat.com>
> Date: Tuesday, June 30, 2015 at 11:56 AM
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] Configure externally acquired private key and certificate
>
>
> On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
>> Hi Christina,
>>
>> Here’s some detailed information:
>>
>> I’m planning to set up an intermediate CA with DogTag and issue SSL 
>> server certs.
>>
>> I’m trying 2 options with DogTag setup:
>>
>> *Option 1: Installing an externally signed CA*
>> I followed the steps outlined in 
>> http://man.sourcentral.org/f18/8+pkispawn and this setup works 
>> perfectly fine with no issues.
>> This option involves following steps:
>>
>>  1. Generate a certificate signing request (CSR) for the signing
>>     certificate in DogTag setup phase 1
>>  2. Submit the CSR to the external CA (Ex: Symantec)
>>  3. Obtain the resulting intermediate certificate and certificate chain
>>  4. Continue with DogTag setup phase 2
>>
>> *Option 2: Installing an externally signed CA (One time setup of 
>> keys/CSR)*
>>
>> The desired steps are as follows:
>>
>>  1. Generate a certificate signing request (CSR) for the signing
>>     certificate using *OpenSSL*
>>  2. Submit the CSR to the external CA (Ex: Symantec)
>>  3. Obtain the resulting intermediate certificate and certificate chain
>>  4. Store private key and certificate obtained in above steps in
>>     secured media so that it can be used later
>>  5. Setup DogTag using the private key (generated in step #1) and
>>     intermediate CA certificate (acquired in step #3)
>>
>> The desired expectation in option #2 is to perform steps 1-3 above 
>> once and then set up DogTag (or recreate the VM) as many times as I need 
>> using the private key and certificate obtained earlier. This will save 
>> us from regenerating the CSR and getting it signed by the external CA (e.g. 
>> Symantec).
>
> If I read it correctly, you want to set up multiple CAs sharing the 
> same signing cert/keys?  Dogtag supports cloning.  Did you look into that?
>
>>
>> Please let me know if you have any questions.
>>
>> Thanks,
>> Mahendra
>>
>>
>> From: "Jain, Mahendra" <majain at verisign.com>
>> Date: Friday, June 26, 2015 at 12:22 PM
>> To: Christina Fu <cfu at redhat.com>, pki-users at redhat.com
>> Subject: Re: [Pki-users] Configure externally acquired private key and certificate
>>
>> Hi Christina,
>>
>> Sorry for the confusion. Let me rephrase the steps below, in case this is 
>> supported:
>>
>>  1. Generate private key and CSR for intermediate CA using *openssl*
>>  2. Submit the CSR to external CA (Ex: Symantec) for signing
>>  3. Receive the signed certificate from CA
>>  4. Setup DogTag with the private key (generated in step #1) and
>>     intermediate CA certificate (acquired in step #3)
>>
>> I’m hoping this approach allows me to perform steps 1-3 once and then 
>> set up DogTag as many times as I need using the existing private key and 
>> certificate on any host.
>>
>> Please let me know if you need further clarification.
>>
>> Thanks,
>> Mahendra
>>
>>
>> From: Christina Fu <cfu at redhat.com>
>> Date: Friday, June 26, 2015 at 12:03 PM
>> To: pki-users at redhat.com
>> Subject: Re: [Pki-users] Configure externally acquired private key and certificate
>>
>>
>> On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
>>> Hi,
>>>
>>> I have a DogTag 10.1.2 setup with an externally signed CA (using the steps 
>>> outlined in the link below) and the setup works perfectly fine:
>>>
>>> http://man.sourcentral.org/f18/8+pkispawn
>>>
>>> I would like to know if DogTag also supports configuring externally 
>>> acquired private key and certificate.
>>>
>>> In other words, if I generate the private key and CSR using openssl 
>>> and submit the CSR to a CA for a certificate.
>>> Once the CA has issued the certificate, I would like to set up DogTag 
>>> using the existing private key (created using openssl) and certificate.
>>
>> Hi, I'm sorry, I read your questions a few times and I'm not certain 
>> what you wish to do.  What would you like to use this certificate 
>> for?  For example, is this an SSL server cert, or a CA signing cert? 
>> etc.  And do you mean in another new Dogtag instance, or are you talking 
>> about replacing a certain system cert of the CA you just set up?
>>>
>>> Thanks,
>>> Mahendra
>>>
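As an added example (not code from this thread, and not Dogtag's own tooling): the OpenSSL side of Option 2, steps 1-3, followed by the two checks worth running before a rebuilt host is pointed at a saved key/certificate pair, namely that the key and certificate still carry the same public key and that the certificate still chains to the root and is marked as a CA. Because the external CA cannot be reached offline, a locally generated self-signed root stands in for it here. The `WORKDIR` variable, the file names and the subject DNs are constructed for the example; the Dogtag import step itself is what ticket 456 tracks and is not shown.

```shell
#!/bin/sh
# Added example, not code from the pki-users thread or from Dogtag itself.
# Option 2, steps 1-3, done with OpenSSL, followed by the checks a practitioner
# runs before pointing a rebuilt instance at a saved key/certificate pair.
# Assumes an `openssl` binary (1.1.1 or later). WORKDIR, the file names and the
# subject DNs are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# One config file: the CSR's DN and extensions (ca_ext) plus the extension
# section the stand-in root uses for its own self-signed certificate (root_ext).
write_config() {
    cat > "$WORKDIR/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ca_ext
prompt             = no

[ dn ]
CN = Example Intermediate CA
O  = Example Org

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ root_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: private key (created under umask 077 in a subshell, so mode 0600)
# and a CSR that asks for the CA extensions an intermediate needs.
gen_ca_key_and_csr() {
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORKDIR/ca.key" 2>/dev/null)
    openssl req -new -key "$WORKDIR/ca.key" -config "$WORKDIR/csr.cnf" \
        -out "$WORKDIR/ca.csr"
}

# Steps 2-3: in production the CSR goes to the external CA and the signed
# intermediate certificate plus chain come back. Offline, a self-signed root
# generated here stands in for that CA so the example runs end to end.
sign_with_stand_in_root() {
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORKDIR/root.key" 2>/dev/null)
    openssl req -x509 -new -key "$WORKDIR/root.key" -config "$WORKDIR/csr.cnf" \
        -subj "/CN=Stand-in Root CA/O=Example Org" -extensions root_ext \
        -days 3650 -out "$WORKDIR/root.crt"
    openssl x509 -req -in "$WORKDIR/ca.csr" -CA "$WORKDIR/root.crt" \
        -CAkey "$WORKDIR/root.key" -CAcreateserial -days 1825 \
        -extfile "$WORKDIR/csr.cnf" -extensions ca_ext \
        -out "$WORKDIR/ca.crt" 2>/dev/null
    cat "$WORKDIR/ca.crt" "$WORKDIR/root.crt" > "$WORKDIR/chain.pem"
}

# Before reuse: the saved key and certificate must carry the same public key.
# Compares SHA-256 over the DER-encoded SubjectPublicKeyInfo of each side.
key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    crt_fp=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$crt_fp" ]
}

# Before reuse: the certificate still chains to the root and is marked as a CA.
cert_is_ca_and_chains() {
    openssl verify -CAfile "$WORKDIR/root.crt" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

write_config
gen_ca_key_and_csr
sign_with_stand_in_root
key_matches_cert "$WORKDIR/ca.key" "$WORKDIR/ca.crt"
cert_is_ca_and_chains "$WORKDIR/ca.crt"
echo "key, certificate and chain written to $WORKDIR; checks passed"
```

The key never leaves the host that generated it except by deliberate copy to the secured media Option 2 mentions; the umask in the subshell keeps the file 0600 from creation rather than tightening it afterwards. `key_matches_cert` is the check that catches the common rebuild mistake of restoring a certificate next to the wrong key file, which otherwise only surfaces when the instance fails to sign.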
