[Pki-users] Intermediate CA

Endi Sukma Dewata edewata at redhat.com
Fri Jul 1 02:47:09 UTC 2016


On 6/29/2016 5:10 AM, Carlos Barrabes wrote:
> Hello,
>
> I'm trying to create an intermediate CA so I can issue certificates with
> a trust path pointing to our RootCA but I'm facing some issues while
> following the documentation in the project's site.
>
> Once I'm done with step two, you import the external and ca-signing
> certificates into a users NSS db and then the wiki says you have to
> import the CA admin certificate and key but the problem is there is no
> such thing after starting the instance via custom config file or I
> simply cannot find them.
>
> Any suggestions?
>
> Thanks for your time!
>
> I am running Dogtag 10.2.6-12 on a Fedora 22 server machine and the
> procedure I'm following is this one:
> http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate

Hi,

At the end of the PKI server installation the admin certificate and key 
will be stored in a PKCS #12 file and the location should be displayed 
in the final installation message. Usually it is stored in this location:

   /root/.dogtag/pki-tomcat/ca_admin_cert.p12

But that could change depending on your deployment configuration that 
you supplied to pkispawn.

After the PKI server installation you can set up the PKI client to 
manage CA services. First initialize the client:

$ pki -c Secret123 client-init

Then import the root CA certificate:

$ pki -c Secret123 client-cert-import "Root CA Certificate" --ca-cert root-ca.crt

Then import the PKI CA certificate:

$ pki -c Secret123 client-cert-import "PKI CA Certificate" --ca-cert ca_signing.crt

Then import the CA admin certificate & key:

$ pki -c Secret123 client-cert-import caadmin \
    --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

Then you should be able to access CA services as the admin, for example:

$ pki -c Secret123 -n caadmin ca-user-find

Just let me know if you have any questions.

-- 
Endi S. Dewata
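A pre-import check for the trust path discussed in this thread, added here as an example and not part of the original reply: before marking root-ca.crt and ca_signing.crt as trusted with client-cert-import, confirm that the intermediate actually chains to the root. It assumes the openssl CLI is available; the file names mirror the reply above and are assumptions about your deployment.

```shell
#!/bin/sh
# Added example (not from the original thread): check that the intermediate
# CA certificate really chains to the root before importing both into the
# client NSS database with "pki client-cert-import --ca-cert". Assumes the
# openssl CLI; file names mirror the reply and are assumptions.

# verify_chain ROOT_CERT INTERMEDIATE_CERT
# Returns 0 when INTERMEDIATE_CERT was issued by ROOT_CERT and ROOT_CERT is
# usable as a trust anchor, non-zero otherwise. Output is suppressed so it
# can guard a script: verify_chain root-ca.crt ca_signing.crt || exit 1
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample_pki DIR
# Constructed test data, generated locally: a self-signed root, an
# intermediate signed by that root, and an unrelated self-signed root that
# must NOT validate the intermediate. Keys are throwaway and unencrypted.
make_sample_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
        -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample PKI CA" \
        -keyout "$dir/ca_signing.key" -out "$dir/ca_signing.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/ca_signing.csr" \
        -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
        -out "$dir/ca_signing.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root CA" \
        -keyout "$dir/other-root.key" -out "$dir/other-root.crt" >/dev/null 2>&1
}

# demo: build the sample PKI in a temp dir and run the check both ways.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_pki "$tmp" || return 1
    if verify_chain "$tmp/root-ca.crt" "$tmp/ca_signing.crt"; then
        echo "OK: ca_signing.crt chains to root-ca.crt"
    fi
    if ! verify_chain "$tmp/other-root.crt" "$tmp/ca_signing.crt"; then
        echo "Rejected: ca_signing.crt does not chain to other-root.crt"
    fi
    rm -rf "$tmp"
}

# Run the demo only when asked, so sourcing the file just defines functions.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "sh verify_chain.sh demo" to see both outcomes on the constructed sample, or source it and call verify_chain on your real root-ca.crt and ca_signing.crt.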
