[Pki-users] Intermediate CA

Carlos Barrabes cbarrabes at systemonenoc.com
Thu Jul 7 14:14:39 UTC 2016


Hello,

it turns out that something was wrong with my test environment because I 
was receiving random errors when launching the instance and everything 
has been working great after moving to a new, clean virtual machine. 
Also, your response pointed me to look at the config file and I realized 
there was no default admin certificate path defined so I added the 
following line:

     pki_client_admin_cert = /tmp/ca_admin.cert

However, regardless of the path I define there it always gets saved to 
the default /root/.dogtag/intca/ca_admin.cert so I'm not sure I'm 
using the option properly. It's not a big deal, but I think it's worth 
mentioning anyway.

Other than that everything has been working great so far so thanks again 
for pointing me in the right direction.

Regards!


On 07/01/2016 04:47 AM, Endi Sukma Dewata wrote:
> On 6/29/2016 5:10 AM, Carlos Barrabes wrote:
>> Hello,
>>
>> I'm trying to create an intermediate CA so I can issue certificates with
>> a trust path pointing to our RootCA but I'm facing some issues while
>> following the documentation in the project's site.
>>
>> Once I'm done with step two, you import the external and ca-signing
>> certificates into a user's NSS db and then the wiki says you have to
>> import the CA admin certificate and key but the problem is there is no
>> such thing after starting the instance via custom config file or I
>> simply cannot find them.
>>
>> Any suggestions?
>>
>> Thanks for your time!
>>
>> I am running Dogtag 10.2.6-12 on a Fedora 22 server machine and the
>> procedure I'm following is this one:
>> http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate 
>>
>
> Hi,
>
> At the end of the PKI server installation the admin certificate and 
> key will be stored in a PKCS #12 file and the location should be 
> displayed in the final installation message. Usually it is stored in 
> this location:
>
>   /root/.dogtag/pki-tomcat/ca_admin_cert.p12
>
> But that could change depending on your deployment configuration that 
> you supplied to pkispawn.
>
> After the PKI server installation you can set up the PKI client to 
> manage CA services. First initialize the client:
>
> $ pki -c Secret123 client-init
>
> Then import the root CA certificate:
>
> $ pki -c Secret123 client-cert-import "Root CA Certificate" --ca-cert root-ca.crt
>
> Then import the PKI CA certificate:
>
> $ pki -c Secret123 client-cert-import "PKI CA Certificate" --ca-cert ca_signing.crt
>
> Then import the CA admin certificate & key:
>
> $ pki -c Secret123 client-cert-import caadmin --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> Then you should be able to access CA services as the admin, for example:
>
> $ pki -c Secret123 -n caadmin ca-user-find
>
> Just let me know if you have any questions.
>
