[Pki-users] Pki-users Digest, Vol 110, Issue 1

Rafael Leiva-Ochoa spawn at rloteck.net
Thu Jun 1 21:35:36 UTC 2017


Thanks for the update, Christina. Where does the Dogtag CA store its
certificate for https://<dogtag_ca_url>:8443/? I checked the
/etc/ssl/certs/ directory, but I found nothing.

Thanks again Christina

Rafael

On Thu, Jun 1, 2017 at 9:00 AM, <pki-users-request at redhat.com> wrote:

> Send Pki-users mailing list submissions to
>         pki-users at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.redhat.com/mailman/listinfo/pki-users
> or, via email, send a message with subject or body 'help' to
>         pki-users-request at redhat.com
>
> You can reach the person managing the list at
>         pki-users-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pki-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Dogtag Cert Lauch Page Renewal (Christina Fu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 31 May 2017 14:31:31 -0700
> From: Christina Fu <cfu at redhat.com>
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] Dogtag Cert Lauch Page Renewal
> Message-ID: <034773bd-3756-73df-8c77-7dd1ebe93082 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
> Hi Rafael,
>
> I think the following should work for you in theory (Note: I have not
> tried it myself).
>
> If you mean the web server cert, by default it uses the caServerCert
> profile.  So to add SAN you would want to add Subject Alt Name Default
> and possibly constraint to that profile. You can look up how other
> default profiles.
>
> Here is an example policy you could add:
>
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.9.constraint.name=No Constraint
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer.example.com
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
> Make sure you add the set id "9" (if unique..you can change it to
> another unique id) to
>
> policyset.serverCertSet.list=
>
> It is important that you add that to the profile before you proceed with
> the renewal instruction (under the assumption that you wish to reuse
> keys), because the instruction I am about to give you will use the same
> profile that the original cert was issued through.  Restart the CA after
> the above config change.
>
> About renewal, if you want to reuse the same keys of the original web
> server certificate, you could try going to the ee page
> Enrollment/Renewal tab.  Where you would find on the last link of the
> page to be
>
> Renewal: Renew certificate to be manually approved by agents.
>
> Enter the current (to be replaced) server cert serial number and
> submit.  Have the CA agent approve the request.  Download and update
> your server cert, restart the intended web server.
>
> If you don't want to reuse keys, then simply enroll through the Manual
> Server Certificate Enrollment, which uses the profile that you just
> modified, but will expect a whole new csr to be the input (rekey).
> Incidentally, if you happen to have the original CSR (hence preserving
> the same keys), you would end up having the same keys with the new
> update profile (with SAN) as well, which would effectively give you the
> same result.
>
> Let us know if that works for you.
>
> Christina
>
>
> On 05/30/2017 06:29 PM, Rafael Leiva-Ochoa wrote:
> > Any takers?
> >
> > Rafael
> >
> > On Sat, May 27, 2017 at 10:29 PM, Rafael Leiva-Ochoa
> > <spawn at rloteck.net <mailto:spawn at rloteck.net>> wrote:
> >
> >     Hi Everyone,
> >
> >          I was looking through the Dogtag CA documentation, and I
> >     was not able to find the process for renewing the Dogtag Web page
> >     certificate. I wanted to update the cert since all browsers now
> >     require a SAN on the cert. Any help would be great.
> >
> >     Thanks,
> >
> >     Rafael
> >
> >
> >
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://www.redhat.com/archives/pki-users/
> attachments/20170531/7a1c9f30/attachment.html>
>
> ------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
> End of Pki-users Digest, Vol 110, Issue 1
> *****************************************
>
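The profile edit Christina describes has two easy-to-miss failure points: the new policy set id must actually be appended to `policyset.serverCertSet.list` (otherwise the CA ignores the SAN default and the renewed cert still has no SAN), and the numbered `subjAltExt*_N` parameters must agree with `subjAltNameNumGNs`. The following checker is an added example written for this thread, not Dogtag's own code or tooling. It assumes the profile is a flat `key=value` file laid out like the lines quoted above; the sample profile text, the placeholder hostname and the contents of policy set 1 are constructed for the example.

```python
"""Sanity-check a Dogtag profile edit that adds a Subject Alternative Name
default to a caServerCert-style profile (added example, not Dogtag code).

Checks performed:
  * every policyset.<set>.<id>.* entry has its <id> in policyset.<set>.list
  * every id in the list has at least one entry defined
  * for a subjectAltNameExtDefaultImpl default, subjAltNameNumGNs matches the
    numbered subjAltExtGNEnable_N / subjAltExtPattern_N / subjAltExtType_N
    params, and each general name is enabled
"""
import re
from collections import defaultdict

# policyset.<set>.<numeric id>.<rest>  (policyset.<set>.list does not match)
SET_RE = re.compile(r"^policyset\.(?P<set>\w+)\.(?P<id>\d+)\.(?P<rest>.+)$")

SAN_PARAMS = ("subjAltExtGNEnable", "subjAltExtPattern", "subjAltExtType")


def parse_properties(text):
    """Parse Java-properties style key=value lines into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_san_default(pid, entries):
    """Validate the numbered SAN params of one policy set; return problems."""
    problems = []
    try:
        num = int(entries.get("default.params.subjAltNameNumGNs", "0"))
    except ValueError:
        return [f"set {pid}: subjAltNameNumGNs is not an integer"]
    if num < 1:
        problems.append(f"set {pid}: subjAltNameNumGNs must be at least 1")
    for i in range(num):
        for param in SAN_PARAMS:
            key = f"default.params.{param}_{i}"
            if key not in entries:
                problems.append(f"set {pid}: missing {key}")
        enable = entries.get(f"default.params.subjAltExtGNEnable_{i}")
        if enable is not None and enable.lower() != "true":
            problems.append(f"set {pid}: general name {i} is disabled")
    return problems


def check_profile(props, policyset="serverCertSet"):
    """Return a list of problems; an empty list means the edit looks sound."""
    problems = []
    list_key = f"policyset.{policyset}.list"
    listed = {x.strip() for x in props.get(list_key, "").split(",") if x.strip()}

    # Group every policyset.<policyset>.<id>.<rest> key by id.
    sets = defaultdict(dict)
    for key, value in props.items():
        m = SET_RE.match(key)
        if m and m.group("set") == policyset:
            sets[m.group("id")][m.group("rest")] = value

    for pid, entries in sorted(sets.items(), key=lambda kv: int(kv[0])):
        if pid not in listed:
            problems.append(f"policy set {pid} is defined but missing from {list_key}")
        if entries.get("default.class_id") == "subjectAltNameExtDefaultImpl":
            problems.extend(check_san_default(pid, entries))
    for pid in sorted(listed - set(sets), key=int):
        problems.append(f"policy set {pid} is listed in {list_key} but never defined")
    return problems


# Constructed sample profile: the SAN policy set from the thread plus a minimal
# set 1. A real caServerCert profile has more sets; the hostname is a placeholder.
GOOD_PROFILE = """
policyset.list=serverCertSet
policyset.serverCertSet.list=1,9
policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer.example.com
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

# The classic mistake: set 9 is defined but the list line was not updated.
BAD_PROFILE = GOOD_PROFILE.replace(
    "policyset.serverCertSet.list=1,9", "policyset.serverCertSet.list=1")

if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        found = check_profile(parse_properties(text))
        print(f"{name}: {'OK' if not found else found}")
```

Run it against the real profile file before restarting the CA; if the list line was forgotten, the renewal will silently go through the old policy and the browser SAN warning will remain.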