Comments:
1. In pkiparser, you add:
if not len(config.pki_master_dict['pki_security_domain_name']):
    config.pki_master_dict['pki_security_domain_name'] =\
        "External CA Security Domain"
We no longer distinguish security domains like this. The default as
defined by interpolation is fine.
2. I think we can remove the comment:
# always set 'pki_skip_installation' true using a 'string'
in initialization.py
3. In pkijython.py, you do:
elif config.str2bool(self.master['pki_external']) and\
     config.str2bool(self.master['pki_external_step_two']):
    # always remove pki_external DS data from external CA step 1
    data.setRemoveData("true")
This means that we'll set up the database and then blow it away and set
it up again in step 2. Even more troubling, the request for the CA cert
is probably stored in the database during step 1 and is blown away in
step 2.
The better way to do this would be to modify the configuration servlet
to skip database population if we are doing external CA step 2.
4. In pkijython.py, you extract the pin from CS.cfg and overwrite the
existing pin. But perhaps a better thing to do would be to move this
code to pkiparser where the original pin is generated.
Ade
On Tue, 2012-12-04 at 22:31 -0800, Matthew Harmsen wrote:
The attached patch addresses the following PKI issues:
* TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle
external CA
This code has been successfully tested on a slightly earlier version
of the source tree, although the attached patch has been re-based to
the 'master'.
To test this code, the following procedure was followed on an x86_64
machine running 64-bit Fedora 18:
* First, a standard CA was created to be used as an "External
CA" using the following command and file ('# mv typescript
typescript.external' once finished):
* script -c 'pkispawn -s CA -f /tmp/pki/external.cfg -vvv'
# cat external.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[Tomcat]
pki_ajp_port=18009
pki_http_port=18080
pki_https_port=18443
pki_instance_name=pki-external-tomcat
pki_tomcat_server_port=18005
* Next, Step 1 for a CA which depended upon this External CA was
created using the following command and file ('# mv typescript
typescript.step_1' once finished):
* script -c 'pkispawn -s CA -f /tmp/pki/ca_1.cfg -vvv'
# cat ca_1.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_external=True
pki_external_csr_path=/tmp/pki/ca_signing.csr
* Next, the CSR contained in the file '/tmp/pki/ca_signing.csr'
was utilized to create a certificate using the "External CA"
using the following procedure:
* External CA:
EE: Enrollment/Renewal Tab
* Use 'Manual Certificate Manager Signing
Certificate Enrollment'
AGENT: Approve request by pressing 'submit'
EE: Retrieval Tab
* Use 'Check Request Status' to obtain the
base 64 encoded certificate
* Store this blob into the file specified by
the value of 'pki_external_ca_cert_path' in ca_2.cfg
EE: Retrieval Tab
* Use 'Import CA Certificate Chain' and select the radio button
entitled 'Display certificates in the CA certificate chain for
importing individually into a server' to obtain the base 64
encoded certificate chain
* Store this blob into the file specified by
the value of 'pki_external_ca_cert_chain_path' in
ca_2.cfg
* Finally, Step 2 for a CA which depended upon this External CA
was created using the following command and file ('# mv
typescript typescript.step_2' once finished):
* script -c 'pkispawn -s CA -f /tmp/pki/ca_2.cfg -vvv'
# cat ca_2.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_external=True
pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert
pki_external_ca_cert_path=/tmp/pki/ca_signing.cert
pki_external_step_two=True
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
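As an added example (not code from the patch, from Dogtag, or from either poster), the following stdlib-only Python script captures the contract the two-step External CA procedure above relies on: it flattens the [Common]/[Tomcat]/[CA] sections of a pkispawn-style file, derives the security-domain name by interpolation from a default (a hypothetical default table standing in for pkispawn's own), decides whether the config is an ordinary CA, step 1 (emit the CSR) or step 2 (install the externally issued cert and chain), and reports the keys or files that are missing for that step. The DEFAULTS table, str2bool semantics, and the exact rule set are assumptions made here for illustration; the two sample configs are constructed to mirror ca_1.cfg and ca_2.cfg from the test procedure.

```python
"""Added example: sanity-check pkispawn-style configs for the two-step
External CA flow.  Not code from the patch or from Dogtag; the defaults
and the exact rule set are assumptions made here for illustration."""
import configparser
import os

# Hypothetical defaults standing in for pkispawn's own defaults file.  The
# security-domain name is derived by interpolation rather than hard-coded.
DEFAULTS = {
    "pki_instance_name": "pki-tomcat",
    "pki_security_domain_name": "%(pki_instance_name)s Security Domain",
    "pki_external": "False",
    "pki_external_step_two": "False",
    "pki_external_csr_path": "",
    "pki_external_ca_cert_path": "",
    "pki_external_ca_cert_chain_path": "",
}


def str2bool(value):
    """Lenient boolean parsing in the spirit of a config.str2bool helper."""
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def load_config(text):
    """Flatten [Common], [Tomcat] and [CA] into one dict, later sections
    overriding earlier ones, then resolve %(...)s references against it."""
    raw = configparser.ConfigParser(interpolation=None)
    raw.read_string(text)
    merged = configparser.ConfigParser(defaults=DEFAULTS)  # BasicInterpolation
    merged.add_section("deploy")
    for section in ("Common", "Tomcat", "CA"):
        if raw.has_section(section):
            for key, value in raw.items(section):
                merged.set("deploy", key, value)
    return dict(merged.items("deploy"))


def external_ca_step(cfg):
    """0 = ordinary CA, 1 = step one (emit CSR), 2 = step two (install cert)."""
    if not str2bool(cfg.get("pki_external", "False")):
        return 0
    return 2 if str2bool(cfg.get("pki_external_step_two", "False")) else 1


def validate(cfg, exists=os.path.exists):
    """Return a list of problems; an empty list means the config is usable.
    `exists` is injectable so the check can run without touching the disk."""
    problems = []
    step = external_ca_step(cfg)
    if step == 1:
        if not cfg.get("pki_external_csr_path"):
            problems.append("step 1 requires pki_external_csr_path")
    elif step == 2:
        for key in ("pki_external_ca_cert_path",
                    "pki_external_ca_cert_chain_path"):
            path = cfg.get(key, "")
            if not path:
                problems.append(f"step 2 requires {key}")
            elif not exists(path):
                problems.append(f"{key}: {path} does not exist")
    elif str2bool(cfg.get("pki_external_step_two", "False")):
        problems.append("pki_external_step_two=True without pki_external=True")
    return problems


# Constructed inputs mirroring ca_1.cfg and ca_2.cfg from the test procedure.
STEP1_CFG = """\
[Common]
pki_admin_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_external=True
pki_external_csr_path=/tmp/pki/ca_signing.csr
"""

STEP2_CFG = """\
[Common]
pki_admin_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_external=True
pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert
pki_external_ca_cert_path=/tmp/pki/ca_signing.cert
pki_external_step_two=True
"""

if __name__ == "__main__":
    for name, text in (("ca_1.cfg", STEP1_CFG), ("ca_2.cfg", STEP2_CFG)):
        cfg = load_config(text)
        print(name, "step", external_ca_step(cfg), validate(cfg) or "ok")
```

Run stand-alone it reports ca_1.cfg as step 1 and ca_2.cfg as step 2; on a machine where the cert and chain files from the External CA have not yet been saved, the step-2 check names the missing paths before pkispawn is ever invoked.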