The attached patch addresses the following PKI issues:
* TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle external CA
This code has been successfully tested on a slightly earlier version of
the source tree, although the attached patch has been re-based to the
'master'.
To test this code, the following procedure was followed on an x86_64
machine running 64-bit Fedora 18:
* First, a standard CA was created to be used as an "External CA" using the following command and file ('# mv typescript typescript.external' once finished):
o script -c 'pkispawn -s CA -f /tmp/pki/external.cfg -vvv'
# cat external.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[Tomcat]
pki_ajp_port=18009
pki_http_port=18080
pki_https_port=18443
pki_instance_name=pki-external-tomcat
pki_tomcat_server_port=18005
* Next, Step 1 for a CA which depended upon this External CA was created using the following command and file ('# mv typescript typescript.step_1' once finished):
o script -c 'pkispawn -s CA -f /tmp/pki/ca_1.cfg -vvv'
# cat ca_1.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_external=True
pki_external_csr_path=/tmp/pki/ca_signing.csr
* Next, the CSR contained in the file '/tmp/pki/ca_signing.csr' was utilized to create a certificate using the "External CA" using the following procedure:
o External CA:
EE: Enrollment/Renewal Tab
* Use 'Manual Certificate Manager Signing Certificate Enrollment'
AGENT: Approve request by pressing 'submit'
EE: Retrieval Tab
* Use 'Check Request Status' to obtain the base 64 encoded certificate
* Store this blob into the file specified by the value of 'pki_external_ca_cert_path' in ca_2.cfg
EE: Retrieval Tab
* Use 'Import CA Certificate Chain' and select the radio button entitled 'Display certificates in the CA certificate chain for importing individually into a server' to obtain the base 64 encoded certificate chain
* Store this blob into the file specified by the value of 'pki_external_ca_cert_chain_path' in ca_2.cfg
* Finally, Step 2 for a CA which depended upon this External CA was created using the following command and file ('# mv typescript typescript.step_2' once finished):
o script -c 'pkispawn -s CA -f /tmp/pki/ca_2.cfg -vvv'
# cat ca_2.cfg
[Common]
pki_admin_password=<password>
pki_backup_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_security_domain_password=<password>
[CA]
pki_external=True
pki_external_ca_cert_chain_path=/tmp/pki/ca_signing_chain.cert
pki_external_ca_cert_path=/tmp/pki/ca_signing.cert
pki_external_step_two=True
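The two-step procedure above hands a CSR to an external party and later feeds the returned certificate and chain back into pkispawn, so a mix-up (certificate issued for a different request, wrong chain pasted from the EE page) is only discovered when step 2 fails or, worse, when the new CA cannot chain to its issuer. The Go program below is an added example, not part of the attached patch or of the Dogtag code base: it reproduces the three roles in miniature with constructed keys (a stand-in "External CA", a step-1 CSR, and the signing step) and then runs the consistency checks a practitioner would want before running step 2 against the files named in ca_2.cfg. All function names are hypothetical; the real artifacts would be read from 'pki_external_csr_path', 'pki_external_ca_cert_path' and 'pki_external_ca_cert_chain_path' instead of being generated in memory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts on construction errors; the constructed keys and certificates
// below stand in for the files pkispawn and the External CA would produce.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// caTemplate describes a CA certificate with the usages a signing CA needs.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func pemBlock(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

func decodePEM(p []byte) ([]byte, error) {
	b, _ := pem.Decode(p)
	if b == nil {
		return nil, errors.New("input is not PEM")
	}
	return b.Bytes, nil
}

// NewExternalCA builds a constructed self-signed root (the "External CA" role).
func NewExternalCA() ([]byte, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := caTemplate("Constructed External CA", 1)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	return pemBlock("CERTIFICATE", der), key
}

// StepOneCSR mimics pkispawn step 1: a fresh CA signing key and its CSR.
func StepOneCSR() ([]byte, *ecdsa.PrivateKey) {
	key := newKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "CA Signing Certificate"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	must(err)
	return pemBlock("CERTIFICATE REQUEST", der), key
}

// ExternalSign mimics the External CA approving the request and issuing a CA certificate.
func ExternalSign(csrPEM, caPEM []byte, caKey *ecdsa.PrivateKey) []byte {
	csrDER, err := decodePEM(csrPEM)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	caDER, err := decodePEM(caPEM)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	der, err := x509.CreateCertificate(rand.Reader, caTemplate(csr.Subject.CommonName, 2), ca, csr.PublicKey, caKey)
	must(err)
	return pemBlock("CERTIFICATE", der)
}

// CheckStepTwoInputs validates the step-2 inputs: the certificate must carry the
// public key from the step-1 CSR, be usable as a CA, and verify against the chain.
func CheckStepTwoInputs(csrPEM, certPEM, chainPEM []byte) error {
	csrDER, err := decodePEM(csrPEM)
	if err != nil {
		return err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature: %w", err)
	}
	certDER, err := decodePEM(certPEM)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(csr.PublicKey) {
		return errors.New("certificate public key does not match the step-1 CSR")
	}
	if !cert.IsCA || !cert.BasicConstraintsValid || cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("certificate is not usable as a CA signing certificate")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(chainPEM) {
		return errors.New("chain file contains no certificates")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification: %w", err)
	}
	return nil
}

func main() {
	caPEM, caKey := NewExternalCA()
	csrPEM, _ := StepOneCSR()
	certPEM := ExternalSign(csrPEM, caPEM, caKey)
	fmt.Println("step-2 inputs consistent:", CheckStepTwoInputs(csrPEM, certPEM, caPEM) == nil)
}
```

The public-key comparison is the check that catches the most common mistake in this workflow, pasting the wrong certificate blob from the 'Check Request Status' page; the chain verification catches a chain file that belongs to a different CA than the one that actually signed the request.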