The attached patch addresses the following PKI issue:
* TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle
subordinate CA
The following tests were performed on this code where:
* *cadeployment.cfg --> pki-tomcat (standard CA deployment
configuration file with passwords)*
* *subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA
deployment configuration file with passwords)*
* *sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex"
Subordinate Subordinate CA deployment configuration file with
passwords)*
# diff cadeployment.cfg subcadeployment.cfg
109c109
< pki_ajp_port=8009
---
> pki_ajp_port=18009
119,121c119,121
< pki_http_port=8080
< pki_https_port=8443
< pki_instance_name=pki-tomcat
---
> pki_http_port=18080
> pki_https_port=18443
> pki_instance_name=pki-sub-tomcat
125c125
< pki_tomcat_server_port=8005
---
> pki_tomcat_server_port=18005
162c162
< pki_subordinate=False
---
> pki_subordinate=True
# diff subcadeployment.cfg sub-subcadeployment.cfg
60c60
< pki_issuing_ca=
---
> pki_issuing_ca=https://server.example.com:18443
109c109
< pki_ajp_port=18009
---
> pki_ajp_port=28009
119,121c119,121
< pki_http_port=18080
< pki_https_port=18443
< pki_instance_name=pki-sub-tomcat
---
> pki_http_port=28080
> pki_https_port=28443
> pki_instance_name=pki-sub-sub-tomcat
125c125
< pki_tomcat_server_port=18005
---
> pki_tomcat_server_port=28005
148c148
< pki_ca_signing_subject_dn=
---
> pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain
pki-tomcat:
# cd /var/lib/pki/pki-tomcat/alias
# certutil -d . -L
Certificate Nickname                                         Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-tomcat CA CTu,Cu,Cu
Server-Cert cert-pki-tomcat u,u,u
auditSigningCert cert-pki-tomcat CA u,u,Pu
ocspSigningCert cert-pki-tomcat CA u,u,u
subsystemCert cert-pki-tomcat CA u,u,u
# certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Subsystem
Certificate,O=example.com Security Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA OCSP Signing
Certificate,O=example.com Security
Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=CA Audit Signing
Certificate,O=example.com Security
Domain"
. . .
Serial number Status Subject name
0x1 valid
CN=CA Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x2 valid
CN=CA OCSP Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x3 valid
CN=server.example.com,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x4 valid
CN=CA Subsystem
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x5 valid
CN=CA Audit Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x6 valid
CN=CA Administrator of Instance
pki-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security
Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x7 valid
CN=SubCA Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x8 valid
CN=SubCA Subsystem
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0x9 valid
CN=SubCA Subsystem
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
0xa valid
UID=test CA
<
https://dogtag18.usersys.redhat.com:8443/ca/agent/ca/displayBySerial?op=d...
pki-sub-tomcat:
# cd /var/lib/pki/pki-sub-tomcat/alias
# certutil -d . -L
Certificate Nickname                                         Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain         CT,c,
caSigningCert cert-pki-sub-tomcat CA CTu,Cu,Cu
ocspSigningCert cert-pki-sub-tomcat CA u,u,u
auditSigningCert cert-pki-sub-tomcat CA u,u,Pu
Server-Cert cert-pki-sub-tomcat u,u,u
subsystemCert cert-pki-sub-tomcat CA u,u,u
# certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Signing
Certificate,O=example.com Security Domain"
. . .
# certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Subsystem
Certificate,O=example.com Security
Domain"
. . .
# certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing
Certificate,O=example.com
Security Domain"
. . .
# certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Audit Signing
Certificate,O=example.com
Security Domain"
. . .
Serial number Status Subject name
0x1 valid
CN=SubCA OCSP Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...
0x2 valid
CN=server.example.com,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...
0x3 valid
CN=SubCA Audit Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...
0x4 valid
CN=CA Administrator of Instance
pki-sub-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com
Security Domain
<
https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...
0x5 valid
CN=Sub-SubCA Subsystem
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...
0x6 valid
UID=test SUBCA
<
https://dogtag18.usersys.redhat.com:18443/ca/agent/ca/displayBySerial?op=...
pki-sub-sub-tomcat:
# cd /var/lib/pki/pki-sub-sub-tomcat/alias
# certutil -d . -L
Certificate Nickname                                         Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain         CT,c,
SubCA Signing Certificate - example.com Security Domain      c,c,
caSigningCert cert-pki-sub-sub-tomcat CA CTu,Cu,Cu
Server-Cert cert-pki-sub-sub-tomcat u,u,u
subsystemCert cert-pki-sub-sub-tomcat CA u,u,u
ocspSigningCert cert-pki-sub-sub-tomcat CA u,u,u
auditSigningCert cert-pki-sub-sub-tomcat CA u,u,Pu
# certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security Domain"
. . .
Subject: "CN=SubCA Subsystem
Certificate,O=example.com Security
Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing
Certificate,O=example.com
Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
Subject: "CN=SubCA Audit Signing
Certificate,O=example.com
Security Domain"
. . .
Serial number Status Subject name
0x1 valid
CN=SubCA OCSP Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...
0x2 valid
CN=server.example.com,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...
0x3 valid
CN=SubCA Audit Signing
Certificate,O=example.com Security Domain
<
https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...
0x4 valid
CN=CA Administrator of Instance
pki-sub-sub-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com
Security Domain
<
https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...
0x5 valid
UID=test SUB-SUBCA
<
https://dogtag18.usersys.redhat.com:28443/ca/agent/ca/displayBySerial?op=...