The attached patch addresses the following PKI issue:

TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle subordinate CA

The following tests were performed on this code where:

cadeployment.cfg --> pki-tomcat (standard CA deployment configuration file with passwords)
subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA deployment configuration file with passwords)
sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex" Subordinate Subordinate CA deployment configuration file with passwords)

# diff cadeployment.cfg subcadeployment.cfg109c109< pki_ajp_port=8009---> pki_ajp_port=18009119,121c119,121< pki_http_port=8080< pki_https_port=8443< pki_instance_name=pki-tomcat---> pki_http_port=18080> pki_https_port=18443> pki_instance_name=pki-sub-tomcat125c125< pki_tomcat_server_port=8005---> pki_tomcat_server_port=18005162c162< pki_subordinate=False---> pki_subordinate=True# diff subcadeployment.cfg sub-subcadeployment.cfg60c60< pki_issuing_ca=---> pki_issuing_ca=https://server.example.com:18443109c109< pki_ajp_port=18009---> pki_ajp_port=28009119,121c119,121< pki_http_port=18080< pki_https_port=18443< pki_instance_name=pki-sub-tomcat---> pki_http_port=28080> pki_https_port=28443> pki_instance_name=pki-sub-sub-tomcat125c125< pki_tomcat_server_port=18005---> pki_tomcat_server_port=28005148c148< pki_ca_signing_subject_dn=---> pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domainpki-tomcat:# cd /var/lib/pki/pki-tomcat/alias# certutil -d . -LCertificate Nickname                                         Trust Attributes                                                             SSL,S/MIME,JAR/XPIcaSigningCert cert-pki-tomcat CA                             CTu,Cu,CuServer-Cert cert-pki-tomcat                                  u,u,uauditSigningCert cert-pki-tomcat CA                          u,u,PuocspSigningCert cert-pki-tomcat CA                           u,u,usubsystemCert cert-pki-tomcat CA                             u,u,u# certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA Signing Certificate,O=example.com Security Domain" . . .# certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA Subsystem Certificate,O=example.com Security Domain" . . .# certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=server.example.com,O=example.com Security Domain" . . .# certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA OCSP Signing Certificate,O=example.com Security Domain" . . .# certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=CA Audit Signing Certificate,O=example.com Security Domain" . . .

Serial number Status Subject name

0x1 valid
CN=CA Signing Certificate,O=example.com Security Domain

0x2 valid
CN=CA OCSP Signing Certificate,O=example.com Security Domain

0x3 valid
CN=server.example.com,O=example.com Security Domain

0x4 valid
CN=CA Subsystem Certificate,O=example.com Security Domain

0x5 valid
CN=CA Audit Signing Certificate,O=example.com Security Domain

0x6 valid
CN=CA Administrator of Instance pki-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain

0x7 valid
CN=SubCA Signing Certificate,O=example.com Security Domain

0x8 valid
CN=SubCA Subsystem Certificate,O=example.com Security Domain

0x9 valid
CN=SubCA Subsystem Certificate,O=example.com Security Domain

0xa valid
UID=test CA

pki-sub-tomcat:# cd /var/lib/pki/pki-sub-tomcat/alias# certutil -d . -LCertificate Nickname                                         Trust Attributes                                                             SSL,S/MIME,JAR/XPICA Signing Certificate - example.com Security Domain         CT,c,caSigningCert cert-pki-sub-tomcat CA                         CTu,Cu,CuocspSigningCert cert-pki-sub-tomcat CA                       u,u,uauditSigningCert cert-pki-sub-tomcat CA                      u,u,PuServer-Cert cert-pki-sub-tomcat                              u,u,usubsystemCert cert-pki-sub-tomcat CA                         u,u,u# certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . .# certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain" . . .# certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=server.example.com,O=example.com Security Domain" . . .# certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain" . . .# certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain" . . .

Serial number Status Subject name

0x1 valid
CN=SubCA OCSP Signing Certificate,O=example.com Security Domain

0x2 valid
CN=server.example.com,O=example.com Security Domain

0x3 valid
CN=SubCA Audit Signing Certificate,O=example.com Security Domain

0x4 valid
CN=CA Administrator of Instance pki-sub-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain

0x5 valid
CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain

0x6 valid
UID=test SUBCA

pki-sub-sub-tomcat:# cd /var/lib/pki/pki-sub-sub-tomcat/alias# certutil -d . -LCertificate Nickname                                         Trust Attributes                                                             SSL,S/MIME,JAR/XPICA Signing Certificate - example.com Security Domain         CT,c,SubCA Signing Certificate - example.com Security Domain      c,c,caSigningCert cert-pki-sub-sub-tomcat CA                     CTu,Cu,CuServer-Cert cert-pki-sub-sub-tomcat                          u,u,usubsystemCert cert-pki-sub-sub-tomcat CA                     u,u,uocspSigningCert cert-pki-sub-sub-tomcat CA                   u,u,uauditSigningCert cert-pki-sub-sub-tomcat CA                  u,u,Pu# certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=SubCA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . .# certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=CA Signing Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Subsystem Certificate,O=example.com Security Domain" . . .# certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" | more . . . Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . Subject: "CN=server.example.com,O=example.com Security Domain" . . .# certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA OCSP Signing Certificate,O=example.com Security Domain" . . .# certutil -d . -L -n "auditSigningCert cert-pki-sub-sub-tomcat CA" | more . . . Issuer: "CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain" . . . Subject: "CN=SubCA Audit Signing Certificate,O=example.com Security Domain" . . .

Serial number Status Subject name

0x1 valid
CN=SubCA OCSP Signing Certificate,O=example.com Security Domain

0x2 valid
CN=server.example.com,O=example.com Security Domain

0x3 valid
CN=SubCA Audit Signing Certificate,O=example.com Security Domain

0x4 valid
CN=CA Administrator of Instance pki-sub-sub-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain

0x5 valid
UID=test SUB-SUBCA

Serial number	Status	Subject name
0x1	valid	CN=CA Signing Certificate,O=example.com Security Domain
0x2	valid	CN=CA OCSP Signing Certificate,O=example.com Security Domain
0x3	valid	CN=server.example.com,O=example.com Security Domain
0x4	valid	CN=CA Subsystem Certificate,O=example.com Security Domain
0x5	valid	CN=CA Audit Signing Certificate,O=example.com Security Domain
0x6	valid	CN=CA Administrator of Instance pki-tomcat,UID=caadmin,E=caadmin@example.com,O=example.com Security Domain
0x7	valid	CN=SubCA Signing Certificate,O=example.com Security Domain
0x8	valid	CN=SubCA Subsystem Certificate,O=example.com Security Domain
0x9	valid	CN=SubCA Subsystem Certificate,O=example.com Security Domain
0xa	valid	UID=test CA