Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from a PKCS #12 file into PEM files.
The pki pkcs12-import command has been modified to take a list of
nicknames of the certificates to be imported into the NSS database.
https://fedorahosted.org/pki/ticket/1742
Note:
This patch depends on patch #690 and #691.
This patch completes the fix of this ticket as described in the
following page except for the third-party certificate handling (see
discussion below):
http://pki.fedoraproject.org/wiki/Exporting_System_Certificates
To test this patch, install a CA with an externally signed CA certificate:
http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_...
Then clone the CA:
http://pki.fedoraproject.org/wiki/Installing_CA_Clone
Verify that the certificates on the master and replica are identical
including their nicknames.
To handle the proxy certificate for IPA, we can either implement the
cs.thirdparty.cert properties as described in the above page, but IPA
would have to add the properties during the installation. IPA would also
have to add the properties to all existing installations. Then IPA needs
to call pki-server ca-clone-prepare to export the certificates for
cloning. If the properties exist, the command will need to export the
third-party certificates into the PKCS #12 file along with other CA
certs. Then IPA will need to add the same properties into the clone.
Or, IPA can manage the proxy certificate itself. Since IPA has
already added the proxy cert into master, IPA can also add the proxy
cert into the PKCS #12 file generated by pki-server ca-clone-prepare
using this command:
pki -d /var/lib/pki/pki-tomcat/alias -C nssdb-password.txt \
pkcs12-cert-add "subsystemCert cert-pki-tomcat" \
--pkcs12 pki-server.p12 \
--pkcs12-password-file password.txt
With the second option there are no further changes required in PKI.
--
Endi S. Dewata
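The workaround the message describes (pull each CA certificate out of the PKCS #12 file as a PEM file, keep its nickname, and import it into the NSS database under that nickname) reduces to operations on the PKCS #12 friendlyName attribute. The script below is an added example and is not code from the original post or from Dogtag PKI: it uses openssl(1) and certutil(1) as stand-ins for pki pkcs12-cert-export and pki pkcs12-import. The PKCS #12 file, the nicknames "caSigningCert cert-pki-ca" / "subsystemCert cert-pki-tomcat" and the password are constructed for the demo; it assumes openssl is installed and runs the NSS import only when certutil is present.

```shell
#!/bin/sh
# Added example, not code from the original post or from Dogtag PKI.
# Reproduces the nickname-preserving workaround with openssl(1) and
# certutil(1) in place of "pki pkcs12-cert-export" / "pki pkcs12-import":
# each CA certificate is pulled out of the PKCS #12 file as its own PEM
# file together with its friendlyName (the NSS nickname) and then
# imported into an NSS database under that exact nickname.
# Certificates, nicknames and password are constructed for the demo.
# Assumes openssl is installed; certutil is used only if present.
set -eu

# Build a constructed PKCS #12 file: a CA cert plus a subsystem cert/key
# signed by it, with Dogtag-style nicknames stored as friendlyName.
make_demo_p12() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Secret.123\n' > "$dir/password.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=EXAMPLE/CN=CA Signing Certificate" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/subsystem.key" -out "$dir/subsystem.csr" \
        -subj "/O=EXAMPLE/CN=Subsystem Certificate" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/subsystem.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/subsystem.crt" 2>/dev/null
    openssl pkcs12 -export \
        -inkey "$dir/subsystem.key" -in "$dir/subsystem.crt" \
        -name "subsystemCert cert-pki-tomcat" \
        -certfile "$dir/ca.crt" -caname "caSigningCert cert-pki-ca" \
        -passout "file:$dir/password.txt" -out "$dir/pki-server.p12"
}

# Export every CA certificate (cert bags without a key) into
# <outdir>/<sanitized nick>.pem and record "<file>\t<nickname>" in
# <outdir>/nicknames.tsv, so a nickname with spaces survives intact.
export_ca_certs() {
    p12="$1"; pwfile="$2"; outdir="$3"
    mkdir -p "$outdir"
    : > "$outdir/nicknames.tsv"
    openssl pkcs12 -in "$p12" -passin "file:$pwfile" -nokeys -cacerts 2>/dev/null |
    awk -v outdir="$outdir" '
        BEGIN { nick = "unnamed"; mf = outdir "/nicknames.tsv" }
        /^ *friendlyName:/ { sub(/^ *friendlyName: */, ""); nick = $0; next }
        /^-----BEGIN CERTIFICATE-----/ {
            fname = nick; gsub(/[^A-Za-z0-9._-]/, "_", fname)
            out = outdir "/" fname ".pem"; incert = 1
            print (out "\t" nick) > mf
        }
        incert { print > out }
        /^-----END CERTIFICATE-----/ { incert = 0; close(out); nick = "unnamed" }
        END { close(mf) }
    '
}

# Import the exported CA certs into an NSS database under their original
# nicknames, the way the modified pki pkcs12-import hands them to certutil.
import_ca_certs() {
    nssdb="$1"; pemdir="$2"
    mkdir -p "$nssdb"
    [ -f "$nssdb/cert9.db" ] || [ -f "$nssdb/cert8.db" ] || \
        certutil -N -d "$nssdb" --empty-password
    tab=$(printf '\t')
    while IFS="$tab" read -r file nick; do
        certutil -A -d "$nssdb" -n "$nick" -t "CT,C,C" -i "$file"
    done < "$pemdir/nicknames.tsv"
}

DEMO_DIR=$(mktemp -d)
make_demo_p12 "$DEMO_DIR"
export_ca_certs "$DEMO_DIR/pki-server.p12" "$DEMO_DIR/password.txt" "$DEMO_DIR/pem"
cat "$DEMO_DIR/pem/nicknames.tsv"
if command -v certutil >/dev/null 2>&1; then
    import_ca_certs "$DEMO_DIR/nssdb" "$DEMO_DIR/pem"
    certutil -L -d "$DEMO_DIR/nssdb"   # lists "caSigningCert cert-pki-ca"
fi
```

Only the CA bag ends up in the PEM directory: the subsystem certificate is paired with its key, so "-cacerts" skips it, which mirrors the message's split between CA certificates (handled via PEM) and user certificates (left to JSS). Check the master and the clone with certutil -L afterwards; the nicknames must match exactly, spaces included.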