The attached patch addresses the following PKI issue:
* TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle
subordinate CA
The following tests were performed on this code, using three deployment configuration files (each containing passwords):
* cadeployment.cfg --> pki-tomcat (standard CA deployment
configuration file with passwords)
* subcadeployment.cfg --> pki-sub-tomcat (simple Subordinate CA
deployment configuration file with passwords)
* sub-subcadeployment.cfg --> pki-sub-sub-tomcat ("complex"
second-level Subordinate CA — a Subordinate CA whose issuer is
itself a Subordinate CA — deployment configuration file with
passwords)
# diff cadeployment.cfg subcadeployment.cfg
109c109
< pki_ajp_port=8009
---
> pki_ajp_port=18009
119,121c119,121
< pki_http_port=8080
< pki_https_port=8443
< pki_instance_name=pki-tomcat
---
> pki_http_port=18080
> pki_https_port=18443
> pki_instance_name=pki-sub-tomcat
125c125
< pki_tomcat_server_port=8005
---
> pki_tomcat_server_port=18005
162c162
< pki_subordinate=False
---
> pki_subordinate=True
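Review bot: `pki_subordinate=True` is turned on here while `pki_issuing_ca=` is left empty for this instance (the second diff shows pki-sub-tomcat's value as the unchanged old side), so the parent CA is resolved implicitly rather than by an explicit URL. Presumably the deployment falls back to the security domain's CA, but that default and its trust implications (which server certificate is accepted when the subordinate submits its signing CSR) are not visible in the diff. Suggest documenting the fallback next to the key, e.g. `# pki_issuing_ca: URL of the parent CA; when empty the security domain CA is used`, and testing at least one subordinate with the URL set explicitly, as the sub-sub case does.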
# diff subcadeployment.cfg sub-subcadeployment.cfg
60c60
< pki_issuing_ca=
---
> pki_issuing_ca=https://server.example.com:18443
109c109
< pki_ajp_port=18009
---
> pki_ajp_port=28009
119,121c119,121
< pki_http_port=18080
< pki_https_port=18443
< pki_instance_name=pki-sub-tomcat
---
> pki_http_port=28080
> pki_https_port=28443
> pki_instance_name=pki-sub-sub-tomcat
125c125
< pki_tomcat_server_port=18005
---
> pki_tomcat_server_port=28005
148c148
< pki_ca_signing_subject_dn=
---
> pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem
Certificate,O=example.com Security Domain
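Review bot: `pki_ca_signing_subject_dn=CN=Sub-SubCA Subsystem Certificate,O=example.com Security Domain` gives the sub-sub CA's signing certificate a DN that names it a "Subsystem Certificate", and the pki-sub-sub-tomcat certutil output later in this message confirms the caSigningCert carries exactly that subject. The same output shows the instance's OCSP and audit signing certificates with subjects `CN=SubCA OCSP Signing Certificate` and `CN=SubCA Audit Signing Certificate` — the DNs the parent pki-sub-tomcat already uses for its own OCSP and audit certificates — and its subsystemCert with the parent's `CN=SubCA Subsystem Certificate` subject issued by the root; the root's serial list likewise shows two certificates (0x8, 0x9) with that one subject. Distinct CAs issuing certificates with identical subject DNs inside one security domain make issuer/subject chain building and NSS nickname lookups ambiguous and blur audit attribution. Whether the duplicates come from the deployment tool's per-instance defaults or from the test configuration cannot be told from the changed lines alone; either way the default DNs should be derived per instance (e.g. `pki_ca_signing_subject_dn=CN=Sub-SubCA Signing Certificate,O=example.com Security Domain` and matching `Sub-SubCA` OCSP/Audit/Subsystem DNs), or the test configuration should set them explicitly and the expected subjects should be checked in the test.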
pki-tomcat:
# cd /var/lib/pki/pki-tomcat/alias
# certutil -d . -L
Certificate Nickname
Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-tomcat CA
CTu,Cu,Cu
Server-Cert cert-pki-tomcat
u,u,u
auditSigningCert cert-pki-tomcat CA
u,u,Pu
ocspSigningCert cert-pki-tomcat CA
u,u,u
subsystemCert cert-pki-tomcat CA
u,u,u
# certutil -d . -L -n "caSigningCert cert-pki-tomcat CA" |
more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-tomcat CA" |
more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=CA Subsystem
Certificate,O=example.com Security
Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-tomcat" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security
Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-tomcat CA" |
more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=CA OCSP Signing
Certificate,O=example.com
Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert cert-pki-tomcat CA" |
more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=CA Audit Signing
Certificate,O=example.com
Security Domain"
. . .
Serial number
Status
Subject name
0x1
valid
CN=CA Signing
Certificate,O=example.com Security Domain
0x2
valid
CN=CA OCSP Signing
Certificate,O=example.com Security Domain
0x3
valid
CN=server.example.com,O=example.com Security Domain
0x4
valid
CN=CA Subsystem
Certificate,O=example.com Security Domain
0x5
valid
CN=CA Audit Signing
Certificate,O=example.com Security Domain
0x6
valid
CN=CA Administrator
of Instance
pki-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security Domain
0x7
valid
CN=SubCA Signing
Certificate,O=example.com Security Domain
0x8
valid
CN=SubCA Subsystem
Certificate,O=example.com Security Domain
0x9
valid
CN=SubCA Subsystem
Certificate,O=example.com Security Domain
0xa
valid
UID=test CA
pki-sub-tomcat:
# cd /var/lib/pki/pki-sub-tomcat/alias
# certutil -d . -L
Certificate Nickname
Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate -
example.com Security Domain
CT,c,
caSigningCert cert-pki-sub-tomcat CA
CTu,Cu,Cu
ocspSigningCert cert-pki-sub-tomcat CA
u,u,u
auditSigningCert cert-pki-sub-tomcat CA
u,u,Pu
Server-Cert cert-pki-sub-tomcat
u,u,u
subsystemCert cert-pki-sub-tomcat CA
u,u,u
# certutil -d. -L -n "caSigningCert cert-pki-sub-tomcat CA" |
more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=SubCA Signing
Certificate,O=example.com
Security Domain"
. . .
# certutil -d. -L -n "subsystemCert cert-pki-sub-tomcat CA" |
more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
# certutil -d. -L -n "Server-Cert cert-pki-sub-tomcat" | more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security
Domain"
. . .
# certutil -d. -L -n "ocspSigningCert cert-pki-sub-tomcat CA"
| more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=SubCA OCSP Signing
Certificate,O=example.com
Security Domain"
. . .
# certutil -d. -L -n "auditSigningCert cert-pki-sub-tomcat CA"
| more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=SubCA Audit Signing
Certificate,O=example.com
Security Domain"
. . .
Serial number
Status
Subject name
0x1
valid
CN=SubCA OCSP
Signing
Certificate,O=example.com Security Domain
0x2
valid
CN=server.example.com,O=example.com Security Domain
0x3
valid
CN=SubCA Audit
Signing
Certificate,O=example.com Security Domain
0x4
valid
CN=CA Administrator
of Instance
pki-sub-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security Domain
0x5
valid
CN=Sub-SubCA
Subsystem
Certificate,O=example.com Security Domain
0x6
valid
UID=test SUBCA
pki-sub-sub-tomcat:
# cd /var/lib/pki/pki-sub-sub-tomcat/alias
# certutil -d . -L
Certificate Nickname
Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate -
example.com Security Domain
CT,c,
SubCA Signing Certificate -
example.com Security Domain
c,c,
caSigningCert cert-pki-sub-sub-tomcat CA
CTu,Cu,Cu
Server-Cert cert-pki-sub-sub-tomcat
u,u,u
subsystemCert cert-pki-sub-sub-tomcat CA
u,u,u
ocspSigningCert cert-pki-sub-sub-tomcat CA
u,u,u
auditSigningCert cert-pki-sub-sub-tomcat CA
u,u,Pu
# certutil -d . -L -n "caSigningCert cert-pki-sub-sub-tomcat
CA" | more
. . .
Issuer: "CN=SubCA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
# certutil -d . -L -n "subsystemCert cert-pki-sub-sub-tomcat
CA" | more
. . .
Issuer: "CN=CA Signing
Certificate,O=example.com Security
Domain"
. . .
Subject: "CN=SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
# certutil -d . -L -n "Server-Cert cert-pki-sub-sub-tomcat" |
more
. . .
Issuer: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
Subject: "CN=server.example.com,O=example.com Security
Domain"
. . .
# certutil -d . -L -n "ocspSigningCert cert-pki-sub-sub-tomcat
CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
Subject: "CN=SubCA OCSP Signing
Certificate,O=example.com
Security Domain"
. . .
# certutil -d . -L -n "auditSigningCert
cert-pki-sub-sub-tomcat CA" | more
. . .
Issuer: "CN=Sub-SubCA Subsystem
Certificate,O=example.com
Security Domain"
. . .
Subject: "CN=SubCA Audit Signing
Certificate,O=example.com
Security Domain"
. . .
Serial number
Status
Subject name
0x1
valid
CN=SubCA OCSP
Signing
Certificate,O=example.com Security Domain
0x2
valid
CN=server.example.com,O=example.com Security Domain
0x3
valid
CN=SubCA Audit
Signing
Certificate,O=example.com Security Domain
0x4
valid
CN=CA Administrator
of Instance
pki-sub-sub-tomcat,UID=caadmin,E=caadmin(a)example.com,O=example.com Security
Domain
0x5
valid
UID=test SUB-SUBCA