This patch documents continued implementation of the PKI Deployment Framework based upon the revised filesystem layout documented here:
This patch must be applied AFTER "[PATCH] PKI Deployment Framework (20120716)".

The following patch adds/corrects functionality of the existing PKI Deployment Framework including (but not limited to):

    Saved Admin Certificate, imported it into NSS client security databases, and
    exported it to a PKCS #12 file such that it may be imported into a browser.
   
    TRAC Ticket #221
    Dogtag 10: Create a PKCS #12 file containing the Admin Certificate
    (https://fedorahosted.org/pki/ticket/221)

To test this patch (presumes a Fedora 17 machine with a pre-installed directory server and PKI packages with these two patches installed):
As 'root' on 'example.fedora.org':
# (if necessary) pkidestroy -s CA -v -d fedora.org -i foobar --http_port 8080 --https_port 8443 --ajp_port 8005
# pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv -d fedora.org -i foobar --http_port 8080 --https_port 8443 --ajp_port 8005
# systemctl restart pki-tomcatd@fedora.org-foobar.service
# mkdir -p /tmp/pki
# cp /usr/share/pki/deployment/config/pkideployment.cfg /tmp/pki
# cd /tmp/pki
# Edit pkideployment.cfg and add the desired passwords to the following variables:
  * pki_admin_password=
  * pki_backup_password= (THIS CAN BE SKIPPED)
  * pki_client_pkcs12_password=
  * pki_ds_password=
  * pki_pkcs12_password=
  * pki_security_domain_password=
  If necessary, change the default ports on the directory server to match the installed version.


As 'user' on 'example.fedora.org':
* firefox -ProfileManager -no-remote &
* New Profile:  example
* http://example.fedora.org:8080/ca/services
  * Launches browser tab entitled 'CA Services'
* Select 'SSL End Users Services' in new tab
  * Trust this Connection
  * Launches browser tab entitled 'CA End-Entity'
  * Select "Retrieval" tab
  * Select "Import CA Certificate Chain"
    * Select "Import the CA certificate chain into your browser"
      * Press Submit
      * Check all three Trust checkboxes and press OK
  * From the Browser's Menu:
    * Select Edit | Preferences
      * Highlight the Advanced icon
        * Select the Encryption tab
          * Press the View Certificates button
            * Select the "Your Certificates" tab
              * Press the Import button
                * Go to File System | tmp | fedora.org-foobar_client
                  * Highlight ca_admin_cert.p12
                    * Press the Open button
                      * Type in the PKCS #12 password
                      * Dismiss the "Success" pop-up by pressing OK
        * Dismiss the Encryption tab by pressing OK
    * Close Preferences by pressing Close
* From the 'CA Services' tab, select 'Agent Services' in a new tab
  * Select the proper cert from the pulldown menu and press OK
  * Launches browser tab entitled 'CA Agent'
* Re-select 'CA End-Entity' tab in browser
  * Select 'Enrollment/Renewal' tab
    * Select Manual User Dual-Use Certificate Enrollment
      * Type test in UID field
      * Press Submit button
* Re-select 'CA Agent' tab in browser
  * Select 'List Requests' on left-hand menu
    * Press Find
    * Select the cert (e.g., '7') from the Request Queue
      * Scroll to the bottom and press the submit button
  * Select 'List Certificates' on left-hand menu
    * Press Find
      * The new certificate (e.g., '7') should be displayed
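
Added example (not part of the original message or of the Dogtag code): a pre-flight check for the edited /tmp/pki/pkideployment.cfg that reports which of the password variables listed in the root steps are still empty, and whether the file, which now holds cleartext passwords under /tmp, is accessible to other users. It assumes the settings are plain name=value lines and that GNU stat is available; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the patch. Assumes name=value lines and GNU stat.
# pki_backup_password is left out because the steps above mark it as skippable.
REQUIRED="pki_admin_password pki_client_pkcs12_password pki_ds_password
pki_pkcs12_password pki_security_domain_password"

# Print the last value assigned to variable $2 in file $1 (empty if blank/unset).
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print each required password variable that is missing or empty in file $1.
missing_passwords() {
    for name in $REQUIRED; do
        [ -n "$(cfg_value "$1" "$name")" ] || printf '%s\n' "$name"
    done
}

# Succeed only if file $1 grants no permissions to group or others.
cfg_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file is ready for pkispawn, 1 on findings, 2 if unreadable.
check_pki_cfg() {
    cfg=$1
    status=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=$(missing_passwords "$cfg")
    if [ -n "$missing" ]; then
        echo "empty password variables:" $missing >&2
        status=1
    fi
    if ! cfg_is_private "$cfg"; then
        echo "$cfg holds passwords; restrict it with chmod 600" >&2
        status=1
    fi
    return $status
}

# Run the check when a path is given on the command line.
if [ -n "${1:-}" ]; then check_pki_cfg "$1"; fi
```

Saved as a script, it can be run against /tmp/pki/pkideployment.cfg after the editing step and before pkispawn; a non-zero exit status means a variable is still empty or the file permissions are too open.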