Thanks for the response
I got the setup to work with an external CA just yesterday. This time I used Dogtag as the
external CA rather than OpenSSL and Microsoft.
I'll have multiple instances of Dogtag in my deployment. Ideally I want all of them to
come up with this root certificate. Is there some location I can place a public/private
key pair which Dogtag uses to come up?
Also, what I meant by services not coming up was not other components like KRA and DRM.
I just have the CA subsystem, and even though it was getting spawned we were unable to use
it.
Thanks
Kritee
Sent from my iPhone
On 16-Oct-2014, at 00:44, John Dennis <jdennis(a)redhat.com> wrote:
> On 10/10/2014 07:14 AM, kritee jhawar wrote:
> Dogtag is the private CA for multiple services in a cluster. Trust is
> established by providing the root certificate of dogtag to all the
> services. What happens if dogtag crashes? All the services will have to
> be given the root certificate of the new dogtag.
>
> How can we avoid this?
Why do you need to re-provision the services with a new root certificate
if Dogtag crashes? Why not just restart the Dogtag instance with the
existing certs? It sounds like you're throwing away the old instance and
creating a new Dogtag instance needlessly.
Also, I don't understand why your services won't run if Dogtag isn't
currently running (unless you're using OCSP). Dogtag provisions certs; a
service using a cert issued by Dogtag doesn't need to communicate with
Dogtag (unless you're using OCSP). As long as your services have been
provisioned with the certs issued by Dogtag they should run fine (or are
you issuing very short duration certs that need constant refreshing?)
FWIW, what you describe, re-provisioning of a new CA cert, is exactly
identical to handling an expired CA cert. There was documentation
written up recently on how to handle expiring CA certs but I don't have
a pointer to it, sorry. But as I mentioned above I don't think you need to
replace the certs, you just need to restart the service.
If the instance is crashing then that's a bug that needs fixing. Please
file a bug report so the problem can get fixed.
Ade can comment on the specific errors you reported.
--
John
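The point in John's reply, and the reason Kritee's multiple instances would need to share one root key pair, can be seen in the following Go program. It is an added example, not code from this thread or from Dogtag: it builds a constructed root CA and a leaf certificate, verifies the leaf against the root cert with no contact to the CA (no OCSP), and then shows that a root re-created with the same name but a new key no longer validates that leaf. The names "Dogtag Root" and svc.example.test are made-up sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint gives tmpl a 24h validity window and a fresh Ed25519 key, then has parent sign it (nil parent = self-signed).
func mint(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newRoot models one CA instance: the same subject name on every call but a new key pair (constructed data).
func newRoot(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has the root sign a server certificate for host.
func issueLeaf(root *x509.Certificate, rootKey ed25519.PrivateKey, host string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, root, rootKey)
}

// trustedBy is what a relying service does with the root cert it was provisioned with: it builds
// the chain locally and never contacts the CA (no OCSP), so only a different root key breaks it.
func trustedBy(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```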