Christina Fu wrote:
There could be multiple issues.
First thing you want to check is whether your CA is configured
correctly with connection to KRA. To check this, look into your
CS.cfg file in <CA install dir>/conf/CS.cfg, and look for
CA.connector.KRA.enable=true
I've already checked that, it's there. Also, in pkiconsole for the CA
instance, I can see "Data Recovery Manager Connector" in "Certificate
Manager" -> "Connectors".
When I click "Edit", and check its configuration, it corresponds to the
configuration of the pki-kra instance (port number etc.).
If your KRA is set up correctly, then test it out with caDualCert.cfg,
which will generate a signing cert and an encryption cert for you.
The encryption cert is the one whose private key will be archived.
OK, this is what I was looking for!
When I use the caDualCert profile, the browser asks me for
confirmation/permission for the CA to make a backup of my encryption
private key - here's a screenshot of what it looks like:
https://olo.org.pl/files/pki/encryption_key_copy.png
Then I can see that _two_ key generation progress dialogs are displayed
consecutively. So two keys and CSRs are indeed generated, and two
certificate requests are added to the CA's request queue.
The remaining question I have is - can I customise the LDAP-based
enrollment profile (caDirUserCert) to generate dual keys just like
caDualCert does?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl