Your idea should be quite simple to achieve. The domain for the CA service
does not have to be related to the certificates you issue. I do this
currently on a test machine (inside VMware) with the key ports forwarded from
the host to the Dogtag system. People connect remotely to the public,
changing IP address specified by a DynDNS fully qualified host name.
So for your install machine use a dynamic DNS host name. DynDNS offers a
great service, both free and paid. You could also use your own
organisation's DNS; however, DynDNS is quick and easy.
At each new site you simply login to DynDNS, change the related IP addresses
and away you go.
For your own convenience, you also want the /etc/hosts file to resolve the
host name to 127.0.0.1, so it always works even when not on a network...
I do wonder about the security of your laptop, access control, whether you
might like to use some sort of hardware token (smart card/HSM) to at least
protect the CA key when on the road. It would be a shame to go to all the
trouble and have the laptop stolen and/or compromised.
On Wed, Jan 14, 2009 at 1:20 AM, <lambam80(a)hotmail.com> wrote:
Hello everybody:
Firstly, is this the primary e-mail list for Dogtag/Red Hat Certificate
System?
Naturally, I've looked through all the archives, found here, for an answer:
https://www.redhat.com/archives/pki-users/
We're using the DOGTAG CMS system found here:
http://pki.fedoraproject.org/wiki/PKI_Main_Page
We'd like to create a 'portable' CMS on a laptop running, say, Fedora
release 8 (Werewolf).
We'll then use this machine at different client sites, where the machine's
DNS name and IP address will change, to issue certificates.
Is this possible?
Firstly, I know that the console has the directory server's DNS name within
the schema itself.
My work-around is to leave an alias in /etc/hosts with the old hostname.
I expect the following URLs to cause an 'exception' in the browser because
the hostname in the DN does NOT equal the hostname of the machine:
https://dogtag.org:9443/ca/agent/ca/
https://dogtag.org:10443/kra/agent/kra/
https://dogtag.org:12889/
I reckon this can be overridden by simply accepting the 'exception' when
presented with the warning dialogue box in Mozilla.
Q1. Any other considerations or obstacles?
Regards,
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
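The two points the thread turns on, whether the host name in a console URL matches the name the server certificate was issued for (otherwise the browser raises the "exception" mentioned above) and whether that name is pinned to 127.0.0.1 in /etc/hosts so the console still resolves off-network, can be checked mechanically. The following is an added example, not Dogtag or Red Hat Certificate System code; the host name `portable-ca.example.net`, the certificate names and the /etc/hosts content are constructed for the example, while the three `dogtag.org` URLs are the ones from the question.

```python
"""Hostname checks for a portable CA console.

Added example (not Dogtag/RHCS code): given the host names a server
certificate carries and the URLs a browser will open, report which URLs
would trigger the hostname-mismatch warning, and whether the name is pinned
to 127.0.0.1 in /etc/hosts so the console keeps working off-network.
All names and certificate contents below are constructed for the example.
"""
from urllib.parse import urlsplit


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison as browsers apply it.

    Case-insensitive; a single '*' is allowed only as the whole left-most
    label and matches exactly one label (so '*.example.net' covers neither
    'example.net' nor 'a.b.example.net'); a wildcard directly under a
    top-level label such as '*.net' is refused.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(subject_cn: str, san_dns: tuple = ()) -> list:
    """Names a browser will try: SAN dNSName entries if present, else the CN."""
    return list(san_dns) if san_dns else [subject_cn]


def url_matches_cert(url: str, subject_cn: str, san_dns: tuple = ()) -> bool:
    """True when the URL's host name matches one of the certificate's names."""
    host = urlsplit(url).hostname or ""
    return any(hostname_matches(n, host) for n in cert_names(subject_cn, san_dns))


def loopback_names(hosts_text: str) -> set:
    """Names mapped to 127.0.0.1 in /etc/hosts-format text (comments stripped)."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "127.0.0.1":
            names.update(n.lower() for n in fields[1:])
    return names


def check_urls(urls, subject_cn, san_dns, hosts_text):
    """Per-URL verdict: does the cert name match, and is the host pinned to loopback."""
    pinned = loopback_names(hosts_text)
    report = {}
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        report[url] = {
            "cert_match": url_matches_cert(url, subject_cn, san_dns),
            "pinned_loopback": host in pinned,
        }
    return report


# Constructed inputs: the URLs from the question, plus one using a
# hypothetical dynamic-DNS name that the CA certificate was issued for.
CA_HOST = "portable-ca.example.net"          # hypothetical DynDNS-style name
URLS = [
    "https://dogtag.org:9443/ca/agent/ca/",
    "https://dogtag.org:10443/kra/agent/kra/",
    "https://dogtag.org:12889/",
    f"https://{CA_HOST}:9443/ca/agent/ca/",
]
HOSTS_TEXT = f"""# constructed /etc/hosts
127.0.0.1   localhost.localdomain localhost {CA_HOST}
::1         localhost6
"""

if __name__ == "__main__":
    for url, verdict in check_urls(URLS, CA_HOST, (CA_HOST,), HOSTS_TEXT).items():
        print(f"{url:50} cert_match={verdict['cert_match']!s:5} "
              f"pinned={verdict['pinned_loopback']}")
```

Run as a script it lists the three `dogtag.org` URLs as mismatching a certificate issued for `portable-ca.example.net` and the fourth as matching; the `pinned_loopback` column shows which names the constructed /etc/hosts entry keeps resolving when the laptop is off-network. Note that the loopback pin only helps the browser running on the laptop itself; remote clients still reach the CA through the dynamic DNS name, so that name is the one the server certificate should carry.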