Re: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag

Hi Thanks for the response.I am inline with what you said, that the clients just need to trust the CA and need not communicate with it. However my clients are physical devices which will need the trust store burnt into them which is why i need to have a constant trust chain. External CA seems like the best way to go. Please let me know if you could figure out why my configuartion won't go through with the data I have provided. Regards Kritee On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal < gaiseric.vandal(a)gmail.com&gt; wrote: > The CA needs to generate or sign certificates for other servers- e.g. > a web server. Clients of those servers should trust the CA's certificate > as the CA certificate that signs the server certificates. They don't need > to communicate with the CA directly. (The exception might be if the CA > is also an online certificate revocation server - but that is beyond my > experience.) > > You should assume that your CA will eventually crash- or that you might > make a configuration change or an update that you want to roll back. As > with any server, you should back up the critical files. if this is a > virtual machine, it makes backing up the entire machine much easier. > > > I wouldn't imagine that the entire CA configuration and database > directories are very big. > > > > > > > On 10/10/14 07:18, kritee jhawar wrote: > > > Hello, > > I am an engineer from India and I have been struggling with this for the > past 2 weeks. Request you to help me out. > > *USE-CASE: * > > Dogtag is the private CA for multiple services in a cluster. Trust is > established by providing the root certificate of dogtag to all the > services. What happens if dogtag crashes? All the services will have to be > given the root certificate of the new dogatg. > > How can we avoid this? > > Can we bring up multiple instances dogtag with a static certificate every > time? > > The only way I could find is by using the* external CA* option. > > I am following the 2-step pkispawn process with 2 config files > (deployment-1.cfg and deployment-2.cfg) > > In the first step the csr is generated. I take the csr and get a > certificate from the external CA and place it in the required location. The > root certificate of the CA has also been placed in the required location. > Step 2 of pkispawn goes through and the ca_admin cert is generated and > signed. > > However, when i make a REST call to list the certificates, I get 2 > different errors: > > (Please note that I replicated the same steps with same files on 2 setups > and got 2 errors) > > curl -k --request GET https://localhost:9443/ca/rest/certs > > *ERROR 1* > > <?xml version="1.0" encoding="UTF-8" > > > standalone="yes"?><PKIException><ClassName>com.netscape.certsrv.base.PKIException</ClassName><Code>500</Code><Message>Error > listing certs in > CertsResourceService.listCerts!</Message><Attributes/></PKIException> > > > > *ERROR 2* > > With the same steps i also get a NullPointerException as well (Attached > logs - null-pointer-error.txt) > > > > When i see the status of my pki-instance after pkispawn step-2, It says > the Instance is loaded and needs to be configured. (attched logs : > post-pkispawn-2.txt) > However it starts using systemctl without any errors > > > > I suspect I am missing some part in the configuration. > > Any help/pointers would be very helpful! > > Thanks > > Kritee > > *Attached files : * > > deployment-1.txt - config file for pkispawn step 1 > > deployment-2.txt - config file for pkispawn step 2 > > pkispawn-1-log.txt - logs for pkisppawn step 1 > > pkispan-2-log.txt - logs for pkispawn step 2 > > dogtag-cert.txt - root certificate of dogtag generated by external CA > > ca-admin-cert.txt - admin cert signed by dogtag > > null-pointer-error.txt - null pointer exception while making a REST call > to list certs > > post-pkispawn-2.txt - status of pki-instance after pkispawn step 2 > > > > _______________________________________________ > Pki-users mailing listPki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users >