Christina Fu wrote:
> There could be multiple issues.
>
> First thing you want to check is whether your ca is configured
> correctly with connection to KRA. To check this, look into your
> CS.cfg file in <CA install dir>/conf/CS.cfg, and look for
> CA.connector.KRA.enable=true
I've already checked that, it's there. Also, in pkiconsole for the CA
instance, I can see "Data Recovery Manager Connector" in "Certificate
Manager" -> "Connectors".
When I click "Edit", and check its configuration, it corresponds to
the configuration of the pki-kra instance (port number etc.).
>
> If your KRA is set up correctly, then test it out with
> caDualCert.cfg, which will generate a signing cert and an encryption
> cert for you. The encryption cert is the one whose private key will
> be archived.
OK, this is what I was looking for!
When I use the caDualCert profile, the browser asks me for
confirmation/permission for the CA to make a backup of my encryption
private key - here's a screenshot of how it looks:
https://olo.org.pl/files/pki/encryption_key_copy.png
Then I can see that _two_ key generation progress dialogs are
displayed consecutively. So two keys and CSRs are indeed generated,
and two certificate requests are added to the CA's request queue.
That's correct.
The remaining question I have is - can I customise the LDAP-based
enrollment profile (caDirUserCert) to generate dual keys just like
caDualCert does?
Yes, all the pages are customizable with templates; see for example:
/var/lib/pki-<ca-instance-name>/webapps/ca/ee/ca/
and
DirUserEnroll.html
Also: