Your idea should be quite simple to achieve. The domain for the CA service does not have to be related to the certificates you issue. I do this currently on test machine (inside vmware) with the key ports forward from the host to the dogtag system. People connect remotely to the public and changing IP address specified by a DynDNS fully qualified host name.<br>
<br>So for your install machine use a dynamic DNS host name. DynDNS offer a great service both the free and paid service. You could also use your own organisation&#39;s DNS, however DynDNS is quick and easy.<br><br>At each new site you simply login to DynDNS, change the related IP addresses and away you go.<br>
<br>For your own convenience, you also want the /etc/hosts file to resolve the host name to 127.0.0.1, so it always works even when not on a network...<br><br>I do wonder about the security of your laptop, access control, whether you might like to use some sort of hardware token (smart card/HSM) to at least protect the CA key when on the road. It would be a shame to go to all the trouble and have the laptop stolen and/or compromised.<br>
<br><div class="gmail_quote">On Wed, Jan 14, 2009 at 1:20 AM,  <span dir="ltr">&lt;<a href="mailto:lambam80@hotmail.com">lambam80@hotmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">




<div>
Hello everybody:<br>
&nbsp;<br>
Firstly, is this the primary Email-list for Dogtag/Red Hat Certificate System ?<br>
&nbsp;<br>
Naturally, I&#39;ve looked through all the archives, found here, for an answer:<br>
&nbsp;&nbsp;&nbsp;&nbsp; <a href="https://www.redhat.com/archives/pki-users/" target="_blank">https://www.redhat.com/archives/pki-users/</a><br>
&nbsp;<br>
We&#39;re using the DOGTAG CMS system found here:<br>
&nbsp;&nbsp;&nbsp;&nbsp; <a href="http://pki.fedoraproject.org/wiki/PKI_Main_Page" target="_blank">http://pki.fedoraproject.org/wiki/PKI_Main_Page</a><br>
&nbsp;<br>
We&#39;d like to create a &#39;portable&#39; CMS on a laptop running, say, Fedora release 8 (Werewolf).<br>We&#39;ll then use this machine at different client sites where the machine&#39;s DNS name and IP <br>address will change to issue certificates.<br>

&nbsp;<br>
Is this possible ?<br>
&nbsp;<br>
Firstly, I know that the console has the directory server&#39;s DNS name within the schema itself.<br>My work-around is to leave an alias in /etc/hosts with the old hostname.<br>
&nbsp;<br>
I expect the following URLs to cause an &#39;exception&#39; in the Browser because <br>hostname in DN does NOT equal hostname for the machine:<br>
<a href="https://dogtag.org:9443/ca/agent/ca/" target="_blank">https://dogtag.org:9443/ca/agent/ca/</a><br><a href="https://dogtag.org:10443/kra/agent/kra/" target="_blank">https://dogtag.org:10443/kra/agent/kra/</a><br>
<a href="https://dogtag.org:12889/" target="_blank">https://dogtag.org:12889/</a><br>
<br>I&nbsp;reckon this can be over-ridden by simply accepting the &#39;exception&#39; when presented <br>
with the warning dialogue-box in&nbsp;Mozilla.<br>
&nbsp;<br>
Q1. Any other considerations or obstacles ?<br>
&nbsp;<br>
Cdlt,<br><br><br><hr> <a></a></div>
<br>_______________________________________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
<br></blockquote></div><br>