As for your OCSP query, try this:
Use the console to edit the certificate profile you are using.
I'm assuming it is caUserCert
You can also do this with config files if you want.
Look in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
Anyway, there is an entry of the AIA extension that looks like this in the file:
policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
Either using editor or the console, put something in there for this setting:
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=blah-url
Restart the server and try to issue a cert with this profile.
Also, when the agent approves the cert request, it has the chance to change this setting
on that page as well.
For your load balancer issue. Just as a quick test you might venture into your OCSP's
conf/CS.cfg file and observe the entries that are pointing you to the CA.
I haven't not tried this but it might be possible to change one of those settings to
your LB and see what happens. If there is a more elegant way to do this, others can chime
in.
thanks,
jack
----- Original Message -----
From: orrious(a)yahoo.com
To: pki-users(a)redhat.com, pki-devel(a)redhat.com
Sent: Tuesday, August 27, 2013 3:31:59 PM
Subject: [Pki-devel] Enterprise CA Architecture
Hi Everyone,
I am setting up a Dogtag 9.0.3 CA PoC and have a couple deployment questions.
My goal is to have a secure and redundant CA and subsystems. The RA is
external, redundant, and outside the scope of the discussion (for now).
OCSP services will more than likely be distributed in multiple Server/LB
pairs behind a single GTM VIP.
I am documenting each step of the install and will happily provide it so
others don't have to ask the same questions.
Thank you for taking the time to read and provide feedback.
Scenario:
I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab
load balances all incoming ports to both servers, during testing.
Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP:
CA.lab. Instead I must select either CA1.lab or CA2.lab. Is there a way to
configure the OCSP to connect to the VIP rather than a specific CA server?
Q2.) If I am unable to configure OCSP against a VIP, should I configure
OCSP1->CA1 and OCSP2->CA2?
Q3.) If Q2 is True and one of the CA's is down will OCSP failover to the
other CA or will it just not answer a request.
Q4.) For the Dogtag Web pages, how do I change the server name in the URI to
the VIP, rather than the actual host name of the server? i.e, I go to
https://ca.lab:9445/ca/services. Depending on the server I am load balanced
to, the URLs for "Dogtag Certificate System", 'SSL End Users
Services", and
"Agent Services" all go to CA1.lab:944x/ca.. rather than
https://ca.lab:944x/ca This also pertains to OCSP pages.
Q5.) Certificates issues by default contain the OCSP service of the CA server
that issued the Certificate. i.e.
http://ca1.lab:9180/ca/ocsp. Can this
URI be changed to the LB VIP:
http://ca.lab:9180/ca/ocsp or can the VIP only
be added to the certificate? If it can only be added, can the priority be
changed so the VIP is queried first, as the CA would be firewalled in
production and inaccessible.
Q6.) Should the OCSP services become unavailable, I would also like to
publish the CRL in the certificates. What is the best performance for large
CRLs, say 100K entries; a web page or LDAP?
Kind Regards,
Paul
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel