ok,

find my howto at
http://pki.fedoraproject.org/wiki/Fix_clone*.privkey.id_entries_in_CS.cfg_to_reenable_cloning

Mit freundlichen Grüßen,

Alexander Jung

2011/9/13 Andrew Wnuk <awnuk@redhat.com>

Hi Alexander,

Would be kind enough to add your solution to Dogtag's "How Tos"?
http://pki.fedoraproject.org/wiki/PKI_How_To

Thank you,
Andrew

On 09/13/2011 08:39 AM, Alexander Jung wrote:

Hello,

in the meantime i got it working. The problem was the master CA setup: after instantating the ca the certs have been replaced by the certs from another instance - but the entires clone*.privkey.id had not been updated.

After recognizing this I only had to match the (unsigned) output of certutil -K with the (signed) params in CS.cfg. I did this by inserting some "System.out.println" into com.netscape.cmsutil.crypto.CryptoUtil  findPrivateKeyFromID() and patching the new .class-File into the .jar-file. Watching the catalina.out while trying to clone the ca gave then all needed infos.

Another fresh install after that completed without problems.

Yours,

Alexander Jung

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users