Thanks for the update, Christina. Where does the Dogtag CA store its certificate for https://<dogtag_ca_url>:8443/? I checked the /etc/ssl/certs/ directory, but I found nothing.

Thanks again, Christina

Rafael

On Thu, Jun 1, 2017 at 9:00 AM, <pki-users-request@redhat.com> wrote:


Today's Topics:

   1. Re: Dogtag Cert Lauch Page Renewal (Christina Fu)


----------------------------------------------------------------------

Message: 1
Date: Wed, 31 May 2017 14:31:31 -0700
From: Christina Fu <cfu@redhat.com>
To: pki-users@redhat.com
Subject: Re: [Pki-users] Dogtag Cert Lauch Page Renewal
Message-ID: <034773bd-3756-73df-8c77-7dd1ebe93082@redhat.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"

Hi Rafael,

I think the following should work for you in theory (Note: I have not
tried it myself).

If you mean the web server cert, by default it uses the caServerCert
profile.  So to add a SAN you would want to add the Subject Alt Name Default
and possibly a constraint to that profile. You can look up how other
default profiles.

Here is an example policy you could add:

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer.example.com
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1

Make sure you add the set id "9" (if unique..you can change it to
another unique id) to

policyset.serverCertSet.list=

It is important that you add that to the profile before you proceed with
the renewal instruction (under the assumption that you wish to reuse
keys), because the instruction I am about to give you will use the same
profile that the original cert was issued through.  Restart the CA after
the above config change.

About renewal, if you want to reuse the same keys as the original web
server certificate, you could try going to the EE page's
Enrollment/Renewal tab, where you will find the last link on the
page to be

Renewal: Renew certificate to be manually approved by agents.

Enter the current (to be replaced) server cert serial number and
submit.  Have the CA agent approve the request.  Download and update
your server cert, restart the intended web server.

If you don't want to reuse keys, then simply enroll through the Manual
Server Certificate Enrollment, which uses the profile that you just
modified, but will expect a whole new csr to be the input (rekey).
Incidentally, if you happen to have the original CSR (hence preserving
the same keys), you would end up having the same keys with the newly
updated profile (with SAN) as well, which would effectively give you the
same result.

Let us know if that works for you.

Christina


On 05/30/2017 06:29 PM, Rafael Leiva-Ochoa wrote:
> Any takers?
>
> Rafael
>
> On Sat, May 27, 2017 at 10:29 PM, Rafael Leiva-Ochoa
> <spawn@rloteck.net <mailto:spawn@rloteck.net>> wrote:
>
>     Hi Everyone,
>
>          I was looking through the Dogtag CA documentation, and I
>     was not able to find the process for renewing the Dogtag web page
>     certificate. I wanted to update the cert since all browsers now
>     require a SAN on the cert. Any help would be great.
>
>     Thanks,
>
>     Rafael
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

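Editor's added example (not part of the thread, and not Dogtag's own tooling): a small bash helper that applies the profile change Christina describes to a file-based caServerCert profile, registers the new set id in policyset.serverCertSet.list without duplicating it, sanity-checks the result before you restart the CA, and finally verifies that the renewed certificate the server presents on 8443 actually carries a Subject Alternative Name. The profile path /var/lib/pki/<instance>/ca/profiles/ca/caServerCert.cfg, the instance name pki-tomcat, the set id 9 and the host name yourServer.example.com are assumptions for illustration; the policy keys themselves are the ones from the message above.

```bash
#!/usr/bin/env bash
# Added example: edits a Dogtag CA profile file to add a SAN default.
# Assumptions (not from the thread): file-based profiles live under
#   /var/lib/pki/<instance>/ca/profiles/ca/caServerCert.cfg
# Run on the CA host with write access to the profile, then restart the CA.
set -eu

# add_san_policy PROFILE SETID DNSNAME
# Appends the SAN policy set to PROFILE and adds SETID to the
# policyset.serverCertSet.list line. Re-running is a no-op: it will not
# create a second set with the same id or a duplicate list entry.
add_san_policy() {
    local profile="$1" setid="$2" dnsname="$3" tmp
    if grep -q "^policyset\.serverCertSet\.${setid}\." "$profile"; then
        echo "policy set ${setid} already present in ${profile}; nothing to do" >&2
        return 0
    fi
    tmp=$(mktemp)
    # Append SETID to the comma-separated list= line, or create the line
    # if the profile has none (a set that is not listed is not applied).
    awk -v id="$setid" '
        /^policyset\.serverCertSet\.list=/ {
            n = split(substr($0, index($0, "=") + 1), ids, ",")
            found = 0
            for (i = 1; i <= n; i++) if (ids[i] == id) found = 1
            if (!found) $0 = $0 (substr($0, length($0)) == "=" ? "" : ",") id
            seen = 1
        }
        { print }
        END { if (!seen) print "policyset.serverCertSet.list=" id }
    ' "$profile" > "$tmp"
    cat >> "$tmp" <<EOF
policyset.serverCertSet.${setid}.constraint.class_id=noConstraintImpl
policyset.serverCertSet.${setid}.constraint.name=No Constraint
policyset.serverCertSet.${setid}.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.${setid}.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.${setid}.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.${setid}.default.params.subjAltExtPattern_0=${dnsname}
policyset.serverCertSet.${setid}.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.${setid}.default.params.subjAltNameNumGNs=1
EOF
    # Write back through cat so the profile keeps its owner and mode.
    cat "$tmp" > "$profile"
    rm -f "$tmp"
}

# check_profile PROFILE
# Returns 1 (with a message on stderr) if a listed set id has no default,
# or if a defined set id is missing from list= and would never be applied.
check_profile() {
    local profile="$1" list id
    list=$(sed -n 's/^policyset\.serverCertSet\.list=//p' "$profile")
    if [ -z "$list" ]; then
        echo "${profile}: no policyset.serverCertSet.list line" >&2
        return 1
    fi
    for id in $(printf '%s' "$list" | tr ',' ' '); do
        grep -q "^policyset\.serverCertSet\.${id}\.default\.class_id=" "$profile" || {
            echo "${profile}: set ${id} is listed but has no default.class_id" >&2
            return 1
        }
    done
    for id in $(sed -n -E 's/^policyset\.serverCertSet\.([0-9]+)\.default\.class_id=.*/\1/p' "$profile" | sort -u); do
        case ",${list}," in
            *",${id},"*) ;;
            *) echo "${profile}: set ${id} is defined but not in list=" >&2; return 1 ;;
        esac
    done
    return 0
}

# show_san HOST [PORT]
# After the renewed cert is installed and the server restarted, print the
# SAN the server actually presents. Browsers ignore the CN, so an empty
# result here means the renewal did not achieve what the thread is after.
show_san() {
    local host="$1" port="${2:-8443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name'
}

# Usage (paths and names are assumptions): ./san-profile.sh --apply
if [ "${1:-}" = "--apply" ]; then
    profile=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg
    add_san_policy "$profile" 9 yourServer.example.com
    check_profile "$profile"
    echo "profile updated; restart the CA, then renew and run: show_san yourServer.example.com"
fi
```

Two caveats for practitioners: the CA reads profile files at startup, so the restart Christina mentions is required before the renewal request will pick up the new default; and if your instance keeps profiles in LDAP rather than in files (an option in Dogtag 10), editing the file has no effect and the change must instead go through the `pki ca-profile-show` / `pki ca-profile-mod` commands on an exported copy of the profile.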

------------------------------


End of Pki-users Digest, Vol 110, Issue 1
*****************************************