One of my customers has an existing root key pair and CA cert that
exists outside of Dogtag. I want to create a CA immediately subordinate
to that root CA and use Dogtag for it.
After numerous attempts to adopt Dogtag to an external CA, I admit to
defeat. I've tried this with and without a PKCS7 chain, I've tried
various extensions and formats for the new CA cert, etc.
The CA system comes up, looks good, but looking at the SSL hand shake
with "openssl s_client" shows that the server isn't providing the entire
chain, only the certificate for the server itself.
Taking all of the certs in the chain from root through server and
running them through the Java cert path checking routines seems to
indicate the certs are fine.
If I build a system from scratch - with a new root cert and key pair in
one CA and then build a subordinate CA under that in the same domain it
Has anyone else tried this? If so, can you give me a step-by-step please?