Any suggestions?
Thanks you,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Monday, June 29, 2015 at 10:32 AM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server certs.
I’m trying 2 options with DogTag setup:
Option 1: Installing an externally signed CA
I followed the steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and this setup
works perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing certificate in DogTag
setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
Option 2: Installing an externally signed CA (One time setup of keys/CSR)
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing certificate using
OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that
it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once and then setup
DogTag (or recreate VM) as many times I need using private key and certificate obtained
earlier. This will prevent us from regenerating CSR and get it signed with external CA
(Ex: Symantec).
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users