1:23 p.m.
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
11:03 a.m.
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I've DogTag 10.1.2 setup with externally signed CA (using the steps
outline in the link below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally
acquired private key and certificate.
In other words, If I generate the private key and CSR using openssl
and submit CSR to CA for certificate.
Once the CA issued the certificate, I would like to setup DogTag using
the existing private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what
you wish to do. What would you like to use this certificate for? For
example, is this an SSL server cert, or CA signing cert? etc. And you
mean in another new Dogtag instance, or are you talking about replacing
certain system cert of the CA you just set up?
Thanks,
Mahendra
"This message (including any attachments) is intended only
for the use of the individual or entity to which it is
addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from
disclosure under applicable law or may be constituted as
attorney work product. If you are not the intended
recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received
this message in error, notify sender immediately and delete
this message immediately."
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
11:22 a.m.
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users
9:32 a.m.
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server certs.
I’m trying 2 options with DogTag setup:
Option 1: Installing an externally signed CA
I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup
works perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing certificate in DogTag
setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
Option 2: Installing an externally signed CA (One time setup of keys/CSR)
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing certificate using
OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that
it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once and then setup
DogTag (or recreate VM) as many times I need using private key and certificate obtained
earlier. This will prevent us from regenerating CSR and get it signed with external CA
(Ex: Symantec).
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users
10:56 a.m.
On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server
certs.
I’m trying 2 options with DogTag setup:
*Option 1: Installing an externally signed CA*
I followed the steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and this setup works
perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing
certificate in DogTag setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
*Option 2: Installing an externally signed CA (One time setup of
keys/CSR)*
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing
certificate using *OpenSSL*
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in
secured media so that it can be used later
5. Setup DogTag using the private key (generated in step #1) and
intermediate CA certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once
and then setup DogTag (or recreate VM) as many times I need using
private key and certificate obtained earlier. This will prevent us
from regenerating CSR and get it signed with external CA (Ex: Symantec).
If I read it correctly, you want to set up multiple CA's sharing the
same singing cert/keys? Dogtag supports cloning. Did you look into that?
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra" <majain(a)verisign.com
<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>,
"pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
<pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and
certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is
supported:
1. Generate private key and CSR for intermediate CA using *openssl*
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and
intermediate CA certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then
setup DogTag as many times I need using the existing private key and
certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
<pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and
certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
> Hi,
>
> I’ve DogTag 10.1.2 setup with externally signed CA (using the steps
> outline in the link below) and the setup works perfectly fine:
>
> http://man.sourcentral.org/f18/8+pkispawn
>
> I would like to know if DogTag also supports configuring externally
> acquired private key and certificate.
>
> In other words, If I generate the private key and CSR using openssl
> and submit CSR to CA for certificate.
> Once the CA issued the certificate, I would like to setup DogTag
> using the existing private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain
what you wish to do. What would you like to use this certificate
for? For example, is this an SSL server cert, or CA signing cert?
etc. And you mean in another new Dogtag instance, or are you talking
about replacing certain system cert of the CA you just set up?
>
> Thanks,
> Mahendra
>
>
> “This message (including any attachments) is intended only
> for the use of the individual or entity to which it is
> addressed, and may contain information that is non-public,
> proprietary, privileged, confidential and exempt from
> disclosure under applicable law or may be constituted as
> attorney work product. If you are not the intended
> recipient, you are hereby notified that any use,
> dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received
> this message in error, notify sender immediately and delete
> this message immediately.”
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
11:14 a.m.
Hi Christina,
Thanks for taking time to respond.
We already have clone setup using steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and the setup works perfectly fine with no
issues.
My question is related to Setting up Dogtag using private key and certificate generated
via openSSL command separately (on a completely different host from Dogtag).
For example, If I delete the complete VM instance where Dogtag is running and reinstall, I
could reuse the private key and certificate already generated via openSSL command earlier
to setup new Dogtag instance without requiring to generate CSR and get it signed with
external CA (Ex: Symantec).
Hope this helps.
Please let me know if you have any questions.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 11:56 AM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server certs.
I’m trying 2 options with DogTag setup:
Option 1: Installing an externally signed CA
I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup
works perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing certificate in DogTag
setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
Option 2: Installing an externally signed CA (One time setup of keys/CSR)
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing certificate using
OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that
it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once and then setup
DogTag (or recreate VM) as many times I need using private key and certificate obtained
earlier. This will prevent us from regenerating CSR and get it signed with external CA
(Ex: Symantec).
If I read it correctly, you want to set up multiple CA's sharing the same singing
cert/keys? Dogtag supports cloning. Did you look into that?
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users
12:48 p.m.
I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 The user have a chance to import
own CA certificate with private key
Christina
On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
Hi Christina,
Thanks for taking time to respond.
We already have clone setup using steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and the setup works
perfectly fine with no issues.
My question is related to Setting up Dogtag using private key
and certificate generated via openSSL command separately (on a
completely different host from Dogtag).
For example, If I delete the complete VM instance where Dogtag is
running and reinstall, I could reuse the private key and certificate
already generated via openSSL command earlier to setup new Dogtag
instance without requiring to generate CSR and get it signed with
external CA (Ex: Symantec).
Hope this helps.
Please let me know if you have any questions.
Thanks,
Mahendra
From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 11:56 AM
To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
<pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and
certificate
On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
> Hi Christina,
>
> Here’s some detailed information:
>
> I’m planning to setup intermediate CA with DogTag and issue SSL
> server certs.
>
> I’m trying 2 options with DogTag setup:
>
> *Option 1: Installing an externally signed CA*
> I followed the steps outlined in
> http://man.sourcentral.org/f18/8+pkispawn and this setup works
> perfectly fine with no issues.
> This option involves following steps:
>
> 1. Generate a certificate signing request (CSR) for the signing
> certificate in DogTag setup phase 1
> 2. Submit the CSR to the external CA (Ex: Symantec)
> 3. Obtain the resulting intermediate certificate and certificate chain
> 4. Continue with DogTag setup phase 2
>
> *Option 2: Installing an externally signed CA (One time setup of
> keys/CSR)*
>
> The desired steps are as follows:
>
> 1. Generate a certificate signing request (CSR) for the signing
> certificate using *OpenSSL*
> 2. Submit the CSR to the external CA (Ex: Symantec)
> 3. Obtain the resulting intermediate certificate and certificate chain
> 4. Store private key and certificate obtained in above steps in
> secured media so that it can be used later
> 5. Setup DogTag using the private key (generated in step #1) and
> intermediate CA certificate (acquired in step #3)
>
> The desired expectation in option #2 is to perform step 1-3 below
> once and then setup DogTag (or recreate VM) as many times I need
> using private key and certificate obtained earlier. This will prevent
> us from regenerating CSR and get it signed with external CA (Ex:
> Symantec).
If I read it correctly, you want to set up multiple CA's sharing the
same singing cert/keys? Dogtag supports cloning. Did you look into that?
>
> Please let me know if you have any questions.
>
> Thanks,
> Mahendra
>
>
> From: <Jain>, "Jain, Mahendra" <majain(a)verisign.com
> <mailto:majain@verisign.com>>
> Date: Friday, June 26, 2015 at 12:22 PM
> To: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>,
> "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
> <pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
> Subject: Re: [Pki-users] Configure externally acquired private key
> and certificate
>
> Hi Christina,
>
> Sorry for the confusion. Let me rephrase the steps below if it is
> supported:
>
> 1. Generate private key and CSR for intermediate CA using *openssl*
> 2. Submit the CSR to external CA (Ex: Symantec) for signing
> 3. Receive the signed certificate from CA
> 4. Setup DogTag with the private key (generated in step #1) and
> intermediate CA certificate (acquired in step #3)
>
> I’m hoping this approach allows me to perform step 1-3 once and then
> setup DogTag as many times I need using the existing private key and
> certificate on any host.
>
> Please let me know if you need further clarification.
>
> Thanks,
> Mahendra
>
>
> From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>
> Date: Friday, June 26, 2015 at 12:03 PM
> To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
> <pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
> Subject: Re: [Pki-users] Configure externally acquired private key
> and certificate
>
>
> On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
>> Hi,
>>
>> I’ve DogTag 10.1.2 setup with externally signed CA (using the steps
>> outline in the link below) and the setup works perfectly fine:
>>
>> http://man.sourcentral.org/f18/8+pkispawn
>>
>> I would like to know if DogTag also supports configuring externally
>> acquired private key and certificate.
>>
>> In other words, If I generate the private key and CSR using openssl
>> and submit CSR to CA for certificate.
>> Once the CA issued the certificate, I would like to setup DogTag
>> using the existing private key (created using openssl) and certificate.
>
> Hi, I'm sorry I read your questions a few times and I'm not certain
> what you wish to do. What would you like to use this certificate
> for? For example, is this an SSL server cert, or CA signing cert?
> etc. And you mean in another new Dogtag instance, or are you talking
> about replacing certain system cert of the CA you just set up?
>>
>> Thanks,
>> Mahendra
>>
>>
>> “This message (including any attachments) is intended only
>> for the use of the individual or entity to which it is
>> addressed, and may contain information that is non-public,
>> proprietary, privileged, confidential and exempt from
>> disclosure under applicable law or may be constituted as
>> attorney work product. If you are not the intended
>> recipient, you are hereby notified that any use,
>> dissemination, distribution, or copying of this
>> communication is strictly prohibited. If you have received
>> this message in error, notify sender immediately and
>> delete this message immediately.”
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
1:02 p.m.
Hi Christina,
Thank you so much. This is exactly I was looking for.
Looking at the ticket details, it seems quite old (the last response posted ~ 7 months
ago).
I’ll give it a try and let you know how it goes.
Thanks again,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 1:48 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 The user have a chance to import own CA
certificate with private key
Christina
On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
Hi Christina,
Thanks for taking time to respond.
We already have clone setup using steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and the setup works perfectly fine with no
issues.
My question is related to Setting up Dogtag using private key and certificate generated
via openSSL command separately (on a completely different host from Dogtag).
For example, If I delete the complete VM instance where Dogtag is running and reinstall, I
could reuse the private key and certificate already generated via openSSL command earlier
to setup new Dogtag instance without requiring to generate CSR and get it signed with
external CA (Ex: Symantec).
Hope this helps.
Please let me know if you have any questions.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 11:56 AM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server certs.
I’m trying 2 options with DogTag setup:
Option 1: Installing an externally signed CA
I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup
works perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing certificate in DogTag
setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
Option 2: Installing an externally signed CA (One time setup of keys/CSR)
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing certificate using
OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that
it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once and then setup
DogTag (or recreate VM) as many times I need using private key and certificate obtained
earlier. This will prevent us from regenerating CSR and get it signed with external CA
(Ex: Symantec).
If I read it correctly, you want to set up multiple CA's sharing the same singing
cert/keys? Dogtag supports cloning. Did you look into that?
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users
8:12 a.m.
Hi Christina,
I followed the steps outlined in https://fedorahosted.org/pki/ticket/456.
I was wondering if you could help me with step #3 below about how to specify non-dogtag CA
key (test.key) configuration.
In other words how to import non-dogtag CA key (test.key) generated in step #2.
Here’s what I have done so far:
1. Run "external CA" step one with pkispawn:
$ vi step_one.config
[DEFAULT]
pki_admin_password=password123
pki_backup_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
pki_security_domain_password=password123
pki_backup_keys=True
[CA]
pki_external=True
pki_external_csr_path=/tmp/ca.csr
pki_ca_signing_subject_dn=cn=Test Root CA
pki_admin_nickname=Test Root CA %(pki_dns_domainname)s
pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s
$ pkispawn -s CA -f step_one.config
2. Generate non-dogtag cert using openssl:
- Generate private key (test.key) and CSR (test.csr) using OpenSSL utility
- Submit CSR to external CA (Ex: Symantec) for signing
- Obtain signed cert from external CA
- Save CA issued cert and CA root cert in ca.cert and ca_chain.cert files respectively
3. Put the non-dogtag ca b64 cert (ca.cert) as well as the pkcs7 chain (ca_chain.cert) in
the proper places:
$ vi step_two.config
[DEFAULT]
pki_admin_password=password123
pki_backup_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
pki_security_domain_password=password123
pki_backup_keys=True
[CA]
pki_external=True
pki_external_ca_cert_chain_path=/tmp/ca_chain.cert
pki_external_ca_cert_path=/tmp/ca.cert
pki_external_step_two=True
pki_ca_signing_subject_dn=cn=Test Root CA
pki_admin_nickname=Test Root CA %(pki_dns_domainname)s
pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s
4. Run "external CA" step two with pkispawn:
$ pkispawn -s CA -f step_two.config
I appreciate your help.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Tuesday, June 30, 2015 at 2:02 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Thank you so much. This is exactly I was looking for.
Looking at the ticket details, it seems quite old (the last response posted ~ 7 months
ago).
I’ll give it a try and let you know how it goes.
Thanks again,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 1:48 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 The user have a chance to import own CA
certificate with private key
Christina
On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
Hi Christina,
Thanks for taking time to respond.
We already have clone setup using steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and the setup works perfectly fine with no
issues.
My question is related to Setting up Dogtag using private key and certificate generated
via openSSL command separately (on a completely different host from Dogtag).
For example, If I delete the complete VM instance where Dogtag is running and reinstall, I
could reuse the private key and certificate already generated via openSSL command earlier
to setup new Dogtag instance without requiring to generate CSR and get it signed with
external CA (Ex: Symantec).
Hope this helps.
Please let me know if you have any questions.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 11:56 AM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server certs.
I’m trying 2 options with DogTag setup:
Option 1: Installing an externally signed CA
I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup
works perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing certificate in DogTag
setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
Option 2: Installing an externally signed CA (One time setup of keys/CSR)
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing certificate using
OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that
it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once and then setup
DogTag (or recreate VM) as many times I need using private key and certificate obtained
earlier. This will prevent us from regenerating CSR and get it signed with external CA
(Ex: Symantec).
If I read it correctly, you want to set up multiple CA's sharing the same singing
cert/keys? Dogtag supports cloning. Did you look into that?
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users
1:32 p.m.
I think you can look up openssl the option to create pkcs#12 using cert
and key pem's. Once you have the pkcs#12, you can import cert/keys into
nssdb using pk12util.
You can also look up option in openssl to create pkcs#7 cert chain.
Although I am not sure if you can get past "Step 2" of the external CA
as it expects to import the CA cert, which you would have already
imported via the pk12util from above. It might bomb out.
But let's see how far you get. If all it takes is to make pkispawn not
to bomb out when trying to import the ca cert, I might be able to move
up the ticket priority for you.
Christina
On 07/01/2015 06:12 AM, Jain, Mahendra wrote:
Hi Christina,
I followed the steps outlined in https://fedorahosted.org/pki/ticket/456.
I was wondering if you could help me with step #3 below about how to
specify non-dogtag CA key (test.key) configuration.
In other words how to import non-dogtag CA key (test.key) generated in
step #2.
Here’s what I have done so far:
*1. Run "external CA" step one with pkispawn:*
$ vi step_one.config
[DEFAULT]
pki_admin_password=password123
pki_backup_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
pki_security_domain_password=password123
pki_backup_keys=True
[CA]
pki_external=True
pki_external_csr_path=/tmp/ca.csr
pki_ca_signing_subject_dn=cn=Test Root CA
pki_admin_nickname=Test Root CA %(pki_dns_domainname)s
pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s
$ pkispawn -s CA -f step_one.config
*2. Generate non-dogtag cert using openssl:*
- Generate private key (*test.key*) and CSR (test.csr) using *OpenSSL*
utility
- Submit CSR to external CA (Ex: Symantec) for signing
- Obtain signed cert from external CA
- Save CA issued cert and CA root cert in ca.cert and ca_chain.cert
files respectively
*3. Put the non-dogtag ca b64 cert (ca.cert) as well as the pkcs7
chain (ca_chain.cert) in the proper places:*
$ vi step_two.config
[DEFAULT]
pki_admin_password=password123
pki_backup_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
pki_security_domain_password=password123
pki_backup_keys=True
[CA]
pki_external=True
*pki_external_ca_cert_chain_path=/tmp/ca_chain.cert*
*pki_external_ca_cert_path=/tmp/ca.cert*
pki_external_step_two=True
pki_ca_signing_subject_dn=cn=Test Root CA
pki_admin_nickname=Test Root CA %(pki_dns_domainname)s
pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s
*4.* *Run "external CA" step two with pkispawn:*
*
*
$ pkispawn -s CA -f step_two.config
I appreciate your help.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra" <majain(a)verisign.com
<mailto:majain@verisign.com>>
Date: Tuesday, June 30, 2015 at 2:02 PM
To: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>,
"pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
<pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and
certificate
Hi Christina,
Thank you so much. This is exactly I was looking for.
Looking at the ticket details, it seems quite old (the last response
posted ~ 7 months ago).
I’ll give it a try and let you know how it goes.
Thanks again,
Mahendra
From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 1:48 PM
To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
<pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and
certificate
I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 The user have a chance to
import own CA certificate with private key
Christina
On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
> Hi Christina,
>
> Thanks for taking time to respond.
> We already have clone setup using steps outlined in
> http://man.sourcentral.org/f18/8+pkispawn and the setup works
> perfectly fine with no issues.
>
> My question is related to Setting up Dogtag using private key
> and certificate generated via openSSL command separately (on a
> completely different host from Dogtag).
> For example, If I delete the complete VM instance where Dogtag is
> running and reinstall, I could reuse the private key and certificate
> already generated via openSSL command earlier to setup new Dogtag
> instance without requiring to generate CSR and get it signed with
> external CA (Ex: Symantec).
>
> Hope this helps.
>
> Please let me know if you have any questions.
> Thanks,
> Mahendra
>
>
> From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>
> Date: Tuesday, June 30, 2015 at 11:56 AM
> To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
> <pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
> Subject: Re: [Pki-users] Configure externally acquired private key
> and certificate
>
>
> On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
>> Hi Christina,
>>
>> Here’s some detailed information:
>>
>> I’m planning to setup intermediate CA with DogTag and issue SSL
>> server certs.
>>
>> I’m trying 2 options with DogTag setup:
>>
>> *Option 1: Installing an externally signed CA*
>> I followed the steps outlined in
>> http://man.sourcentral.org/f18/8+pkispawn and this setup works
>> perfectly fine with no issues.
>> This option involves following steps:
>>
>> 1. Generate a certificate signing request (CSR) for the signing
>> certificate in DogTag setup phase 1
>> 2. Submit the CSR to the external CA (Ex: Symantec)
>> 3. Obtain the resulting intermediate certificate and certificate chain
>> 4. Continue with DogTag setup phase 2
>>
>> *Option 2: Installing an externally signed CA (One time setup of
>> keys/CSR)*
>>
>> The desired steps are as follows:
>>
>> 1. Generate a certificate signing request (CSR) for the signing
>> certificate using *OpenSSL*
>> 2. Submit the CSR to the external CA (Ex: Symantec)
>> 3. Obtain the resulting intermediate certificate and certificate chain
>> 4. Store private key and certificate obtained in above steps in
>> secured media so that it can be used later
>> 5. Setup DogTag using the private key (generated in step #1) and
>> intermediate CA certificate (acquired in step #3)
>>
>> The desired expectation in option #2 is to perform step 1-3 below
>> once and then setup DogTag (or recreate VM) as many times I need
>> using private key and certificate obtained earlier. This will
>> prevent us from regenerating CSR and get it signed with external
>> CA (Ex: Symantec).
>
> If I read it correctly, you want to set up multiple CA's sharing the
> same singing cert/keys? Dogtag supports cloning. Did you look into
> that?
>
>>
>> Please let me know if you have any questions.
>>
>> Thanks,
>> Mahendra
>>
>>
>> From: <Jain>, "Jain, Mahendra" <majain(a)verisign.com
>> <mailto:majain@verisign.com>>
>> Date: Friday, June 26, 2015 at 12:22 PM
>> To: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>,
>> "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
>> <pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
>> Subject: Re: [Pki-users] Configure externally acquired private key
>> and certificate
>>
>> Hi Christina,
>>
>> Sorry for the confusion. Let me rephrase the steps below if it is
>> supported:
>>
>> 1. Generate private key and CSR for intermediate CA using *openssl*
>> 2. Submit the CSR to external CA (Ex: Symantec) for signing
>> 3. Receive the signed certificate from CA
>> 4. Setup DogTag with the private key (generated in step #1) and
>> intermediate CA certificate (acquired in step #3)
>>
>> I’m hoping this approach allows me to perform step 1-3 once and then
>> setup DogTag as many times I need using the existing private key and
>> certificate on any host.
>>
>> Please let me know if you need further clarification.
>>
>> Thanks,
>> Mahendra
>>
>>
>> From: Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>
>> Date: Friday, June 26, 2015 at 12:03 PM
>> To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
>> <pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
>> Subject: Re: [Pki-users] Configure externally acquired private key
>> and certificate
>>
>>
>> On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
>>> Hi,
>>>
>>> I’ve DogTag 10.1.2 setup with externally signed CA (using the steps
>>> outline in the link below) and the setup works perfectly fine:
>>>
>>> http://man.sourcentral.org/f18/8+pkispawn
>>>
>>> I would like to know if DogTag also supports configuring externally
>>> acquired private key and certificate.
>>>
>>> In other words, If I generate the private key and CSR using openssl
>>> and submit CSR to CA for certificate.
>>> Once the CA issued the certificate, I would like to setup DogTag
>>> using the existing private key (created using openssl) and certificate.
>>
>> Hi, I'm sorry I read your questions a few times and I'm not certain
>> what you wish to do. What would you like to use this certificate
>> for? For example, is this an SSL server cert, or CA signing cert?
>> etc. And you mean in another new Dogtag instance, or are you talking
>> about replacing certain system cert of the CA you just set up?
>>>
>>> Thanks,
>>> Mahendra
>>>
>>>
>>> “This message (including any attachments) is intended
>>> only for the use of the individual or entity to which it
>>> is addressed, and may contain information that is
>>> non-public, proprietary, privileged, confidential and
>>> exempt from disclosure under applicable law or may be
>>> constituted as attorney work product. If you are not the
>>> intended recipient, you are hereby notified that any use,
>>> dissemination, distribution, or copying of this
>>> communication is strictly prohibited. If you have
>>> received this message in error, notify sender immediately
>>> and delete this message immediately.”
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>
>
4:01 p.m.
Thanks. I will surely give it a try and let you know.
- Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Wednesday, July 1, 2015 at 2:32 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
I think you can look up openssl the option to create pkcs#12 using cert and key pem's.
Once you have the pkcs#12, you can import cert/keys into nssdb using pk12util.
You can also look up option in openssl to create pkcs#7 cert chain.
Although I am not sure if you can get past "Step 2" of the external CA as it
expects to import the CA cert, which you would have already imported via the pk12util from
above. It might bomb out.
But let's see how far you get. If all it takes is to make pkispawn not to bomb out
when trying to import the ca cert, I might be able to move up the ticket priority for
you.
Christina
On 07/01/2015 06:12 AM, Jain, Mahendra wrote:
Hi Christina,
I followed the steps outlined in https://fedorahosted.org/pki/ticket/456.
I was wondering if you could help me with step #3 below about how to specify non-dogtag CA
key (test.key) configuration.
In other words how to import non-dogtag CA key (test.key) generated in step #2.
Here’s what I have done so far:
1. Run "external CA" step one with pkispawn:
$ vi step_one.config
[DEFAULT]
pki_admin_password=password123
pki_backup_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
pki_security_domain_password=password123
pki_backup_keys=True
[CA]
pki_external=True
pki_external_csr_path=/tmp/ca.csr
pki_ca_signing_subject_dn=cn=Test Root CA
pki_admin_nickname=Test Root CA %(pki_dns_domainname)s
pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s
$ pkispawn -s CA -f step_one.config
2. Generate non-dogtag cert using openssl:
- Generate private key (test.key) and CSR (test.csr) using OpenSSL utility
- Submit CSR to external CA (Ex: Symantec) for signing
- Obtain signed cert from external CA
- Save CA issued cert and CA root cert in ca.cert and ca_chain.cert files respectively
3. Put the non-dogtag ca b64 cert (ca.cert) as well as the pkcs7 chain (ca_chain.cert) in
the proper places:
$ vi step_two.config
[DEFAULT]
pki_admin_password=password123
pki_backup_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
pki_security_domain_password=password123
pki_backup_keys=True
[CA]
pki_external=True
pki_external_ca_cert_chain_path=/tmp/ca_chain.cert
pki_external_ca_cert_path=/tmp/ca.cert
pki_external_step_two=True
pki_ca_signing_subject_dn=cn=Test Root CA
pki_admin_nickname=Test Root CA %(pki_dns_domainname)s
pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s
4. Run "external CA" step two with pkispawn:
$ pkispawn -s CA -f step_two.config
I appreciate your help.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Tuesday, June 30, 2015 at 2:02 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Thank you so much. This is exactly I was looking for.
Looking at the ticket details, it seems quite old (the last response posted ~ 7 months
ago).
I’ll give it a try and let you know how it goes.
Thanks again,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 1:48 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
I think you are talking about this:
https://fedorahosted.org/pki/ticket/456 The user have a chance to import own CA
certificate with private key
Christina
On 06/30/2015 09:14 AM, Jain, Mahendra wrote:
Hi Christina,
Thanks for taking time to respond.
We already have clone setup using steps outlined in
http://man.sourcentral.org/f18/8+pkispawn and the setup works perfectly fine with no
issues.
My question is related to Setting up Dogtag using private key and certificate generated
via openSSL command separately (on a completely different host from Dogtag).
For example, If I delete the complete VM instance where Dogtag is running and reinstall, I
could reuse the private key and certificate already generated via openSSL command earlier
to setup new Dogtag instance without requiring to generate CSR and get it signed with
external CA (Ex: Symantec).
Hope this helps.
Please let me know if you have any questions.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Tuesday, June 30, 2015 at 11:56 AM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/29/2015 07:32 AM, Jain, Mahendra wrote:
Hi Christina,
Here’s some detailed information:
I’m planning to setup intermediate CA with DogTag and issue SSL server certs.
I’m trying 2 options with DogTag setup:
Option 1: Installing an externally signed CA
I followed the steps outlined in http://man.sourcentral.org/f18/8+pkispawn and this setup
works perfectly fine with no issues.
This option involves following steps:
1. Generate a certificate signing request (CSR) for the signing certificate in DogTag
setup phase 1
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Continue with DogTag setup phase 2
Option 2: Installing an externally signed CA (One time setup of keys/CSR)
The desired steps are as follows:
1. Generate a certificate signing request (CSR) for the signing certificate using
OpenSSL
2. Submit the CSR to the external CA (Ex: Symantec)
3. Obtain the resulting intermediate certificate and certificate chain
4. Store private key and certificate obtained in above steps in secured media so that
it can be used later
5. Setup DogTag using the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
The desired expectation in option #2 is to perform step 1-3 below once and then setup
DogTag (or recreate VM) as many times I need using private key and certificate obtained
earlier. This will prevent us from regenerating CSR and get it signed with external CA
(Ex: Symantec).
If I read it correctly, you want to set up multiple CA's sharing the same singing
cert/keys? Dogtag supports cloning. Did you look into that?
Please let me know if you have any questions.
Thanks,
Mahendra
From: <Jain>, "Jain, Mahendra"
<majain@verisign.com<mailto:majain@verisign.com>>
Date: Friday, June 26, 2015 at 12:22 PM
To: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>,
"pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
Hi Christina,
Sorry for the confusion. Let me rephrase the steps below if it is supported:
1. Generate private key and CSR for intermediate CA using openssl
2. Submit the CSR to external CA (Ex: Symantec) for signing
3. Receive the signed certificate from CA
4. Setup DogTag with the private key (generated in step #1) and intermediate CA
certificate (acquired in step #3)
I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many
times I need using the existing private key and certificate on any host.
Please let me know if you need further clarification.
Thanks,
Mahendra
From: Christina Fu <cfu@redhat.com<mailto:cfu@redhat.com>>
Date: Friday, June 26, 2015 at 12:03 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: Re: [Pki-users] Configure externally acquired private key and certificate
On 06/25/2015 11:23 AM, Jain, Mahendra wrote:
Hi,
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link
below) and the setup works perfectly fine:
http://man.sourcentral.org/f18/8+pkispawn
I would like to know if DogTag also supports configuring externally acquired private key
and certificate.
In other words, If I generate the private key and CSR using openssl and submit CSR to CA
for certificate.
Once the CA issued the certificate, I would like to setup DogTag using the existing
private key (created using openssl) and certificate.
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish
to do. What would you like to use this certificate for? For example, is this an SSL
server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?
Thanks,
Mahendra
“This message (including any attachments) is intended only for the use of the individual
or entity to which it is addressed, and may contain information that is non-public,
proprietary, privileged, confidential and exempt from disclosure under applicable law or
may be constituted as attorney work product. If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this message in error, notify
sender immediately and delete this message immediately.”
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com<mailto:Pki-users@redhat.com>https://www.redhat.com/mailman/listinfo/pki-users
3461
days inactive
3467
days old
10 comments
2 participants
participants (2)
-
Christina Fu -
Jain, Mahendra