Hi
That does help.
Thanks
Sean
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
On Behalf Of John Magne
Sent: Friday, March 26, 2010 12:56 PM
To: Raspante, Patrick
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Manually Replacing Server Certificates +
Profiles
Patrick:
I did some quick digging and came up with a bit of info that might help.
It looks like the profiles that actually get used by the configuration
wizard to create subsystems are private to that process. You can, though,
view these profiles in the directory:
/var/lib/pki-ca/conf/*.profile
The differences between these profiles and the regular CA profiles can
be compared to possibly explain what you are seeing with the certs that
get output.
----- Original Message -----
From: "Patrick Raspante" <Patrick.Raspante(a)gdc4s.com>
To: pki-users(a)redhat.com
Sent: Friday, March 26, 2010 4:47:06 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] Manually Replacing Server Certificates + Profiles
Using CS 8.0,
I'm interested in replacing (not renewing) all the server certificates
for every subsystem (CA,TKS,DRM,TPS).
The solution I had planned on using was to painstakingly use certutil to
generate certificate requests, sign them, and import them back into the
subsystem cert db with identical cert nicknames.
Is there an easier way to do this (other than reinstalling+rerunning the
create wizard)? I can attempt to use pkiconsole to replace certificates
and automatically send them to the CA's ee page, but that seems to be
erroring repeatedly.
Using the certutil method, I'm unsure of which CA profiles to use when
signing some of the server certificates. For example, when
replacing the TKS's 'subsystemCert' or 'Server-Cert' using the CA's
'manual server certificate enrollment' profile, I don't get a cert
with identical extensions as the original TKS 'subsystem cert'. Which
profile does the CA use at TKS creation-time for these certs?
Thanks
Patrick Raspante
Software Engineer
General Dynamics C4 Systems
Work: 781-455-2399
This message and/or attachments may include information subject to GDC4S
O.M. 1.8.6 and GD Corporate Policy 07-105 and is intended to be accessed
only by authorized recipients. Use, storage and transmission are
governed by General Dynamics and its policies. Contractual restrictions
apply to third parties. Recipients should refer to the policies or
contract to determine proper handling. Unauthorized review, use,
disclosure or distribution is prohibited. If you are not an intended
recipient, please contact the sender and destroy all copies of the
original message.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
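The profile comparison suggested in John's reply, as an added example that is not part of the original thread: it diffs two profile files setting by setting so differences in validity or extension defaults stand out. It assumes the files are plain key=value text; the two sample profiles and every key name in them are constructed for illustration, not copied from a CS 8.0 install.

```python
"""Diff two key=value profile files to see which settings differ."""
import sys

def parse_profile(text):
    """Parse key=value lines; skip blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def diff_profiles(a, b):
    """Return (only_in_a, only_in_b, changed) for two parsed profiles."""
    only_a = {k: a[k] for k in a.keys() - b.keys()}
    only_b = {k: b[k] for k in b.keys() - a.keys()}
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return only_a, only_b, changed

# Constructed sample standing in for a file under /var/lib/pki-ca/conf/
WIZARD_PROFILE = """\
name=Subsystem Certificate Profile
list=1,2
1.default.params.range=720
2.default.params.keyUsageCritical=true
2.default.params.keyUsageDataEncipherment=true
"""
# Constructed sample standing in for a regular CA enrollment profile
REGULAR_PROFILE = """\
name=Manual Server Certificate Enrollment
list=1,2
1.default.params.range=180
2.default.params.keyUsageCritical=true
"""

def report(a_text, b_text):
    """Build diff lines: '-' only in a, '+' only in b, '~' value changed."""
    only_a, only_b, changed = diff_profiles(parse_profile(a_text), parse_profile(b_text))
    lines = [f"- {k}={v}" for k, v in sorted(only_a.items())]
    lines += [f"+ {k}={v}" for k, v in sorted(only_b.items())]
    lines += [f"~ {k}: {old} -> {new}" for k, (old, new) in sorted(changed.items())]
    return lines

if __name__ == "__main__":
    # With two file paths, compare those files; otherwise use the samples.
    paths = sys.argv[1:3] if len(sys.argv) == 3 else None
    texts = [open(p, encoding="utf-8").read() for p in paths] if paths else [WIZARD_PROFILE, REGULAR_PROFILE]
    print("\n".join(report(*texts)))
```

Run it with two file paths as arguments to compare real profiles; a setting present in only one file, or with a different value, is a candidate explanation for a certificate that comes out with different extensions.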