Good afternoon! Help me please. I have a private key, packages generate openssl. I have dogtag 10.3 installation to introduce my private key, as the root signing certificate. What need to do? Thank you so much. _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users

Hi Christina! I only have the private key. I would like to generate with it ca_signing.csr and ca_signing.pem. Next, import the installation of the new CA. How can I do it? Thank you. 2016-06-13 19:46 GMT+03:00 Christina Fu <cfu(a)redhat.com <mailto:cfu@redhat.com>>: Hi Anater, Not sure if anyone responded. We have something called "Existing CA" for new installations with 10.3.2 (or 1?). It's an option to allow reusing cert/keys of an existing CA. I'm not very certain of the info link, but here is one that might have some info (Endi please clarify... ): pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate <http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certific... Christina On 06/09/2016 10:06 AM, anater dembelov wrote: > Good afternoon! > > Help me please. > I have a private key, packages generate openssl. > > I have dogtag 10.3 installation to introduce my private key, as > the root signing certificate. > What need to do? > > Thank you so much. > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com <mailto:Pki-users@redhat.com> > https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com <mailto:Pki-users@redhat.com> https://www.redhat.com/mailman/listinfo/pki-users

Hi, I managed to install CA with an existing CA certificate generated by OpenSSL: http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate The only thing is it depends on a tool that has not been added yet (see patch #768 in pki-devel list). Hopefully the tool will make it into Dogtag 10.3.3, but in the meantime feel free to create a custom build with the patch. -- Endi S. Dewata On 6/13/2016 12:53 PM, Christina Fu wrote: > hi Anater, > > Not at the moment, but the feature did cross my mind at some point, and > I don't think it's that hard to implement. What we need though is a > business case. Could you provide reasoning for a useful scenario so > maybe we can build a business case to introduce such feature in the > future release? > > thanks, > Christina > > On 06/13/2016 10:43 AM, anater dembelov wrote: > >> Hi Christina! >> >> I only have the private key. I would like to generate with it >> ca_signing.csr and ca_signing.pem. Next, import the installation of >> the new CA. How can I do it? >> >> Thank you. >> >> 2016-06-13 19:46 GMT+03:00 Christina Fu <cfu(a)redhat.com >> <mailto:cfu@redhat.com>>: >> >> Hi Anater, >> >> Not sure if anyone responded. We have something called "Existing >> CA" for new installations with 10.3.2 (or 1?). It's an option to >> allow reusing cert/keys of an existing CA. >> I'm not very certain of the info link, but here is one that might >> have some info (Endi please clarify... ): >> >> >> pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate >> < >> http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate >> > >> >> Christina >> >> >> On 06/09/2016 10:06 AM, anater dembelov wrote: >> >>> Good afternoon! >>> >>> Help me please. >>> I have a private key, packages generate openssl. >>> >>> I have dogtag 10.3 installation to introduce my private key, as >>> the root signing certificate. >>> What need to do? >>> >>> Thank you so much. >>> >>

On 6/14/2016 8:34 AM, anater dembelov wrote: > Excellent! > Just right. > I have probyval create a certificate request and through OpenSSL. With > similar attributes. As in Dogtag. > I fedora OS 23. pki-server-10.2.6-19.fc23.noarh > What do I need to download to install the patch # 768. > Thank you! > Hi, I have an unofficial build for Fedora 23 that contains the new tool: https://copr.fedorainfracloud.org/coprs/edewata/pki-fedora/ Please give it a try. Thanks! Please also note that the official build will only be available on Fedora 24 or later. -- Endi S. Dewata

On 06/16/2016 09:47 AM, anater dembelov wrote: > By an example from > > http://pki.fedoraproject.org/wiki/Installing_CA_with_OpenSSL_CA_Certificate > I created keys, request and the certificate. > But! > [root@f23-zero ~] # pki pkcs12-cert-mod - pkcs12-file ca.p12 "CA > Certificate" - pkcs12-password-file password.txt - trust-flags CTu, Cu, Cu > NotInitializedException: null > > Not work!? > > Help! > Hi, it looks like you need to create an NSS database for the pki tool first: $ pki -c Secret123 client-init For the --trust-flags option there should not be any space between the flags. And make sure the double-dashes are written exactly as in the example. I've updated the wiki page based on your feedback. Thanks! Just let me know if there are other problems. -- Endi S. Dewata