#620 Ability of a Subordinate (or non-security domain) CA to store an "Administration" cert in the NSS client security database
Closed: Invalid. Opened 10 years ago by mharmsen.

While fixing the following two bugs:

The following was discovered:

## URL to CA used to Issue Certificates for PKI Instance Creation
##
##     * each 'hostname:port' must be a CA EE Hostname and CA EE Port
##     * referenced CA does not need to be a Security Domain (see CAVEAT)
##     * referenced CA must reside within the same security domain
##       as the associated PKI instance
##
##       CAVEAT:   If the chosen CA is a security domain:
##
##                     * all PKI subsystem certificates (including the
##                       'Subsystem' certificates) will be stored on this CA
##                     * all PKI subsystem client 'Administration'
##                       certificates will automatically be imported into
##                       the NSS client security databases associated with
##                       the 'pkisilent' invocation of each PKI subsystem
##                     * the 'pkisilent' client security databases may be
##                       used inside a firefox browser with no further
##                       changes
##
##                 If the chosen CA is NOT a security domain:
##
##                     * all PKI subsystem certificates EXCEPT the
##                       'Subsystem' certificate will be stored on this CA;
##                       the 'Subsystem' certificate will be stored on the
##                       CA that is the security domain for this PKI
##                       subsystem
##                     * no non-CA PKI subsystem client 'Administration'
##                       certificates will automatically be imported into
##                       the NSS client security databases associated with
##                       the 'pkisilent' invocation of each PKI subsystem;
##                       import will fail with something similar to the
##                       following message:
##
##                           ERROR: exception importing cert: Security
##                                  library failed to decode certificate
##                                  package: (-8183) security library:
##                                  improperly formatted DER-encoded
##                                  message.
##
##                     * in order to utilize the 'pkisilent' client
##                       security databases inside a firefox browser, one
##                       will need to manually import all 'Administration'
##                       certificates for each of the non-CA PKI subsystems
##                       stored in this non-security domain CA

We should consider fixing this issue for CAs which are not security domains.


While chatting with Christina about this issue, and testing these bugs with Andrew, it was suggested that this issue may not have to do with the subordinate CA not being a security domain, but rather the fact that the failure to store the PKI subsystem's Administration certificate in the client NSS security databases may be due to a problem traversing the Certificate Chain.

On a couple of occasions, the ERROR displayed when attempting to configure a KRA instance was:

ERROR: exception importing cert: Expected user cert but no matching 
       key?: (-8157) Certificate extension not found.
NOTE:  When this ticket is addressed, the documented comment
       should be corrected appropriately within all of the
       various 'pkisilent' template files.
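Added example, not code from pkisilent or the Dogtag project: the check a practitioner would want to run on an Administration certificate package before handing it to the NSS client database. It normalises PEM/base64 text to DER (feeding the text form to a DER decoder is one common way to get the -8183 "improperly formatted DER-encoded message" error quoted above), splits a bare certificate or a PKCS#7 certs-only bundle into its certificates, and walks issuer-to-subject to confirm the chain is complete, which is the chain-traversal failure suspected in this ticket. It assumes the CA returns the package in one of those two forms; all function names (`to_der`, `certificates_in`, `order_chain`, `toy_cert`, `toy_pkcs7`) are this example's own, and the certificates it builds are structurally valid toys with dummy signatures, constructed here as sample input.

```python
"""Added example (not pkisilent or Dogtag code): normalise the certificate
package an Administration-cert import hands to NSS, pull out its certificates,
and walk the chain.  Assumes a bare DER Certificate or a PKCS#7 certs-only bundle."""
import base64
import re

PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def der(tag, body):
    """Encode one definite-length TLV (used only to build the sample input)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, content, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or off + nbytes > len(buf):
            raise ValueError("bad DER length")
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    if off + length > len(buf):
        raise ValueError("DER content overruns buffer")
    return tag, buf[off:off + length], off + length

def children(content):
    """Split the content of a constructed TLV into its child TLVs (raw bytes)."""
    out, off = [], 0
    while off < len(content):
        _, _, nxt = tlv(content, off)
        out.append(content[off:nxt])
        off = nxt
    return out

def to_der(package):
    """Return DER for raw DER or PEM/base64 text; handing the text form to a
    DER decoder is one way to get SEC_ERROR_BAD_DER (-8183)."""
    if isinstance(package, str):
        package = package.encode()
    if package[:1] == b"\x30":                          # already a DER SEQUENCE
        return package
    body = re.sub(rb"-----[^-]+-----", b"", package)    # drop PEM armour lines
    return base64.b64decode(b"".join(body.split()), validate=True)

def certificates_in(der_bytes):
    """List the DER certificates in a bare Certificate or a PKCS#7 SignedData."""
    tag, content, end = tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("package is not a single DER SEQUENCE")
    fields = children(content)
    if fields and fields[0] == PKCS7_SIGNED_DATA:
        _, signed_data, _ = tlv(tlv(fields[1])[1])      # [0] EXPLICIT SignedData
        for field in children(signed_data):
            if field[0] == 0xA0:                        # [0] IMPLICIT certificates
                return children(tlv(field)[1])
        return []
    return [der_bytes]

def issuer_and_subject(cert):
    """Return the DER-encoded issuer and subject Names of a Certificate."""
    tbs = children(tlv(children(tlv(cert)[1])[0])[1])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                               # optional [0] version
        tbs = tbs[1:]
    return tbs[2], tbs[4]    # serial, signature, issuer, validity, subject, ...

def order_chain(certs):
    """Order certs leaf-first by issuer/subject Name; raise where the walk breaks
    (the chain-traversal failure suspected in the ticket)."""
    names = {c: issuer_and_subject(c) for c in certs}
    leaves = [c for c in certs if names[c][1] not in {i for i, _ in names.values()}]
    if len(leaves) != 1:
        raise ValueError("expected one end-entity certificate, found %d" % len(leaves))
    chain, cur = [leaves[0]], leaves[0]
    while names[cur][0] != names[cur][1]:               # stop at a self-signed cert
        nxt = [c for c in certs if c != cur and names[c][1] == names[cur][0]]
        if not nxt or len(chain) > len(certs):
            raise ValueError("chain broken: no certificate with subject %s"
                             % names[cur][0].hex())
        cur = nxt[0]
        chain.append(cur)
    return chain

# Constructed sample input: structurally valid certificates with dummy signatures.
def toy_name(cn):
    return der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03" + der(0x13, cn.encode()))))

def toy_cert(subject, issuer, serial):
    alg = der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00\x00"))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
           + toy_name(issuer) + validity + toy_name(subject) + spki)
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))

def toy_pkcs7(certs):
    """Wrap certs in a PKCS#7 SignedData with no content and no signers."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                 + der(0x30, bytes.fromhex("06092a864886f70d010701"))
                 + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, PKCS7_SIGNED_DATA + der(0xA0, signed))
```

Run `order_chain(certificates_in(to_der(package)))` on what the CA hands back before the certutil/pk12util import; if it raises, the package is missing an issuer, and the issuer certificates from the non-security-domain CA need to be in the client database first rather than expecting the subsystem's Administration cert to import on its own.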

Metadata Update from @mharmsen:
- Issue assigned to vakwetu
- Issue set to the milestone: N/A

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1190

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

