#667 provide option for ca-less drm install
Closed: Fixed None Opened 11 years ago by vakwetu.

There have been calls for being able to install a KRA using an external CA.
This includes CA-less IPA installation and storage of secrets, and possible integration with CloudKeep.

We need to figure out how to do this.


Per discussions with Christina and Ade, I simply created a standalone CA (to act as the external CA), and then created a standalone KRA without running the automatic configuration.

Once I started the GUI configuration on the KRA, I was immediately blocked by the third panel "Security Domain" because although it contains a radio button for "Create a New Security Domain", this button is basically non-selectable for subsystems other than a CA, so this will probably be the starting point to see if we can add a third option of "Use an External CA".

Additionally, there is a NOTE on this panel that reads:

Since a Security Domain MUST be a CA (although all CAs are NOT necessarily
Security Domains), an appropriate value for this URL may be obtained by
logging into the machine which hosts the desired Security Domain CA as
'root' and running the command
"/usr/bin/pkicontrol status ca pki-tomcatd@pki-tomcat.service"
from the command-line.

Due to the relative size of this effort, I have broken this ticket into two parts:

  • Phase I: Installation via 'pkispawn' and configuration via manual GUI panels in a Firefox browser
  • Phase II: Installation and configuration via 'pkispawn' and the REST interface

Patch which addresses Phase I: Installation using 'pkispawn' and manual configuration using the GUI panel interface via a Firefox browser
20130830-Stand-alone-DRM-manual-GUI-configuration-only.patch

In recent discussions, the following was determined:

  • a security domain is required (to allow for cloning)
  • the current use cases reflect using the pkispawn RESTFUL interface rather than the legacy GUI browser interface

As a consequence of this, much of the attached patch has been rendered unusable, and a design document has been created and placed at:

NOTE:  This task's design/implementation phases have been revised and
       are currently documented in the design document.

Checked into 'master':

  • 47c77a67d67cb443070137fd9b8d64955d499089

Metadata Update from @vakwetu:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.1 - 10/13 (October)

8 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1237

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

