There have been calls for being able to install a KRA using an external CA. This includes CA-less IPA installation and storage of secrets, and possible integration with CloudKeep.
We need to figure out how to do this.
Per discussions with Christina and Ade, I simply created a standalone CA (to act as the external CA), and then created a standalone KRA without running the automatic configuration.
Once I started the GUI configuration on the KRA, I was immediately blocked by the third panel "Security Domain" because although it contains a radio button for "Create a New Security Domain", this button is basically non-selectable for subsystems other than a CA, so this will probably be the starting point to see if we can add a third option of "Use an External CA".
Additionally, there is a NOTE on this panel that reads:
Since a Security Domain MUST be a CA (although all CAs are NOT necessarily Security Domains), an appropriate value for this URL may be obtained by logging into the machine which hosts the desired Security Domain CA as 'root' and running the command "/usr/bin/pkicontrol status ca pki-tomcatd@pki-tomcat.service" from the command-line.
Due to the relative size of this effort, I have broken this ticket into two parts:
Patch which addresses Phase I: Installation using 'pkispawn' and manual configuration using the GUI panel interface via a Firefox browser: 20130830-Stand-alone-DRM-manual-GUI-configuration-only.patch
In recent discussions, the following was determined:
As a consequence of this, much of the attached patch has been rendered unusable, and a design document has been created and placed at:
NOTE: This task's design/implementation phases have been revised and are currently documented in the design document.
F20 patch for Stand-alone DRM: 20131015-Stand-alone-DRM.patch
Checked into 'master':
Metadata Update from @vakwetu: - Issue assigned to mharmsen - Issue set to the milestone: 10.1 - 10/13 (October)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1237
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.