#736 Provide manual procedure which will allow to propagate new transport certificate and keys to DRM clones
Closed: Fixed. Opened 10 years ago by awnuk.

This is part of ticket #129 - RFE: Add support for multiple DRM transport keys.

This ticket will provide a manual procedure that will allow propagating the new transport certificate and keys to DRM clones.

Based on a discussion with Nathan (nkinder), the scope of this feature has been significantly reduced to only providing the ability for the DRM to support two transport keys: the current key and the new key. The DRM will provide the ability to automatically distinguish between its transport keys during the archival process.

All other processes will be covered by manual procedures. This includes:

  • requesting the new transport certificate
  • obtaining the issued certificate
  • importing the new transport certificate and keys into the DRM's NSS DB
  • updating the DRM configuration to reflect the existence of the new transport certificate and keys
  • propagating the new transport certificate and keys to DRM clones
  • replacing the current transport certificate and keys during the process of transferring the new transport certificate and keys to become the current ones
  • propagating the new transport certificate to all CAs communicating with the updated DRM (including the CAs' clones)

The above list of procedures may grow.

Please note that all manual procedures require subsystem restarts, which result in service interruptions.

https://bugzilla.redhat.com/show_bug.cgi?id=804677 (Red Hat Certificate System)

Here is how to transfer the new transport key and certificate to a DRM clone:

  • Go to the DRM's NSS DB directory:
    cd /etc/pki/pki-tomcat/alias
  • Stop the DRM:
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Verify that the new DRM transport certificate is present by running
    certutil -d . -L
    followed by
    certutil -d . -L -n 'transportCert-<sn> cert-pki-tomcat KRA'
  • Export the DRM's new transport key and certificate:
    pk12util -o transport.p12 -d . -n 'transportCert-021 cert-pki-tomcat KRA'
  • Verify the exported DRM transport key and certificate:
    pk12util -l transport.p12
  • Transfer the transport.p12 file, containing the transport key and certificate, to the DRM clone's location.
  • Go to the clone's NSS DB directory:
    cd /etc/pki/pki-tomcat/alias
  • Stop the DRM clone:
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Check the content of the clone's NSS DB by running
    certutil -d . -L
  • Import the clone's new transport key and certificate:
    pk12util -i transport.p12 -d .
  • Edit the clone's configuration file
    /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    to add the following line:
    kra.transportUnit.newNickName=transportCert-<sn> cert-pki-tomcat KRA
  • Start the DRM clone:
    systemctl start pki-tomcatd@pki-tomcat.service
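
As an added example, not part of the ticket or of the Dogtag project's own tooling, the transfer procedure above as a shell script: it refuses to export a nickname that is not actually in the NSS DB, checks the PKCS#12 file before it leaves the primary, and writes kra.transportUnit.newNickName into CS.cfg without leaving a duplicate line if the step is repeated. Paths, nicknames and the service name are the ones from the ticket; the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the ticket: transfer the new KRA transport key and
# certificate to a clone. Paths, nicknames and service name follow the ticket;
# function names are assumptions.
set -eu

NSSDB=/etc/pki/pki-tomcat/alias
CS_CFG=/var/lib/pki/pki-tomcat/kra/conf/CS.cfg
SERVICE=pki-tomcatd@pki-tomcat.service

# Fail unless the nickname is really present in the NSS DB (certutil -L -n).
require_nick() {
  local db="$1" nick="$2"
  certutil -d "$db" -L -n "$nick" >/dev/null 2>&1 ||
    { echo "nickname '$nick' not found in $db" >&2; return 1; }
}

# On the primary DRM: export key and certificate of the new transport cert
# to a PKCS#12 file and check that the file can be read back.
export_transport() {
  local nick="$1" out="$2"
  require_nick "$NSSDB" "$nick"
  systemctl stop "$SERVICE"
  pk12util -o "$out" -d "$NSSDB" -n "$nick"
  pk12util -l "$out" >/dev/null
  chmod 600 "$out"   # the file carries a private key; keep it owner-readable
}

# Set kra.transportUnit.newNickName in CS.cfg, replacing an existing value
# instead of appending a second line. Nicknames must not contain '|' or '&'.
set_new_nickname() {
  local cfg="$1" nick="$2"
  if grep -q '^kra.transportUnit.newNickName=' "$cfg"; then
    sed -i "s|^kra.transportUnit.newNickName=.*|kra.transportUnit.newNickName=$nick|" "$cfg"
  else
    printf 'kra.transportUnit.newNickName=%s\n' "$nick" >>"$cfg"
  fi
}

# On the clone: import the PKCS#12, confirm the nickname, register it, restart.
import_transport() {
  local nick="$1" in="$2"
  systemctl stop "$SERVICE"
  pk12util -i "$in" -d "$NSSDB"
  require_nick "$NSSDB" "$nick"
  set_new_nickname "$CS_CFG" "$nick"
  systemctl start "$SERVICE"
}
```

Run export_transport on the primary and import_transport on the clone with the same nickname; pk12util prompts for the PKCS#12 password as in the manual steps.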

Metadata Update from @awnuk:
- Issue assigned to awnuk
- Issue set to the milestone: 10.1 - 09/13 (September)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1304

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
