This is part of ticket #129 - RFE: Add support for multiple DRM transport keys.
This ticket will provide a manual procedure which will allow propagating the new transport certificate and keys to DRM clones.
Based on a discussion with Nathan (nkinder), the scope of this feature has been significantly reduced to only providing the ability for the DRM to support two transport keys: the current key and the new key. The DRM will provide the ability to automatically distinguish between its transport keys during the archival process.
All other processes will be covered by manual procedures. This includes:
The above list of procedures may grow.
Please note that all manual procedures require subsystem restarts, which result in service interruptions.
https://bugzilla.redhat.com/show_bug.cgi?id=804677 (Red Hat Certificate System)
Here is how to transfer the new transport key and certificate to a DRM clone:
cd /etc/pki/pki-tomcat/alias
# stop the server before touching the NSS database
systemctl stop pki-tomcatd@pki-tomcat.service
# list the certificates in the NSS database and locate the new transport certificate
certutil -d . -L
certutil -d . -L -n 'transportCert-<sn> cert-pki-tomcat KRA'
# export the new transport certificate and its private key to a PKCS#12 file
pk12util -o transport.p12 -d . -n 'transportCert-021 cert-pki-tomcat KRA'
# verify the contents of the PKCS#12 file
pk12util -l transport.p12
# transfer transport.p12 to the DRM clone, then, on the clone (in its alias directory), import it
pk12util -i transport.p12 -d .
# in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg on the clone add the following line:
kra.transportUnit.newNickName=transportCert-<sn> cert-pki-tomcat KRA
# start the server again
systemctl start pki-tomcatd@pki-tomcat.service
Metadata Update from @awnuk: - Issue assigned to awnuk - Issue set to the milestone: 10.1 - 09/13 (September)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1304
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.