Thanks for the update, Christina. Where does the Dogtag CA store its certificate for https://<dogtag_ca_url>:8443/? I checked the /etc/ssl/certs/ directory, but I found nothing.

Thanks again, Christina

Rafael

On Thu, Jun 1, 2017 at 9:00 AM, <[email protected]> wrote:
> Date: Wed, 31 May 2017 14:31:31 -0700
> From: Christina Fu <[email protected]>
> To: [email protected]
> Subject: Re: [Pki-users] Dogtag Cert Lauch Page Renewal
>
> Hi Rafael,
>
> I think the following should work for you in theory (Note: I have not
> tried it myself).
>
> If you mean the web server cert, by default it uses the caServerCert
> profile. So to add SAN you would want to add Subject Alt Name Default
> and possibly constraint to that profile. You can look up how other
> default profiles.
>
> Here is an example policy you could add:
>
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.9.constraint.name=No Constraint
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer.example.com
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
> Make sure you add the set id "9" (if unique..you can change it to
> another unique id) to
>
> policyset.serverCertSet.list=
>
> It is important that you add that to the profile before you proceed with
> the renewal instruction (under the assumption that you wish to reuse
> keys), because the instruction I am about to give you will use the same
> profile that the original cert was issued through. Restart the CA after
> the above config change.
>
> About renewal, if you want to reuse the same keys of the original web
> server certificate, you could try going to the ee page
> Enrollment/Renewal tab. Where you would find on the last link of the
> page to be
>
> Renewal: Renew certificate to be manually approved by agents.
>
> Enter the current (to be replaced) server cert serial number and
> submit. Have the CA agent approve the request. Download and update
> your server cert, restart the intended web server.
>
> If you don't want to reuse keys, then simply enroll through the Manual
> Server Certificate Enrollment, which uses the profile that you just
> modified, but will expect a whole new csr to be the input (rekey).
> Incidentally, if you happen to have the original CSR (hence preserving
> the same keys), you would end up having the same keys with the new
> update profile (with SAN) as well, which would effectively give you the
> same result.
>
> Let us know if that works for you.
>
> Christina
>
>
> On 05/30/2017 06:29 PM, Rafael Leiva-Ochoa wrote:
> > Any takers?
> >
> > Rafael
> >
> > On Sat, May 27, 2017 at 10:29 PM, Rafael Leiva-Ochoa
> > <[email protected]> wrote:
> >
> > Hi Everyone,
> >
> > I was looking through the Dogtag CA documentation, and I
> > was not able to find the process for renewing the Dogtag Web page
> > certificate. I wanted to update the cert since all browsers now
> > require a SAN on the cert. Any help would be great.
> >
> > Thanks,
> >
> > Rafael
> >
> > _______________________________________________
> > Pki-users mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/pki-users
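
A pre-restart check for the profile edit described in the quoted reply, as an added example that is not part of the original thread or of Dogtag's own tooling. It assumes the profile is flat `key=value` text like the stanza quoted above; the function names, the sample text and the placeholder policy id 1 are constructed for illustration.

```python
import re

# Constructed sample: the set-9 stanza from the reply above, plus one
# placeholder policy (id 1). Set id 9 is deliberately absent from the list.
SAMPLE_PROFILE = """\
policyset.serverCertSet.list=1
policyset.serverCertSet.1.default.class_id=placeholderDefaultImpl
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer.example.com
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
"""

def parse(text):
    """Return {key: value} for key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_profile(text, policy_set="serverCertSet"):
    """Return a list of problems in the policy set's list and SAN settings."""
    cfg, problems = parse(text), []
    prefix = f"policyset.{policy_set}."
    listed = [i.strip() for i in cfg.get(prefix + "list", "").split(",") if i.strip()]
    if len(listed) != len(set(listed)):
        problems.append(f"duplicate id in {prefix}list")
    defined = {}  # policy id -> {rest of key: value}
    for key, value in cfg.items():
        m = re.match(re.escape(prefix) + r"(\d+)\.(.+)", key)
        if m:
            defined.setdefault(m.group(1), {})[m.group(2)] = value
    for pid in sorted(set(defined) - set(listed), key=int):
        problems.append(f"policy {pid} is defined but missing from {prefix}list")
    san = [p for p, kv in defined.items()
           if kv.get("default.class_id") == "subjectAltNameExtDefaultImpl"]
    if not san:
        problems.append("no subjectAltNameExtDefaultImpl policy in the set")
    for pid in san:
        kv = defined[pid]
        # Every general name counted by subjAltNameNumGNs needs all three params.
        for n in range(int(kv.get("default.params.subjAltNameNumGNs", "0"))):
            for field in ("GNEnable", "Pattern", "Type"):
                if not kv.get(f"default.params.subjAltExt{field}_{n}"):
                    problems.append(f"policy {pid}: subjAltExt{field}_{n} is unset")
    return problems
```

An empty result from `check_profile` means the set id is listed exactly once and each SAN entry has its enable, pattern and type parameters; it does not confirm that an issued certificate carries the extension.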
