Red Hat Bugzilla – Bug 1464549
CC: Installation: allow installation with existing system certificates
Last modified: 2017-08-03 20:16:14 EDT
This came out of the PP requirement: FIA_CMC_EXT.1.3
Basically, when a subordinate CA acts as a client to its superior CA, the cert requests and responses should be carried in CMC format and protocol.
Since retrofitting CMC into the existing installation system is not feasible, as installation is a "one-time thing" that doesn't happen often, our plan is to give some manual CC setup steps with the assistance of some code changes:
* for sub-CAs, just give instructions on manual CMC request generation and submission to the superior CA, and then use the "existing CA" feature to install
* for non-CA subsystems, such as KRA, OCSP, TPS, and TKS, we need some (possibly not a lot) changes to allow pre-existing system certificates to be used. We add instructions on manual CMC request generation and submission to the CA before directing people to use this new "existing all subsystems" feature.
For the above, there is already a ticket:
Another area that needs to be covered is a set of system certificate profiles for CMC requests to complete the above strategy.
Note that the CMC system cert enrollment profiles have been pushed to Dogtag master.
See Usage info here: