Bug 773082 - Provide the user the ability to import their own CA certificate with private key
Summary: Provide the user the ability to import their own CA certificate with private key
Status: POST
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Installation Wizard
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Ben Levenson
Depends On:
Blocks: 530474 1280391 1289323 1310195 1373526
TreeView+ depends on / blocked
Reported: 2012-01-10 21:21 UTC by bbonok
Modified: 2016-09-06 13:59 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1280391 1289323 (view as bug list)
Last Closed:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 736138 None None None Never

Internal Links: 736138

Description bbonok 2012-01-10 21:21:04 UTC
It will be a good feature that if a user have generated certificate and private key the user can import them in Instalation Wizard. 

Think about migration from one certificate system to another.

Comment 1 Andrew Wnuk 2012-02-13 19:02:21 UTC
Dogtag's configuration wizard provides support for external CAs (see: http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/AdditionalInstallOptions.html#requesting-certs-from-an-external-ca)

We would appreciate, if you could provide more details explaining your scenario.

Comment 2 bbonok 2012-02-13 20:18:26 UTC
Suppose that you have generated CA certificate with keys. Example - openssl or another RHCS CA. Also In the end of install wizard you can export generated keys and certificates. This pkcs12 you can use only for cloning. You can't use pkcs12 for 'clean' install.

Now suppose that you make some terrible mistake and the original system doesn't work. You can't clone it. You have to generate new keys for CA certificate in new RHCS CA instance. This means new CA certificate and all certificates issued with old CA certificate (from the not working RHCS CA) are invalidated. 

Another scenario:
You have created some simple CA with openssl a couple months ago. But now you want
to scale this because openssl comand-line is not convenient way to issue a lot of certificates. You have decided to move to RHCS CA, but you can't import the keys and certificate from openssl. The install wizard generate every time new keys, there is no way to import already generated keys. Again with new generated keys and new CA certificate the issued 'old' certificates are invalidated.

Comment 3 Andrew Wnuk 2012-02-16 01:32:05 UTC
I recommend not to move CA keys and store them securely on HSM but I see a value in migration scenario.

Comment 4 Nathan Kinder 2012-12-11 16:57:17 UTC
Upstream ticket:

Comment 6 Matthew Harmsen 2016-01-19 20:03:01 UTC
Fixed external CA case for IPA compatibility (edewata):

    * 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21 

Should be fixed in Dogtag 10.3 packages on Fedora 24.

Comment 7 Mike McCune 2016-03-28 22:14:36 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Note You need to log in before you can comment on or make changes to this bug.