It will be a good feature if a user who has generated a certificate and private key can import them in the Installation Wizard. Think about migration from one certificate system to another.
Dogtag's configuration wizard provides support for external CAs (see: http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/AdditionalInstallOptions.html#requesting-certs-from-an-external-ca). We would appreciate it if you could provide more details explaining your scenario.
Suppose that you have generated a CA certificate with keys, for example with openssl or another RHCS CA. Also, at the end of the install wizard you can export the generated keys and certificates. You can use this pkcs12 only for cloning. You can't use the pkcs12 for a 'clean' install. Now suppose that you make some terrible mistake and the original system doesn't work. You can't clone it. You have to generate new keys for the CA certificate in a new RHCS CA instance. This means a new CA certificate, and all certificates issued with the old CA certificate (from the non-working RHCS CA) are invalidated. Another scenario: You created a simple CA with openssl a couple of months ago. But now you want to scale this, because the openssl command line is not a convenient way to issue a lot of certificates. You have decided to move to RHCS CA, but you can't import the keys and certificate from openssl. The install wizard generates new keys every time; there is no way to import already generated keys. Again, with newly generated keys and a new CA certificate, the issued 'old' certificates are invalidated.
I recommend not to move CA keys, and to store them securely on an HSM, but I see value in the migration scenario.
Upstream ticket: https://fedorahosted.org/pki/ticket/456
Fixed external CA case for IPA compatibility (edewata):
* 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21

Should be fixed in Dogtag 10.3 packages on Fedora 24.
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.