#2440 Optional CA signing CSR for migration
Closed: Fixed. Opened 7 years ago by edewata.

The current procedure for installing CA with existing CA certificate requires specifying the CSR in the pki_ca_signing_csr_path property:

http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate

The installation tool will read the CSR, store it in CS.cfg, then import it into the database afterwards. The CSR is needed for future renewals, but the renewal process will use the CSR in the database, so the CSR doesn't actually need to be stored in the CS.cfg.

In the migration case the CSR is already included in the database records imported from the existing server, so the pki_ca_signing_csr_path should be changed to optional. All references to the CSR in CS.cfg should be replaced with code that retrieves the CSR from the database directly. An upgrade script should remove the CSR from existing CS.cfg.


Fixed in master (10.4):

  • bde2cd1d3e65850c82a6ea7a6cebcae46a4408f2
  • eb28cf05cfad246383dbda054c8cd477bc7acc73

With the above changes the CSR will now be optional during installation. However, due to the complexity of the various cases that need to be supported, for now the CSR should still remain in CS.cfg. So in the migration case, after importing the old database, the CSR should be restored into CS.cfg using this command:

$ pki-server subsystem-cert-update ca signing

See http://pki.fedoraproject.org/wiki/CSR_Migration.

The following were cherry-picked into DOGTAG_10_3_BRANCH:

commit e0db19f831159689e9fd63b988799ee16b618dc6
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sat Aug 20 10:47:15 2016 +0200

    Updated pki-server subsystem-cert-update CLI.

    The pki-server subsystem-cert-update CLI has been updated to
    use certutil to retrieve the certificate data from the proper
    token. It will also show a warning if the certificate request
    cannot be found.

    The NSSDatabase constructor has been modified to normalize the
    name of the internal NSS token to None. If the token name is None,
    certutil will be executed without the -h option.

    The NSSDatabase.get_cert() has been modified to prepend the token
    name to the certificate nickname.

    https://fedorahosted.org/pki/ticket/2440
    (cherry picked from commit eb28cf05cfad246383dbda054c8cd477bc7acc73)

commit f422b219ec989bc7a5be9569643d4cb598b2887c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Aug 17 16:44:48 2016 +0200

    Allowing optional CA signing CSR.

    The CA signing CSR is already stored in the request record which will
    be imported as part of the migration process, so it's not necessary to
    export and reimport the CSR file again for migration.

    To allow optional CSR, the pki-server subsystem-cert-validate
    CLI has been modified to no longer check the CSR in CS.cfg. The
    ConfigurationUtils.loadCertRequest() has been modified to ignore
    the missing CSR in CS.cfg.

    https://fedorahosted.org/pki/ticket/2440
    (cherry picked from commit bde2cd1d3e65850c82a6ea7a6cebcae46a4408f2)
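The two commit messages above describe the behaviour the updated pki-server subsystem-cert-update CLI relies on: the internal NSS token is normalized to None, certutil is run without -h in that case, the token name is prefixed to the nickname otherwise, and a warning is printed when the CSR is absent from CS.cfg. The Python below is an added illustration of that logic, not Dogtag's own code; the internal-token aliases, the "ca.signing.certreq" key layout, the helper names and the sample CS.cfg fragment are all assumptions.

```python
# Added example (not Dogtag's own code) modelling the behaviour the commit messages
# above describe; assumed: internal-token aliases, "<sub>.<tag>.certreq" key, names.

# NSS names for the built-in software token; the commit maps these to None.
INTERNAL_TOKEN_NAMES = {"internal", "internal key storage token"}

# Constructed CS.cfg fragment: a migrated CA whose CSR was never restored.
SAMPLE_CS_CFG = """
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.tokenname=Internal Key Storage Token
"""

def normalize_token(token):
    """Return None for the internal NSS token, otherwise the token name."""
    if token is None or token.strip().lower() in INTERNAL_TOKEN_NAMES:
        return None
    return token.strip()

def full_nickname(token, nickname):
    """Prefix the nickname with the token name ("token:nick") unless internal."""
    token = normalize_token(token)
    return nickname if token is None else "%s:%s" % (token, nickname)

def certutil_cert_args(db_dir, token, nickname, password_file=None):
    """certutil argv printing a cert as PEM; -h only for a non-internal token."""
    token = normalize_token(token)
    args = ["certutil", "-L", "-d", db_dir, "-a", "-n", full_nickname(token, nickname)]
    if token is not None:
        args += ["-h", token]
    if password_file is not None:
        args += ["-f", password_file]
    return args

def parse_cs_cfg(text):
    """Parse CS.cfg-style key=value lines into a dict ('#' lines are comments)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_cert_request(cfg, subsystem, tag):
    """Return a warning when the CSR is absent from CS.cfg, None when present."""
    key = "%s.%s.certreq" % (subsystem, tag)  # assumed key layout
    if cfg.get(key):
        return None
    return ("WARNING: certificate request for %s %s not found in CS.cfg; "
            "run: pki-server subsystem-cert-update %s %s" % ((subsystem, tag) * 2))
```

Running check_cert_request over a migrated CS.cfg before starting the server is a cheap way to catch the missing-CSR case that would otherwise surface only at the next renewal.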

Metadata Update from @edewata (7 years ago):
- Issue assigned to edewata
- Issue set to the milestone: 10.3.6

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2560

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
