
Provide manual procedure to propagate new transport certificate to all CAs communicating with updated DRM (including CAs' clones) #1306

Closed
pki-bot opened this issue Oct 2, 2020 · 2 comments


pki-bot commented Oct 2, 2020

This issue was migrated from Pagure Issue #738. Originally filed by awnuk (@awnuk) on 2013-09-08 02:06:29:


This is part of ticket 129 - RFE: Add support for multiple DRM transport keys.

This ticket will provide a manual procedure to propagate the new transport certificate to all CAs communicating with the updated DRM (including the CAs' clones).

Based on discussion with Nathan (nkinder), the scope of this feature has been significantly reduced to only providing the ability for the DRM to support two transport keys: the current key and the new key. The DRM will provide the ability to automatically distinguish between its transport keys during the archival process.

All other processes will be covered by manual procedures. This includes:

  • requesting a new transport certificate
  • obtaining the issued certificate
  • importing the new transport certificate and keys into the DRM's NSS DB
  • updating the DRM configuration to reflect the existence of the new transport certificate and keys
  • propagating the new transport certificate and keys to DRM clones
  • replacing the current transport certificate and keys when the new transport certificate and keys are transferred to become the current ones
  • propagating the new transport certificate to all CAs communicating with the updated DRM (including the CAs' clones)

The above list of procedures may grow.

Please note that all manual procedures require subsystem restarts, which result in service interruptions.

https://bugzilla.redhat.com/show_bug.cgi?id=804677 (Red Hat Certificate System)


pki-bot commented Oct 2, 2020

Comment from awnuk (@awnuk) at 2013-09-18 02:48:53

Here is how to update CA configuration with new DRM transport certificate:

  • Stop the CA:
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Get the DRM transport certificate file cert-<sn>.txt obtained in ticket:734#comment:2
  • Convert the base64-encoded certificate contained in cert-<sn>.txt to a single-line file:
    tr -d '\n' < cert-<sn>.txt > cert-in-one-line-<sn>.txt
  • Edit /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, replacing the certificate in the line
    ca.connector.KRA.transportCert= . . .
    with the certificate contained in cert-in-one-line-<sn>.txt
  • Save the updated /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
  • Start the CA:
    systemctl start pki-tomcatd@pki-tomcat.service
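The procedure above has to be repeated on every CA and CA clone that talks to the updated DRM, which makes it easy to mistype the one-line value or leave a CA down after a failed edit. The script below is an added example, not part of the original comment or of the PKI project: it wraps the same steps (single-line conversion, replacement of the ca.connector.KRA.transportCert= line, service stop/start) in functions that refuse an empty or non-base64 value, keep a backup of CS.cfg, always restart the CA even if the edit failed, and let you verify afterwards that a CA's configured value matches the certificate file. Function names, the handling of optional PEM armor lines in cert-<sn>.txt, and the backup naming are assumptions for illustration; the service name and CS.cfg path are the ones the comment uses.

```shell
#!/bin/bash
# Added example (not from the issue): scripted form of the CS.cfg update above.
# Function names and the PEM-armor handling are assumptions for illustration.

# Print the base64 body of cert-<sn>.txt as one line. Armor lines
# (-----BEGIN/END CERTIFICATE-----) are dropped if present, since only the
# base64 body belongs in CS.cfg; plain base64 files pass through unchanged.
cert_to_one_line() {
    # $1: path to cert-<sn>.txt
    grep -v -- '-----' "$1" | tr -d '\n\r'
}

# Print the value currently configured in a CS.cfg.
get_transport_cert() {
    # $1: path to CS.cfg
    sed -n 's/^ca\.connector\.KRA\.transportCert=//p' "$1"
}

# Replace the transportCert value in CS.cfg. Refuses to proceed when the
# certificate file yields nothing base64-like or the key is missing, so a bad
# edit never reaches the running CA, and keeps a timestamped backup.
update_transport_cert() {
    # $1: path to CS.cfg   $2: path to cert-<sn>.txt
    local cfg="$1" certfile="$2" oneline
    oneline=$(cert_to_one_line "$certfile")
    if [ -z "$oneline" ] || ! printf '%s' "$oneline" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo "refusing: $certfile does not contain a single base64 certificate body" >&2
        return 1
    fi
    if ! grep -q '^ca\.connector\.KRA\.transportCert=' "$cfg"; then
        echo "refusing: no ca.connector.KRA.transportCert= line in $cfg" >&2
        return 1
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    # awk instead of sed: '/' and '+' in base64 then need no escaping.
    awk -v v="$oneline" 'BEGIN { FS = OFS = "=" }
        /^ca\.connector\.KRA\.transportCert=/ { print $1, v; next }
        { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Check that a CA's configured value equals the certificate file; run this on
# each CA and clone after the rollout to catch one that was missed.
verify_transport_cert() {
    # $1: path to CS.cfg   $2: path to cert-<sn>.txt
    [ "$(get_transport_cert "$1")" = "$(cert_to_one_line "$2")" ]
}

# Whole procedure for one CA: stop, edit, start. The CA is started again even
# when the edit was refused, so a failed run does not leave the service down.
rotate_ca_transport_cert() {
    # $1: path to cert-<sn>.txt   $2: CS.cfg path (default from the comment above)
    local certfile="$1" cfg="${2:-/var/lib/pki/pki-tomcat/ca/conf/CS.cfg}" rc
    systemctl stop pki-tomcatd@pki-tomcat.service
    update_transport_cert "$cfg" "$certfile"
    rc=$?
    systemctl start pki-tomcatd@pki-tomcat.service
    return $rc
}

# Usage on a CA host (requires root):
#   rotate_ca_transport_cert /root/cert-<sn>.txt
#   verify_transport_cert /var/lib/pki/pki-tomcat/ca/conf/CS.cfg /root/cert-<sn>.txt && echo OK
```

The verification step is the part worth scripting across hosts: after the rotation, `verify_transport_cert` run on every CA and clone gives a quick yes/no on whether each one is carrying the new DRM transport certificate, rather than relying on eyeballing a long base64 line in each CS.cfg.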


pki-bot commented Oct 2, 2020

Comment from awnuk (@awnuk) at 2017-02-27 13:58:06

Metadata Update from @awnuk:

  • Issue assigned to awnuk
  • Issue set to the milestone: 10.1 - 09/13 (September)
