You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Provide manual procedure which will allow to propagate of new transport certificate to all CAs communicating with updated DRM (including CAs' clones)
#1306
Closed
pki-bot opened this issue
Oct 2, 2020
· 2 comments
This is part of ticket 129 - RFE: Add support for multiple DRM transport keys.
This ticket will provide manual procedure which will allow to propagate of new transport certificate to all CAs communicating with updated DRM (including CAs' clones).
[[br]] Base on discussion with Nathan (nkinder) scope of this feature has been significantly reduced by only providing ability for DRM to support two transport keys: current key and new key. DRM will provide ability to automatically distinguish between its transport keys during archival process.
All other processes will be covered by manual procedures. This includes:
requesting new transport certificate
obtaining issued certificate
importing of new transport certificate and keys to DRM's NSS DB
updating of DRM configuration to reflect existence of new transport certificate and keys
propagation of new transport certificate and keys to DRM clones
replacement of the current transport certificate and keys during process of transfer of the new transport certificate and keys to become the current one.
propagation of new transport certificate to all CAs communicating with updated DRM (including CAs' clones)
Above list of procedures may grow.
Please note that all manual procedures are requiring subsystem restarts which are resulting in service interruptions.
Here is how to update CA configuration with new DRM transport certificate:
Stop CA [[br]] systemctl stop pki-tomcatd@pki-tomcat.service
Get the DRM transport certificate file cert-<sn>.txt obtained in ticket:734#comment:2
Convert base64 encoded certificate included in cert-<sn>.txt to single line file by [[br]] tr -d '\n' < cert-<sn>.txt > cert-in-one-line-<sn>.txt
Edit /var/lib/pki/pki-tomcat/ca/conf/CS.cfg by replacing certificate included in line [[br]] ca.connector.KRA.transportCert= . . . [[br]] with certificate included in cert-in-one-line-<sn>.txt
Save updated /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
Start CA [[br]] systemctl start pki-tomcatd@pki-tomcat.service
This issue was migrated from Pagure Issue #738. Originally filed by awnuk (@awnuk) on 2013-09-08 02:06:29:
This is part of ticket 129 - RFE: Add support for multiple DRM transport keys.
This ticket will provide manual procedure which will allow to propagate of new transport certificate to all CAs communicating with updated DRM (including CAs' clones).
[[br]] Base on discussion with Nathan (nkinder) scope of this feature has been significantly reduced by only providing ability for DRM to support two transport keys: current key and new key. DRM will provide ability to automatically distinguish between its transport keys during archival process.
All other processes will be covered by manual procedures. This includes:
Above list of procedures may grow.
Please note that all manual procedures are requiring subsystem restarts which are resulting in service interruptions.
\ \ https://bugzilla.redhat.com/show_bug.cgi?id=804677 (Red Hat Certificate System)
The text was updated successfully, but these errors were encountered: