Reuse Existing CA Keypair

From Dogtag

Existing Keypair is in PKCS#12 format

You may already have a CA keypair stored in PKCS#12 format. The following instructions show how to reuse that existing key to request a new certificate from Dogtag instead of generating a fresh one.

  • Extract the contents of the PKCS#12 using openssl. Whatever was in the PKCS#12 (certificate, private key and any chain certificates) ends up PEM encoded, i.e. base64 between BEGIN/END header lines, in the ca.pem file.
    • The import password is the PKCS#12 password.
    • The PEM pass phrase you enter below re-encrypts the private key, so it never sits on disk in the clear (do not add -nodes, which would write it unencrypted). You will need the pass phrase for the next step.
$ openssl pkcs12 -in ca.p12 -out ca.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
  • Now you create a new PKCS#10 request from the existing certificate: openssl copies its subject and public key into the request and signs the request with the same private key.
    • Older OpenSSL releases sign the request with MD5 by default (note the md5WithRSAEncryption line in the output below); add -sha256 to the command to avoid that. The request signature only proves possession of the key; the profile you choose in Dogtag determines how the issued certificate is signed.
$ openssl x509 -x509toreq -signkey ca.pem -out ca.req -in ca.pem
Getting request Private Key
Enter PEM pass phrase:
Generating certificate request
  • Dump the request so you can check the subject and public key and paste it into the Dogtag webpage. The decoded form is for your own inspection; only the PEM block at the end is pasted into Dogtag.
$ openssl req -in ca.req -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=CA, CN=My New CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d8:c5:64:2f:1b:0d:99:36:1f:6c:17:70:d5:1e:
                    0b:5c:a0:80:94:5b:18:46:5a:67:a9:2e:5c:ae:27:
                    54:6f:be:4d:10:cb:e1:27:df:f7:9d:b9:d9:9a:9b:
                    a7:37:4c:52:70:1e:10:78:1c:5a:4b:f3:40:4c:25:
                    8c:e1:53:c6:a6:ca:f9:01:35:2e:96:56:59:13:31:
                    bf:a6:cb:85:b3:88:dc:24:83:0c:9d:74:28:5a:d6:
                    4d:c2:54:fd:74:3a:c7:7b:05:06:5a:19:95:e8:50:
                    3d:c1:a8:1a:66:b3:6a:fa:2a:b5:26:78:de:f1:e7:
                    ae:32:0a:76:98:b3:18:c4:df:5b:2c:3e:34:7f:00:
                    01:4f:0c:95:fd:9a:4e:a8:96:24:30:42:68:d4:ac:
                    25:91:34:2f:30:43:d7:41:c4:11:6a:ee:8f:b1:fa:
                    ac:49:78:3b:bb:ee:43:43:53:7b:20:54:a1:b6:2c:
                    e9:e4:80:68:fb:7d:c6:f0:07:1e:51:10:3c:73:fa:
                    9a:2d:25:e8:7e:f9:f3:0d:9f:17:d2:1a:d2:1f:77:
                    9e:fe:49:cb:40:ea:be:9d:57:18:8b:51:40:19:ad:
                    b0:b7:97:fa:03:58:de:4a:5d:f9:12:28:a8:94:08:
                    63:01:f3:e9:f9:d2:e6:44:87:ea:b5:4b:ec:0e:8d:
                    6e:59
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        90:ad:da:cf:c2:3b:d1:11:31:12:ae:1f:69:09:0a:68:5f:c8:
        f1:5c:7d:6b:cc:a0:55:91:e6:84:40:f8:34:25:47:6c:87:80:
        ef:33:83:ea:eb:e3:fb:4a:64:96:d0:fb:40:0a:95:50:69:12:
        10:8f:48:6d:42:a9:e4:f4:13:7d:0f:e8:8d:89:ac:26:97:0e:
        f1:41:9f:87:bc:db:21:20:73:2a:61:6f:89:97:a3:33:61:f1:
        b1:ab:03:50:7e:df:7d:d1:53:76:95:f7:2c:9e:37:6f:e7:92:
        ed:b1:ee:ce:16:67:3e:31:4e:9b:ec:f0:46:8a:cd:37:0b:70:
        c9:33:0b:de:42:9a:90:0c:af:34:c3:d5:5b:30:dc:97:2c:1e:
        70:14:35:65:24:49:6c:e5:67:a5:13:36:0c:03:d1:0a:14:30:
        30:ae:9d:f2:c3:16:cc:3a:35:f6:28:d5:6a:83:49:41:5e:23:
        60:1c:55:8f:0c:75:71:ba:b3:63:0a:ce:d7:b1:1f:10:71:f4:
        b0:18:a8:38:84:4b:94:a1:f2:83:12:29:2b:2e:d3:4d:34:15:
        54:82:d1:61:b6:d5:38:54:73:54:60:ce:a7:57:aa:29:30:35:
        c4:ec:2d:fa:85:1f:29:7b:73:c8:41:4c:fd:a0:32:f3:77:c7:
        a9:f2:66:5a
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
  • Visit your Dogtag end-entity interface (something like: https://<host>:<port>/ca/ee/ca/)
    • Choose the Manual Certificate Manager Signing Certificate Enrollment profile
    • Paste the request from above into the large text area labeled "Certificate Request" (the part between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----)
    • Submit!
  • Finally, you'll need to go over to the agent interface (something like: https://<host>:<port>/ca/agent/ca/), review the pending request (edit its subject or validity if needed), and approve it.
  • After you are all done, delete the ca.pem file (it contains the private key, protected only by the pass phrase you chose) and, as long as it's not your only copy, the PKCS#12 file as well. Use shred or an equivalent secure-delete tool rather than a plain rm.
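The procedure above as a script, with the two checks worth running before pasting the request into Dogtag: that the request carries the same public key as the certificate it was derived from, and that it was not signed with MD5. This is an added example, not code from the Dogtag wiki or the Dogtag project. It assumes only that openssl (1.1.1 or 3.x) is on PATH; the file names ca.p12, ca.pem and ca.req are the page's, while the function names, the "pass source" arguments and the throwaway demo CA are this example's own.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki): PKCS#12 -> PEM -> PKCS#10 as
# functions, plus checks to run before submitting the request to Dogtag.
# Assumes only that openssl is in PATH. Passwords are passed as openssl
# pass sources (pass:, env:, file:); use env: or file: for real keys so the
# secret does not appear in `ps` output.
set -eu

# Step 1: unpack the PKCS#12 into ca.pem. Without -nodes openssl re-encrypts
# the private key under the PEM pass phrase, so ca.pem holds the certificate
# in clear and the key as an ENCRYPTED PRIVATE KEY block.
extract_p12() {            # extract_p12 ca.p12 ca.pem <p12 pass src> <pem pass src>
  openssl pkcs12 -in "$1" -out "$2" -passin "$3" -passout "$4"
  chmod 600 "$2"
}

# Step 2: build a PKCS#10 request carrying the existing subject and public
# key, self-signed with the same key. -sha256 replaces the md5WithRSAEncryption
# signature that older OpenSSL versions use by default here.
cert_to_req() {            # cert_to_req ca.pem ca.req <pem pass src>
  openssl x509 -x509toreq -sha256 -in "$1" -signkey "$1" -passin "$3" -out "$2"
}

# Check: the request's public key must be the certificate's public key and
# its self-signature must verify. Prints 1 when both hold, 0 otherwise.
csr_matches_cert() {       # csr_matches_cert ca.pem ca.req
  certkey=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  reqkey=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
  if [ "$certkey" = "$reqkey" ] &&
     openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK"; then
    echo 1
  else
    echo 0
  fi
}

# Check: report the signature algorithm of the request (for example
# sha256WithRSAEncryption) so an MD5-signed request is caught before submission.
csr_sigalg() {             # csr_sigalg ca.req
  openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print only the PEM block, which is what Dogtag's "Certificate Request"
# text area expects.
csr_pem() {                # csr_pem ca.req
  sed -n '/-----BEGIN CERTIFICATE REQUEST-----/,/-----END CERTIFICATE REQUEST-----/p' "$1"
}

# Demo helper, constructed for this example only: a throwaway self-signed
# "My New CA" packed into a PKCS#12 so the whole flow can be exercised offline.
make_demo_p12() {          # make_demo_p12 <dir> <p12 pass src>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=CA/CN=My New CA" \
    -keyout "$1/demo-key.pem" -out "$1/demo-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$1/demo-cert.pem" -inkey "$1/demo-key.pem" \
    -name "My New CA" -passout "$2" -out "$1/ca.p12"
}

# Usage: P12PASS=... PEMPASS=... ./reuse-ca-key.sh ca.p12
# Writes ca.pem and ca.req in the current directory and prints the PEM block.
if [ $# -ge 1 ]; then
  extract_p12 "$1" ca.pem env:P12PASS env:PEMPASS
  cert_to_req ca.pem ca.req env:PEMPASS
  echo "key matches cert: $(csr_matches_cert ca.pem ca.req)  sigalg: $(csr_sigalg ca.req)"
  csr_pem ca.req
fi
```

The key-match check is the one that matters: Dogtag will happily issue a certificate for whatever public key is in the request, so a request built from the wrong ca.pem would give you a CA certificate that does not match the key you intended to keep using. Run `make_demo_p12` into a scratch directory to try the flow without touching a real key.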