From Fedora Project Wiki


Dogtag Certificate System

Summary

Dogtag Certificate System is an enterprise-class open source Certificate Authority (CA) supporting all aspects of certificate lifecycle management including key archival, OCSP and smartcard management.

Owner

Current status

  • Targeted release: Fedora 13
  • Last updated: 01-22-2010
  • Percentage of completion: 98%

Detailed Description

Details can be found here.

Benefit to Fedora

All new feature. Full featured open source PKI comprised of 6 major subsystems (25 packages):

  • Certificate Authority (CA)
  • Data Recovery Manager (DRM)
  • OCSP Manager (OCSP)
  • Registration Authority (RA)
  • Token Key Service (TKS)
  • Token Processing System (TPS)

Package List:

  • tomcatjss
  • osutil (x86, x86_64, ppc, ppc64)
  • pki-symkey (x86, x86_64, ppc, ppc64)
  • pki-native-tools (x86, x86_64, ppc, ppc64)
  • pki-util
    • pki-util-javadoc
  • pki-java-tools
    • pki-java-tools-javadoc
  • pki-selinux
  • pki-setup
  • dogtag-pki-common-ui
  • pki-common
    • pki-common-javadoc
  • pki-silent
  • dogtag-pki-ca-ui
  • pki-ca
  • dogtag-pki-kra-ui
  • pki-kra
  • dogtag-pki-ocsp-ui
  • pki-ocsp
  • dogtag-pki-tks-ui
  • pki-tks
  • dogtag-pki-ra-ui
  • pki-ra
  • dogtag-pki-tps-ui
  • pki-tps (x86, x86_64, ppc, ppc64)
    • pki-tps-devel
  • dogtag-pki-console-ui
  • pki-console

Scope

  • Code complete. Awaiting Package Review and fedora-cvs approval on the following four remaining packages:
    • pki-console
    • pki-ra
    • pki-tps
    • pki-symkey

How To Test

Hardware Requirements

At least Intel Pentium 4 or faster with 1GB RAM and 10GB disk

System Prep

Update system with all the latest Fedora packages

Testing and Expected Results

The following list of tests is not comprehensive by any means and not in any order but will give the user the means and the ideas of how to test a PKI system:

  • Install pki-ca,pki-kra,pki-ocsp,pki-tps,pki-tks packages via yum
  • Follow the default instance creation procedures to create a base instance of the various sub-systems.
  • Once the setup is complete, perform these tests:
    • Issue different types of certificates like user certs, server certs
    • Revoke a few certificates
    • Generate a CRL
    • Customize profiles based on different types of extensions and constraints
      • Generate certs to have say for example an AIA extension
    • Submit a CRL to the OCSP responder
    • Check Java Console access
      • Use the Java console to perform various configuration updates such as;
        • Adding/editing/deleting additional CRL issuing points
        • ACL configurations
        • Adding/editing/deleting profiles
        • Log file configurations
    • Certificate enrollment via different types of browsers such as IE and Firefox
    • Smartcard enrollment and format operations


User Experience

For any machine joined to a PKI server, users will have:

  • Support for all aspects of certificate lifecycle management
  • Key archival
  • OCSP
  • Smartcard management


Dependencies

BuildRequires

Build-time packages already included in Fedora:

  • ant
  • apr-devel
  • apr-util-devel
  • cyrus-sasl-devel
  • httpd-devel >= 2.2.3
  • idm-console-framework
  • java-devel >= 1:1.6.0
  • jpackage-utils
  • jss >= 4.2.6
  • ldapjdk
  • m4
  • make
  • mozldap-devel
  • nspr-devel >= 4.6.99
  • nss-devel >= 3.12.3.99
  • pcre-devel
  • pkgconfig
  • policycoreutils
  • selinux-policy-devel
  • svrcore-devel
  • tomcat5
  • velocity
  • xalan-j2
  • xerces-j2
  • zlib
  • zlib-devel

Build-time Dogtag packages new to Fedora:

  • osutil
  • pki-common
  • pki-symkey
  • pki-util
  • tomcatjss

Requires

Runtime packages already included in Fedora:

  • idm-console-framework
  • java >= 1:1.6.0
  • jpackage-utils
  • jss >= 4.2.6
  • ldapjdk
  • mod_nss >= 1.0.7
  • mod_perl
  • mod_perl >= 1.99_16
  • mozldap
  • mozldap >= 6.0.2
  • mozldap-tools
  • nss >= 3.12.3.99
  • nss-tools >= 3.12.3.99
  • perl-DBD-SQLite
  • perl-DBI
  • perl-HTML-Parser
  • perl-HTML-Tagset
  • perl-Parse-RecDescent
  • perl-URI
  • perl-XML-NamespaceSupport
  • perl-XML-Parser
  • perl-XML-Simple
  • policycoreutils
  • selinux-policy-targeted
  • sendmail
  • sqlite
  • tomcat5
  • velocity
  • xalan-j2
  • xerces-j2

Runtime Dogtag packages new to Fedora:

  • osutil
  • pki-ca-ui
  • pki-common
  • pki-common-ui
  • pki-console-ui
  • pki-java-tools
  • pki-kra-ui
  • pki-native-tools
  • pki-ocsp-ui
  • pki-ra-ui
  • pki-selinux
  • pki-setup
  • pki-silent
  • pki-symkey
  • pki-tks-ui
  • pki-tps-ui
  • pki-util
  • tomcatjss

Top-level Dogtag packages new to Fedora:

  • pki-ca
  • pki-console
  • pki-kra
  • pki-ocsp
  • pki-ra
  • pki-tks
  • pki-tps

Dogtag Subpackages new to Fedora:

  • osutil-debuginfo
  • pki-common-javadoc
  • pki-java-tools-javadoc
  • pki-native-tools-debuginfo
  • pki-symkey-debuginfo
  • pki-tps-debuginfo
  • pki-tps-devel
  • pki-util-javadoc

Contingency Plan

N/A as this is a completely new feature and failing to implement it will not affect any other part of the distribution.

Documentation

  • Documentation can be found here.

Release Notes

  • Release Notes can be found here.

Comments and Discussion

Retrieved from "https://fedoraproject.org/w/index.php?title=Features/DogtagCertificateSystem&oldid=147922"