Working With Chained (Subordinate) Cas - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Validity Date:
start date: 21:42:40 UTC Jan 12 2007
end date: 21:49:50 UTC Dec 31 2008
Associated Identity: CA
CA Certificate
Status: Available
Certificate Serial Number: 01
Key Usage: Signature
Issuer:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Subject:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Validity Date:
start date: 21:49:50 UTC Jan 11 2007
end date: 21:49:50 UTC Dec 31 2008
Associated Identity: CA
CLEANUP: Zeroize keys (necessary to re-enroll)
scep(config)# crypto key zeroize rsa
% Keys to be removed are named scep.dsdev.sjc.redhat.com.
Do you really want to remove these keys? [yes/no]: yes
CLEANUP: Removing a CA identity:
scep(config)# no crypto ca identity CA
% Removing an identity will destroy all certificates received from
the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
No enrollment sessions are currently active.
C.2.1. Working with chained (subordinate) CAs
Before running the 'crypto ca authenticate' command above, you must import all certificates in the
chain, starting with the root. In conf mode (Note: the following example has only two CAs in the chain,
therefore the root starts at 1, and the subordinate CA is 0),
Note
The following url's in the example are for enrollment via an RA. If you want to bypass RA
and directly talk to CA or subordinate CA, you need to change the url's to point to them:
e.g.
root CEP http://paw.sfbay.redhat.com:9280/ca/cgi-bin
enrollment url http://paw.sfbay.redhat.com:9280/ca/cgi-bin
Example to enroll via an RA to a subordinate CA:

Working with chained (subordinate) CAs

509