-
Notifications
You must be signed in to change notification settings - Fork 138
PKI 10.5 Installing CA
Endi S. Dewata edited this page Mar 27, 2024
·
3 revisions
Prepare a deployment configuration file (e.g. ca.cfg
):
[CA] pki_admin_email=caadmin@example.com pki_admin_name=caadmin pki_admin_nickname=caadmin pki_admin_password=Secret.123 pki_admin_uid=caadmin pki_client_database_password=Secret.123 pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com pki_ds_database=ca pki_ds_password=Secret.123 pki_security_domain_name=EXAMPLE
Optionally, the certificate nicknames can be specified in the following parameters:
pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing pki_ssl_server_nickname=sslserver # Same nicknames must be specified manually for other subsystems pki_subsystem_nickname=subsystem # Same nicknames must be specified manually for other subsystems
Since sslserver and subsystem system certificates are shared among different subsystem, same nicknames must be provided for all other additional subsystems
To begin the installation, execute the following command:
$ pkispawn -v -f ca.cfg -s CA
The NSS database should contain the following certificates:
$ sed -n "/^internal=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/password.conf > password.txt $ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ca_signing CTu,Cu,Cu ca_ocsp_signing u,u,u sslserver u,u,u subsystem u,u,u ca_audit_signing u,u,Pu
The NSS database should contain the following keys:
$ certutil -K -d /var/lib/pki/pki-tomcat/conf/alias -f password.txt < 0> rsa f4e07b335299c96f0247a6f8dc049e8faa540209 ca_signing < 1> rsa 0bdf1085474b7542fa30908c2136c518fdedc615 ca_ocsp_signing < 2> rsa 39473f7309b3354d638940e55398cf500d8411f8 sslserver < 3> rsa 2235764e98d1b973aa1a231c09aebc8e33133641 subsystem < 4> rsa a532c42398cd592b664eafd4c2b0a73e20ee395e ca_audit_signing
Verify that the CA admin can access the server with the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find ----------------- 3 entries matched ----------------- User ID: CA-pki.example.com-8443 Full name: CA-pki.example.com-8443 User ID: caadmin Full name: caadmin User ID: pkidbuser Full name: pkidbuser ---------------------------- Number of entries returned 3 ----------------------------
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |