-
Notifications
You must be signed in to change notification settings - Fork 138
PKI 10.5 Installing CA with Existing Certificates
This document describes the process to install CA with existing system certificates:
-
CA signing certificate
-
OCSP signing certificate
-
audit signing certificate
-
subsystem certificate
-
SSL certificate
This procedure can be used to migrate the system certificates from an existing CA into a new one. Note that this procedure does not handle database migration and upgrade.
If the existing CA uses internal NSS token, the system certificates and keys can be migrated using a PKCS #12 file. Prepare a password file for the PKCS #12 file:
$ echo Secret.123 > password.txt
Export the existing NSS database password of the existing CA into a file:
$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
Then export the certificates and keys with the following command:
$ PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -o ca.p12 -w password.txt
This will include the system certificates and keys for CA, and for other subsystems too. The system certificates and keys for other subsystems will need to be removed later.
Export the CSRs with the following commands:
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr $ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr $ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr $ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr $ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr $ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
If the existing CA has certificate chain, export it into a file (see Exporting Certificate Chain):
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert External CA" -a > external.crt
Transfer the PKCS #12 file, the CSRs, and the certificate chain to the new CA.
Prepare a deployment configuration file for CA, then specify the CSR and the PKCS #12 file in the following properties:
pki_existing=True pki_ca_signing_csr_path=/tmp/ca_signing.csr pki_ocsp_signing_csr_path=/tmp/ca_ocsp_signing.csr pki_audit_signing_csr_path=/tmp/ca_audit_signing.csr pki_subsystem_csr_path=/tmp/subsystem.csr pki_ssl_server_csr_path=/tmp/sslserver.csr pki_pkcs12_path=/tmp/ca.p12 pki_pkcs12_password=Secret.123
If the existing CA has certificate chain, specify it with the following property:
pki_cert_chain_path=/tmp/external.crt
Put the PKCS #12 password into a file (i.e. password.txt), then verify the PKCS #12 contains the CA signing certificate and key (it may include other certificates and keys):
$ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt --------------- 5 entries found --------------- Certificate ID: 57e9682904353ad737fe672d58d74d389b85a88c Serial Number: 0x1 Nickname: caSigningCert cert-pki-tomcat CA Subject DN: CN=CA Signing Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust Flags: CTu,Cu,Cu Has Key: true Certificate ID: be0d9b0b860495d371ac9791356880728931460f Serial Number: 0x2 Nickname: ocspSigningCert cert-pki-tomcat CA Subject DN: CN=CA OCSP Signing Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust Flags: u,u,u Has Key: true Certificate ID: 1ffdeacb64ee8e7372ed41eabbf5bccda65a90cd Serial Number: 0x5 Nickname: auditSigningCert cert-pki-tomcat CA Subject DN: CN=CA Audit Signing Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust Flags: u,u,Pu Has Key: true Certificate ID: 9a098453d5e8e6a4840ab4c3abdbcf5ef151a89c Serial Number: 0x4 Nickname: subsystemCert cert-pki-tomcat Subject DN: CN=Subsystem Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust Flags: u,u,u Has Key: true Certificate ID: eea6bfd57cca04447065f7a76bcdb19c3e783ea2 Serial Number: 0x3 Nickname: Server-Cert cert-pki-tomcat Subject DN: CN=pki.example.com,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust Flags: u,u,u Has Key: true $ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt --------------- 5 entries found --------------- Key ID: 57e9682904353ad737fe672d58d74d389b85a88c Subject DN: CN=CA Signing Certificate,O=EXAMPLE Algorithm: RSA Key ID: be0d9b0b860495d371ac9791356880728931460f Subject DN: CN=CA OCSP Signing Certificate,O=EXAMPLE Algorithm: RSA Key ID: 1ffdeacb64ee8e7372ed41eabbf5bccda65a90cd Subject DN: CN=CA Audit Signing Certificate,O=EXAMPLE Algorithm: RSA Key ID: 9a098453d5e8e6a4840ab4c3abdbcf5ef151a89c Subject DN: CN=Subsystem Certificate,O=EXAMPLE Algorithm: RSA Key ID: eea6bfd57cca04447065f7a76bcdb19c3e783ea2 Subject DN: CN=pki.example.com,O=EXAMPLE Algorithm: RSA
Remove the other certificates and keys using the following commands:
$ pki pkcs12-cert-del <nickname> --pkcs12-file ca.p12 --pkcs12-password-file password.txt
Then execute the following command:
$ pkispawn -v -f ca.cfg -s CA
If the existing CA uses HSM, the migration can be done by transporting the certificate files. The keys will remain in the HSM.
Export the system certificates with the following commands:
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert cert-pki-tomcat CA" -a > ca_signing.crt $ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-tomcat CA" -a > ca_ocsp_signing.crt $ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-tomcat CA" -a > ca_audit_signing.crt $ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "subsystemCert cert-pki-tomcat" -a > subsystem.crt $ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "Server-Cert cert-pki-tomcat" -a > sslserver.crt
Export the CSRs with the following commands:
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr $ grep ca.signing.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> ca_signing.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr $ grep ca.ocsp_signing.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> ca_ocsp_signing.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr $ grep ca.audit_signing.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> ca_audit_signing.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr $ grep ca.subsystem.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> subsystem.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr $ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr $ grep ca.sslserver.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> sslserver.csr $ echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
If the existing CA has certificate chain, export it into a file (see Exporting Certificate Chain):
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert External CA" -a > external.crt
Transfer the certificates, the CSRs, and the certificate chain to the new CA.
Prepare a deployment configuration file for CA, then specify the certificates and the CSRs in the following properties:
pki_existing=True pki_ca_signing_csr_path=/tmp/ca_signing.csr pki_ca_signing_cert_path=/tmp/ca_signing.crt pki_ocsp_signing_csr_path=/tmp/ca_ocsp_signing.csr pki_ocsp_signing_cert_path=/tmp/ca_ocsp_signing.crt pki_audit_signing_csr_path=/tmp/ca_audit_signing.csr pki_audit_signing_cert_path=/tmp/ca_audit_signing.crt pki_subsystem_csr_path=/tmp/subsystem.csr pki_subsystem_cert_path=/tmp/subsystem.crt pki_ssl_server_csr_path=/tmp/sslserver.csr pki_ssl_server_cert_path=/tmp/sslserver.crt
If the existing CA has certificate chain, specify it with the following property:
pki_cert_chain_path=/tmp/external.crt
Specify the HSM configuration in the following properties:
pki_hsm_enable=True pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so pki_hsm_modulename=nfast
Then execute:
$ pkispawn -v -f ca.cfg -s CA
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |