Adding CA Admin - dogtagpki/pki GitHub Wiki
This document describes the process to add a new CA admin. See also the Default CA Admin.
As a Linux admin create a Linux user for the new CA admin:
$ useradd newcaadmin $ passwd newaadmin Changing password for user newcaadmin. New password: ******** Retype new password: ******** passwd: all authentication tokens updated successfully.
As an existing CA admin (e.g. the default CA admin) create a PKI user for the new CA admin:
$ pki -n <CA admin nickname> ca-user-add newcaadmin --fullName "CA Admin" ----------------------- Added user "newcaadmin" ----------------------- User ID: newcaadmin Full name: CA Admin
Then add the new user to the Administrators group:
$ pki -n <CA admin nickname> ca-group-member-add Administrators newcaadmin ------------------------------- Added group member "newcaadmin" ------------------------------- User: newcaadmin
As the new CA admin, prepare a security database:
$ pki client-init ------------------ Client initialized ------------------
Then generate and submit a certificate request:
$ pki client-cert-request uid=newcaadmin ----------------------------- Submitted certificate request ----------------------------- Request ID: 10 Type: enrollment Request Status: pending Operation Result: success
As an existing CA agent (e.g. the default CA admin), approve the request:
$ pki -n <CA agent nickname> ca-cert-request-review 10 --action approve ------------------------------- Approved certificate request 10 ------------------------------- Request ID: 10 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0xa
As an existing CA admin (e.g. the default CA admin), assign the certificate to the new user:
$ pki -n <CA admin nickname> ca-user-cert-add newcaadmin --serial 0xa ----------------------------------------------------------------------------------------------- Added certificate "2;10;CN=CA Signing Certificate,O=example.com Security Domain;UID=newcaadmin" ----------------------------------------------------------------------------------------------- Cert ID: 2;10;CN=CA Signing Certificate,O=example.com Security Domain;UID=newcaadmin Version: 2 Serial Number: 0xa Issuer: CN=CA Signing Certificate,O=example.com Security Domain Subject: UID=newcaadmin
As the new CA admin, import the certificate into security database:
$ pki client-cert-import newcaadmin --serial 0xa --------------------------------- Imported certificate "newcaadmin" ---------------------------------
Verify that the certificate has been imported:
$ pki client-cert-find ---------------------- 1 certificate(s) found ---------------------- Serial Number: 0xa Nickname: newcaadmin Subject DN: UID=newcaadmin Issuer DN: CN=CA Signing Certificate,O=example.com Security Domain ---------------------------- Number of entries returned 1 ----------------------------
To use the certificate in the CLI, specify the new CA admin certificate nickname:
$ pki -n newcaadmin <command>
To use the certificate in Firefox, export the certificate and the private key into a PKCS #12 file, then import it into the browser:
$ pki client-cert-show newcaadmin --pkcs12 newcaadmin.p12 --pkcs12-password Secret.123
To use the certificate with Python client, export the certificate and the private key into a PEM file:
$ pki client-cert-show newcaadmin --client-cert newcaadmin.pem