Changing PKI Server Ports - dogtagpki/pki GitHub Wiki
Warning: This page is still under construction.
This page describes the process to change PKI server port numbers.
The ports are stored in several locations:
- /var/lib/pki/<instance>/conf/server.xml
- /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg
- security domain database
- LWCA database
$ pki-server stop --wait
$ pki-server http-connector-mod Unsecure --port 80
$ pki-server http-connector-mod Secure --port 443
To remove the old subsystem user from Subsystem Group:
$ pki-server ca-group-member-del "Subsystem Group" CA-<hostname>-<old HTTPS port>
To remove the old subsystem user:
$ pki-server ca-user-del CA-<hostname>-<old HTTPS port>
To remove the old subsystem registration:
$ pki-server sd-subsystem-del "CA <hostname> <old HTTPS port>"
To add the new subsystem registration:
$ pki-server sd-subsystem-add \
    --subsystem CA \
    --hostname <hostname> \
    --unsecure-port <new HTTP port> \
    --secure-port <new HTTPS port> \
    --domain-manager \
    "CA pki.example.com <new HTTPS port>"
To add a new subsystem user:
$ pki-server ca-user-add \
    --full-name "CA-<hostname>-<new HTTPS port>" \
    --type agentType \
    --state 1 \
    CA-<hostname>-<new HTTPS port>
In PKI 11.6 or later the user certificate can be specified with the --cert <path> option.
To assign the subsystem certificate to the new subsystem user:
$ cat subsystem.crt | pki-server ca-user-cert-add CA-<hostname>-<new HTTPS port>
To add the new subsystem user into the Subsystem Group:
$ pki-server ca-group-member-add "Subsystem Group" CA-<hostname>-<new HTTPS port>
$ pki-server ca-config-set service.securityDomainPort <new HTTPS port>
$ pki-server start --wait
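A consistency check for the two file-based locations listed above, as an added example that is not part of the original wiki page or the Dogtag project: it reads server.xml and CS.cfg content and reports ports that disagree with the intended values. The sample file contents, the old port 8443 and the key hypothetical.stale.url are constructed for illustration; the security domain and LWCA databases are not covered.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real instance): server.xml was updated,
# CS.cfg still holds the assumed old HTTPS port 8443.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector name="Unsecure" port="80" protocol="HTTP/1.1"/>
  <Connector name="Secure" port="443" protocol="HTTP/1.1"
             SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""
CS_CFG = """# constructed CS.cfg fragment
service.securityDomainPort=8443
hypothetical.stale.url=https://pki.example.com:8443/ca
"""

def connector_ports(server_xml):
    """Map connector name -> port for each named <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    return {c.get("name"): int(c.get("port"))
            for c in root.iter("Connector") if c.get("name") and c.get("port")}

def parse_cs_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_ports(server_xml, cs_cfg, http, https, old_https):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    ports = connector_ports(server_xml)
    for name, want in (("Unsecure", http), ("Secure", https)):
        if ports.get(name) != want:
            findings.append(f"server.xml: {name} connector is {ports.get(name)}, expected {want}")
    cfg = parse_cs_cfg(cs_cfg)
    if cfg.get("service.securityDomainPort") != str(https):
        findings.append(f"CS.cfg: service.securityDomainPort is "
                        f"{cfg.get('service.securityDomainPort')}, expected {https}")
    # Heuristic: flag any other value that still contains the old port as a whole number.
    stale = re.compile(rf"(?<!\d){old_https}(?!\d)")
    for key, value in cfg.items():
        if key != "service.securityDomainPort" and stale.search(value):
            findings.append(f"CS.cfg: {key} still references old port {old_https}")
    return findings

if __name__ == "__main__":
    for finding in check_ports(SERVER_XML, CS_CFG, 80, 443, 8443):
        print(finding)
```

Run it against the real file contents before `pki-server start --wait`; the stale-value scan is a review aid and can flag unrelated numbers that happen to equal the old port.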