Changing PKI Server Ports - dogtagpki/pki GitHub Wiki
Warning: This page is still under construction.
This page describes the process to change PKI server port numbers.
The ports are stored in several locations:
- /var/lib/pki/<instance>/conf/server.xml
- /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg
- security domain database
- LWCA database
$ pki-server stop --wait
$ pki-server http-connector-mod Unsecure --port 80
$ pki-server http-connector-mod Secure --port 443
To remove the old subsystem user from Subsystem Group:
$ pki-server ca-group-member-del "Subsystem Group" CA-<hostname>-<old HTTPS port>
To remove the old subsystem user:
$ pki-server ca-user-del CA-<hostname>-<old HTTPS port>
To remove the old subsystem registration:
$ pki-server sd-subsystem-del "CA <hostname> <old HTTPS port>"
To add the new subsystem registration:
$ pki-server sd-subsystem-add \
    --subsystem CA \
    --hostname <hostname> \
    --unsecure-port <new HTTP port> \
    --secure-port <new HTTPS port> \
    --domain-manager \
    "CA pki.example.com <new HTTPS port>"
To add a new subsystem user:
$ pki-server ca-user-add \
    --full-name "CA-<hostname>-<new HTTPS port>" \
    --type agentType \
    --state 1 \
    CA-<hostname>-<new HTTPS port>
In PKI 11.6 or later the user certificate can be specified with the --cert <path> option.
To assign the subsystem certificate to the new subsystem user:
$ cat subsystem.crt | pki-server \
    ca-user-cert-add \
    CA-<hostname>-<new HTTPS port>
To add the new subsystem user into the Subsystem Group:
$ pki-server ca-group-member-add "Subsystem Group" CA-<hostname>-<new HTTPS port>
$ pki-server ca-config-set service.securityDomainPort <new HTTPS port>
$ pki-server start --wait
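A consistency check for the two file-based locations after the procedure, as an added example (not code from the Dogtag project): it reads the text of server.xml and CS.cfg and reports connectors, `service.securityDomainPort`, or other CS.cfg values that still carry an old port. The sample file contents, the old ports 8080/8443 and the `example.*` keys are constructed; the security domain and LWCA databases are not covered.

```python
import re
import xml.etree.ElementTree as ET

def connector_ports(server_xml):
    """Map each named <Connector> in server.xml to its port number."""
    root = ET.fromstring(server_xml)
    return {c.get("name"): int(c.get("port"))
            for c in root.iter("Connector") if c.get("name") and c.get("port")}

def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_ports(server_xml, cs_cfg, new_http, new_https, old_ports):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    ports = connector_ports(server_xml)
    for name, want in (("Unsecure", new_http), ("Secure", new_https)):
        if ports.get(name) != want:
            findings.append(f"server.xml: connector {name} is {ports.get(name)}, expected {want}")
    cfg = parse_cs_cfg(cs_cfg)
    sd_port = cfg.get("service.securityDomainPort")
    if sd_port != str(new_https):
        findings.append(f"CS.cfg: service.securityDomainPort is {sd_port}, expected {new_https}")
    # An old port counts as stale when it is the whole value or follows ':' in a URL.
    stale = re.compile(r"(?:^|:)(?:%s)(?!\d)" % "|".join(map(str, sorted(old_ports))))
    for key, value in cfg.items():
        if key != "service.securityDomainPort" and stale.search(value):
            findings.append(f"CS.cfg: {key} still references an old port: {value}")
    return findings

# Constructed sample input (old ports 8080/8443, new 80/443); example.* keys are made up.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector name="Unsecure" port="80" redirectPort="443"/>
  <Connector name="Secure" port="8443" scheme="https"/>
</Service></Server>"""
CS_CFG = """service.securityDomainPort=443
example.agent.url=https://pki.example.com:8443/ca
example.timeout=18443"""

if __name__ == "__main__":
    for finding in check_ports(SERVER_XML, CS_CFG, 80, 443, {8080, 8443}):
        print(finding)
```

In the sample, the Secure connector and one URL are flagged, while `example.timeout=18443` is not, because the old port must be the whole value or follow a colon.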