Changing PKI Server Ports - dogtagpki/pki GitHub Wiki

Overview

Warning
This page is still under construction.

This page describes the process to change PKI server port numbers.

The ports are stored in several locations:

  • /var/lib/pki/<instance>/conf/server.xml

  • /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg

  • security domain database

  • LWCA database

Stopping Server

$ pki-server stop --wait

Configuring HTTP Port

$ pki-server http-connector-mod Unsecure --port 80

Configuring HTTPS Port

$ pki-server http-connector-mod Secure --port 443

Updating Security Domain Registration

To remove the old subsystem user from Subsystem Group:

$ pki-server ca-group-member-del "Subsystem Group" CA-<hostname>-<old HTTPS port>

To remove the old subsystem user:

$ pki-server ca-user-del CA-<hostname>-<old HTTPS port>

To remove the old subsystem registration:

$ pki-server sd-subsystem-del "CA <hostname> <old HTTPS port>"

To add the new subsystem registration:

$ pki-server sd-subsystem-add \
    --subsystem CA \
    --hostname <hostname> \
    --unsecure-port <new HTTP port> \
    --secure-port <new HTTPS port> \
    --domain-manager \
    "CA pki.example.com <new HTTPS port>"

To add a new subsystem user:

$ pki-server ca-user-add \
    --full-name "CA-<hostname>-<new HTTPS port>" \
    --type agentType \
    --state 1 \
    CA-<hostname>-<new HTTPS port>

In PKI 11.6 or later the user certificate can be specified with the --cert <path> option.

To assign the subsystem certificate to the new subsystem user:

$ cat subsystem.crt | pki-server \
    ca-user-cert-add \
    CA-<hostname>-<new HTTPS port>

To add the new subsystem user into the Subsystem Group:

$ pki-server ca-group-member-add "Subsystem Group" CA-<hostname>-<new HTTPS port>

Updating Security Domain Connection

$ pki-server ca-config-set service.securityDomainPort <new HTTPS port>

Restarting Server

$ pki-server start --wait
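
Because the ports are stored in several locations, a value left at the old port is easy to miss. The following check is an added example, not part of the PKI tools: it compares the Secure connector port in server.xml with service.securityDomainPort in CS.cfg and prints the subsystem user and security domain registration IDs that the new port implies. It assumes the instance is its own domain manager, as in the commands above, and the file contents shown are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from a real instance.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector name="Unsecure" port="80"/>
    <Connector name="Secure" port="443" SSLEnabled="true"/>
  </Service>
</Server>"""
CS_CFG = "service.securityDomainPort=8443\n"  # stale port left behind

def connector_ports(server_xml):
    """Map connector name -> port from server.xml text."""
    root = ET.fromstring(server_xml)
    return {c.get("name"): int(c.get("port"))
            for c in root.iter("Connector")
            if c.get("name") and c.get("port")}

def parse_cs_cfg(text):
    """Parse key=value lines, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_ports(server_xml, cs_cfg, hostname, subsystem="CA"):
    """Return (findings, expected IDs) for a domain-manager instance."""
    secure = connector_ports(server_xml).get("Secure")
    sd_port = parse_cs_cfg(cs_cfg).get("service.securityDomainPort")
    findings = []
    if secure is None:
        findings.append("server.xml has no connector named Secure")
    if sd_port is None:
        findings.append("CS.cfg has no service.securityDomainPort")
    elif secure is not None and sd_port != str(secure):
        findings.append(f"service.securityDomainPort={sd_port} but the "
                        f"Secure connector listens on {secure}")
    # ID patterns follow the commands on this page (assumed convention).
    expected = {"subsystem_user": f"{subsystem}-{hostname}-{secure}",
                "sd_registration": f"{subsystem} {hostname} {secure}"}
    return findings, expected

if __name__ == "__main__":
    findings, expected = check_ports(SERVER_XML, CS_CFG, "pki.example.com")
    for item in findings:
        print("MISMATCH:", item)
    print("expected IDs:", expected)
```

To check a real instance, pass the contents of /var/lib/pki/<instance>/conf/server.xml and /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg to check_ports in place of the samples.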