Installing CA Clone with Shared DS - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to install CA clone with the same DS instance used by the primary CA.

Availability: Since PKI 11.5

Prerequisites

Exporting System Certificates from Primary CA

Export the system certificates and keys from primary CA with the following commands:

$ pki-server ca-clone-prepare \
    --pkcs12-file ca-certs.p12 \
    --pkcs12-password Secret.123

$ pki-server cert-export ca_signing \
    --cert-file ca_signing.crt

Optionally, the CSRs for the above certificates can be exported as well with the following commands:

$ pki-server cert-export ca_signing \
    --csr-file ca_signing.csr

$ pki-server cert-export ca_ocsp_signing \
    --csr-file ca_ocsp_signing.csr

$ pki-server cert-export ca_audit_signing \
    --csr-file ca_audit_signing.csr

$ pki-server cert-export subsystem \
    --csr-file subsystem.csr

Installing Secondary CA

Prepare a deployment configuration (e.g. ca-clone.cfg) to deploy CA subsystem clone. By default the subsystem will be deployed into a Tomcat instance called pki-tomcat.

A sample deployment configuration is available at /usr/share/pki/server/examples/installation/ca-clone.cfg. It assumes that the primary CA subsystem is running at https://primary.example.com:8443, the CA signing certificate has been exported into ca_signing.crt, and the admin certificate and key have been exported into ca_admin_cert.p12. The PKCS #12 password is specified in the pki_client_pkcs12_password parameter.

To start the installation execute the following command:

$ pkispawn \
    -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
    -s CA \
    -D pki_cert_chain_path=ca_signing.crt \
    -D pki_clone_pkcs12_path=ca-certs.p12 \
    -D pki_clone_pkcs12_password=Secret.123 \
    -D pki_ds_url=ldap://secondaryds.example.com:389 \
    -D pki_ds_setup=False \
    -v

If the CSRs are available, they can be specified with the following parameters:

    -D pki_ca_signing_csr_path=ca_signing.csr \
    -D pki_ocsp_signing_csr_path=ca_ocsp_signing.csr \
    -D pki_audit_signing_csr_path=ca_audit_signing.csr \
    -D pki_subsystem_csr_path=subsystem.csr \
⚠️ **GitHub.com Fallback** ⚠️