Installing CA with Existing DS Database - dogtagpki/pki GitHub Wiki
Warning: This page is still under development.
This page describes the process to install CA with an existing DS database. The DS database could be set up manually or restored from a backup.
Availability: Since PKI 11.5
To create the server instance and its NSS database:
$ pki-server create
$ pki-server nss-create
To create CA signing certificate in server’s NSS database:
$ pki-server cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
ca_signing
$ pki-server cert-create \
--ext /usr/share/pki/server/certs/ca_signing.conf \
ca_signing
$ pki-server cert-import ca_signing
To create CA OCSP signing certificate in server’s NSS database:
$ pki-server cert-request \
--subject "CN=OCSP Signing Certificate" \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
ca_ocsp_signing
$ pki-server cert-create \
--issuer ca_signing \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
ca_ocsp_signing
$ pki-server cert-import ca_ocsp_signing
To create CA audit signing certificate in server’s NSS database:
$ pki-server cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
ca_audit_signing
$ pki-server cert-create \
--issuer ca_signing \
--ext /usr/share/pki/server/certs/audit_signing.conf \
ca_audit_signing
$ pki-server cert-import ca_audit_signing
To create subsystem certificate in server’s NSS database:
$ pki-server cert-request \
--subject "CN=Subsystem Certificate" \
--ext /usr/share/pki/server/certs/subsystem.conf \
subsystem
$ pki-server cert-create \
--issuer ca_signing \
--ext /usr/share/pki/server/certs/subsystem.conf \
subsystem
$ pki-server cert-import subsystem
To create SSL server certificate in server’s NSS database:
$ pki-server cert-request \
--subject "CN=pki.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
sslserver
$ pki-server cert-create \
--issuer ca_signing \
--ext /usr/share/pki/server/certs/sslserver.conf \
sslserver
$ pki-server cert-import sslserver
To create admin certificate in client’s NSS database:
$ pki \
nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr admin.csr
$ pki \
-d /var/lib/pki/pki-tomcat/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr admin.csr \
--ext /usr/share/pki/server/certs/admin.conf \
--cert admin.crt
$ pki \
nss-cert-import \
--cert admin.crt \
caadmin
To create the CA subsystem:
$ pki-server ca-create
To store DS password in /var/lib/pki/pki-tomcat/conf/password.conf:
$ pki-server password-set \
--password Secret.123 \
internaldb
To configure DS connection in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:
$ pki-server ca-db-config-mod \
--hostname ds.example.com \
--port 3389 \
--secure false \
--auth BasicAuth \
--bindDN "cn=Directory Manager" \
--bindPWPrompt internaldb \
--database userroot \
--baseDN dc=ca,dc=pki,dc=example,dc=com \
--multiSuffix false \
--maxConns 15 \
--minConns 3
To configure CA user/group subsystem:
$ pki-server ca-config-set usrgrp.ldap internaldb
To configure CA database subsystem:
$ pki-server ca-config-set dbs.ldap internaldb
$ pki-server ca-config-set dbs.newSchemaEntryAdded true
$ pki-server ca-config-set dbs.requestDN ou=ca,ou=requests
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.serialDN ou=certificateRepository,ou=ca
$ pki-server ca-config-set dbs.cert.id.generator random
To import the certificate requests and certificates into the CA database (each ca-cert-import takes the request ID from the preceding ca-cert-request-import):
$ pki-server ca-cert-request-import \
--csr /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile
$ pki-server ca-cert-import \
--cert /var/lib/pki/pki-tomcat/conf/certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request <request ID>
$ pki-server ca-cert-request-import \
--csr /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
$ pki-server ca-cert-import \
--cert /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request <request ID>
$ pki-server ca-cert-request-import \
--csr /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
$ pki-server ca-cert-import \
--cert /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request <request ID>
$ pki-server ca-cert-request-import \
--csr /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile
$ pki-server ca-cert-import \
--cert /var/lib/pki/pki-tomcat/conf/certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request <request ID>
$ pki-server ca-cert-request-import \
--csr /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile
$ pki-server ca-cert-import \
--cert /var/lib/pki/pki-tomcat/conf/certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request <request ID>
$ pki-server ca-cert-request-import \
--csr admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile
$ pki-server ca-cert-import \
--cert admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request <request ID>
Prepare a deployment configuration (e.g. ca.cfg) to deploy CA subsystem.
A sample deployment configuration is available at /usr/share/pki/server/examples/installation/ca.cfg.
To finish the CA installation, execute the following command:
$ pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:389 \
-D pki_ds_setup=False \
-D pki_share_db=True \
-D pki_security_domain_setup=False \
-D pki_admin_setup=False \
-v
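A pre-flight check added here (it is not part of the wiki page or the pki project) for the two steps above that both describe the DS endpoint: the settings written by ca-db-config-mod and password-set, and the pki_ds_url passed to pkispawn. It assumes the usual CS.cfg key names (internaldb.ldapconn.host, internaldb.ldapconn.port, internaldb.ldapconn.secureConn, internaldb.ldapauth.bindPWPrompt) and that CS.cfg and pki_ds_url are meant to agree on the DS host and port; the CS.cfg and password.conf contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the wiki page. Checks the DS settings in CS.cfg and
# password.conf against the pki_ds_url that will be given to pkispawn.
# Key names below are assumed from a typical Dogtag CS.cfg; sample files are constructed.
CS_CFG=$(mktemp)
PW_CONF=$(mktemp)
cat > "$CS_CFG" <<'EOF'
internaldb.ldapconn.host=ds.example.com
internaldb.ldapconn.port=3389
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.basedn=dc=ca,dc=pki,dc=example,dc=com
EOF
cat > "$PW_CONF" <<'EOF'
internal=Secret.123
internaldb=Secret.123
EOF

# cfg_get FILE KEY -> value after the first '=' (values may themselves contain '=')
cfg_get() { grep -m1 "^$2=" "$1" | cut -d= -f2-; }

# check_ds_config CS.cfg password.conf pki_ds_url
# Prints one line per finding; returns 0 when nothing blocks the install.
check_ds_config() {
    cfg=$1; pw=$2; url=$3; rc=0
    # the bindPWPrompt tag must resolve to an entry in password.conf
    tag=$(cfg_get "$cfg" internaldb.ldapauth.bindPWPrompt)
    if [ -z "$(cfg_get "$pw" "$tag")" ]; then
        echo "no entry '$tag' in password.conf for bindPWPrompt"; rc=1
    fi
    # host:port in CS.cfg must match the endpoint handed to pkispawn
    host=$(cfg_get "$cfg" internaldb.ldapconn.host)
    port=$(cfg_get "$cfg" internaldb.ldapconn.port)
    scheme=${url%%://*}; hostport=${url#*://}
    if [ "$hostport" != "$host:$port" ]; then
        echo "CS.cfg points at $host:$port but pki_ds_url is $url"; rc=1
    fi
    # secureConn and the URL scheme must tell the same story
    secure=$(cfg_get "$cfg" internaldb.ldapconn.secureConn)
    if [ "$secure" = "false" ] && [ "$scheme" = "ldaps" ]; then
        echo "secureConn=false but pki_ds_url uses ldaps"; rc=1
    fi
    if [ "$secure" = "false" ]; then
        echo "note: Directory Manager bind goes over plain LDAP (secureConn=false)"
    fi
    return $rc
}
```

Run it as `check_ds_config /var/lib/pki/pki-tomcat/conf/ca/CS.cfg /var/lib/pki/pki-tomcat/conf/password.conf ldap://ds.example.com:3389` on a real instance; a non-zero exit means pkispawn would be started against a DS endpoint the CA itself is not configured for.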