Installing CA with Existing DS Database - dogtagpki/pki GitHub Wiki

Overview

Warning
This page is still under development.

This page describes the process to install CA with an existing DS database. The DS database could be set up manually or restored from a backup.

Availability: Since PKI 11.5

Setting up PKI Server

$ pki-server create
$ pki-server nss-create

Creating CA Signing Certificate

To create the CA signing certificate in the server’s NSS database:

$ pki-server cert-request \
    --subject "CN=CA Signing Certificate" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
$ pki-server cert-create \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
$ pki-server cert-import ca_signing

Creating CA OCSP Signing Certificate

To create the CA OCSP signing certificate in the server’s NSS database:

$ pki-server cert-request \
    --subject "CN=OCSP Signing Certificate" \
    --ext /usr/share/pki/server/certs/ocsp_signing.conf \
    ca_ocsp_signing
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/ocsp_signing.conf \
    ca_ocsp_signing
$ pki-server cert-import ca_ocsp_signing

Creating CA Audit Signing Certificate

To create the CA audit signing certificate in the server’s NSS database:

$ pki-server cert-request \
    --subject "CN=Audit Signing Certificate" \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    ca_audit_signing
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    ca_audit_signing
$ pki-server cert-import ca_audit_signing

Creating Subsystem Certificate

To create the subsystem certificate in the server’s NSS database:

$ pki-server cert-request \
    --subject "CN=Subsystem Certificate" \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
$ pki-server cert-import subsystem

Creating SSL Server Certificate

To create the SSL server certificate in the server’s NSS database:

$ pki-server cert-request \
    --subject "CN=pki.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
$ pki-server cert-import sslserver

Creating Admin Certificate

To create the admin certificate in the client’s NSS database:

$ pki \
    nss-cert-request \
    --subject "CN=Administrator" \
    --ext /usr/share/pki/server/certs/admin.conf \
    --csr admin.csr
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    nss-cert-issue \
    --issuer ca_signing \
    --csr admin.csr \
    --ext /usr/share/pki/server/certs/admin.conf \
    --cert admin.crt
$ pki \
    nss-cert-import \
    --cert admin.crt \
    caadmin

Creating CA Subsystem

$ pki-server ca-create

Configure Connection to CA Database

To store DS password in /var/lib/pki/pki-tomcat/conf/password.conf:

$ pki-server password-add \
    --password Secret.123 \
    internaldb

To configure DS connection in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:

$ pki-server ca-db-config-mod \
    --hostname ds.example.com \
    --port 3389 \
    --secure false \
    --auth BasicAuth \
    --bindDN "cn=Directory Manager" \
    --bindPWPrompt internaldb \
    --database userroot \
    --baseDN dc=ca,dc=pki,dc=example,dc=com \
    --multiSuffix false \
    --maxConns 15 \
    --minConns 3

To configure CA user/group subsystem:

$ pki-server ca-config-set usrgrp.ldap internaldb

To configure CA database subsystem:

$ pki-server ca-config-set dbs.ldap internaldb
$ pki-server ca-config-set dbs.newSchemaEntryAdded true
$ pki-server ca-config-set dbs.requestDN ou=ca,ou=requests
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.serialDN ou=certificateRepository,ou=ca
$ pki-server ca-config-set dbs.cert.id.generator random
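Before starting the CA it is worth checking that the DS connection settings and the password entry above are consistent with each other. The following script is an added example, not part of the dogtagpki/pki wiki; the CS.cfg and password.conf fragments are constructed inline and mirror the internaldb.* keys that ca-db-config-mod writes, so the check runs offline.

```shell
#!/bin/sh
# Added example: sanity-check the CA database connection settings written by
# "pki-server ca-db-config-mod" against the tag stored by "pki-server password-add".
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CS_CFG="$WORK/CS.cfg"
PW_CONF="$WORK/password.conf"

# Constructed CS.cfg fragment mirroring the ca-db-config-mod invocation on this page.
cat > "$CS_CFG" <<'EOF'
internaldb.ldapconn.host=ds.example.com
internaldb.ldapconn.port=3389
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.basedn=dc=ca,dc=pki,dc=example,dc=com
internaldb.database=userroot
EOF

# Constructed password.conf: the tag named by bindPWPrompt must have an entry here.
cat > "$PW_CONF" <<'EOF'
internal=Secret.123
internaldb=Secret.123
EOF

# cfg_get FILE KEY -> value after the first "=" (values such as bind DNs contain "=").
cfg_get() { grep "^$2=" "$1" | head -n 1 | cut -d= -f2-; }

# check_db_config CS_CFG PASSWORD_CONF
# Returns 0 when the DS connection is usable, prints findings and returns 1 otherwise.
# Warns (without failing) when BasicAuth runs over a non-TLS connection, because the
# bind DN and password then cross the network in cleartext.
check_db_config() {
  cfg=$1; pwfile=$2; rc=0
  prompt=$(cfg_get "$cfg" internaldb.ldapauth.bindPWPrompt)
  if [ -z "$prompt" ]; then
    echo "missing internaldb.ldapauth.bindPWPrompt"; rc=1
  elif [ -z "$(cfg_get "$pwfile" "$prompt")" ]; then
    echo "no password for tag '$prompt' in $pwfile"; rc=1
  fi
  for key in internaldb.ldapconn.host internaldb.ldapconn.port internaldb.basedn; do
    [ -n "$(cfg_get "$cfg" "$key")" ] || { echo "missing $key"; rc=1; }
  done
  if [ "$(cfg_get "$cfg" internaldb.ldapconn.secureConn)" = "false" ] \
     && [ "$(cfg_get "$cfg" internaldb.ldapauth.authtype)" = "BasicAuth" ]; then
    echo "warning: BasicAuth over a non-TLS connection exposes the bind password"
  fi
  return $rc
}

check_db_config "$CS_CFG" "$PW_CONF"
```

On a real server, point the function at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg and /var/lib/pki/pki-tomcat/conf/password.conf instead of the constructed files.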

Setting up CA Database

See Setting up CA Database.

Importing CA Signing Certificate

$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr \
    --profile /usr/share/pki/ca/conf/caCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/ca_signing.crt \
    --profile /usr/share/pki/ca/conf/caCert.profile \
    --request <request ID>

Importing CA OCSP Signing Certificate

$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.csr \
    --profile /usr/share/pki/ca/conf/caOCSPCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.crt \
    --profile /usr/share/pki/ca/conf/caOCSPCert.profile \
    --request <request ID>

Importing CA Audit Signing Certificate

$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.csr \
    --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.crt \
    --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
    --request <request ID>

Importing Subsystem Certificate

$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr \
    --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/subsystem.crt \
    --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
    --request <request ID>

Importing SSL Server Certificate

$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr \
    --profile /usr/share/pki/ca/conf/rsaServerCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/sslserver.crt \
    --profile /usr/share/pki/ca/conf/rsaServerCert.profile \
    --request <request ID>

Importing Admin Certificate

$ pki-server ca-cert-request-import \
    --csr admin.csr \
    --profile /usr/share/pki/ca/conf/rsaAdminCert.profile
$ pki-server ca-cert-import \
    --cert admin.crt \
    --profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
    --request <request ID>

Setting up CA Database User

See Setting up CA Database User.

Setting up Security Domain

See Setting up Security Domain.

Setting up Subsystem User

See Setting up Subsystem User.

Setting up CA Admin User

See Setting up CA Admin User.

Finishing CA Installation

Prepare a deployment configuration (e.g. ca.cfg) to deploy the CA subsystem.

A sample deployment configuration is available at /usr/share/pki/server/examples/installation/ca.cfg.

To finish the CA installation, execute the following command:

$ pkispawn \
    -f /usr/share/pki/server/examples/installation/ca.cfg \
    -s CA \
    -D pki_ds_url=ldap://ds.example.com:389 \
    -D pki_ds_setup=False \
    -D pki_share_db=True \
    -D pki_security_domain_setup=False \
    -D pki_admin_setup=False \
    -v