Installing CA with Existing DS Database - dogtagpki/pki GitHub Wiki
Warning: This page is still under development.
This page describes the process to install a CA with an existing DS database. The DS database can be set up manually or restored from a backup.
Availability: Since PKI 11.5
To create the PKI server instance and its NSS database:

```
$ pki-server create
$ pki-server nss-create
```
To create CA signing certificate in server’s NSS database:
```
$ pki-server cert-request \
    --subject "CN=CA Signing Certificate" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
$ pki-server cert-create \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
$ pki-server cert-import ca_signing
```
To create CA OCSP signing certificate in server’s NSS database:
```
$ pki-server cert-request \
    --subject "CN=OCSP Signing Certificate" \
    --ext /usr/share/pki/server/certs/ocsp_signing.conf \
    ca_ocsp_signing
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/ocsp_signing.conf \
    ca_ocsp_signing
$ pki-server cert-import ca_ocsp_signing
```
To create CA audit signing certificate in server’s NSS database:
```
$ pki-server cert-request \
    --subject "CN=Audit Signing Certificate" \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    ca_audit_signing
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    ca_audit_signing
$ pki-server cert-import ca_audit_signing
```
To create subsystem certificate in server’s NSS database:

```
$ pki-server cert-request \
    --subject "CN=Subsystem Certificate" \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
$ pki-server cert-import subsystem
```
To create SSL server certificate in server’s NSS database:
```
$ pki-server cert-request \
    --subject "CN=pki.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
$ pki-server cert-import sslserver
```
To create admin certificate in client’s NSS database:
```
$ pki \
    nss-cert-request \
    --subject "CN=Administrator" \
    --ext /usr/share/pki/server/certs/admin.conf \
    --csr admin.csr
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    nss-cert-issue \
    --issuer ca_signing \
    --csr admin.csr \
    --ext /usr/share/pki/server/certs/admin.conf \
    --cert admin.crt
$ pki \
    nss-cert-import \
    --cert admin.crt \
    caadmin
```

The request and the import run against the client’s NSS database (the pki CLI default, ~/.dogtag/nssdb), so the admin key never leaves the client; only the issue step points at the server’s NSS database with -d, because that is where the ca_signing key lives.
To create the CA subsystem:

```
$ pki-server ca-create
```
To store the DS password in /var/lib/pki/pki-tomcat/conf/password.conf:

```
$ pki-server password-add \
    --password Secret.123 \
    internaldb
```

The file holds the bind password in cleartext, so keep it readable only by the PKI service user.
To configure the DS connection in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:

```
$ pki-server ca-db-config-mod \
    --hostname ds.example.com \
    --port 3389 \
    --secure false \
    --auth BasicAuth \
    --bindDN "cn=Directory Manager" \
    --bindPWPrompt internaldb \
    --database userroot \
    --baseDN dc=ca,dc=pki,dc=example,dc=com \
    --multiSuffix false \
    --maxConns 15 \
    --minConns 3
```

The hostname, port and base DN must describe the DS instance that actually holds the existing database, and the same host and port must be used for pki_ds_url when pkispawn is run at the end. With --secure false and BasicAuth the Directory Manager password crosses the network in cleartext, which is acceptable only in a lab; otherwise point at the LDAPS port and set --secure true.
To configure CA user/group subsystem:
```
$ pki-server ca-config-set usrgrp.ldap internaldb
```
To configure CA database subsystem:
```
$ pki-server ca-config-set dbs.ldap internaldb
$ pki-server ca-config-set dbs.newSchemaEntryAdded true
$ pki-server ca-config-set dbs.requestDN ou=ca,ou=requests
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.serialDN ou=certificateRepository,ou=ca
$ pki-server ca-config-set dbs.cert.id.generator random
```
The certificates created above exist only in the NSS databases so far; each request and certificate also has to be recorded in the CA database. In every pair below, replace <request ID> with the ID of the request record that the preceding ca-cert-request-import created.

To import the CA signing certificate request and certificate into the CA database:

```
$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr \
    --profile /usr/share/pki/ca/conf/caCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/ca_signing.crt \
    --profile /usr/share/pki/ca/conf/caCert.profile \
    --request <request ID>
```

To import the CA OCSP signing certificate request and certificate:

```
$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.csr \
    --profile /usr/share/pki/ca/conf/caOCSPCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.crt \
    --profile /usr/share/pki/ca/conf/caOCSPCert.profile \
    --request <request ID>
```

To import the CA audit signing certificate request and certificate:

```
$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.csr \
    --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.crt \
    --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
    --request <request ID>
```

To import the subsystem certificate request and certificate:

```
$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr \
    --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/subsystem.crt \
    --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
    --request <request ID>
```

To import the SSL server certificate request and certificate:

```
$ pki-server ca-cert-request-import \
    --csr /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr \
    --profile /usr/share/pki/ca/conf/rsaServerCert.profile
$ pki-server ca-cert-import \
    --cert /var/lib/pki/pki-tomcat/conf/certs/sslserver.crt \
    --profile /usr/share/pki/ca/conf/rsaServerCert.profile \
    --request <request ID>
```

To import the admin certificate request and certificate:

```
$ pki-server ca-cert-request-import \
    --csr admin.csr \
    --profile /usr/share/pki/ca/conf/rsaAdminCert.profile
$ pki-server ca-cert-import \
    --cert admin.crt \
    --profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
    --request <request ID>
```
Prepare a deployment configuration (e.g. ca.cfg) to deploy the CA subsystem. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/ca.cfg.

To finish the CA installation, execute the following command:

```
$ pkispawn \
    -f /usr/share/pki/server/examples/installation/ca.cfg \
    -s CA \
    -D pki_ds_url=ldap://ds.example.com:389 \
    -D pki_ds_setup=False \
    -D pki_share_db=True \
    -D pki_security_domain_setup=False \
    -D pki_admin_setup=False \
    -v
```

pki_ds_setup=False makes pkispawn use the existing DS database as it is instead of creating and populating the suffix, so the database must already contain the base DN configured above; pki_ds_url must name the same DS instance as the ca-db-config-mod step. pki_admin_setup=False skips the admin setup, since the admin certificate was created and imported by hand above.
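Because pkispawn runs with pki_ds_setup=False it will not create the suffix or the CA containers, so a sensible pre-flight check before that last step is to confirm that the existing DS database already holds the base DN given to ca-db-config-mod and the request and certificate containers named by dbs.requestDN and dbs.serialDN. The script below is an added example, not part of the dogtagpki wiki or the pki project: it looks each DN up with a base-scope ldapsearch and lists any that are absent. It assumes the OpenLDAP ldapsearch client; the DS_* variable names, the DS_PW_FILE path holding the Directory Manager password and the DS_CHECK_RUN switch are conventions of this script, with defaults taken from the values used on this page.

```shell
#!/bin/bash
# Added example: pre-flight check of an existing DS database before running
# pkispawn with pki_ds_setup=False. Not part of the dogtagpki wiki or the
# pki project. Defaults match the values used on this page; the DS_* names
# and the password file path are assumptions of this script.

DS_SCHEME="${DS_SCHEME:-ldap}"          # use ldaps when the CA is configured with --secure true
DS_HOST="${DS_HOST:-ds.example.com}"
DS_PORT="${DS_PORT:-3389}"
DS_BIND_DN="${DS_BIND_DN:-cn=Directory Manager}"
DS_PW_FILE="${DS_PW_FILE:-/root/.ds-password}"   # Directory Manager password, keep it mode 0600
CA_BASE_DN="${CA_BASE_DN:-dc=ca,dc=pki,dc=example,dc=com}"
REQUEST_RDN="ou=ca,ou=requests"                  # dbs.requestDN
SERIAL_RDN="ou=certificateRepository,ou=ca"      # dbs.serialDN

# The entries the CA expects to find, one DN per line.
required_dns() {
    printf '%s\n' "$CA_BASE_DN" \
        "$REQUEST_RDN,$CA_BASE_DN" \
        "$SERIAL_RDN,$CA_BASE_DN"
}

# Look up each required entry with a base-scope search and emit the result as
# unwrapped LDIF, so every entry that exists yields exactly one "dn:" line.
# stderr is left alone so a bind failure or "No such object" stays visible.
fetch_dns() {
    local dn
    required_dns | while IFS= read -r dn; do
        ldapsearch -LLL -o ldif-wrap=no -x \
            -H "$DS_SCHEME://$DS_HOST:$DS_PORT" \
            -D "$DS_BIND_DN" -y "$DS_PW_FILE" \
            -b "$dn" -s base dn
    done
}

# Read LDIF on stdin and print each required DN that has no "dn:" line.
# The comparison is whole-line, fixed-string and case-insensitive, which is
# enough here because DS returns these DNs in their stored form.
missing_dns() {
    local ldif dn
    ldif=$(cat)
    required_dns | while IFS= read -r dn; do
        printf '%s\n' "$ldif" | grep -qixF -- "dn: $dn" || printf '%s\n' "$dn"
    done
}

# Returns 0 when every required entry exists, 1 otherwise (missing DNs on stderr).
check_ds() {
    local missing
    missing=$(fetch_dns | missing_dns)
    if [ -n "$missing" ]; then
        printf 'missing in DS (restore or create before running pkispawn):\n%s\n' "$missing" >&2
        return 1
    fi
    printf 'DS at %s:%s has all required CA entries under %s\n' \
        "$DS_HOST" "$DS_PORT" "$CA_BASE_DN"
}

# Sourcing the file only defines the functions; set DS_CHECK_RUN=1 to run the check.
if [ "${DS_CHECK_RUN:-0}" = 1 ]; then
    check_ds
fi
```

Run it as `DS_CHECK_RUN=1 DS_PW_FILE=/root/.ds-password bash ds-check.sh` (any file name will do) after restoring or preparing the DS database and before pkispawn; a non-zero exit with a list of DNs means the restore is incomplete or the base DN passed to ca-db-config-mod does not match what is in DS. If all three DNs are reported missing, read the ldapsearch errors first, because a wrong bind DN, password or URL produces the same result as an empty database.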