Installing DS Server - dogtagpki/pki GitHub Wiki
Note: This page has been moved/converted to the following pages:
This page describes the process to prepare a local DS instance for PKI server.
Normally the DS installation will automatically generate a self-signed signing certificate and a server certificate for SSL connection. In this procedure the certificate generation and the SSL connection will be disabled by default, but it can be enabled after installation if necessary.
For DS 1.3 or older, see DS 1.3 Installation.
To install DS packages:
$ dnf install -y 389-ds-base
Generate a DS configuration file (e.g. `ds.inf`):
$ dscreate create-template ds.inf
Customize the DS configuration file as follows:
```
$ sed -i \
    -e "s/;instance_name = .*/instance_name = localhost/g" \
    -e "s/;root_password = .*/root_password = Secret.123/g" \
    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
    -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
    -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
    ds.inf
```
where

- `instance_name` specifies the name of the DS instance. In this example it's set to `localhost`.
- `root_password` specifies the password for the DS admin (i.e. `cn=Directory Manager`). In this example it's set to `Secret.123`.
- `suffix` specifies the namespace for the DS instance. In this example it's set to `dc=example,dc=com`.
- `self_sign_cert` specifies whether to create self-signed certificates for the SSL connection. In this example it's set to `False`. The SSL connection can be enabled after installation, as described later in this document.
For more information see the parameter descriptions in the DS configuration file itself (i.e. `ds.inf`) and in the DS documentation.
Finally, create the instance:
$ dscreate from-file ds.inf
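As an added example (not from the dogtagpki wiki or the 389 DS project), the following POSIX shell script wraps the template customization above into functions that can be checked before `dscreate from-file` is run. The `sed` patterns only match commented `;key = value` lines, so if the template changes shape they silently do nothing; `verify_ds_inf` catches that instead of letting `dscreate` run with an unintended value. The script also reads the Directory Manager password from an environment variable and restricts the permissions of `ds.inf`, because the file holds that password in clear text. The function names, the `DS_ROOT_PASSWORD` variable and `write_sample_template` are assumptions of this example; `write_sample_template` produces a constructed stand-in for the output of `dscreate create-template`, not the real template.

```shell
#!/bin/sh
# Added example (not the wiki's or the DS project's code): build and verify
# the ds.inf consumed by "dscreate from-file".

# customize_ds_inf FILE INSTANCE SUFFIX PASSWORD
# Uncomments and sets the five parameters the wiki customizes. The "|"
# delimiter lets the suffix contain "/" ; values must not contain "|", "&" or "\".
customize_ds_inf() {
    file=$1; instance=$2; suffix=$3; password=$4
    sed -i \
        -e "s|^;instance_name = .*|instance_name = $instance|" \
        -e "s|^;root_password = .*|root_password = $password|" \
        -e "s|^;suffix = .*|suffix = $suffix|" \
        -e "s|^;create_suffix_entry = .*|create_suffix_entry = True|" \
        -e "s|^;self_sign_cert = .*|self_sign_cert = False|" \
        "$file"
    # The file now holds the Directory Manager password in clear text.
    chmod 600 "$file"
}

# ds_inf_value FILE KEY: print the active (uncommented) value of KEY.
ds_inf_value() {
    sed -n "s/^$2 = //p" "$1"
}

# verify_ds_inf FILE: fail unless every parameter was actually set. The sed
# patterns above do nothing if the template lacks the commented line, so an
# unverified file could create an instance with a self-signed cert or no suffix.
verify_ds_inf() {
    for key in instance_name root_password suffix create_suffix_entry self_sign_cert; do
        [ -n "$(ds_inf_value "$1" "$key")" ] || { echo "ds.inf: $key not set" >&2; return 1; }
    done
}

# install_ds: the real flow from the wiki, with the password taken from the
# environment (assumed variable DS_ROOT_PASSWORD) rather than typed into sed.
install_ds() {
    [ -n "$DS_ROOT_PASSWORD" ] || { echo "DS_ROOT_PASSWORD is not set" >&2; return 1; }
    dscreate create-template ds.inf
    customize_ds_inf ds.inf localhost dc=example,dc=com "$DS_ROOT_PASSWORD"
    verify_ds_inf ds.inf || return 1
    dscreate from-file ds.inf
}

# write_sample_template FILE: constructed stand-in for "dscreate create-template"
# output so the customization can be exercised without 389 DS installed.
write_sample_template() {
    cat > "$1" <<'EOF'
; constructed sample template (not the real dscreate output)
[general]
;full_machine_name = localhost.localdomain
[slapd]
;instance_name = localhost
;root_password = Directory_Manager_Password
;self_sign_cert = True
[backend-userroot]
;create_suffix_entry = False
;suffix = dc=example,dc=com
EOF
}

# Demonstration on the constructed template; no DS instance is touched.
demo=$(mktemp)
write_sample_template "$demo"
customize_ds_inf "$demo" localhost dc=example,dc=com 'Secret.123'
verify_ds_inf "$demo" && cat "$demo"
rm -f "$demo"
```

On a real host, export `DS_ROOT_PASSWORD` and call `install_ds` instead of the demonstration at the bottom; the verification step is the part worth keeping even if the rest is typed by hand.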
Initially the DS instance is empty. Use an LDAP client to add a root entry and PKI base entry, for example:
```
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=pki,dc=example,dc=com
objectClass: domain
dc: pki
EOF
```
The subtree for each PKI subsystem will be created when the subsystem is installed. See PKI LDAP Tree.
If required, PKI can use an SSL connection to DS. To enable the SSL connection in DS, see Enabling SSL Connection in DS.
To remove the DS instance:
$ dsctl localhost remove --do-it
DS log files are available in `/var/log/dirsrv/slapd-localhost`:

- access
- audit
- errors