Installing KRA with Existing Certificates - dogtagpki/pki GitHub Wiki
This page describes the process to install a KRA subsystem with existing system certificates and keys stored in a PKCS #12 file.
Availability: Since PKI 11.6.
Obtain the certificate chain from the CA (e.g. `cert_chain.pem`).
See Exporting CA System Certificates.
Export the KRA system certificates and their keys from an existing KRA subsystem into a PKCS #12 file (e.g. `kra-certs.p12`) and the CSRs into separate files.
See Exporting KRA System Certificates.
For testing, new KRA system certificates can also be created as follows:
To migrate an existing KRA subsystem to a new machine, the existing subsystem and SSL server certificates should not be added to the PKCS #12 file, or they should be removed from the PKCS #12 file with the following commands:

```
$ pki pkcs12-cert-del --pkcs12-file kra-certs.p12 --pkcs12-password Secret.123 sslserver
$ pki pkcs12-cert-del --pkcs12-file kra-certs.p12 --pkcs12-password Secret.123 subsystem
```
To install the new KRA subsystem, obtain the admin certificate from the CA or from the existing KRA subsystem (e.g. `admin.crt`).
To access the new KRA subsystem, obtain the admin certificate with its key in a PKCS #12 file (e.g. `ca_admin_cert.p12`).
See Default CA Admin.
For testing, a new admin certificate can also be created as follows:
Prepare a file that contains the deployment configuration. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.
Specify the certificate chain with the following parameter:

```
pki_cert_chain_path=cert_chain.pem
```
Specify the certificates and their keys with the following parameters:

```
pki_server_pkcs12_path=kra-certs.p12
pki_server_pkcs12_password=Secret.123
```
Specify the CSRs with the following parameters:

```
pki_storage_csr_path=kra_storage.csr
pki_transport_csr_path=kra_transport.csr
pki_audit_signing_csr_path=kra_audit_signing.csr
pki_subsystem_csr_path=subsystem.csr
pki_sslserver_csr_path=sslserver.csr
```
Specify the admin certificate with the following parameter:

```
pki_admin_cert_path=admin.crt
```
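Because `pkispawn` only discovers a wrong path or a missing parameter part-way through the installation, it is worth checking the deployment configuration before running it. The following pre-flight check is an added example, not part of this page or of the pki project: it parses the configuration with Python's `configparser`, confirms that every parameter named above is set, confirms that every `*_path` value points at an existing file, and reports whether the file (which carries the PKCS #12 password in clear text) is readable by anyone other than its owner. The embedded `SAMPLE_KRA_CFG` is constructed from the parameters on this page; its `[DEFAULT]` entry is an assumption and is not the content of the shipped sample `kra.cfg`.

```python
import configparser
import os
from typing import Callable, Dict, List

# Constructed sample deployment configuration. The [KRA] parameters are the ones
# named on this page; the [DEFAULT] password is an assumption, not the content of
# the shipped /usr/share/pki/server/examples/installation/kra.cfg.
SAMPLE_KRA_CFG = """\
[DEFAULT]
pki_server_database_password=Secret.123

[KRA]
pki_cert_chain_path=cert_chain.pem
pki_server_pkcs12_path=kra-certs.p12
pki_server_pkcs12_password=Secret.123
pki_storage_csr_path=kra_storage.csr
pki_transport_csr_path=kra_transport.csr
pki_audit_signing_csr_path=kra_audit_signing.csr
pki_subsystem_csr_path=subsystem.csr
pki_sslserver_csr_path=sslserver.csr
pki_admin_cert_path=admin.crt
"""

# Parameters this page requires for a KRA installed from existing certificates.
REQUIRED_PARAMS = (
    "pki_cert_chain_path",
    "pki_server_pkcs12_path",
    "pki_server_pkcs12_password",
    "pki_storage_csr_path",
    "pki_transport_csr_path",
    "pki_audit_signing_csr_path",
    "pki_subsystem_csr_path",
    "pki_sslserver_csr_path",
    "pki_admin_cert_path",
)


def load_kra_section(cfg_text: str) -> Dict[str, str]:
    """Parse pkispawn-style INI text and return the [KRA] section with [DEFAULT] merged in."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("KRA"):
        raise ValueError("deployment configuration has no [KRA] section")
    return dict(parser["KRA"])


def preflight(cfg_text: str, exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return the problems that would make `pkispawn -s KRA` fail on this configuration.

    `exists` is injectable so the check can be exercised on constructed input; the
    default (os.path.isfile) resolves relative paths against the directory in
    which pkispawn will be run.
    """
    kra = load_kra_section(cfg_text)
    problems: List[str] = []
    for name in REQUIRED_PARAMS:
        if not kra.get(name, "").strip():
            problems.append(f"missing parameter: {name}")
    # Every *_path value must be a readable file before pkispawn starts; a wrong
    # path is otherwise only discovered part-way through the installation.
    for name, value in sorted(kra.items()):
        if name.endswith("_path") and value.strip() and not exists(value):
            problems.append(f"{name}: file not found: {value}")
    return problems


def config_is_private(cfg_path: str) -> bool:
    """True if the file is readable only by its owner (mode 0600 or stricter).

    The configuration carries the PKCS #12 password in clear text, so it should
    not be group- or world-readable.
    """
    mode = os.stat(cfg_path).st_mode
    return (mode & 0o077) == 0


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "kra.cfg"
    with open(path) as fh:
        text = fh.read()
    issues = preflight(text)
    if not config_is_private(path):
        issues.append(f"{path} is readable by group/other; run: chmod 600 {path}")
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

Run it as `python3 preflight.py kra.cfg` from the directory in which `pkispawn` will be executed; a non-zero exit status means the configuration should be fixed first.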
Finally, execute the following command:

```
$ pkispawn -f kra.cfg -s KRA
```
This installs the KRA subsystem in a Tomcat instance (by default `pki-tomcat`) and creates a server NSS database in `/var/lib/pki/pki-tomcat/conf/alias`.
Verify that the server NSS database contains the following certificates:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u
```
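Checking this listing by eye is error-prone, particularly the trust flags: `ca_signing` must be trusted as a CA (`CT,C,C`) and `kra_audit_signing` must carry the `P` flag so that audit log signatures can be verified. The following script is an added example, not part of this page or of the pki project: it parses `certutil -L` output (handling nicknames that contain spaces by taking the trust field from the end of the line), compares it with the certificates and trust attributes shown above, and reports missing certificates, wrong trust flags, and any certificate that should not be there. The embedded `SAMPLE_CERTUTIL_OUTPUT` is constructed from the listing on this page.

```python
import re
from typing import Dict, List

# Constructed sample: the `certutil -L` listing this page shows for a freshly
# installed KRA (column widths approximate certutil's layout).
SAMPLE_CERTUTIL_OUTPUT = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u
"""

# Nickname -> trust attributes this page expects after `pkispawn -s KRA`.
EXPECTED_TRUST: Dict[str, str] = {
    "ca_signing": "CT,C,C",
    "kra_transport": "u,u,u",
    "kra_storage": "u,u,u",
    "subsystem": "u,u,u",
    "kra_audit_signing": "u,u,Pu",
    "sslserver": "u,u,u",
}

# A trust attribute string is three comma-separated flag groups (SSL, S/MIME,
# JAR/XPI), each of which may be empty, e.g. "CT,C,C", "u,u,Pu" or ",,".
_ENTRY = re.compile(r"^(.+?)\s+([A-Za-z]*(?:,[A-Za-z]*){2})$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map each nickname in `certutil -L` output to its trust attribute string.

    Nicknames may contain spaces, so the trust field is anchored at the end of
    the line instead of splitting on whitespace.
    """
    certs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,"):
            continue  # blank line or one of the two header lines
        m = _ENTRY.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def verify_kra_certs(listing: str, expected: Dict[str, str] = EXPECTED_TRUST) -> List[str]:
    """Compare a certutil listing with the expected KRA certificates and trust flags."""
    found = parse_certutil_listing(listing)
    problems: List[str] = []
    for nick, trust in expected.items():
        if nick not in found:
            problems.append(f"missing certificate: {nick}")
        elif found[nick] != trust:
            problems.append(f"{nick}: trust is {found[nick]}, expected {trust}")
    for nick in found:
        if nick not in expected:
            problems.append(f"unexpected certificate: {nick}")
    return problems


if __name__ == "__main__":
    import subprocess
    import sys
    db = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/pki/pki-tomcat/conf/alias"
    out = subprocess.run(["certutil", "-L", "-d", db], check=True,
                         capture_output=True, text=True).stdout
    issues = verify_kra_certs(out)
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

Run it on the server as `python3 verify_kra_certs.py /var/lib/pki/pki-tomcat/conf/alias` (the directory must be readable, so typically as root); an empty report and exit status 0 mean the database matches the listing above.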
Import the certificate chain into the client NSS database (e.g. `~/.dogtag/nssdb`):

```
$ pki nss-cert-import \
    --cert cert_chain.pem \
    --trust CT,C,C \
    ca_signing
```
Import the admin key and certificate:

```
$ pki pkcs12-import \
    --pkcs12 ca_admin_cert.p12 \
    --pkcs12-password Secret.123
```
Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:

```
$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
  User ID: kraadmin
  Full name: kraadmin
  Email: [email protected]
  Type: adminType
  State: 1
```