Installing KRA with Existing DS Database - dogtagpki/pki GitHub Wiki
|
Warning
|
This page is still under development. |
This page describes the process to install KRA with an existing DS database. The DS database could be set up manually or restored from a backup.
Availability: Since PKI 11.5
$ pki-server create $ pki-server nss-create
To generate a CSR for KRA storage certificate:
$ pki-server cert-request \
--subject "CN=DRM Storage Certificate" \
--ext /usr/share/pki/server/certs/kra_storage.conf \
kra_storage
The kra_storage.csr can be found in /var/lib/pki/pki-tomcat/conf/certs.
Store the kra_storage.crt in the same directory, then import it with the following command:
$ pki-server cert-import kra_storage
To generate a CSR for KRA transport certificate:
$ pki-server cert-request \
--subject "CN=DRM Transport Certificate" \
--ext /usr/share/pki/server/certs/kra_transport.conf \
kra_transport
The kra_transport.csr can be found in /var/lib/pki/pki-tomcat/conf/certs.
Store the kra_transport.crt in the same directory, then import it with the following command:
$ pki-server cert-import kra_transport
To generate a CSR for KRA audit signing certificate:
$ pki-server cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
kra_audit_signing
The kra_audit_signing.csr can be found in /var/lib/pki/pki-tomcat/conf/certs.
Store the kra_audit_signing.crt in the same directory, then import it with the following command:
$ pki-server cert-import kra_audit_signing
To generate a CSR for subsystem certificate:
$ pki-server cert-request \
--subject "CN=Subsystem Certificate" \
--ext /usr/share/pki/server/certs/subsystem.conf \
subsystem
The subsystem.csr can be found in /var/lib/pki/pki-tomcat/conf/certs.
Store the subsystem.crt in the same directory, then import it with the following command:
$ pki-server cert-import subsystem
To generate a CSR for SSL server certificate:
$ pki-server cert-request \
--subject "CN=kra.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
sslserver
The sslserver.csr can be found in /var/lib/pki/pki-tomcat/conf/certs.
Store the sslserver.crt in the same directory, then import it with the following command:
$ pki-server cert-import sslserver
To generate a CSR for admin certificate:
$ pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr admin.csr
The admin.csr can be found in the local directory.
Store the admin.crt, then import it with the following command:
$ pki nss-cert-import \
--cert admin.crt \
admin
$ pki-server kra-create
$ pki-server password-add \
--password Secret.123 \
internaldb
$ pki-server kra-db-config-mod \
--hostname ds.example.com \
--port 3389 \
--secure false \
--auth BasicAuth \
--bindDN "cn=Directory Manager" \
--bindPWPrompt internaldb \
--database userroot \
--baseDN dc=kra,dc=pki,dc=example,dc=com \
--multiSuffix false \
--maxConns 15 \
--minConns 3
Prepare a deployment configuration (e.g. kra.cfg) to deploy KRA subsystem.
A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.
To finish KRA installation execute the following command:
$ pkispawn \
-f /usr/share/pki/server/examples/installation/kra.cfg \
-s KRA \
-D pki_ds_url=ldap://ds.example.com:389 \
-D pki_ds_setup=False \
-D pki_security_domain_uri=https://ca.example.com:8443 \
-D pki_issuing_ca_uri=https://ca.example.com:8443 \
-D pki_admin_setup=False \
-v