Installing KRA with Existing DS Database - dogtagpki/pki GitHub Wiki
> **Warning:** This page is still under development.
This page describes the process to install KRA with an existing DS database. The DS database could be set up manually or restored from a backup.
Availability: Since PKI 11.5
First create the PKI server instance, then its NSS database:

```
$ pki-server create
$ pki-server nss-create
```
To generate a CSR for KRA storage certificate:
```
$ pki-server cert-request \
    --subject "CN=DRM Storage Certificate" \
    --ext /usr/share/pki/server/certs/kra_storage.conf \
    kra_storage
```

The `kra_storage.csr` can be found in `/var/lib/pki/pki-tomcat/conf/certs`.

Store the `kra_storage.crt` in the same directory, then import it with the following command:

```
$ pki-server cert-import kra_storage
```
To generate a CSR for KRA transport certificate:
```
$ pki-server cert-request \
    --subject "CN=DRM Transport Certificate" \
    --ext /usr/share/pki/server/certs/kra_transport.conf \
    kra_transport
```

The `kra_transport.csr` can be found in `/var/lib/pki/pki-tomcat/conf/certs`.

Store the `kra_transport.crt` in the same directory, then import it with the following command:

```
$ pki-server cert-import kra_transport
```
To generate a CSR for KRA audit signing certificate:
```
$ pki-server cert-request \
    --subject "CN=Audit Signing Certificate" \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    kra_audit_signing
```

The `kra_audit_signing.csr` can be found in `/var/lib/pki/pki-tomcat/conf/certs`.

Store the `kra_audit_signing.crt` in the same directory, then import it with the following command:

```
$ pki-server cert-import kra_audit_signing
```
To generate a CSR for subsystem certificate:
```
$ pki-server cert-request \
    --subject "CN=Subsystem Certificate" \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
```

The `subsystem.csr` can be found in `/var/lib/pki/pki-tomcat/conf/certs`.

Store the `subsystem.crt` in the same directory, then import it with the following command:

```
$ pki-server cert-import subsystem
```
To generate a CSR for SSL server certificate:
```
$ pki-server cert-request \
    --subject "CN=kra.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
```

The `sslserver.csr` can be found in `/var/lib/pki/pki-tomcat/conf/certs`.

Store the `sslserver.crt` in the same directory, then import it with the following command:

```
$ pki-server cert-import sslserver
```
To generate a CSR for admin certificate:
```
$ pki nss-cert-request \
    --subject "CN=Administrator" \
    --ext /usr/share/pki/server/certs/admin.conf \
    --csr admin.csr
```

The `admin.csr` can be found in the local directory.

Store the `admin.crt`, then import it with the following command:

```
$ pki nss-cert-import \
    --cert admin.crt \
    admin
```
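Before each `pki-server cert-import`, it is worth confirming that the certificate the CA returned actually belongs to the key in the corresponding CSR and carries the subject that was requested, so a mislabelled or swapped file is caught before it lands in the NSS database. The script below is an added example, not part of the Dogtag wiki or of the `pki-server` tooling; it assumes the `openssl` CLI is installed and that each `<nickname>.csr` / `<nickname>.crt` pair sits in `/var/lib/pki/pki-tomcat/conf/certs` (the `CERT_DIR` variable and both function names are hypothetical).

```shell
#!/bin/sh
# Added example, not part of the Dogtag PKI wiki or pki-server tooling.
# Verifies, before `pki-server cert-import`, that every certificate issued
# for the KRA CSRs on this page matches the key in its CSR and carries the
# requested subject. Requires the openssl CLI.
# Assumption: files are laid out as <nickname>.csr / <nickname>.crt in CERT_DIR.
CERT_DIR="${CERT_DIR:-/var/lib/pki/pki-tomcat/conf/certs}"

# check_cert_pair <csr> <crt> <expected CN>
# Returns 0 when the cert's public key equals the CSR's public key and the
# subject contains the expected CN; otherwise prints the reason and returns 1.
check_cert_pair() {
    csr="$1"; crt="$2"; expected_cn="$3"
    csr_pub=$(openssl req -noout -pubkey -in "$csr" 2>/dev/null) \
        || { echo "unreadable CSR: $csr"; return 1; }
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) \
        || { echo "unreadable certificate: $crt"; return 1; }
    if [ "$csr_pub" != "$crt_pub" ]; then
        echo "public key mismatch: $crt was not issued for the key in $csr"
        return 1
    fi
    # RFC 2253 formatting is stable across openssl versions: subject=CN=...
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt")
    case "$subj" in
        *"CN=$expected_cn"*) echo "ok: $crt ($subj)"; return 0 ;;
        *) echo "unexpected subject in $crt: $subj (wanted CN=$expected_cn)"; return 1 ;;
    esac
}

# check_kra_certs: run the check for the five server-side certificates
# requested above, using the subjects passed to pki-server cert-request.
check_kra_certs() {
    rc=0
    for pair in \
        "kra_storage:DRM Storage Certificate" \
        "kra_transport:DRM Transport Certificate" \
        "kra_audit_signing:Audit Signing Certificate" \
        "subsystem:Subsystem Certificate" \
        "sslserver:kra.example.com"; do
        nick=${pair%%:*}; cn=${pair#*:}
        check_cert_pair "$CERT_DIR/$nick.csr" "$CERT_DIR/$nick.crt" "$cn" || rc=1
    done
    return $rc
}
# Usage: . ./check_kra_certs.sh && check_kra_certs   (exit status 0 = all pairs match)
```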
Create the KRA subsystem:

```
$ pki-server kra-create
```

Store the DS bind password and point the KRA at the existing DS database:

```
$ pki-server password-add \
    --password Secret.123 \
    internaldb
$ pki-server kra-db-config-mod \
    --hostname ds.example.com \
    --port 3389 \
    --secure false \
    --auth BasicAuth \
    --bindDN "cn=Directory Manager" \
    --bindPWPrompt internaldb \
    --database userroot \
    --baseDN dc=kra,dc=pki,dc=example,dc=com \
    --multiSuffix false \
    --maxConns 15 \
    --minConns 3
```
Prepare a deployment configuration (e.g. `kra.cfg`) to deploy the KRA subsystem.
A sample deployment configuration is available at `/usr/share/pki/server/examples/installation/kra.cfg`.
To finish the KRA installation, execute the following command:

```
$ pkispawn \
    -f /usr/share/pki/server/examples/installation/kra.cfg \
    -s KRA \
    -D pki_ds_url=ldap://ds.example.com:389 \
    -D pki_ds_setup=False \
    -D pki_security_domain_uri=https://ca.example.com:8443 \
    -D pki_issuing_ca_uri=https://ca.example.com:8443 \
    -D pki_admin_setup=False \
    -v
```