Installing KRA with Existing DS Database - dogtagpki/pki GitHub Wiki

Overview

Warning
This page is still under development.

This page describes the process to install KRA with an existing DS database. The DS database could be set up manually or restored from a backup.

Availability: Since PKI 11.5

Setting up PKI Server

$ pki-server create
$ pki-server nss-create

Creating KRA Storage Certificate

To generate a CSR for KRA storage certificate:

$ pki-server cert-request \
    --subject "CN=DRM Storage Certificate" \
    --ext /usr/share/pki/server/certs/kra_storage.conf \
    kra_storage

The kra_storage.csr can be found in /var/lib/pki/pki-tomcat/conf/certs. Store the kra_storage.crt in the same directory, then import it with the following command:

$ pki-server cert-import kra_storage

Creating KRA Transport Certificate

To generate a CSR for KRA transport certificate:

$ pki-server cert-request \
      --subject "CN=DRM Transport Certificate" \
      --ext /usr/share/pki/server/certs/kra_transport.conf \
      kra_transport

The kra_transport.csr can be found in /var/lib/pki/pki-tomcat/conf/certs. Store the kra_transport.crt in the same directory, then import it with the following command:

$ pki-server cert-import kra_transport

Creating KRA Audit Signing Certificate

To generate a CSR for KRA audit signing certificate:

$ pki-server cert-request \
    --subject "CN=Audit Signing Certificate" \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    kra_audit_signing

The kra_audit_signing.csr can be found in /var/lib/pki/pki-tomcat/conf/certs. Store the kra_audit_signing.crt in the same directory, then import it with the following command:

$ pki-server cert-import kra_audit_signing

Creating Subsystem Certificate

To generate a CSR for subsystem certificate:

$ pki-server cert-request \
    --subject "CN=Subsystem Certificate" \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem

The subsystem.csr can be found in /var/lib/pki/pki-tomcat/conf/certs. Store the subsystem.crt in the same directory, then import it with the following command:

$ pki-server cert-import subsystem

Creating SSL Server Certificate

To generate a CSR for SSL server certificate:

$ pki-server cert-request \
    --subject "CN=kra.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver

The sslserver.csr can be found in /var/lib/pki/pki-tomcat/conf/certs. Store the sslserver.crt in the same directory, then import it with the following command:

$ pki-server cert-import sslserver

Creating Admin Certificate

To generate a CSR for admin certificate:

$ pki nss-cert-request \
    --subject "CN=Administrator" \
    --ext /usr/share/pki/server/certs/admin.conf \
    --csr admin.csr

The admin.csr can be found in the local directory. Store the admin.crt, then import it with the following command:

$ pki nss-cert-import \
    --cert admin.crt \
    admin

Creating KRA Subsystem

$ pki-server kra-create

Configure Connection to KRA Database

$ pki-server password-add \
    --password Secret.123 \
    internaldb
$ pki-server kra-db-config-mod \
    --hostname ds.example.com \
    --port 3389 \
    --secure false \
    --auth BasicAuth \
    --bindDN "cn=Directory Manager" \
    --bindPWPrompt internaldb \
    --database userroot \
    --baseDN dc=kra,dc=pki,dc=example,dc=com \
    --multiSuffix false \
    --maxConns 15 \
    --minConns 3

Setting up KRA Database

See Setting up KRA Database.

Setting up KRA Admin User

See Setting up KRA Admin User.

Finishing KRA Installation

Prepare a deployment configuration (e.g. kra.cfg) to deploy KRA subsystem.

A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.

To finish KRA installation execute the following command:

$ pkispawn \
    -f /usr/share/pki/server/examples/installation/kra.cfg \
    -s KRA \
    -D pki_ds_url=ldap://ds.example.com:389 \
    -D pki_ds_setup=False \
    -D pki_security_domain_uri=https://ca.example.com:8443 \
    -D pki_issuing_ca_uri=https://ca.example.com:8443 \
    -D pki_admin_setup=False \
    -v
⚠️ **GitHub.com Fallback** ⚠️