Installing KRA with Existing NSS Database - dogtagpki/pki GitHub Wiki
This page describes the process to install a KRA subsystem with existing system certificates and keys stored in an NSS database.
Availability: Since PKI 11.6.
Obtain the certificate chain from the CA (e.g. cert_chain.pem).
See Exporting CA System Certificates.
Create a new PKI server instance (default is pki-tomcat) with the following command:
$ pki-server create
Move the existing NSS database into /var/lib/pki/pki-tomcat/conf/alias and store the password in /var/lib/pki/pki-tomcat/conf/password.conf as follows:
internal=<password>
Make sure that the files and folders are owned by the pkiuser user and the pkiuser group.
For testing, a new NSS database can be created in the server instance with the following command:
$ pki-server nss-create
Then the KRA system certificates can be created as follows:
The CSRs should be stored in the /var/lib/pki/pki-tomcat/conf/certs folder.
To migrate an existing KRA subsystem to a new machine, the existing subsystem and SSL server certificates should not be added to the NSS database, or they should be removed from the NSS database with the following commands:
$ pki-server cert-del sslserver
$ pki-server cert-del subsystem
To install the new KRA subsystem, obtain the admin certificate from the CA or from the existing KRA subsystem (e.g. admin.crt).
To access the new KRA subsystem, obtain the admin certificate with its key in a PKCS #12 file (e.g. ca_admin_cert.p12).
See Default CA Admin.
For testing, a new admin certificate can also be created as follows:
Prepare a file that contains the deployment configuration. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.
Specify the certificate chain with the following parameter:
pki_cert_chain_path=cert_chain.pem
Specify the admin certificate with the following parameter:
pki_admin_cert_path=admin.crt
Finally, execute the following command:
$ pkispawn -f kra.cfg -s KRA
It will install a KRA subsystem in the server instance and use the NSS database in /var/lib/pki/pki-tomcat/conf/alias.
Verify that the server NSS database contains the following certificates:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u
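As an added check (not part of the PKI wiki or the pki-server tooling), the following POSIX shell functions parse a certutil -L listing like the one above and confirm that each KRA system certificate is present with the expected trust flags; a second function covers the migration case described earlier, where subsystem and sslserver must be absent. The sample listing is constructed from the output shown on this page, and nicknames are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the PKI wiki: validate the output of `certutil -L`
# against the KRA certificates and trust attributes this page expects.
# Assumes nicknames contain no spaces (true for the KRA nicknames used here).

# check_listing LISTING: report each expected certificate that is missing or
# carries unexpected trust flags; return 0 only when all six match.
check_listing() {
    listing=$1
    status=0
    for pair in ca_signing:CT,C,C kra_transport:u,u,u kra_storage:u,u,u \
                subsystem:u,u,u kra_audit_signing:u,u,Pu sslserver:u,u,u; do
        nick=${pair%%:*}
        want=${pair#*:}
        # Trust column of the row whose nickname field is exactly $nick.
        got=$(printf '%s\n' "$listing" | awk -v n="$nick" '$1 == n { print $2 }')
        if [ -z "$got" ]; then
            echo "MISSING: $nick"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "TRUST MISMATCH: $nick is $got, expected $want"
            status=1
        fi
    done
    return $status
}

# check_migration_listing LISTING: when migrating a KRA to a new machine the
# old subsystem and sslserver certs must be gone; return 1 if either remains.
check_migration_listing() {
    status=0
    for nick in subsystem sslserver; do
        if printf '%s\n' "$1" | awk -v n="$nick" '$1 == n { f=1 } END { exit !f }'; then
            echo "STALE: remove $nick with: pki-server cert-del $nick"
            status=1
        fi
    done
    return $status
}

# Constructed sample, copied from the certutil output expected on this page.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u'
check_listing "$SAMPLE_LISTING" && echo "all KRA certificates present"
```

Against a live instance, run `check_listing "$(certutil -L -d /var/lib/pki/pki-tomcat/conf/alias)"` (requires nss-tools).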
Import the certificate chain into the client NSS database (e.g. ~/.dogtag/nssdb):
$ pki nss-cert-import \
    --cert cert_chain.pem \
    --trust CT,C,C \
    ca_signing
Import admin key and certificate:
$ pki pkcs12-import \
    --pkcs12 ca_admin_cert.p12 \
    --pkcs12-password Secret.123
Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:
$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
  User ID: kraadmin
  Full name: kraadmin
  Email: [email protected]
  Type: adminType
  State: 1