Installing OCSP with Existing Certificates - dogtagpki/pki GitHub Wiki
This page describes the process to install OCSP with existing certificates in PKI 10.6 or later. In this scenario, the OCSP uses an external CA to issue the OCSP system certificates. The OCSP will join the CA's security domain.
The installation process consists of multiple steps:
- Initializing installation
- Creating initial configuration files
- Creating empty NSS database
- Generating keys, CSRs, and certificates
- Finalizing installation
Prepare a deployment configuration file for step 1 (e.g. ocsp-step1.cfg):

```ini
[OCSP]
pki_admin_email=<admin email address>
pki_admin_name=ocspadmin
pki_admin_nickname=ocspadmin
pki_admin_password=Secret.123
pki_admin_uid=ocspadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ocsp,dc=example,dc=com
pki_ds_database=ocsp
pki_ds_password=Secret.123
pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123
pki_token_password=Secret.123
pki_external=True
pki_external_step_two=False
pki_ocsp_signing_nickname=ocsp_signing
pki_subsystem_nickname=subsystem
pki_sslserver_nickname=sslserver
pki_audit_signing_nickname=ocsp_audit_signing
```
Note: Do not specify the paths for storing the CSR files (the pki_*_csr_path parameters) in step 1; without them, pkispawn will not generate keys or CSRs, so the existing keys and certificates can be used instead.
Optionally, specify the HSM parameters:

```ini
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
```
Then execute the following command:

```
$ pkispawn -f ocsp-step1.cfg -s OCSP
```
It will create an empty NSS database in /var/lib/pki/pki-tomcat/conf/alias.
Follow this procedure to export OCSP certificates.
If the existing OCSP has a certificate chain, export it into a file (see Exporting Certificate Chain), substituting the instance name and the nickname of the chain certificate as appropriate:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "external" -a > external.crt
```
Transfer the certificates and the certificate chain to the host where the new OCSP will be installed.
Follow this procedure to export OCSP CSRs.
Transfer the CSRs to the host where the new OCSP will be installed.
Prepare a deployment configuration for step 2 (e.g. ocsp-step2.cfg) by copying the step 1 configuration (i.e. ocsp-step1.cfg) and making the following changes.
Specify step 2 with the following parameter:

```ini
pki_external_step_two=True
```
Specify the CSRs with the following parameters:

```ini
pki_ocsp_signing_csr_path=ocsp_signing.csr
pki_subsystem_csr_path=subsystem.csr
pki_sslserver_csr_path=sslserver.csr
pki_audit_signing_csr_path=ocsp_audit_signing.csr
pki_admin_csr_path=ocsp_admin.csr
```
Specify the certificates with the following parameters:

```ini
pki_ocsp_signing_cert_path=ocsp_signing.crt
pki_subsystem_cert_path=subsystem.crt
pki_sslserver_cert_path=sslserver.crt
pki_audit_signing_cert_path=ocsp_audit_signing.crt
pki_admin_cert_path=ocsp_admin.crt
```
Each certificate file can contain either a single PEM certificate or a PKCS #7 certificate chain.
If all of the above certificate files contain single certificates, the CA signing certificate and/or the certificate chain can be specified with the following parameters:

```ini
pki_ca_signing_nickname=ca_signing
pki_ca_signing_cert_path=ca_signing.crt
pki_cert_chain_nickname=cert_chain
pki_cert_chain_path=cert_chain.p7b
```
The CA signing certificate and the certificate chain file can contain either a single certificate or a PKCS #7 certificate chain as well.
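Before running step 2 it is worth checking that the configuration actually satisfies the rules above: step-two mode is on, every system certificate has both a CSR path and a certificate path, each certificate file holds either one PEM certificate or one PKCS #7 blob, and a CA certificate or chain is supplied when all files are single certificates. The script below is an added pre-flight check written for this page, not part of the pki project; it assumes relative paths in the cfg resolve next to the cfg file, and the check_step2 function name is hypothetical.

```python
import configparser
import os
import re

# The five OCSP system certificates this page configures (pki_<name>_csr_path / pki_<name>_cert_path).
SYSTEM_CERTS = ["ocsp_signing", "subsystem", "sslserver", "audit_signing", "admin"]
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----.*?-----END \1-----", re.S)
CA_HINT = ("all certificate files are single certs; set pki_ca_signing_cert_path "
           "and/or pki_cert_chain_path so the CA chain is imported")


def classify_pem(text):
    """'cert' for exactly one PEM certificate, 'pkcs7' for exactly one PKCS #7 blob, else 'other'."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    if labels == ["CERTIFICATE"]:
        return "cert"
    if labels == ["PKCS7"]:
        return "pkcs7"
    return "other"


def check_step2(cfg_path):
    """Return a list of problems in an OCSP step-2 deployment config; an empty list means it looks fine."""
    cfg = configparser.ConfigParser(interpolation=None)  # values contain '=', so no interpolation
    cfg.read(cfg_path)
    ocsp = cfg["OCSP"] if "OCSP" in cfg else {}
    base = os.path.dirname(os.path.abspath(cfg_path))  # assumption: relative paths live beside the cfg
    problems = []
    if ocsp.get("pki_external", "False") != "True":
        problems.append("pki_external must be True")
    if ocsp.get("pki_external_step_two", "False") != "True":
        problems.append("pki_external_step_two must be True for step 2")
    kinds = []
    for name in SYSTEM_CERTS:
        for suffix in ("csr", "cert"):
            key = "pki_%s_%s_path" % (name, suffix)
            value = ocsp.get(key)
            if not value:
                problems.append("%s is not set" % key)
                continue
            path = os.path.join(base, value)
            if not os.path.isfile(path):
                problems.append("%s: file not found: %s" % (key, value))
                continue
            if suffix == "cert":
                with open(path) as f:
                    kind = classify_pem(f.read())
                kinds.append(kind)
                if kind == "other":
                    problems.append("%s: expected one PEM certificate or one PKCS #7 chain" % key)
    has_ca = ocsp.get("pki_ca_signing_cert_path") or ocsp.get("pki_cert_chain_path")
    if kinds and all(k == "cert" for k in kinds) and not has_ca:
        problems.append(CA_HINT)
    return problems
```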
Finally, execute the following command:

```
$ pkispawn -f ocsp-step2.cfg -s OCSP
```