Issuing KRA Certificates with PKI CA - dogtagpki/pki GitHub Wiki
This page describes the process to issue KRA certificates with the pki ca
command on PKI 10.3 or later.
For older versions, see:
The certificate requests can be submitted to an external PKI CA with the following commands:
$ cd /var/lib/pki/pki-tomcat/conf
$ pki -U <CA URL> ca-cert-request-submit --profile caStorageCert --csr-file kra_storage.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caTransportCert --csr-file kra_transport.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSignedLogCert --csr-file kra_audit_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSubsystemCert --csr-file subsystem.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr
$ pki -U <CA URL> ca-cert-request-submit --profile AdminCert --csr-file kra_admin.csr
The external CA admin can approve the request by executing the following command on the external PKI CA:
$ pki -c Secret.123 -n "PKI Administrator example.com" ca-cert-request-review <request ID> --action approve
The KRA certificates and the external CA certificate can be downloaded to the installing server with the following commands:
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_storage.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_transport.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_audit_signing.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output subsystem.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output sslserver.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_admin.cert
$ pki -U <CA URL> ca-cert-show 0x1 --output ca_signing.cert
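Because each certificate is fetched by a hand-typed cert ID, it is easy to save the wrong certificate under a given file name. The script below is an added example, not part of the Dogtag wiki: it checks that every downloaded certificate carries the public key from its matching CSR and was signed by ca_signing.cert. It assumes the openssl CLI, PEM-encoded files with the names used on this page, and hypothetical function names.

```bash
#!/usr/bin/env bash
# Added example (not from the Dogtag wiki). Assumptions: openssl is installed
# and the .csr/.cert files are PEM-encoded and named as on this page.

# Print the PEM public key of a CSR ($1 = req) or certificate ($1 = x509).
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# $1 = CSR, $2 = issued certificate, $3 = CA signing certificate.
# Returns 0 if the certificate matches the CSR key and chains to the CA,
# 1 on a key mismatch or untrusted issuer, 2 if a file cannot be parsed.
check_issued_cert() {
    local csr_key cert_key
    csr_key=$(pubkey_of req "$1")   || { echo "unreadable CSR: $1" >&2; return 2; }
    cert_key=$(pubkey_of x509 "$2") || { echo "unreadable cert: $2" >&2; return 2; }
    if [ "$csr_key" != "$cert_key" ]; then
        echo "MISMATCH: $2 does not carry the key requested in $1" >&2
        return 1
    fi
    # -partial_chain treats the CA file as the trust anchor even when the
    # external CA is itself subordinate to another CA.
    if ! openssl verify -partial_chain -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "UNTRUSTED: $2 does not verify against $3" >&2
        return 1
    fi
    echo "OK: $2"
}

# Check all six KRA certificates in directory $1 (default: current directory).
check_kra_certs() {
    local dir=${1:-.} rc=0 name
    for name in kra_storage kra_transport kra_audit_signing \
                subsystem sslserver kra_admin; do
        check_issued_cert "$dir/$name.csr" "$dir/$name.cert" \
                          "$dir/ca_signing.cert" || rc=1
    done
    return "$rc"
}

# Run only when a directory is given, e.g.: ./check.sh /var/lib/pki/pki-tomcat/conf
if [ "$#" -gt 0 ]; then
    check_kra_certs "$1"
fi
```

A MISMATCH result usually means a cert ID was paired with the wrong output file; an UNTRUSTED result means the file was not issued by the CA whose certificate was saved as ca_signing.cert.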