Issuing KRA Certificates with PKI CA - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to issue KRA certificates with pki ca command on PKI 10.3 or later.

For older versions, see:

Submitting Certificate Requests

The certificate requests can be submitted to an external PKI CA with the following commands:

$ cd /var/lib/pki/pki-tomcat/conf
$ pki -U <CA URL> ca-cert-request-submit --profile caStorageCert --csr-file kra_storage.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caTransportCert --csr-file kra_transport.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSignedLogCert --csr-file kra_audit_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSubsystemCert --csr-file subsystem.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr
$ pki -U <CA URL> ca-cert-request-submit --profile AdminCert --csr-file kra_admin.csr

Approving Certificate Requests

The external CA admin can approve the request by executing the following command on the external PKI CA:

$ pki -c Secret.123 -n "PKI Administrator example.com" ca-cert-request-review <request ID> --action approve

Retrieving Issued Certificates

The KRA certificates and the external CA certificate can be downloaded to the installing server with the following commands:

$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_storage.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_transport.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_audit_signing.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output subsystem.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output sslserver.cert
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_admin.cert
$ pki -U <CA URL> ca-cert-show 0x1 --output ca_signing.cert
⚠️ **GitHub.com Fallback** ⚠️