PKI 10.2 Issuing KRA Certificates with PKI CA - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to issue KRA certificates with the pki ca command on PKI 10.2 or older.

Creating Certificate Requests

Download the request templates from an external PKI CA with the following commands:

$ pki -U <CA URL> ca-cert-request-profile-show caStorageCert --output caStorageCert.xml
$ pki -U <CA URL> ca-cert-request-profile-show caTransportCert --output caTransportCert.xml
$ pki -U <CA URL> ca-cert-request-profile-show caSignedLogCert --output caSignedLogCert.xml
$ pki -U <CA URL> ca-cert-request-profile-show caSubsystemCert --output caSubsystemCert.xml
$ pki -U <CA URL> ca-cert-request-profile-show caServerCert --output caServerCert.xml
$ pki -U <CA URL> ca-cert-request-profile-show caUserCert --output caUserCert.xml

Submitting Certificate Requests

Insert the CSRs into the corresponding request templates. Submit the requests to the external CA with the following commands:

$ pki -U <CA URL> ca-cert-request-submit caStorageCert.xml
$ pki -U <CA URL> ca-cert-request-submit caTransportCert.xml
$ pki -U <CA URL> ca-cert-request-submit caSignedLogCert.xml
$ pki -U <CA URL> ca-cert-request-submit caSubsystemCert.xml
$ pki -U <CA URL> ca-cert-request-submit caServerCert.xml
$ pki -U <CA URL> ca-cert-request-submit caUserCert.xml
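
The insertion step above, as an added Python example that is not part of the original wiki page or of the PKI project's code: it fills one downloaded template with one CSR and refuses to proceed if the template belongs to a different profile or the CSR is not a single well-formed PEM request. The template layout (cert_request and cert_request_type attributes with Value elements), the pkcs10 type value, the sample data and the function names are assumptions made for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a downloaded template (e.g. caStorageCert.xml).
# Assumed layout: <Attribute name="cert_request_type"> and
# <Attribute name="cert_request">, each holding a <Value> element.
SAMPLE_TEMPLATE = """<CertEnrollmentRequest>
  <ProfileID>caStorageCert</ProfileID>
  <Input id="i1">
    <Attribute name="cert_request_type"><Value/></Attribute>
    <Attribute name="cert_request"><Value/></Attribute>
  </Input>
</CertEnrollmentRequest>"""
# Constructed placeholder body (five DER bytes), not a real certificate request.
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQA=\n"
              "-----END CERTIFICATE REQUEST-----\n")

PEM_CSR = re.compile(
    r"\A\s*-----BEGIN (NEW )?CERTIFICATE REQUEST-----\s+"
    r"([A-Za-z0-9+/=\s]+?)-----END (NEW )?CERTIFICATE REQUEST-----\s*\Z")


def check_csr(pem):
    """Return the PEM text if it is exactly one base64 CSR block, else raise."""
    m = PEM_CSR.match(pem)
    if not m:
        raise ValueError("not a single PEM certificate request")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if not der or der[0] != 0x30:  # DER must open with a SEQUENCE tag
        raise ValueError("CSR body is not DER")
    return pem.strip()


def insert_csr(template_xml, csr_pem, profile_id, request_type="pkcs10"):
    """Fill one request template; refuse a template for a different profile."""
    root = ET.fromstring(template_xml)
    if root.findtext("ProfileID") != profile_id:
        raise ValueError("template is not for profile " + profile_id)
    # Assumption: the CSR is PKCS #10, so the type slot is set to "pkcs10".
    values = {"cert_request_type": request_type,
              "cert_request": check_csr(csr_pem)}
    for name, text in values.items():
        slots = root.findall(f".//Attribute[@name='{name}']/Value")
        if len(slots) != 1:  # fail closed on an unexpected template layout
            raise ValueError("expected exactly one slot for " + name)
        slots[0].text = text
    return ET.tostring(root, encoding="unicode")
```

Write the returned XML back to the template file before running the matching ca-cert-request-submit command.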

Retrieving Issued Certificates

The KRA certificates and the external CA certificate can be downloaded to the installing server with the following commands:

$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_storage.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_transport.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_audit_signing.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output subsystem.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output sslserver.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output kra_admin.crt
$ pki -U <CA URL> ca-cert-show 0x1 --output ca_signing.crt