PKI 10.4 Installing CA with External CA Signing Certificate - dogtagpki/pki GitHub Wiki
This page describes the process to install a subordinate CA with an external CA signing certificate.
The process consists of two steps:
-
Step 1: Generate a CSR to be signed by an external CA.
-
Step 2: Import the CA signing certificate issued by the external CA.
Prepare a deployment configuration file for step 1 (e.g. ca-external-step1.cfg):
[CA] [email protected] pki_admin_name=caadmin pki_admin_nickname=caadmin pki_admin_password=Secret.123 pki_admin_uid=caadmin pki_client_database_password=Secret.123 pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=ca,dc=example,dc=com pki_ds_database=ca pki_ds_password=Secret.123 pki_security_domain_name=EXAMPLE pki_token_password=Secret.123 pki_external=True pki_external_step_two=False pki_external_csr_path=ca_signing.csr
Optionally, specify the HSM parameters:
pki_hsm_enable=True pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so pki_hsm_modulename=nfast
Then execute the following command:
$ pkispawn -f ca-external-step1.cfg -s CA
It will create an NSS database in /var/lib/pki/pki-tomcat/conf/alias and generate a CA certificate CSR in ca_signing.csr.
Submit the CSR to an external CA:
Place the issued CA signing certificate in ca_signing.crt. Export the external CA certificate or certificate chain in external.crt.
Prepare a deployment configuration for step 2 (e.g. ca-external-step2.cfg) by copying it from step 1 (i.e. ca-external-step1.cfg) and make the following changes.
Specify step 2 with the following parameter:
pki_external_step_two=True
Specify the externally-signed CA certificate file with the following parameter:
pki_external_ca_cert_path=ca_signing.crt
The certificate file can contain either a single PEM certificate or a PKCS #7 certificate chain.
If the above certificate file contains a single certificate, the certificate chain can be specified with the following parameters:
pki_cert_chain_nickname=CA Signing Certificate - ROOT pki_external_ca_cert_chain_path=cert_chain.p7b
The certificate chain file can contain either a single root CA certificate or a PKCS #7 certificate chain.
Finally, execute the following command:
$ pkispawn -f ca-external-step2.cfg -s CA
If the HSM is used, the internal token will have the following certificates:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - ROOT CT,C,C
ca_signing CT,C,C
ca_audit_signing ,,P
and the HSM will have the following certificates:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f password.txt
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
HSM:ca_ocsp_signing u,u,u
HSM:sslserver/pki.example.com u,u,u
HSM:ca_signing u,u,u
HSM:subsystem u,u,u
HSM:ca_audit_signing u,u,u
Prepare a client NSS database:
$ pki -c Secret.123 client-init
Import the CA certificate chain:
$ pki -c Secret.123 client-cert-import "CA Signing Certificate - ROOT" --ca-cert cert_chain.crt
Import the subordinate CA signing certificate:
$ pki -c Secret.123 client-cert-import "CA Signing Certificate - EXAMPLE" --ca-cert ca_signing.crt
Import CA admin certificate and key:
$ pki -c Secret.123 client-cert-import \
--pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
Execute the following command:
$ pki -c Secret.123 -n caadmin ca-user-find