PKI 10.5 Installing CA with Existing Certificates using PKCS12 File - dogtagpki/pki GitHub Wiki
The CA installation with existing certificates using a PKCS #12 file is part of the CA migration procedure without an HSM. In this process the existing certificates and keys are migrated using a PKCS #12 file.
PKI 10.4 or older supports migrating the CA signing certificate only; the other system certificates are reissued in the new CA. In PKI 10.5 or later all of the CA's system certificates can be migrated.
Prepare a password file for the PKCS #12 file:
$ echo Secret.123 > password.txt
Export the NSS database password of the existing CA instance into a file:
$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
Then export all existing certificates and keys with the following command:
$ PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -o ca.p12 -w password.txt
This will include the CA signing certificate and key, the other system certificates and keys, and the certificate chain (if any).
Transfer the PKCS #12 file to the host where the new CA will be installed.
Export the CA signing CSR with the following command:
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
In PKI 10.5 or later, export the CSRs for the other system certificates as well:
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
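The five export commands above do the same thing for each system certificate. The following helper script is an added example, not part of the Dogtag wiki or the pki project; it generalizes those commands into one function, refuses to write an empty request when a certreq value is absent from CS.cfg, and runs against a constructed sample CS.cfg with placeholder request bodies.

```shell
# Added helper, not part of the Dogtag wiki page: exports the CSR of every CA system
# certificate from CS.cfg into the PEM files named in the procedure above, refusing to
# write an empty request when a certreq value is missing. Assumes CS.cfg keys of the
# form ca.<tag>.certreq=<base64 request body>, as used above.

# export_csr <tag> <CS.cfg> <output file>: wrap ca.<tag>.certreq in PEM headers.
export_csr() {
    body=$(sed -n "/^ca\.$1\.certreq=/ s/^[^=]*=// p" < "$2")
    if [ -z "$body" ]; then
        echo "export_csr: no ca.$1.certreq value in $2" >&2
        return 1
    fi
    {
        echo "-----BEGIN NEW CERTIFICATE REQUEST-----"
        printf '%s\n' "$body"
        echo "-----END NEW CERTIFICATE REQUEST-----"
    } > "$3"
}

# export_all_csrs <CS.cfg> <dir>: export all five requests; prints each file written.
export_all_csrs() {
    for pair in signing:ca_signing ocsp_signing:ca_ocsp_signing \
                audit_signing:ca_audit_signing subsystem:subsystem sslserver:sslserver
    do
        tag=${pair%%:*}; name=${pair#*:}
        export_csr "$tag" "$1" "$2/$name.csr" || return 1
        echo "$2/$name.csr"
    done
}

# Constructed sample CS.cfg with placeholder request bodies (not real CSRs).
SAMPLE_CFG=$(mktemp); SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_CFG" <<'EOF'
ca.signing.certreq=MIICsampleSIGNINGrequestBODY
ca.ocsp_signing.certreq=MIICsampleOCSPrequestBODY
ca.audit_signing.certreq=MIICsampleAUDITrequestBODY
ca.subsystem.certreq=MIICsampleSUBSYSTEMrequestBODY
ca.sslserver.certreq=MIICsampleSSLSERVERrequestBODY
ca.signing.nickname=ca_signing
EOF

# Number of CSR files produced from the sample, and the body line of one of them.
demo_count() { export_all_csrs "$SAMPLE_CFG" "$SAMPLE_DIR" | wc -l | tr -d ' '; }
demo_body() { export_all_csrs "$SAMPLE_CFG" "$SAMPLE_DIR" >/dev/null; sed -n 2p "$SAMPLE_DIR/$1.csr"; }
```

For a real instance, call `export_all_csrs /var/lib/pki/pki-tomcat/ca/conf/CS.cfg .` and transfer the resulting files as described below.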
Transfer the CSR files to the host where the new CA will be installed.
On the new host put the PKCS #12 password into a file (e.g. password.txt), then verify that the PKCS #12 file contains at least the CA signing certificate and key (it may include other certificates and keys):
$ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Certificate ID: 308b4c7d4b5efc4052aec26e49a2c5e2e14c9e90
  Serial Number: 0x1
  Nickname: ca_signing
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Trust Flags: CTu,Cu,Cu
  Has Key: true

$ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Key ID: 308b4c7d4b5efc4052aec26e49a2c5e2e14c9e90
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Algorithm: RSA
In PKI 10.4 or earlier, remove the other system certificates and keys (but keep the certificate chain) using the following commands:
$ pki pkcs12-cert-del "ca_ocsp_signing" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
$ pki pkcs12-cert-del "ca_audit_signing" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
$ pki pkcs12-cert-del "subsystem" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
$ pki pkcs12-cert-del "sslserver" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
In PKI 10.5 or later it is not necessary to remove the other system certificates and keys.
Verify that the trust flags of the CA signing certificate are CTu,Cu,Cu. If they are different or missing, fix them with the following command:
$ pki pkcs12-cert-mod "ca_signing" --pkcs12-file ca.p12 --pkcs12-password-file password.txt --trust-flags "CTu,Cu,Cu"
Also verify that the trust flags of the certificate chain (if any) are CT,C,C. If they are different or missing, fix them with the following command:
$ pki pkcs12-cert-mod "external" --pkcs12-file ca.p12 --pkcs12-password-file password.txt --trust-flags "CT,C,C"
Prepare a deployment configuration file for the CA, then specify the CA signing certificate nickname, its CSR, and the PKCS #12 file in the following properties:
pki_existing=True
pki_pkcs12_path=ca.p12
pki_pkcs12_password=Secret.123
pki_ca_signing_nickname=ca_signing
pki_ca_signing_csr_path=ca_signing.csr
In PKI 10.5 or later, specify also the nicknames and the CSRs of the other system certificates:
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_ocsp_signing_csr_path=ca_ocsp_signing.csr
pki_audit_signing_nickname=ca_audit_signing
pki_audit_signing_csr_path=ca_audit_signing.csr
pki_subsystem_nickname=subsystem
pki_subsystem_csr_path=subsystem.csr
pki_sslserver_nickname=sslserver
pki_sslserver_csr_path=sslserver.csr
Make sure the nicknames above match the nicknames in the PKCS #12 file.
Then execute the following command:
$ pkispawn -f ca.cfg -s CA
Verify that the CA signing key ID is the same in the existing and new CA instances. For example:
$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
$ certutil -K -d /var/lib/pki/pki-tomcat/alias -f internal.txt
...
< 2> rsa      7bd4dc662670ebe08a35086b054175559608ac20   ca_signing
...
In PKI 10.4 or earlier, the CA signing key IDs should be the same. All other key IDs will be different.
In PKI 10.5 or later, all key IDs should be the same (except for SSL server key IDs if they are installed on different hosts).
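Comparing the two certutil -K listings by eye is error-prone when several keys are involved. The following check is an added example, not part of the Dogtag wiki or the pki project; it pairs key IDs by nickname across a listing from the old instance and one from the new instance, treats only the nicknames you pass (e.g. sslserver when the hosts differ) as allowed to change, and fails on any other difference. It assumes the certutil -K line format shown above and runs on constructed sample listings.

```shell
# Added check, not part of the Dogtag wiki page: compares the key IDs listed by
# `certutil -K` on the existing and the new CA instance, nickname by nickname.
# Assumes the certutil -K line format "< N> rsa <key id> <nickname>".
# compare_key_ids <old listing> <new listing> [nicknames allowed to differ]
compare_key_ids() {
    awk -v allow=" $3 " '
        /^<[ 0-9]*>/ {
            # The key ID is the first 40-character hex field on the line
            k = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9a-f]+$/ && length($i) == 40) { k = i; break }
            if (!k) next
            # The nickname is everything after the key ID (it may contain spaces)
            nick = $(k + 1)
            for (i = k + 2; i <= NF; i++) nick = nick " " $i
            if (NR == FNR) { old[nick] = $k; next }      # first file: remember
            seen[nick] = 1
            if (!(nick in old))                  print "NEW_ONLY " nick
            else if (old[nick] == $k)            print "SAME " nick
            else if (index(allow, " " nick " ")) print "DIFF_OK " nick
            else                               { print "MISMATCH " nick; bad = 1 }
        }
        END {
            for (n in old) if (!(n in seen)) print "OLD_ONLY " n
            exit bad
        }' "$1" "$2"
}

# Constructed sample listings (the ca_signing key ID is the one shown above; the
# other key IDs are made-up 40-hex-digit values).
OLD_KEYS=$(mktemp); NEW_KEYS=$(mktemp)
cat > "$OLD_KEYS" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0123456789abcdef0123456789abcdef01234567   ca_ocsp_signing
< 1> rsa      fedcba9876543210fedcba9876543210fedcba98   ca_audit_signing
< 2> rsa      7bd4dc662670ebe08a35086b054175559608ac20   ca_signing
< 3> rsa      aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd   subsystem
< 4> rsa      1111111111222222222233333333334444444444   sslserver
EOF
# New instance on another host: sslserver legitimately differs, audit signing does not.
cat > "$NEW_KEYS" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7bd4dc662670ebe08a35086b054175559608ac20   ca_signing
< 1> rsa      0123456789abcdef0123456789abcdef01234567   ca_ocsp_signing
< 2> rsa      5555555555666666666677777777778888888888   ca_audit_signing
< 3> rsa      aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd   subsystem
< 4> rsa      9999999999000000000099999999990000000000   sslserver
EOF
```

Running `compare_key_ids "$OLD_KEYS" "$NEW_KEYS" sslserver` prints one line per nickname and exits non-zero because ca_audit_signing changed; for a PKI 10.4 migration only ca_signing is expected to be reported as SAME.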
Verify that the CA admin can access the server with the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-pki.example.com-8443
  Full name: CA-pki.example.com-8443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------