PKI 10.5 Installing KRA - dogtagpki/pki GitHub Wiki
This document describes the process to install KRA subsystem. This assumes the CA subsystem has already been installed and the CA admin certificate has been exported to /root/.dogtag/pki-tomcat/ca_admin.cert.
Prepare a deployment configuration file:
[KRA] pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert [email protected] pki_admin_name=kraadmin pki_admin_nickname=kraadmin pki_admin_password=Secret.123 pki_admin_uid=kraadmin pki_client_database_password=Secret.123 pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=kra,dc=example,dc=com pki_ds_database=kra pki_ds_password=Secret.123 pki_security_domain_name=EXAMPLE pki_security_domain_user=caadmin pki_security_domain_password=Secret.123
Optionally, the certificate nicknames can be specified in the following parameters:
pki_storage_nickname=kra_storage pki_transport_nickname=kra_transport pki_audit_signing_nickname=kra_audit_signing pki_ssl_server_nickname=sslserver pki_subsystem_nickname=subsystem
Note: If you have specified nicknames for sslserver and subsystem system certificates previously, you need to specify same nicknames.
To begin the installation, execute the following command:
$ pkispawn -v -f kra.cfg -s KRA
Verify KRA is running with the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin kra-user-find ----------------- 2 entries matched ----------------- User ID: kraadmin Full name: kraadmin User ID: CA-pki.example.com-8443 Full name: CA-pki.example.com-8443 ---------------------------- Number of entries returned 2 ----------------------------
Verify the CS.cfg in the issuing CA has the following parameters:
ca.connector.KRA.enable=true ca.connector.KRA.host=pki.example.com ca.connector.KRA.local=false ca.connector.KRA.nickName=subsystemCert cert-pki-tomcat ca.connector.KRA.port=8443 ca.connector.KRA.timeout=30 ca.connector.KRA.transportCert=<base-64 encoded data> ca.connector.KRA.uri=/kra/agent/kra/connector