PKI 10.5 Installing KRA - dogtagpki/pki GitHub Wiki

Overview

This document describes the process to install the KRA subsystem. It assumes that the CA subsystem has already been installed and that the CA admin certificate has been exported to /root/.dogtag/pki-tomcat/ca_admin.cert.

Installing KRA

Prepare a deployment configuration file:

[KRA]
pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_email=kraadmin@example.com
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret.123
pki_admin_uid=kraadmin

pki_client_database_password=Secret.123
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=kra,dc=example,dc=com
pki_ds_database=kra
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123

Optionally, the certificate nicknames can be specified in the following parameters:

pki_storage_nickname=kra_storage
pki_transport_nickname=kra_transport
pki_audit_signing_nickname=kra_audit_signing
pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem

Note: If you previously specified nicknames for the sslserver and subsystem system certificates, you must specify the same nicknames here.

To begin the installation, execute the following command:

$ pkispawn -v -f kra.cfg -s KRA

Verification

KRA is running

Verify KRA is running with the following command:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin kra-user-find
-----------------
2 entries matched
-----------------
  User ID: kraadmin
  Full name: kraadmin

  User ID: CA-pki.example.com-8443
  Full name: CA-pki.example.com-8443
----------------------------
Number of entries returned 2
----------------------------

KRA connector

Verify that the CS.cfg of the issuing CA contains the following parameters:

ca.connector.KRA.enable=true
ca.connector.KRA.host=pki.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-pki-tomcat
ca.connector.KRA.port=8443
ca.connector.KRA.timeout=30
ca.connector.KRA.transportCert=<base-64 encoded data>
ca.connector.KRA.uri=/kra/agent/kra/connector
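The following script is an added example for this page, not Dogtag PKI project code. It checks a kra.cfg of the layout shown above for missing parameters and for the example password left in place before pkispawn is run, and afterwards checks that the ca.connector.KRA.* entries in the issuing CA's CS.cfg match what the Verification section expects. The CS.cfg excerpt and the transportCert value are constructed; real host, port and nickname values are deployment-specific and are only checked for presence.

```python
"""Added example (not Dogtag PKI project code): pre-install checks for kra.cfg and
post-install checks for the KRA connector in the issuing CA's CS.cfg."""
import base64
import binascii
import configparser

# Deployment parameters the page's kra.cfg sets; all are treated as required here.
REQUIRED_KRA_KEYS = (
    "pki_admin_cert_file", "pki_admin_email", "pki_admin_name", "pki_admin_nickname",
    "pki_admin_password", "pki_admin_uid",
    "pki_client_database_password", "pki_client_pkcs12_password",
    "pki_ds_base_dn", "pki_ds_database", "pki_ds_password",
    "pki_security_domain_name", "pki_security_domain_user", "pki_security_domain_password",
)
# Example password used throughout the page; it must not survive into a real deployment.
PLACEHOLDER_PASSWORD = "Secret.123"

# Connector values that are fixed for a remote KRA (see the Verification section).
EXPECTED_CONNECTOR = {
    "ca.connector.KRA.enable": "true",
    "ca.connector.KRA.local": "false",
    "ca.connector.KRA.uri": "/kra/agent/kra/connector",
}
# Deployment-specific connector entries: only checked for presence.
CONNECTOR_PRESENT = ("host", "port", "nickName", "timeout", "transportCert")


def check_kra_cfg(text):
    """Return a list of problems found in a kra.cfg; an empty list means ready for pkispawn."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain no % escapes
    cp.read_string(text)
    if "KRA" not in cp:
        return ["missing [KRA] section"]
    section = cp["KRA"]
    problems = [f"missing or empty: {k}" for k in REQUIRED_KRA_KEYS if not section.get(k)]
    problems += [f"placeholder password still in use: {k}"
                 for k in section
                 if k.endswith("_password") and section[k] == PLACEHOLDER_PASSWORD]
    return problems


def parse_cs_cfg(text):
    """CS.cfg is a flat key=value file; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_kra_connector(cs_cfg_text):
    """Return problems with the ca.connector.KRA.* entries of a CA's CS.cfg."""
    params = parse_cs_cfg(cs_cfg_text)
    problems = [f"{k}: expected {want!r}, got {params.get(k)!r}"
                for k, want in EXPECTED_CONNECTOR.items() if params.get(k) != want]
    for suffix in CONNECTOR_PRESENT:
        key = f"ca.connector.KRA.{suffix}"
        if not params.get(key):
            problems.append(f"missing or empty: {key}")
    # The transport cert is stored as base64; a literal "<base-64 encoded data>" must fail.
    try:
        base64.b64decode(params.get("ca.connector.KRA.transportCert", ""), validate=True)
    except binascii.Error:
        problems.append("ca.connector.KRA.transportCert is not valid base64")
    return problems


# Sample input modelled on the page's kra.cfg.
SAMPLE_KRA_CFG = """\
[KRA]
pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_email=kraadmin@example.com
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret.123
pki_admin_uid=kraadmin

pki_client_database_password=Secret.123
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=kra,dc=example,dc=com
pki_ds_database=kra
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123
"""

# Constructed CS.cfg excerpt; the transportCert is a base64 placeholder, not a real certificate.
FAKE_TRANSPORT_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_CS_CFG = f"""\
# constructed excerpt of the issuing CA's CS.cfg
ca.connector.KRA.enable=true
ca.connector.KRA.host=pki.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-pki-tomcat
ca.connector.KRA.port=8443
ca.connector.KRA.timeout=30
ca.connector.KRA.transportCert={FAKE_TRANSPORT_CERT}
ca.connector.KRA.uri=/kra/agent/kra/connector
"""

if __name__ == "__main__":
    for name, problems in (("kra.cfg", check_kra_cfg(SAMPLE_KRA_CFG)),
                           ("CS.cfg", check_kra_connector(SAMPLE_CS_CFG))):
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the page's own kra.cfg the script reports five "placeholder password" findings and nothing else, which is the intended signal: the file is complete, but the example passwords need replacing before pkispawn consumes it.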