PKI 10.5 Installing KRA with External Certificates - dogtagpki/pki GitHub Wiki
This page describes the process to install KRA with an external certificates in PKI 10.5 or later. In normal KRA installation the CSRs are submitted automatically to the issuing CA and the certificates are issued and imported automatically as well. In this scenario, however, the KRA uses a manual 2-step process to generate the CSRs and to import the certificates. This mechanism provides the flexibility to use different methods to submit and approve the certificate requests (e.g. with CMC).
As in normal KRA installation, the KRA will join the CA’s security domain and a KRA connector will be configured in the CA for key archival.
The installation process consists multiple steps:
-
Generating certificate requests.
-
Issuing the certificates.
-
Completing installation with the certificates.
See also Installing Standalone KRA.
Prepare a deployment configuration file for step 1 (e.g. kra-external-step1.cfg):
[KRA] [email protected] pki_admin_name=kraadmin pki_admin_nickname=kraadmin pki_admin_password=Secret.123 pki_admin_uid=kraadmin pki_client_database_password=Secret.123 pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=kra,dc=example,dc=com pki_ds_database=kra pki_ds_password=Secret.123 pki_security_domain_name=EXAMPLE pki_security_domain_user=caadmin pki_security_domain_password=Secret.123 pki_token_password=Secret.123 pki_external=True pki_external_step_two=False pki_storage_csr_path=kra_storage.csr pki_transport_csr_path=kra_transport.csr pki_subsystem_csr_path=subsystem.csr pki_sslserver_csr_path=sslserver.csr pki_audit_signing_csr_path=kra_audit_signing.csr pki_admin_csr_path=kra_admin.csr pki_storage_nickname=kra_storage pki_transport_nickname=kra_transport pki_subsystem_nickname=subsystem pki_sslserver_nickname=sslserver pki_audit_signing_nickname=kra_audit_signing
Optionally, specify the HSM parameters:
pki_hsm_enable=True pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so pki_hsm_modulename=nfast
Then execute the following command:
$ pkispawn -f kra-external-step1.cfg -s KRA
It will create an NSS database in /var/lib/pki/pki-tomcat/conf/alias and generate CSRs in the specified paths.
Submit the CSRs to an external CA:
Place the issued certificates in the location indicated in the next section.
Prepare a deployment configuration for step 2 (e.g. kra-external-step2.cfg) by copying it from step 1 (i.e. kra-external-step1.cfg) and make the following changes.
Specify step 2 with the following parameter:
pki_external_step_two=True
Specify the certificate files with the following parameters:
pki_storage_cert_path=kra_storage.crt pki_transport_cert_path=kra_transport.crt pki_subsystem_cert_path=subsystem.crt pki_sslserver_cert_path=sslserver.crt pki_audit_signing_cert_path=kra_audit_signing.crt pki_admin_cert_path=kra_admin.crt
Each certificate file can contain either a single PEM certificate or a PKCS #7 certificate chain.
If all of the above certificate files contain single certificates, the CA signing certificate and/or the certificate chain can be specified with the following parameters:
pki_ca_signing_nickname=ca_signing pki_ca_signing_cert_path=ca_signing.crt pki_cert_chain_nickname=external pki_cert_chain_path=cert_chain.p7b
The CA signing certificate and the certificate chain file can contain either a single certificate or a PKCS #7 certificate chain as well.
Finally, execute the following command:
$ pkispawn -f kra-external-step2.cfg -s KRA
If HSM is used, the internal token should contain the following certificates:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ca_signing CT,C,C
kra_audit_signing ,,P
The HSM should contain the following certificates:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f password.txt
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
HSM:sslserver/pki.example.com u,u,u
HSM:kra_transport u,u,u
HSM:kra_audit_signing u,u,u
HSM:subsystem u,u,u
HSM:kra_storage u,u,u
On the CA, verify that the KRA connector is created with the following command:
$ pki -c Secret.123 -n caadmin ca-kraconnector-show Host: <KRA hostname>:8443 Enabled: true Local: false Timeout: 30 URI: /kra/agent/kra/connector Transport Cert: <base-64 encoded transport cert>
On the CA, verify that the KRA is added into the security domain with the following command:
$ pki -c Secret.123 -n caadmin securitydomain-show
Domain: EXAMPLE
CA Subsystem:
Host ID: CA <CA hostname> 8443
Hostname: <CA hostname>
Port: 8080
Secure Port: 8443
Domain Manager: TRUE
KRA Subsystem:
Host ID: KRA <KRA hostname> 8443
Hostname: <KRA hostname>
Port: 8080
Secure Port: 8443
Domain Manager: FALSE
On the KRA, verify the KRA admin can access the KRA. If pki_client_database_purge=False, execute the following command:
$ pki -d ~/.dogtag/pki-tomcat/kra/alias -c Secret.123 -n kraadmin kra-user-find
Otherwise, execute the following commands:
$ pki -c Secret.123 client-init
$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
$ pki -c Secret.123 client-cert-import \
--pkcs12 ~/.dogtag/pki-tomcat/kra_admin_cert.p12 \
--pkcs12-password-file ~/.dogtag/pki-tomcat/kra/pkcs12_password.conf
$ pki -c Secret.123 -n kraadmin kra-user-find