Relocating CA - dogtagpki/pki GitHub Wiki
Note: This page is still under development.
This page describes the process to relocate a PKI server to a new machine with a different hostname.
First, transfer PKI server files to the new machine using the backup and restore procedure, but do not restart the server yet.
To replace the old hostname with the new hostname in the instance configuration (NSS databases and CS.cfg backups are skipped):

```
$ find \
    /etc/pki/pki-tomcat \
    /etc/sysconfig/pki-tomcat \
    /etc/sysconfig/pki/tomcat/pki-tomcat \
    /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \
    /var/lib/pki/pki-tomcat \
    -type f \
    ! -name "*.db" \
    ! -name "CS.cfg.bak.*" \
    -exec sed -i 's/<old hostname>/<new hostname>/g' {} +
```
To remove the old SSL server certificate from the NSS database (with `certutil`; `pki nss-cert-remove` performs the same operation):

```
$ certutil \
    -D \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/alias/password.txt \
    -n sslserver
```
To generate a new SSL server certificate request:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-request \
    --subject "CN=<new hostname>,OU=pki-tomcat,O=EXAMPLE" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr
```
To issue a new SSL server certificate:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert sslserver.crt
```
To import the new SSL server certificate:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-import \
    --cert sslserver.crt \
    sslserver
```
To update the certificate request stored in CS.cfg:

```
$ openssl req \
    -outform der \
    -in sslserver.csr \
    -out sslserver.csr.der
$ pki-server ca-config-set ca.signing.certreq `cat sslserver.csr.der | base64 -w 0`
```
To update the certificate stored in CS.cfg:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-export \
    sslserver \
    --format DER \
    --output-file sslserver.crt.der
$ pki-server ca-config-set ca.sslserver.cert `cat sslserver.crt.der | base64 -w 0`
```
To import the certificate request into the CA database:

```
$ pki-server ca-cert-request-import \
    --csr sslserver.csr \
    --profile serverCert.profile
```
To import the certificate into the CA database, using the request ID returned by the previous command:

```
$ pki-server ca-cert-import \
    --cert sslserver.crt \
    --profile serverCert.profile \
    --request <request ID>
```
To unregister the old subsystem from the security domain:

```
$ pki-server \
    sd-subsystem-del \
    "CA <old hostname> 8443"
```
To register the new subsystem in the security domain:

```
$ pki-server \
    sd-subsystem-add \
    --subsystem CA \
    --hostname <new hostname> \
    --secure-port 8443 \
    --domain-manager \
    "CA <new hostname> 8443"
```
To export the subsystem certificate:

```
$ pki-server cert-export \
    --cert-file subsystem.crt \
    subsystem
```
To remove the old subsystem user:

```
$ pki-server \
    ca-user-del \
    CA-<old hostname>-8443
```
To add the new subsystem user:

```
$ pki-server \
    ca-user-add \
    --full-name "CA-<new hostname>-8443" \
    --type agentType \
    --state 1 \
    CA-<new hostname>-8443
```
To assign the subsystem certificate to the new subsystem user:

```
$ pki-server \
    ca-user-cert-add \
    --cert subsystem.crt \
    CA-<new hostname>-8443
```
Finally, restart the server on the new machine:

```
$ pki-server start --wait
```
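A post-relocation sanity check, added here as an example and not part of the wiki procedure or the PKI project's own tooling: it confirms that no rewritten file still carries the old hostname, that the values set in CS.cfg with `pki-server ca-config-set` are exactly the base64 of the DER files they came from, and that the subject CN of the new SSL server certificate is the new hostname. The file set, exclusions and CS.cfg keys are the page's; the function names and the `/etc/pki/pki-tomcat/ca/CS.cfg` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Post-relocation checks (added example; helper names are hypothetical).
# Each function returns 0 when the check passes and 1 otherwise.

# 1. Files that still mention the old hostname, over the same file set and
#    with the same exclusions (NSS *.db files, CS.cfg backups) as the sed
#    rewrite. grep -F keeps dots in the hostname literal.
residual_hostname_refs() {
    old="$1"; shift
    hits=$(find "$@" -type f ! -name "*.db" ! -name "CS.cfg.bak.*" \
        -exec grep -lF -- "$old" {} + 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf 'old hostname still referenced in:\n%s\n' "$hits" >&2
    return 1
}

# 2. A CS.cfg key (ca.sslserver.cert or ca.signing.certreq) holds exactly
#    what `base64 -w 0` produced from the given DER file; a missing key or
#    a stale value fails the check.
cs_cfg_matches_der() {
    cfg="$1"; key="$2"; der="$3"
    stored=$(awk -F= -v k="$key" \
        '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$cfg")
    expected=$(base64 -w 0 < "$der")
    [ -n "$stored" ] && [ "$stored" = "$expected" ]
}

# 3. The subject CN of a PEM certificate equals the new hostname. Needs a
#    real certificate, so the offline test below does not exercise it.
cert_cn_is() {
    cert="$1"; host="$2"
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 1
    case "$subj" in
        *"CN=$host,"*|*"CN=$host") return 0 ;;
    esac
    return 1
}

# Usage on a relocated instance (CS.cfg path is an assumed default):
#   residual_hostname_refs "<old hostname>" /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat
#   cs_cfg_matches_der /etc/pki/pki-tomcat/ca/CS.cfg ca.sslserver.cert sslserver.crt.der
#   cs_cfg_matches_der /etc/pki/pki-tomcat/ca/CS.cfg ca.signing.certreq sslserver.csr.der
#   cert_cn_is sslserver.crt "<new hostname>"
```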