Relocating CA - dogtagpki/pki GitHub Wiki

Overview

Note
This page is still under development.

This page describes the process to relocate a PKI server to a new machine with a different hostname.

Transferring PKI server files

First, transfer the PKI server files to the new machine using the backup and restore procedure, but do not start the server on the new machine yet: the restored configuration, certificates and security domain entries still refer to the old hostname.

Updating configuration files

To replace the old hostname with the new hostname in the restored files. The paths below are relative to the root of the restored tree, so run the command from that directory (/ on the new machine). NSS databases (*.db) and CS.cfg backups are skipped. The hostname in the sed pattern is a regular expression, so escape its dots (e.g. ca\.old\.example\.com) to avoid rewriting unrelated strings:

$ find \
    etc/pki/pki-tomcat \
    etc/sysconfig/pki-tomcat \
    etc/sysconfig/pki/tomcat/pki-tomcat \
    etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \
    var/lib/pki/pki-tomcat \
    -type f \
    ! -name "*.db" \
    ! -name "CS.cfg.bak.*" \
    -exec sed -i 's/<old hostname>/<new hostname>/g' {} +
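The following script is an added example and not part of the wiki page or the Dogtag project: it wraps the find/sed step above in a function that escapes the hostnames for sed (an unescaped ca.old.example.com also matches caXold.example.com, because the dots are regex metacharacters) and adds a check for files that still mention the old hostname. The directory layout and hostnames in the demo are constructed; run the functions against the real restored tree with its actual hostnames.

```shell
#!/bin/bash
# Added example, not from the Dogtag wiki. POSIX sh syntax; GNU find/sed.

# Escape the characters that sed's basic regular expression treats
# specially, so a hostname matches only itself.
escape_sed_pattern() {
    printf '%s' "$1" | sed 's,[].*^$/],\\&,g'
}

# Escape the characters that are special in a sed replacement string.
escape_sed_replacement() {
    printf '%s' "$1" | sed 's,[/&],\\&,g'
}

# replace_hostname <dir> <old hostname> <new hostname>
# Same file selection as the wiki command: regular files only, skipping the
# NSS databases (*.db) and the CS.cfg backups (CS.cfg.bak.*).
replace_hostname() {
    local dir=$1 old new
    old=$(escape_sed_pattern "$2")
    new=$(escape_sed_replacement "$3")
    find "$dir" -type f ! -name '*.db' ! -name 'CS.cfg.bak.*' \
        -exec sed -i "s/$old/$new/g" {} +
}

# leftover_hostname <dir> <old hostname>
# Lists files (same selection) that still contain the old hostname as a
# fixed string. Returns 0 when none are found, 1 otherwise.
leftover_hostname() {
    local dir=$1 old=$2 hits
    hits=$(find "$dir" -type f ! -name '*.db' ! -name 'CS.cfg.bak.*' \
        -exec grep -lF -- "$old" {} + || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Demo on a constructed stand-in for the restored tree.
demo_relocation() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/conf/ca" "$d/conf/alias"
    printf 'machineName=ca.old.example.com\n' > "$d/conf/ca/CS.cfg"
    printf 'machineName=ca.old.example.com\n' > "$d/conf/ca/CS.cfg.bak.20240101"
    printf 'ca.old.example.com\n' > "$d/conf/alias/cert9.db"   # stand-in, not a real NSS db
    replace_hostname "$d" ca.old.example.com ca.new.example.com
    cat "$d/conf/ca/CS.cfg"
    leftover_hostname "$d" ca.old.example.com && echo "no leftover references"
    rm -rf "$d"
}

demo_relocation
```

The backup copies and the NSS databases are deliberately excluded from both the rewrite and the leftover check: the old hostname inside the databases lives in the SSL server certificate subject, which is replaced by re-issuing that certificate rather than by text substitution.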

Updating SSL server certificate in NSS database

The old SSL server certificate carries the old hostname in its subject and has to be replaced. To remove it from the NSS database (certutil's -f option takes a file that contains only the NSS database password, not the key=value lines of password.conf):

$ certutil -D \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/alias/password.txt \
    -n sslserver

To generate a new key pair and SSL server certificate request in the same NSS database, with the new hostname as the subject CN (keep the OU and O used by the old certificate):

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-request \
    --subject "CN=<new hostname>,OU=pki-tomcat,O=EXAMPLE" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr

To issue the new SSL server certificate with the CA signing certificate (nickname ca_signing) held in the same NSS database:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert sslserver.crt

To import the new SSL server certificate:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-import \
    --cert sslserver.crt \
    sslserver

Updating SSL server certificate in CS.cfg

CS.cfg stores the request and the certificate as base64-encoded DER on a single line (hence base64 -w 0). The parameters for the SSL server certificate are ca.sslserver.certreq and ca.sslserver.cert; ca.signing.certreq and ca.signing.cert belong to the CA signing certificate and must not be touched.

To update the certificate request:

$ openssl req \
    -outform der \
    -in sslserver.csr \
    -out sslserver.csr.der
$ pki-server ca-config-set ca.sslserver.certreq `base64 -w 0 sslserver.csr.der`

To update the certificate:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-export \
    sslserver \
    --format DER \
    --output-file sslserver.crt.der
$ pki-server ca-config-set ca.sslserver.cert `base64 -w 0 sslserver.crt.der`
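As an added example (not code from the wiki or the Dogtag project), the script below checks, before the server is started, that the values now in CS.cfg are the ones in sslserver.csr and sslserver.crt, and that the CA signing request parameter was not overwritten by mistake. It relies on the fact that the base64 body of a PEM file, with the BEGIN/END lines and line breaks removed, is byte-for-byte the base64 -w 0 of the DER encoding, so no openssl call is needed. The CS.cfg path and file names are arguments; the objects in the demo are constructed stand-ins, not real certificates.

```shell
#!/bin/bash
# Added example, not from the Dogtag wiki. POSIX sh syntax; GNU coreutils.

# cs_cfg_get <CS.cfg> <key>: value of an exact key (everything after the
# first "="; trailing base64 padding "=" is preserved).
cs_cfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# pem_body <file>: base64 payload of a PEM file as one line. Identical to
# "openssl ... -outform der | base64 -w 0" on the same object.
pem_body() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | tr -d '\r\n '
}

# check_key <CS.cfg> <key> <pem file>: 0 if the key holds the PEM's payload.
check_key() {
    local want have
    want=$(pem_body "$3")
    have=$(cs_cfg_get "$1" "$2")
    if [ -z "$have" ]; then
        echo "$2 is not set in $1"
        return 1
    fi
    if [ "$have" != "$want" ]; then
        echo "$2 in $1 does not match $3"
        return 1
    fi
    return 0
}

# verify_sslserver_cfg <CS.cfg> <sslserver.csr> <sslserver.crt>
# Returns 0 when both SSL server parameters match the files and the CA
# signing request slot does not contain the server CSR; 1 otherwise.
verify_sslserver_cfg() {
    local rc=0
    check_key "$1" ca.sslserver.certreq "$2" || rc=1
    check_key "$1" ca.sslserver.cert "$3" || rc=1
    if [ "$(cs_cfg_get "$1" ca.signing.certreq)" = "$(pem_body "$2")" ]; then
        echo "ca.signing.certreq in $1 contains the SSL server CSR"
        rc=1
    fi
    return $rc
}

# Demo with constructed objects standing in for the real DER files.
demo_verify() {
    local d csr crt sig
    d=$(mktemp -d)
    csr=$(printf 'constructed sslserver request bytes' | base64 -w 0)
    crt=$(printf 'constructed sslserver certificate bytes' | base64 -w 0)
    sig=$(printf 'constructed ca signing request bytes' | base64 -w 0)
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE REQUEST-----' "$csr" \
        '-----END CERTIFICATE REQUEST-----' > "$d/sslserver.csr"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$crt" \
        '-----END CERTIFICATE-----' > "$d/sslserver.crt"
    printf 'ca.signing.certreq=%s\nca.sslserver.certreq=%s\nca.sslserver.cert=%s\n' \
        "$sig" "$csr" "$crt" > "$d/CS.cfg"
    verify_sslserver_cfg "$d/CS.cfg" "$d/sslserver.csr" "$d/sslserver.crt" \
        && echo "CS.cfg matches sslserver.csr and sslserver.crt"
    rm -rf "$d"
}

demo_verify
```

On a real server, point the first argument at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg and the other two at the sslserver.csr and sslserver.crt produced by the nss-cert-request and nss-cert-issue steps.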

Importing SSL server certificate into CA

To import the certificate request into the CA's database (note the request ID the command prints; it is needed in the next step):

$ pki-server ca-cert-request-import \
    --csr sslserver.csr \
    --profile serverCert.profile

To import the certificate:

$ pki-server ca-cert-import \
    --cert sslserver.crt \
    --profile serverCert.profile \
    --request <request ID>

Updating security domain registration

The security domain still lists the CA under the old hostname. To unregister the old entry:

$ pki-server \
    sd-subsystem-del \
    "CA <old hostname> 8443"

To register the CA under the new hostname (--domain-manager marks this CA as the security domain manager; omit it if the relocated CA does not host the security domain):

$ pki-server \
    sd-subsystem-add \
    --subsystem CA \
    --hostname <new hostname> \
    --secure-port 8443 \
    --domain-manager \
    "CA <new hostname> 8443"

Updating subsystem user

The CA's subsystem user is named after the host and port (CA-<hostname>-8443), so it has to be recreated under the new name and the existing subsystem certificate assigned to the new user. To export the subsystem certificate:

$ pki-server cert-export \
    --cert-file subsystem.crt \
    subsystem

To remove the old subsystem user:

$ pki-server \
    ca-user-del \
    CA-<old hostname>-8443

To add the new subsystem user:

$ pki-server \
    ca-user-add \
    --full-name "CA-<new hostname>-8443" \
    --type agentType \
    --state 1 \
    CA-<new hostname>-8443

To assign the subsystem certificate to the new subsystem user:

$ pki-server \
    ca-user-cert-add \
    --cert subsystem.crt \
    CA-<new hostname>-8443

Restarting PKI server

Finally, start the server on the new machine:

$ pki-server start --wait

Then confirm that the CA answers under the new hostname, for example by fetching https://<new hostname>:8443/ca/admin/ca/getStatus and checking that the certificate presented for the connection is the new SSL server certificate.