Setting up KRA Connector - dogtagpki/pki GitHub Wiki
This page describes the manual process to set up a KRA connector after installing CA and KRA to support certificate enrollment with key archival.
The process consists of the following steps:
- Setting up CA subsystem user in KRA
- Configuring KRA connector in CA
Each step can be done locally or remotely.
To set up the CA subsystem user (e.g. CA) in KRA locally, execute the following commands:

```
$ pki-server kra-user-add \
    --full-name "CA" \
    --type agentType \
    --cert ca_subsystem.crt \
    CA

$ pki-server kra-user-role-add \
    CA \
    "Trusted Managers"
```
To set up the CA subsystem user (e.g. CA) in KRA remotely, execute the following commands:

```
$ pki \
    -U https://kra.example.com:8443 \
    -n kraadmin \
    kra-user-add \
    --fullName "CA" \
    --type agentType \
    --cert-file ca_subsystem.crt \
    CA

$ pki \
    -U https://kra.example.com:8443 \
    -n kraadmin \
    kra-user-membership-add \
    CA \
    "Trusted Managers"
```
To configure the KRA connector in the CA locally, execute the following commands:

```
$ pki-server ca-config-set ca.connector.KRA.enable true
$ pki-server ca-config-set ca.connector.KRA.host kra.example.com
$ pki-server ca-config-set ca.connector.KRA.local false
$ pki-server ca-config-set ca.connector.KRA.nickName subsystem
$ pki-server ca-config-set ca.connector.KRA.port 8443
$ pki-server ca-config-set ca.connector.KRA.timeout 30
$ pki-server ca-config-set ca.connector.KRA.uri /kra/agent/kra/connector
$ pki-server ca-config-set ca.connector.KRA.transportCert <base64-encoded KRA transport cert>
```
To configure the KRA connector in the CA remotely, prepare the following file (e.g. kra-connector.json):

```
{
  "host": "kra.example.com",
  "port": "8443",
  "transportCert": "<base64-encoded KRA transport cert>"
}
```
Then execute the following command:
```
$ pki \
    -U https://ca.example.com:8443 \
    -n caadmin \
    ca-kraconnector-add \
    --input-file kra-connector.json
```
Note: Make sure the user executing the operation is a member of Enterprise KRA Administrators.

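Both procedures above need the KRA transport certificate as a single base64 string. As an added example that is not part of this wiki page or the pki project, the following POSIX shell helper derives that value from a PEM copy of the transport certificate, rejects anything that is not plain base64, and writes the kra-connector.json input file; the host name, port and file names are assumptions, and the certificate body in the demo is constructed.

```shell
#!/bin/sh
# Added helper, not part of the dogtagpki/pki project. Builds the value for
# ca.connector.KRA.transportCert / kra-connector.json "transportCert" from a
# PEM copy of the KRA transport certificate. Host, port and paths are assumed.

# Strip the PEM armor, line breaks and spaces, leaving the bare base64 body.
pem_to_base64() {
    sed -e '/^-----BEGIN CERTIFICATE-----/d' \
        -e '/^-----END CERTIFICATE-----/d' "$1" | tr -d '\r\n '
}

# Accept only a plain base64 string, so a stray header, a private key or an
# empty file never ends up in CS.cfg or in the JSON input file.
is_base64() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Write the JSON that "pki ca-kraconnector-add --input-file" expects.
# Arguments: kra_host kra_port pem_file
make_kra_connector_json() {
    b64=$(pem_to_base64 "$3") || return 1
    is_base64 "$b64" || { echo "invalid transport cert in $3" >&2; return 1; }
    printf '{\n  "host": "%s",\n  "port": "%s",\n  "transportCert": "%s"\n}\n' \
        "$1" "$2" "$b64"
}

# Stand-alone demo with a constructed (not real) certificate body.
demo_kra_connector_json() {
    pem=$(mktemp) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBc29tZQ==' \
        '-----END CERTIFICATE-----' > "$pem"
    if make_kra_connector_json kra.example.com 8443 "$pem"; then rc=0; else rc=1; fi
    rm -f "$pem"
    return $rc
}

demo_kra_connector_json
```

Redirect the output of make_kra_connector_json to kra-connector.json and pass the same base64 string to ca.connector.KRA.transportCert when configuring locally, so both procedures use identical values.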