Setting up Security Domain - dogtagpki/pki GitHub Wiki
This page describe the process to set up a security domain and register a security domain manager and a security domain member.
In most cases the security domain manager will be running on the CA, but standalone KRA and OCSP might have their own security domain manager.
To create a security domain database:
$ pki-server sd-create --name EXAMPLE
To configure a subsystem (e.g. CA) as a security domain manager:
$ pki-server ca-config-set securitydomain.select new $ pki-server ca-config-set securitydomain.name EXAMPLE $ pki-server ca-config-set securitydomain.host ca.example.com $ pki-server ca-config-set securitydomain.httpport 8080 $ pki-server ca-config-set securitydomain.httpsadminport 8443 $ pki-server ca-config-set securitydomain.checkIP false $ pki-server ca-config-set securitydomain.checkinterval 300000 $ pki-server ca-config-set securitydomain.flushinterval 86400000 $ pki-server ca-config-set securitydomain.source ldap
To remotely register the subsystem into the security domain:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -d /var/lib/pki/pki-tomcat/conf/password.conf \ -U https://ca.example.com:8443 securitydomain-join \ --install-token <token> \ --type CA \ --hostname ca.example.com \ --secure-port 8443 \ --unsecure-port 8080 \ --domain-manager \ "CA kra.example.com 8443"
To locally register the subsystem into the security domain:
$ pki-server sd-subsystem-add \ --subsystem CA \ --hostname pki.example.com \ --unsecure-port 8080 \ --secure-port 8443 \ --domain-manager \ "CA pki.example.com 8443"
To configure a subsystem (e.g. KRA) as a security domain member:
$ pki-server kra-config-set securitydomain.select existing $ pki-server kra-config-set securitydomain.name EXAMPLE $ pki-server kra-config-set securitydomain.host ca.example.com $ pki-server kra-config-set securitydomain.httpport 8080 $ pki-server kra-config-set securitydomain.httpsadminport 8443
To remotely register the subsystem into the security domain:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -d /var/lib/pki/pki-tomcat/conf/password.conf \ -U https://ca.example.com:8443 securitydomain-join \ --install-token <token> \ --type KRA \ --hostname kra.example.com \ --secure-port 8443 \ --unsecure-port 8080 \ "KRA kra.example.com 8443"
To locally register the subsystem into the security domain:
$ pki-server sd-subsystem-add \ --subsystem KRA \ --hostname kra.example.com \ --secure-port 8443 \ --unsecure-port 8080 \ "KRA kra.example.com 8443"