Testing Standalone Subsystems - dogtagpki/pki GitHub Wiki

Case I: Stand-alone KRA

External CA Installation/Configuration

Create an External CA for testing purposes:

  • Sample default.cfg override file (e.g. /tmp/pki/ca.cfg):

[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_ajp_port=18009
pki_http_port=18080
pki_https_port=18443
pki_instance_name=external-ca
pki_security_domain_https_port=18443
pki_tomcat_server_port=18005
  • Run pkispawn to create this instance:

$ pkispawn -s CA -f /tmp/pki/ca.cfg -vvv

Stand-alone KRA (Step 1) Installation/Configuration

Create a Stand-alone KRA (Step 1):

  • Sample default.cfg override file (e.g. /tmp/pki/kra_pass_one.cfg):

[DEFAULT]
pki_admin_password=<password>
pki_client_database_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_instance_name=standalone-kra
[KRA]
pki_standalone=True
  • Run pkispawn to create this instance:

$ pkispawn -s KRA -f /tmp/pki/kra_pass_one.cfg -vvv
  . . .
  Please obtain the necessary certificates for this stand-alone KRA,
  and re-run the configuration for step two.
  • Verify that the certificate requests have been generated and stored in CS.cfg:

$ grep "\.certreq=" /var/lib/pki/standalone-kra/conf/kra/CS.cfg
kra.admin.certreq=MIICujCCAaICAQAwd . . .
kra.audit_signing.certreq=MIICmjCCA . . .
kra.sslserver.certreq=MIICmDCCAYACA . . .
kra.storage.certreq=MIIClDCCAXwCAQA . . .
kra.subsystem.certreq=MIICljCCAX4CA . . .
kra.transport.certreq=MIICljCCAX4CA . . .
  • Verify that a value for preop.cert.admin.dn has been stored in CS.cfg:

$ grep "preop.cert.admin.dn=" /var/lib/pki/standalone-kra/conf/kra/CS.cfg
preop.cert.admin.dn=cn=PKI Administrator,[email protected],o=example.com Security Domain
  • Verify that after Step 1 the certificate entries in CS.cfg still hold only the placeholder values (the real certificates are filled in during Step 2):

$ grep "\.cert=" /var/lib/pki/standalone-kra/conf/kra/CS.cfg
kra.admin.cert=...paste certificate here...
kra.audit_signing.cert=...paste certificate here...
kra.sslserver.cert=...paste certificate here...
kra.storage.cert=...paste certificate here...
kra.subsystem.cert=...paste certificate here...
kra.transport.cert=...paste certificate here...
  • Verify that the same certificate requests were also written out as CSR files under conf/; these are the files you submit to the External CA:

$ ls -1 /var/lib/pki/standalone-kra/conf/*.csr
kra_admin.csr
kra_audit_signing.csr
kra_sslserver.csr
kra_storage.csr
kra_subsystem.csr
kra_transport.csr

Use of External CA for Certificate Creation

  • Submit each CSR to the appropriate Certificate Profile of the External CA configured above:

    • Manual Administrator Certificate Enrollment

      • /var/lib/pki/standalone-kra/conf/kra_admin.csr

      • Subject Name: cn=PKI Administrator,e=[email protected],o=example.com Security Domain

    • Manual Log Signing Certificate Enrollment

      • /var/lib/pki/standalone-kra/conf/kra_audit_signing.csr

    • Manual Server Certificate Enrollment

      • /var/lib/pki/standalone-kra/conf/kra_sslserver.csr

    • Manual Subsystem Certificate Enrollment

      • /var/lib/pki/standalone-kra/conf/kra_subsystem.csr

    • Manual Data Recovery Manager Storage Certificate Enrollment

      • /var/lib/pki/standalone-kra/conf/kra_storage.csr

    • Manual Data Recovery Manager Transport Certificate Enrollment

      • /var/lib/pki/standalone-kra/conf/kra_transport.csr

  • Approve each CSR as a CA agent, then retrieve the following certificates from the External CA configured above and place each one into the file listed beneath it (the CA signing certificate goes into both external_ca files):

    • CN=CA Signing Certificate,O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/external_ca.cert

      • /var/lib/pki/standalone-kra/conf/external_ca_chain.cert

    • CN=PKI Administrator,E=[email protected],O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/kra_admin.cert

    • CN=KRA Audit Signing Certificate,O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/kra_audit_signing.cert

    • CN=standalone-kra.example.com,O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/kra_sslserver.cert

    • CN=KRA Subsystem Certificate,O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/kra_subsystem.cert

    • CN=DRM Storage Certificate,O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/kra_storage.cert

    • CN=DRM Transport Certificate,O=example.com Security Domain

      • /var/lib/pki/standalone-kra/conf/kra_transport.cert

  • Verify that the certificates exist in files for use by Stand-alone KRA (Step 2):

$ ls -1 /var/lib/pki/standalone-kra/conf/*.cert
external_ca.cert
external_ca_chain.cert
kra_admin.cert
kra_audit_signing.cert
kra_sslserver.cert
kra_storage.cert
kra_subsystem.cert
kra_transport.cert
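The enrollment step above can be driven from the command line. The script below is an added example, not code from the dogtagpki/pki wiki or from the project; it submits each Step 1 CSR to the External CA created above, approves it as a CA agent, and writes the issued certificate to the file name Step 2 reads. Everything not stated on the page is an assumption to check against `pki <command> --help` on your version: the pki CLI options `ca-cert-request-submit --profile/--csr-file`, `ca-cert-request-review --action approve`, the "Certificate ID" field of `ca-cert-request-show` and `ca-cert-show --output`; the profile IDs used for the profile display names the page lists; serial 0x1 being the CA signing certificate of a fresh CA; and an agent certificate nicknamed `caadmin` in `~/.dogtag/nssdb`.

```shell
#!/bin/sh
# Added example; not from the dogtagpki/pki wiki or the project's own tooling.
# Assumptions (see lead-in): pki CLI option names, profile IDs, serial 0x1 as the
# CA signing certificate, agent nickname "caadmin" in ~/.dogtag/nssdb.
set -eu

KRA_CONF=${KRA_CONF:-/var/lib/pki/standalone-kra/conf}
CA_URL=${CA_URL:-http://localhost:18080}                # pki_http_port from ca.cfg
CA_AGENT_URL=${CA_AGENT_URL:-https://localhost:18443}   # pki_https_port from ca.cfg
AGENT_NICK=${AGENT_NICK:-caadmin}
NSSDB=${NSSDB:-${HOME:-/root}/.dogtag/nssdb}

# Profile ID for each KRA CSR (assumed IDs; display names are the ones the page lists).
profile_for() {
    case "$1" in
        kra_admin.csr)         echo caAdminCert ;;          # Manual Administrator Certificate Enrollment
        kra_audit_signing.csr) echo caAuditSigningCert ;;   # Manual Log Signing Certificate Enrollment
        kra_sslserver.csr)     echo caServerCert ;;         # Manual Server Certificate Enrollment
        kra_subsystem.csr)     echo caSubsystemCert ;;      # Manual Subsystem Certificate Enrollment
        kra_storage.csr)       echo caStorageCert ;;        # Manual DRM Storage Certificate Enrollment
        kra_transport.csr)     echo caTransportCert ;;      # Manual DRM Transport Certificate Enrollment
        *) echo "no profile mapping for $1" >&2; return 1 ;;
    esac
}

# kra_<tag>.csr -> kra_<tag>.cert, the file name Step 2 reads.
cert_file_for() {
    case "$1" in
        *.csr) echo "${1%.csr}.cert" ;;
        *)     echo "not a .csr file name: $1" >&2; return 1 ;;
    esac
}

# Extract the value of a "<label>: <value>" line from pki output on stdin (first match).
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Submit, approve and fetch one certificate; prints the request ID.
enroll_one() {
    csr=$1
    name=$(basename "$csr")
    profile=$(profile_for "$name")
    out=$KRA_CONF/$(cert_file_for "$name")
    req_id=$(pki -U "$CA_URL" ca-cert-request-submit --profile "$profile" --csr-file "$csr" \
             | field "Request ID")
    [ -n "$req_id" ] || { echo "no request ID returned for $name" >&2; return 1; }
    # Manual profiles queue the request; approval needs the agent's client certificate.
    pki -U "$CA_AGENT_URL" -d "$NSSDB" -c "$NSS_PASSWORD" -n "$AGENT_NICK" \
        ca-cert-request-review "$req_id" --action approve >/dev/null
    serial=$(pki -U "$CA_URL" ca-cert-request-show "$req_id" | field "Certificate ID")
    [ -n "$serial" ] || { echo "request $req_id for $name was not issued" >&2; return 1; }
    pki -U "$CA_URL" ca-cert-show "$serial" --output "$out"
    echo "$req_id"
}

enroll_all() {
    for csr in "$KRA_CONF"/kra_*.csr; do
        enroll_one "$csr"
    done
    # The page places the CA signing certificate into both external_ca files.
    pki -U "$CA_URL" ca-cert-show 0x1 --output "$KRA_CONF/external_ca.cert"
    cp "$KRA_CONF/external_ca.cert" "$KRA_CONF/external_ca_chain.cert"
    ls -1 "$KRA_CONF"/*.cert
}

# Only talk to the CA when asked, so the helpers can be sourced and checked offline.
if [ "${KRA_ENROLL_RUN:-0}" = 1 ]; then
    : "${NSS_PASSWORD:?set NSS_PASSWORD to the password of $NSSDB}"
    enroll_all
fi
```

Run it as `KRA_ENROLL_RUN=1 NSS_PASSWORD=<password> sh enroll.sh` on the KRA host once the External CA is up; afterwards `ls -1 /var/lib/pki/standalone-kra/conf/*.cert` should list the eight files the page expects.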

Stand-alone KRA (Step 2) Installation/Configuration

Create a Stand-alone KRA (Step 2):

  • Sample default.cfg override file (e.g. /tmp/pki/kra_pass_two.cfg); it reuses the instance name and passwords from Step 1 and adds pki_external_step_two=True:

[DEFAULT]
pki_admin_password=<password>
pki_client_database_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
pki_instance_name=standalone-kra
[KRA]
pki_standalone=True
pki_external_step_two=True
  • Run pkispawn again to complete the configuration of the existing instance:

$ pkispawn -s KRA -f /tmp/pki/kra_pass_two.cfg -vvv
  • Verify that after Step 2 the certificate entries in CS.cfg (now including the external CA certificate and chain) hold base64-encoded certificates rather than placeholders:

$ grep "\.cert=" /var/lib/pki/standalone-kra/conf/kra/CS.cfg
kra.admin.cert=MIID4DCCAsigAwIBAgIBF . . .
kra.audit_signing.cert=MIIDcDCCAligA . . .
kra.external_ca.cert=MIIDyjCCArKgAwI . . .
kra.external_ca_chain.cert=MIID/QYJK . . .
kra.sslserver.cert=MIIDvjCCAqagAwIBA . . .
kra.storage.cert=MIIDsDCCApigAwIBAgI . . .
kra.subsystem.cert=MIIDsjCCApqgAwIBA . . .
kra.transport.cert=MIIDsjCCApqgAwIBA . . .
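The CS.cfg and conf/ checks the page asks for after Step 1 and after Step 2 can be scripted. The following is an added example, not code from the dogtagpki/pki wiki or from the project: it parses CS.cfg, confirms that after Step 1 every kra.*.certreq is present, decodes to DER and matches its kra_*.csr file while every kra.*.cert is still a placeholder, and confirms that after Step 2 every kra.*.cert (external CA and chain included) decodes to DER and the corresponding .cert file exists. The CS.cfg contents and files written by build_sample() are constructed for the demo, with tiny DER SEQUENCEs standing in for real requests and certificates; the admin DN in it is likewise made up.

```python
"""Added example; not from the dogtagpki/pki wiki or the pki project.
Checks the Step 1 / Step 2 state of a stand-alone KRA's CS.cfg and conf/ directory.
build_sample() writes a constructed layout for the demo (not real certificates)."""
import base64
import os
import tempfile

# Tags used in CS.cfg keys (kra.<tag>.certreq / kra.<tag>.cert) and in the
# kra_<tag>.csr / kra_<tag>.cert file names listed on the page.
KRA_CERT_TAGS = ("admin", "audit_signing", "sslserver", "storage", "subsystem", "transport")
EXTERNAL_CA_TAGS = ("external_ca", "external_ca_chain")
PLACEHOLDER = "...paste certificate here..."


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines; the value may itself contain '='."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def pem_body(text):
    """Strip PEM armour lines and whitespace, leaving the bare base64."""
    return "".join(l.strip() for l in text.splitlines() if l.strip() and not l.startswith("-----"))


def looks_like_der(b64):
    """True if b64 decodes to data starting with a DER SEQUENCE tag (0x30), the
    outer structure of a CSR, a certificate and a PKCS#7 chain alike."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 2 and raw[0] == 0x30


def check_step1(cfg, conf_dir):
    """Return the problems with the Step 1 state (empty list when it is as expected)."""
    problems = []
    for tag in KRA_CERT_TAGS:
        req = cfg.get(f"kra.{tag}.certreq", "")
        if not looks_like_der(req):
            problems.append(f"kra.{tag}.certreq missing or not a DER request")
        csr = os.path.join(conf_dir, f"kra_{tag}.csr")
        if not os.path.isfile(csr):
            problems.append(f"kra_{tag}.csr missing")
        else:
            with open(csr) as f:
                if pem_body(f.read()) != req:
                    problems.append(f"kra_{tag}.csr does not match kra.{tag}.certreq")
        if cfg.get(f"kra.{tag}.cert", PLACEHOLDER) != PLACEHOLDER:
            problems.append(f"kra.{tag}.cert already set before Step 2")
    if not cfg.get("preop.cert.admin.dn"):
        problems.append("preop.cert.admin.dn missing")
    return problems


def check_step2(cfg, conf_dir):
    """Return the problems with the Step 2 state (empty list when it is as expected)."""
    problems = []
    for tag in KRA_CERT_TAGS + EXTERNAL_CA_TAGS:
        cert = cfg.get(f"kra.{tag}.cert", "")
        if cert == PLACEHOLDER or not looks_like_der(cert):
            problems.append(f"kra.{tag}.cert missing, still a placeholder, or not DER")
    names = [f"kra_{t}.cert" for t in KRA_CERT_TAGS] + [f"{t}.cert" for t in EXTERNAL_CA_TAGS]
    for name in names:
        if not os.path.isfile(os.path.join(conf_dir, name)):
            problems.append(f"{name} missing")
    return problems


def build_sample(conf_dir, step):
    """Write a constructed conf/ layout for Step 1 or Step 2; return the parsed CS.cfg."""
    os.makedirs(os.path.join(conf_dir, "kra"), exist_ok=True)
    req_b64 = base64.b64encode(bytes.fromhex("3003020100")).decode()       # SEQUENCE { INTEGER 0 }
    cert_b64 = base64.b64encode(bytes.fromhex("3006020101020100")).decode()  # SEQUENCE { INTEGER 1, INTEGER 0 }
    lines = ["preop.cert.admin.dn=cn=PKI Administrator,o=example.com Security Domain"]  # constructed

    def write(name, armour, body):
        with open(os.path.join(conf_dir, name), "w") as f:
            f.write(f"-----BEGIN {armour}-----\n{body}\n-----END {armour}-----\n")

    for tag in KRA_CERT_TAGS:
        lines.append(f"kra.{tag}.certreq={req_b64}")
        lines.append(f"kra.{tag}.cert={cert_b64 if step == 2 else PLACEHOLDER}")
        write(f"kra_{tag}.csr", "NEW CERTIFICATE REQUEST", req_b64)
        if step == 2:
            write(f"kra_{tag}.cert", "CERTIFICATE", cert_b64)
    if step == 2:
        for tag in EXTERNAL_CA_TAGS:
            lines.append(f"kra.{tag}.cert={cert_b64}")
            write(f"{tag}.cert", "CERTIFICATE", cert_b64)
    with open(os.path.join(conf_dir, "kra", "CS.cfg"), "w") as f:
        f.write("\n".join(lines) + "\n")
    with open(os.path.join(conf_dir, "kra", "CS.cfg")) as f:
        return parse_cs_cfg(f.read())


def run_demo():
    """Check a Step 1 layout, a Step 2 layout, a Step 2 layout with one placeholder
    left behind, and the Step 1 checks applied to the Step 2 layout."""
    with tempfile.TemporaryDirectory() as d:
        step1 = check_step1(build_sample(d, step=1), d)
        cfg2 = build_sample(d, step=2)
        step2 = check_step2(cfg2, d)
        step2_broken = check_step2(dict(cfg2, **{"kra.transport.cert": PLACEHOLDER}), d)
        premature = check_step1(cfg2, d)
    return step1, step2, step2_broken, premature


if __name__ == "__main__":
    labels = ("step 1", "step 2", "step 2 with placeholder left", "step 1 checks after step 2")
    for label, result in zip(labels, run_demo()):
        print(f"{label}: {'OK' if not result else result}")
```

Against a real instance, call `check_step1(parse_cs_cfg(open("/var/lib/pki/standalone-kra/conf/kra/CS.cfg").read()), "/var/lib/pki/standalone-kra/conf")` before submitting the CSRs and `check_step2(...)` with the same arguments before the second pkispawn run; an empty list means the grep and ls checks above would all show what the page expects.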