OSVDC Series: Root Certificate Authority (PKI) with Dogtag 10.3 on CentOS 7.3.1611 - rharmonson/richtech GitHub Wiki
Article 19 of the Open Source Virtual Data Center Series
Published March 9, 2017
The purpose of this guide is to provide instructions for building an off-line Root Certificate Authority (CA) whose only job is to issue Subordinate CA certificates. My specific use case is FreeIPA, whose CA will be a subordinate of this root, but the procedure applies generally to any internal PKI implementation.
Why off-line? The Root CA's private key is the trust anchor for the entire PKI, so the host holding it should be powered off and unreachable except when it is actually signing a subordinate CA certificate or a CRL, and it should be a carefully guarded asset. If an unauthorized individual obtained the Root CA private key, the entire PKI is compromised: at minimum the PKI must be demolished, a new one built and every certificate replaced. Depending on the size of your organization and the prevalence of certificates, recovery could be a lengthy and costly endeavor.
Complete a CentOS 7 installation using, generally, the defaults, and fully update it before proceeding.
My CentOS 7.3.1611 build follows the installation guide at the URL below; however, I depart from a default installation by removing NetworkManager and firewalld in favor of plain iptables (the iptables-services package). If you keep either of the two, adjust the instructions as necessary.
https://github.com/rharmonson/richtech/wiki/CentOS-7-1611-Minimal-x86_64-Base-Installation-Guide
Create a file ip4-dogtag.fw to apply and document the firewall policy. Once created, either pipe it into bash or chmod +x it and execute ./ip4-dogtag.fw. Note that the policy as written accepts SSH and the Dogtag ports from any source address; for a Root CA that is meant to be off-line, restrict those rules to your admin hosts or network.
[root@ca ~]# touch ip4-dogtag.fw
[root@ca ~]# chmod +x ip4-dogtag.fw
[root@ca ~]# vi ip4-dogtag.fw
copy+paste+save
#!/bin/bash
# Dogtag 10.3 iptables policy for the Root CA host.
# Requires the iptables-services package (no firewalld).
# Flush current rules in the filter table
iptables -F
# Set default chain policies: drop everything inbound and forwarded, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Reject anything else; the rules below use -I so they are inserted above this one
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH (add -s <admin network> to restrict the source)
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Dogtag web portal: 8080 (plain HTTP) and 8443 (HTTPS; admin and agent interfaces)
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
# Save to /etc/sysconfig/iptables so the policy survives a reboot
service iptables save
# Reload the service and confirm it is active
systemctl restart iptables
systemctl status iptables
Execute
[root@ca ~]# ./ip4-dogtag.fw
Results
[root@ca ~]# iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
45 3806 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 30 packets, 3358 bytes)
pkts bytes target prot opt in out source destination
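The result above confirms the policy loaded, but note what it allows: SSH and both Dogtag ports are accepted from 0.0.0.0/0, which is more than an off-line Root CA needs. The script below is an added example, not from the wiki: it reads iptables -S INPUT output, flags every ACCEPT on the CA ports that carries no source restriction, and prints the same policy with those rules limited to an admin network. The network 192.168.10.0/24 is an assumption, and the sample rule text inside the script is constructed to mirror the result above. Run it as-is to see the audit on the sample, or with --live (as root) against the running firewall.

```shell
#!/bin/bash
# Added example (not from the wiki): audit an INPUT chain for CA-host ports that are
# accepted from any source, and print the same policy restricted to an admin network.
# ADMIN_NET is an assumed value; CA_PORTS are the ports the policy above opens.
ADMIN_NET=${ADMIN_NET:-192.168.10.0/24}
CA_PORTS="22 8080 8443"

# Constructed sample in 'iptables -S INPUT' format, mirroring the result above.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Read 'iptables -S INPUT' lines on stdin and print each ACCEPT for one of CA_PORTS
# that has no -s source match, i.e. a management port reachable from anywhere.
unrestricted_accepts() {
  local line port
  while IFS= read -r line; do
    case "$line" in *"-j ACCEPT"*) ;; *) continue ;; esac
    case "$line" in *" -s "*) continue ;; esac
    for port in $CA_PORTS; do
      case "$line" in *"--dport $port "*) echo "$line" ;; esac
    done
  done
}

# Same input; print just the count (0 is the goal for an off-line Root CA).
count_unrestricted() { unrestricted_accepts | awk 'END { print NR }'; }

# Print the policy above with SSH, the Dogtag ports and ping limited to network $1.
restricted_policy() {
  local net=$1 port
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $net -p icmp --icmp-type echo-request -j ACCEPT
EOF
  for port in $CA_PORTS; do
    echo "iptables -A INPUT -s $net -p tcp -m conntrack --ctstate NEW -m tcp --dport $port -j ACCEPT"
  done
  echo "iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited"
}

if [ "${1:-}" = "--live" ]; then
  iptables -S INPUT | unrestricted_accepts        # audit the running firewall (root)
else
  echo "# CA ports open to any source in the sample policy:"
  printf '%s\n' "$SAMPLE_RULES" | unrestricted_accepts
  echo "# replacement policy limited to $ADMIN_NET:"
  restricted_policy "$ADMIN_NET"
fi
```

A count of 0 from the live audit is the target. Port 8080 is plain HTTP; if nothing in your environment retrieves CRLs or certificates from this host over HTTP, remove it from CA_PORTS so it is not opened at all.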
DNS in my environment will be provided by FreeIPA, but FreeIPA's CA will be a subordinate of this Dogtag Root CA, so the CA has to be built first, without DNS. Configure the host with a static IP address and add its fully qualified name to /etc/hosts; 389-ds-base requires that the host's FQDN resolve, and it should resolve to the static address rather than to the 127.0.0.1 line so that the name the CA records for itself matches what other hosts will use. Using host name ca.mydomain.net and IP address 192.168.10.30/24 results in:
[root@ca ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30 ca.mydomain.net ca
Entropy in virtual machines can be a challenge, and generating a Root CA key is exactly where a starved pool hurts. At this time I am using haveged, but I am hoping the oVirt project will address this with a better way of feeding the guest's /dev/random (a virtio-rng device backed by the host; see the further reading). Please research and understand the pros and cons of haveged for yourself before trusting it for long-lived keys: it is a userspace daemon that derives entropy from CPU timing jitter, and a hardware source passed through to the guest is preferable where the hypervisor supports it.
Further reading:
- http://wiki.qemu.org/Features-Done/VirtIORNG
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Guest_virtual_machine_device_configuration-Random_number_generator_device.html
Install haveged
[root@ca ~]# yum install haveged
Enable haveged
[root@ca ~]# systemctl enable haveged
[root@ca ~]# systemctl start haveged
[root@ca ~]# systemctl status haveged
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
Loaded: loaded (/usr/lib/systemd/system/haveged.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2017-03-09 10:14:20 PST; 13min ago
Docs: man:haveged(8)
http://www.issihosts.com/haveged/
Main PID: 642 (haveged)
CGroup: /system.slice/haveged.service
└─642 /usr/sbin/haveged -w 1024 -v 1 --Foreground
Mar 09 10:14:20 ca.mydomain.net systemd[1]: Started Entropy Daemon base...
Mar 09 10:14:20 ca.mydomain.net systemd[1]: Starting Entropy Daemon bas...
Mar 09 10:14:21 ca.mydomain.net haveged[642]: haveged: ver: 1.9.1; arch...
Mar 09 10:14:21 ca.mydomain.net haveged[642]: haveged: cpu: (L4 VC); da...
Mar 09 10:14:21 ca.mydomain.net haveged[642]: haveged: tot tests(BA8): ...
Mar 09 10:14:21 ca.mydomain.net haveged[642]: haveged: fills: 0, genera...
Hint: Some lines were ellipsized, use -l to show in full.
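Before running setup-ds.pl it is worth checking the things the two sections above and the installer itself care about: that the FQDN in /etc/hosts maps to the static address rather than to loopback, that the entropy pool is healthy before any key is generated, and the file-descriptor limit setup-ds.pl warns about. The script below is an added example, not part of the wiki: the check functions take their input as arguments so they can be exercised on constructed data, and run_live feeds them this host's real values. Assumptions: the FQDN and address from the article, an entropy threshold of 1024 (the -w watermark haveged runs with above), and 8192 as the file-descriptor target. Without arguments it runs on constructed hosts-file samples, one correct and one with the loopback mistake; with --live it reads /etc/hosts, /proc/sys/kernel/random/entropy_avail, ulimit -Sn and the active hwrng source.

```shell
#!/bin/bash
# Added example (not from the wiki): pre-flight checks for the name-resolution and
# entropy requirements above, plus the file-descriptor limit setup-ds.pl warns about.
# FQDN and STATIC_IP are assumptions matching the article.
FQDN=${FQDN:-ca.mydomain.net}
STATIC_IP=${STATIC_IP:-192.168.10.30}

# Succeed only if hosts file $1 maps FQDN $2 to the non-loopback address $3.
# A mapping on the 127.0.0.1 line passes setup-ds.pl's scan but is not what
# remote hosts will use for this name; keep the two views identical.
check_hosts_mapping() {
  local got
  got=$(sed 's/#.*//' "$1" | awk -v f="$2" '{ for (i = 2; i <= NF; i++) if ($i == f) print $1 }')
  if [ -z "$got" ]; then echo "FAIL: $2 is not in $1"; return 1; fi
  case "$got" in
    127.*|::1) echo "FAIL: $2 maps to loopback ($got)"; return 1 ;;
  esac
  if [ "$got" != "$3" ]; then echo "FAIL: $2 maps to $got, expected $3"; return 1; fi
  echo "OK: $2 -> $got"
}

# Succeed only if the entropy pool level $1 (from /proc/sys/kernel/random/entropy_avail)
# is at least $2 (default 1024, the refill mark haveged runs with: -w 1024).
check_entropy() {
  local want=${2:-1024}
  if [ "$1" -ge "$want" ]; then echo "OK: entropy_avail=$1"; return 0; fi
  echo "FAIL: entropy_avail=$1 < $want; start haveged or attach a virtio-rng device before generating keys"
  return 1
}

# Succeed only if the soft file-descriptor limit $1 is at least $2 (default 8192,
# an assumed target; setup-ds.pl warns at the 1024 default).
check_fd_limit() {
  local want=${2:-8192}
  if [ "$1" -ge "$want" ]; then echo "OK: nofile soft limit=$1"; return 0; fi
  echo "FAIL: nofile soft limit=$1 < $want; raise the nofile limit as setup-ds.pl's tuning report asks"
  return 1
}

# Run all checks against this host; returns 1 if any failed.
run_live() {
  local rc=0
  check_hosts_mapping /etc/hosts "$FQDN" "$STATIC_IP" || rc=1
  check_entropy "$(cat /proc/sys/kernel/random/entropy_avail)" || rc=1
  check_fd_limit "$(ulimit -Sn)" || rc=1
  if [ -r /sys/devices/virtual/misc/hw_random/rng_current ]; then
    echo "hwrng source: $(cat /sys/devices/virtual/misc/hw_random/rng_current)"   # virtio_rng when passed through
  fi
  return $rc
}

# Demo on constructed input: a hosts file like the article's, then the loopback mistake.
demo() {
  local tmp; tmp=$(mktemp)
  printf '127.0.0.1 localhost localhost.localdomain\n192.168.10.30 ca.mydomain.net ca\n' > "$tmp"
  check_hosts_mapping "$tmp" ca.mydomain.net 192.168.10.30
  printf '127.0.0.1 localhost ca.mydomain.net ca\n' > "$tmp"
  check_hosts_mapping "$tmp" ca.mydomain.net 192.168.10.30 || true   # expected FAIL
  rm -f "$tmp"
  check_entropy 2400
  check_entropy 180 || true                                          # expected FAIL
}

if [ "${1:-}" = "--live" ]; then run_live; else demo; fi
```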
The solution components are:
- Dogtag PKI Certificate Authority; pki-ca and dependencies
- Dogtag theme; server theme (optional)
- 389 Directory Server, 389-ds-base; the LDAP backend Dogtag uses for its internal database
389 is a dependency of the Dogtag CA and is configured first.
Install 389 and the Dogtag CA. The package dogtag-pki-server-theme is optional; however, if you want to use the web UI, you need the theme installed before the Dogtag CA instance is configured with pkispawn.
[root@ca ~]# yum install 389-ds-base pki-ca
Results
============================================================================
Package Arch Version Repository Size
============================================================================
Installing:
389-ds-base x86_64 1.3.5.10-15.el7_3 centos-7-updates 1.7 M
pki-ca noarch 10.3.3-16.el7_3 centos-7-updates 494 k
Installing for dependencies:
389-ds-base-libs x86_64 1.3.5.10-15.el7_3 centos-7-updates 664 k
antlr-tool noarch 2.7.7-30.el7 centos-7-base 357 k
apache-commons-cli noarch 1.2-13.el7 centos-7-base 50 k
apache-commons-codec noarch 1.8-7.el7 centos-7-base 223 k
apache-commons-collections
noarch 3.2.1-22.el7_2 centos-7-base 509 k
apache-commons-daemon x86_64 1.0.13-6.el7 centos-7-base 54 k
apache-commons-dbcp noarch 1.4-17.el7 centos-7-base 167 k
apache-commons-io noarch 1:2.4-12.el7 centos-7-base 189 k
apache-commons-lang noarch 2.6-15.el7 centos-7-base 276 k
apache-commons-logging noarch 1.1.2-7.el7 centos-7-base 78 k
apache-commons-pool noarch 1.6-9.el7 centos-7-base 113 k
args4j noarch 2.0.16-13.el7 centos-7-base 70 k
avalon-framework noarch 4.3-10.el7 centos-7-base 88 k
avalon-logkit noarch 2.1-14.el7 centos-7-base 87 k
bcel noarch 5.2-18.el7 centos-7-base 469 k
bea-stax noarch 1.2.0-9.el7 centos-7-base 176 k
bea-stax-api noarch 1.2.0-9.el7 centos-7-base 31 k
bind-libs x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 1.0 M
bind-utils x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 202 k
codemodel noarch 2.6-9.el7 centos-7-base 164 k
copy-jdk-configs noarch 1.2-1.el7 centos-7-base 14 k
cyrus-sasl-gssapi x86_64 2.1.26-20.el7_2 centos-7-base 40 k
cyrus-sasl-md5 x86_64 2.1.26-20.el7_2 centos-7-base 56 k
dom4j noarch 1.6.1-20.el7 centos-7-base 277 k
easymock2 noarch 2.5.2-12.el7 centos-7-base 92 k
ecj x86_64 1:4.2.1-8.el7 centos-7-base 1.4 M
fontconfig x86_64 2.10.95-10.el7 centos-7-base 229 k
fontpackages-filesystem noarch 1.44-8.el7 centos-7-base 9.9 k
geronimo-jms noarch 1.1.1-19.el7 centos-7-base 31 k
geronimo-jta noarch 1.1.1-17.el7 centos-7-base 20 k
giflib x86_64 4.1.6-9.el7 centos-7-base 40 k
glassfish-dtd-parser noarch 1.2-0.8.20120120svn.el7
centos-7-base 70 k
glassfish-fastinfoset noarch 1.2.12-9.el7 centos-7-base 272 k
glassfish-jaxb noarch 2.2.5-6.el7 centos-7-base 1.8 M
glassfish-jaxb-api noarch 2.2.7-4.el7 centos-7-base 92 k
hamcrest noarch 1.3-6.el7 centos-7-base 124 k
hsqldb noarch 1:1.8.1.3-14.el7 centos-7-base 950 k
httpcomponents-client noarch 4.2.5-5.el7_0 centos-7-base 425 k
httpcomponents-core noarch 4.2.4-6.el7 centos-7-base 466 k
isorelax noarch 1:0-0.15.release20050331.el7
centos-7-base 75 k
istack-commons noarch 2.17-4.el7 centos-7-base 100 k
jackson noarch 1.9.4-7.el7 centos-7-base 1.0 M
jakarta-commons-httpclient
noarch 1:3.1-16.el7_0 centos-7-base 241 k
jakarta-oro noarch 2.0.8-16.el7 centos-7-base 78 k
java-1.8.0-openjdk x86_64 1:1.8.0.121-0.b13.el7_3
centos-7-updates 232 k
java-1.8.0-openjdk-headless
x86_64 1:1.8.0.121-0.b13.el7_3
centos-7-updates 31 M
javamail noarch 1.4.6-8.el7 centos-7-base 758 k
javapackages-tools noarch 3.4.1-11.el7 centos-7-base 73 k
javassist noarch 3.16.1-10.el7 centos-7-base 627 k
jaxen noarch 1.1.3-11.el7 centos-7-base 204 k
jboss-annotations-1.1-api
noarch 1.0.1-0.6.20120212git76e1a2.el7
centos-7-base 20 k
jdom noarch 1.1.3-6.el7 centos-7-base 174 k
jing noarch 20091111-14.el7 centos-7-base 611 k
joda-convert noarch 1.3-5.el7 centos-7-base 46 k
joda-time noarch 2.2-3.tzdata2013c.el7
centos-7-base 484 k
jsr-311 noarch 1.1.1-6.el7 centos-7-base 45 k
jss x86_64 4.2.6-42.el7 centos-7-base 706 k
junit noarch 4.11-8.el7 centos-7-base 261 k
jvnet-parent noarch 4-2.el7 centos-7-base 10 k
ldapjdk noarch 4.18-16.el7_3 centos-7-updates 316 k
libICE x86_64 1.0.9-2.el7 centos-7-base 65 k
libSM x86_64 1.2.2-2.el7 centos-7-base 39 k
libX11 x86_64 1.6.3-3.el7 centos-7-base 606 k
libX11-common noarch 1.6.3-3.el7 centos-7-base 162 k
libXau x86_64 1.0.8-2.1.el7 centos-7-base 29 k
libXcomposite x86_64 0.4.4-4.1.el7 centos-7-base 22 k
libXext x86_64 1.3.3-3.el7 centos-7-base 39 k
libXfont x86_64 1.5.1-2.el7 centos-7-base 150 k
libXi x86_64 1.7.4-2.el7 centos-7-base 40 k
libXrender x86_64 0.9.8-2.1.el7 centos-7-base 25 k
libXtst x86_64 1.2.2-2.1.el7 centos-7-base 20 k
libfontenc x86_64 1.1.2-3.el7 centos-7-base 30 k
libicu x86_64 50.1.2-15.el7 centos-7-base 6.9 M
libpng x86_64 2:1.5.13-7.el7_2 centos-7-base 213 k
libtalloc x86_64 2.1.6-1.el7 centos-7-base 34 k
libtevent x86_64 0.9.28-1.el7 centos-7-base 34 k
libxcb x86_64 1.11-4.el7 centos-7-base 189 k
libxslt x86_64 1.1.28-5.el7 centos-7-base 242 k
lksctp-tools x86_64 1.0.17-2.el7 centos-7-base 88 k
log4j noarch 1.2.17-15.el7 centos-7-base 443 k
msv-msv noarch 1:2013.5.1-7.el7 centos-7-base 3.7 M
msv-xsdlib noarch 1:2013.5.1-7.el7 centos-7-base 1.1 M
nuxwdog x86_64 1.0.3-5.el7 centos-7-base 45 k
nuxwdog-client-java x86_64 1.0.3-5.el7 centos-7-base 11 k
objectweb-asm noarch 3.3.1-9.el7 centos-7-base 197 k
openldap-clients x86_64 2.4.40-13.el7 centos-7-base 188 k
perl x86_64 4:5.16.3-291.el7 centos-7-base 8.0 M
perl-Archive-Tar noarch 1.92-2.el7 centos-7-base 73 k
perl-Carp noarch 1.26-244.el7 centos-7-base 19 k
perl-Compress-Raw-Bzip2 x86_64 2.061-3.el7 centos-7-base 32 k
perl-Compress-Raw-Zlib x86_64 1:2.061-4.el7 centos-7-base 57 k
perl-DB_File x86_64 1.830-6.el7 centos-7-base 74 k
perl-Data-Dumper x86_64 2.145-3.el7 centos-7-base 47 k
perl-Encode x86_64 2.51-7.el7 centos-7-base 1.5 M
perl-Exporter noarch 5.68-3.el7 centos-7-base 28 k
perl-File-Path noarch 2.09-2.el7 centos-7-base 26 k
perl-File-Temp noarch 0.23.01-3.el7 centos-7-base 56 k
perl-Filter x86_64 1.49-3.el7 centos-7-base 76 k
perl-Getopt-Long noarch 2.40-2.el7 centos-7-base 56 k
perl-HTTP-Tiny noarch 0.033-3.el7 centos-7-base 38 k
perl-IO-Compress noarch 2.061-2.el7 centos-7-base 260 k
perl-IO-Zlib noarch 1:1.10-291.el7 centos-7-base 51 k
perl-Mozilla-LDAP x86_64 1.5.3-12.el7 centos-7-base 147 k
perl-NetAddr-IP x86_64 4.069-3.el7 centos-7-base 125 k
perl-Package-Constants noarch 1:0.02-291.el7 centos-7-base 45 k
perl-PathTools x86_64 3.40-5.el7 centos-7-base 82 k
perl-Pod-Escapes noarch 1:1.04-291.el7 centos-7-base 51 k
perl-Pod-Perldoc noarch 3.20-4.el7 centos-7-base 87 k
perl-Pod-Simple noarch 1:3.28-4.el7 centos-7-base 216 k
perl-Pod-Usage noarch 1.63-3.el7 centos-7-base 27 k
perl-Scalar-List-Utils x86_64 1.27-248.el7 centos-7-base 36 k
perl-Socket x86_64 2.010-4.el7 centos-7-base 49 k
perl-Storable x86_64 2.45-3.el7 centos-7-base 77 k
perl-Text-ParseWords noarch 3.29-4.el7 centos-7-base 14 k
perl-Time-HiRes x86_64 4:1.9725-3.el7 centos-7-base 45 k
perl-Time-Local noarch 1.2300-2.el7 centos-7-base 24 k
perl-constant noarch 1.27-2.el7 centos-7-base 19 k
perl-libs x86_64 4:5.16.3-291.el7 centos-7-base 688 k
perl-macros x86_64 4:5.16.3-291.el7 centos-7-base 43 k
perl-parent noarch 1:0.225-244.el7 centos-7-base 12 k
perl-podlators noarch 2.5.1-3.el7 centos-7-base 112 k
perl-threads x86_64 1.87-4.el7 centos-7-base 49 k
perl-threads-shared x86_64 1.43-6.el7 centos-7-base 39 k
pki-base noarch 10.3.3-16.el7_3 centos-7-updates 340 k
pki-base-java noarch 10.3.3-16.el7_3 centos-7-updates 1.1 M
pki-server noarch 10.3.3-16.el7_3 centos-7-updates 2.7 M
pki-tools x86_64 10.3.3-16.el7_3 centos-7-updates 658 k
python-javapackages noarch 3.4.1-11.el7 centos-7-base 31 k
python-ldap x86_64 2.4.15-2.el7 centos-7-base 159 k
python-lxml x86_64 3.2.1-4.el7 centos-7-base 758 k
python-nss x86_64 0.16.0-3.el7 centos-7-base 266 k
qdox noarch 1.12.1-10.el7 centos-7-base 170 k
regexp noarch 1.5-13.el7 centos-7-base 47 k
relaxngDatatype noarch 1.0-11.el7 centos-7-base 15 k
resteasy-base-atom-provider
noarch 3.0.6-4.el7 centos-7-base 41 k
resteasy-base-client noarch 3.0.6-4.el7 centos-7-base 125 k
resteasy-base-jackson-provider
noarch 3.0.6-4.el7 centos-7-base 13 k
resteasy-base-jaxb-provider
noarch 3.0.6-4.el7 centos-7-base 65 k
resteasy-base-jaxrs noarch 3.0.6-4.el7 centos-7-base 728 k
resteasy-base-jaxrs-api noarch 3.0.6-4.el7 centos-7-base 96 k
rngom noarch 201103-0.8.20120119svn.el7
centos-7-base 266 k
scannotation noarch 1.0.3-0.7.r12.el7 centos-7-base 23 k
stax-ex noarch 1.7.1-6.el7 centos-7-base 33 k
stax2-api noarch 3.1.1-10.el7 centos-7-base 165 k
svrcore x86_64 4.1.2-1.el7 centos-7-base 19 k
tomcat noarch 7.0.69-10.el7 centos-7-base 88 k
tomcat-el-2.2-api noarch 7.0.69-10.el7 centos-7-base 79 k
tomcat-jsp-2.2-api noarch 7.0.69-10.el7 centos-7-base 93 k
tomcat-lib noarch 7.0.69-10.el7 centos-7-base 3.8 M
tomcat-servlet-3.0-api noarch 7.0.69-10.el7 centos-7-base 210 k
tomcatjss noarch 7.1.2-3.el7 centos-7-base 35 k
ttmkfdir x86_64 3.0.9-42.el7 centos-7-base 48 k
txw2 noarch 20110809-8.el7 centos-7-base 134 k
tzdata-java noarch 2016j-1.el7 centos-7-updates 182 k
velocity noarch 1.7-10.el7 centos-7-base 414 k
ws-jaxme noarch 0.5.2-10.el7 centos-7-base 1.1 M
xalan-j2 noarch 2.7.1-23.el7 centos-7-base 1.9 M
xerces-j2 noarch 2.11.0-17.el7_0 centos-7-base 1.1 M
xml-commons-apis noarch 1.4.01-16.el7 centos-7-base 227 k
xml-commons-resolver noarch 1.2-15.el7 centos-7-base 108 k
xorg-x11-font-utils x86_64 1:7.5-20.el7 centos-7-base 87 k
xorg-x11-fonts-Type1 noarch 7.5-9.el7 centos-7-base 521 k
xpp3 noarch 1.1.3.8-11.el7 centos-7-base 336 k
xsom noarch 0-10.20110809svn.el7 centos-7-base 380 k
Transaction Summary
============================================================================
Install 2 Packages (+164 Dependent packages)
Total download size: 96 M
Installed size: 239 M
Is this ok [y/d/N]:
The theme package is not available in the CentOS or EPEL repositories, so install it with yum directly from the Fedora Project's build system. Keep in mind what this is: a Fedora 24 build pulled onto a CentOS Root CA from outside its repositories. It is a noarch package of static web content and it is fetched over HTTPS, and you can skip it entirely if you will not use the web UI.
[root@ca ~]# yum install https://kojipkgs.fedoraproject.org//packages/dogtag-pki-theme/10.3.5/1.fc24/noarch/dogtag-pki-server-theme-10.3.5-1.fc24.noarch.rpm
Results
============================================================================
Package
Arch Version Repository Size
============================================================================
Installing:
dogtag-pki-server-theme
noarch 10.3.5-1.fc24 /dogtag-pki-server-theme-10.3.5-1.fc24.noarch 525 k
Transaction Summary
============================================================================
Install 1 Package
Total size: 525 k
Installed size: 525 k
Is this ok [y/d/N]:
Begin by executing setup-ds.pl to set up 389. See "Results" for the prompts, and record the account names and passwords you choose.
[root@ca ~]# setup-ds.pl
Results
==============================================================================
This program will set up the 389 Directory Server.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" or the word "back" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]:
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 14-JULY-2016.
NOTICE : System is x86_64-unknown-linux3.10.0-514.6.1.el7.x86_64 (1 processor).
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
WARNING : The warning messages above should be reviewed before proceeding.
Would you like to continue? [no]: yes
==============================================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]:
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.name
Computer name [ca.mydomain.net]:
==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.
System User [dirsrv]:
System Group [dirsrv]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [ca]:
==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=mydomain, dc=net]:
==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'ca' was successfully created.
Exiting . . .
Log file is '/tmp/setup9aIZHo.log'
Note the password you set for the Directory Manager.
[root@ca ~]# systemctl enable dirsrv.target
Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv.target to /usr/lib/systemd/system/dirsrv.target.
[root@ca ~]# systemctl start dirsrv.target
[root@ca ~]# systemctl status dirsrv.target
● dirsrv.target - 389 Directory Server
Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; enabled; vendor preset: disabled)
Active: active since Tue 2017-02-21 19:19:57 PST; 6s ago
Feb 21 19:19:57 ca.mydomain.net systemd[1]: Reached target 389 Dire...
Feb 21 19:19:57 ca.mydomain.net systemd[1]: Starting 389 Directory ...
Hint: Some lines were ellipsized, use -l to show in full.
Dogtag uses pkispawn for subsystem setup, where -s names the subsystem to configure. The interactive mode used here accepts the defaults for everything it does not ask about, including the CA signing key (the default is 2048-bit RSA); as the banner says, anything beyond a basic deployment is driven by a configuration file passed with -f.
[root@ca ~]# pkispawn -s CA
Results
IMPORTANT:
Interactive installation currently only exists for very basic deployments!
For example, deployments intent upon using advanced features such as:
* Cloning,
* Elliptic Curve Cryptography (ECC),
* External CA,
* Hardware Security Module (HSM),
* Subordinate CA,
* etc.,
must provide the necessary override parameters in a separate
configuration file.
Run 'man pkispawn' for details.
Tomcat:
Instance [pki-tomcat]:
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [caadmin]:
Password:
Verify password:
Import certificate (Yes/No) [N]?
Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
Hostname [ca.mydomain.net]:
Use a secure LDAPS connection (Yes/No/Quit) [N]?
LDAP Port [389]:
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=pki-tomcat-CA]:
Security Domain:
Name [mydomain.net Security Domain]:
Begin installation (Yes/No/Quit)? yes
Log file: /var/log/pki/pki-ca-spawn.20170221192332.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
==========================================================================
INSTALLATION SUMMARY
==========================================================================
Administrator's username: caadmin
Administrator's PKCS #12 file:
/root/.dogtag/pki-tomcat/ca_admin_cert.p12
To check the status of the subsystem:
systemctl status pki-tomcatd@pki-tomcat.service
To restart the subsystem:
systemctl restart pki-tomcatd@pki-tomcat.service
The URL for the subsystem is:
https://ca.mydomain.net:8443/ca
PKI instances will be enabled upon system boot
==========================================================================
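The interactive sessions above are fine for one build, but a Root CA should be reproducible and its parameters reviewable, and interactive pkispawn never asks about the signing key. The script below is an added example, not part of the wiki or of the Dogtag project: it generates the setup-ds.pl silent-mode answer file and a pkispawn deployment config for the same instance (ca.mydomain.net, directory instance ca, Tomcat instance pki-tomcat, all assumed here to match the article), raises the Root CA key to 4096-bit RSA with SHA-256 and asks pkispawn to export a backup of the CA keys. The .inf keys are those of setup-ds.pl --silent and the pkispawn keys are those listed in the pki_default.cfg(5) manual page; the subject DN and 4096-bit size are choices, not Dogtag defaults. Run without arguments it only prints the two files with placeholder passwords; --live performs the install on the CA host.

```shell
#!/bin/bash
# Added example (not from the wiki): the 389 and Dogtag CA setup above, done
# non-interactively so the Root CA build is repeatable and reviewable. The .inf keys are
# those of setup-ds.pl --silent; the pkispawn keys are those in pki_default.cfg(5).
# Names are assumptions matching the article; passwords come from the environment.
FQDN=${FQDN:-ca.mydomain.net}
DOMAIN_NAME=${DOMAIN_NAME:-mydomain.net}
SUFFIX=${SUFFIX:-dc=mydomain,dc=net}
DS_ID=${DS_ID:-ca}
CA_KEY_BITS=${CA_KEY_BITS:-4096}       # interactive pkispawn leaves the 2048-bit default

# setup-ds.pl silent-mode answers; $1 is the Directory Manager password.
ds_inf() {
  cat <<EOF
[General]
FullMachineName = $FQDN
SuiteSpotUserID = dirsrv
SuiteSpotGroup = dirsrv

[slapd]
ServerPort = 389
ServerIdentifier = $DS_ID
Suffix = $SUFFIX
RootDN = cn=Directory Manager
RootDNPwd = $1
EOF
}

# pkispawn deployment config; $1 is the caadmin (and PKCS #12) password,
# $2 the Directory Manager password. Keys not set here keep pkispawn's defaults.
ca_cfg() {
  cat <<EOF
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=$1
pki_client_database_password=$1
pki_client_pkcs12_password=$1
pki_ds_password=$2
pki_security_domain_password=$1
# export the CA keys to a PKCS #12 at install time so the Root CA key can be backed up off-line
pki_backup_keys=True
pki_backup_password=$1

[CA]
pki_admin_uid=caadmin
pki_admin_email=caadmin@$DOMAIN_NAME
pki_ds_hostname=$FQDN
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_base_dn=o=pki-tomcat-CA
pki_security_domain_name=$DOMAIN_NAME Security Domain
# Root CA signing key: the interactive run above gets 2048-bit RSA
pki_ca_signing_key_type=rsa
pki_ca_signing_key_size=$CA_KEY_BITS
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,o=$DOMAIN_NAME Security Domain
EOF
}

# Run both installers on this host (root). Both answer files hold cleartext
# passwords, so they are created 0600 and shredded afterwards.
install_live() {
  : "${DS_PASSWORD:?export DS_PASSWORD}" "${CA_ADMIN_PASSWORD:?export CA_ADMIN_PASSWORD}"
  umask 077
  ds_inf "$DS_PASSWORD" > /root/setup-ds.inf
  setup-ds.pl --silent --file=/root/setup-ds.inf
  systemctl enable dirsrv.target && systemctl start dirsrv.target
  ca_cfg "$CA_ADMIN_PASSWORD" "$DS_PASSWORD" > /root/ca.cfg
  pkispawn -s CA -f /root/ca.cfg
  shred -u /root/setup-ds.inf /root/ca.cfg
}

if [ "${1:-}" = "--live" ]; then
  install_live
else
  ds_inf '<directory-manager-password>'; echo
  ca_cfg '<caadmin-password>' '<directory-manager-password>'
fi
```

Both generated files contain cleartext passwords; install_live creates them with mode 0600 and shreds them once pkispawn finishes. Move the key backup pkispawn exports, together with ca_admin_cert.p12, off the host to protected storage, then power the Root CA down.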
Note the password you set for the caadmin.
If you want to use the Dogtag web UI, import the caadmin client certificate into your browser. Using CentOS 7 Workstation or Fedora 24 Workstation, copy the caadmin PKCS #12 file to the workstation and add it to Firefox's user certificates. If you receive an authentication error or "You did not provide a valid certificate for this operation" when browsing to https://host.domain.net:8443/ca, the browser did not present caadmin's certificate; privileged operations require it.
The caadmin certificate and its private key are in ~/.dogtag/pki-tomcat/ca_admin_cert.p12; in an interactive install the PKCS #12 password is the caadmin password set above. Copy it to an admin workstation using scp root@<ip address or hostname>:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 . Treat the file as a credential: whoever holds it and its password administers the CA, so keep it off shared storage and delete copies once imported.
Import the certificate into Firefox by selecting the menu, Preferences, Advanced, View Certificates, Your Certificates, then Import. Once complete, you will find "PKI Administrator" under "Your Certificates."
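Before the PKCS #12 leaves the CA, confirm what it contains. The script below is an added example, not part of the wiki: it prints the subject, issuer and validity of the client certificate in a PKCS #12 and counts the private keys in it, using OpenSSL rather than the browser, and make_demo_p12 builds a throwaway PKCS #12 from a self-signed certificate (constructed data, password "demo") so the functions can be exercised without the real admin file. The default path is the one pkispawn printed above; the assumption that its password equals the caadmin password holds for an interactive install. Files written by Dogtag's NSS database can use legacy RC2/3DES encryption that OpenSSL 3 reads only with -legacy, passed here through EXTRA.

```shell
#!/bin/bash
# Added example (not from the wiki): inspect a Dogtag admin PKCS #12 with OpenSSL
# before it leaves the CA. Default path is the one pkispawn printed; assumption: the
# PKCS #12 password equals the caadmin password (true for an interactive install).
P12=${P12:-/root/.dogtag/pki-tomcat/ca_admin_cert.p12}
EXTRA=${EXTRA:-}            # set EXTRA=-legacy on OpenSSL 3 for NSS-made RC2/3DES files

# Print subject, issuer and validity of the client certificate(s) in PKCS #12 $1
# (password $2). Only certificates are extracted; the private key stays in the file.
p12_client_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts $EXTRA 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Print the number of private keys in PKCS #12 $1 (password $2). The key is
# decrypted only into the pipe, never written to disk. Expect 1 for ca_admin_cert.p12.
p12_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes $EXTRA 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

# Build a throwaway PKCS #12 in directory $1 (self-signed cert, password "demo") so the
# functions above can be exercised without the real admin file. Prints its path.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=PKI Administrator/O=demo' \
    -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -in "$1/demo.crt" -inkey "$1/demo.key" -name 'PKI Administrator' \
    -passout pass:demo -out "$1/demo.p12" >/dev/null 2>&1 || return 1
  rm -f "$1/demo.key"
  echo "$1/demo.p12"
}

if [ "${1:-}" = "--live" ]; then
  read -r -s -p "PKCS #12 password: " pw; echo
  p12_client_certs "$P12" "$pw" && echo "private keys: $(p12_key_count "$P12" "$pw")"
else
  d=$(mktemp -d); f=$(make_demo_p12 "$d")
  p12_client_certs "$f" demo; echo "private keys: $(p12_key_count "$f" demo)"
  rm -rf "$d"
fi
```

On the CA, run it with --live; a subject of PKI Administrator, an issuer matching your CA signing certificate and exactly one private key are what you expect to see before the file is copied anywhere.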
Next article in the series is Identity Management with FreeIPA Server 4.4 on CentOS 7.3.1611.