As with system groups, Certificate System uses a system user account for its subsystem process. This is the pkiuser account, which is associated with the pkiuser system group.
The other Certificate System groups — pkiadmin and pkiaudit — allow real users (not system users) to be members so that those users can carry out normal administrative and auditing functions. These user accounts simply need to be added to the PKI groups, as described in Section 5.3.7.2.3, “Associating Existing User Accounts with PKI Groups”.
On Red Hat Enterprise Linux 5.6 (and later) machines, the pkiuser account already exists; this can be verified by checking the /etc/passwd file:
# grep pkiuser /etc/passwd
pkiuser:x:17:
As with the pkiuser group, the pkiuser account must have a UID number of 17. If the pkiuser account does not exist or if it does not have a UID of 17, then check that the appropriate setup packages are installed:
# rpm -q setup
setup-2.5.58-7.el5
# rpm -q shadow-utils
shadow-utils-4.0.17-15.el5
Then create the pkiuser user. Use the -g option to specify the group that the user is added to, and use the -r option to create a system account. To set the UID explicitly, use the -u option.
# userdel pkiuser
# useradd -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Red Hat Certificate System" -u 17 -r pkiuser
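The verification step above, extended into an added example (not part of the Red Hat documentation): a shell function that checks the pkiuser entry against the UID, group, home directory and shell given on this page. The function name check_pkiuser and its optional file arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the pkiuser account against the values on this page
# (UID 17, group pkiuser, home /usr/share/pki, shell /sbin/nologin).

# check_pkiuser [PASSWD_FILE] [GROUP_FILE]   (hypothetical helper)
# Prints one line per deviation; returns 0 if the account matches, 1 otherwise.
check_pkiuser() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    rc=0

    # Match the login-name field exactly. A plain "grep pkiuser" also matches
    # look-alike names or a comment field that merely contains the string.
    entry=$(awk -F: '$1 == "pkiuser" { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "pkiuser: account not found in $passwd_file"
        return 1
    fi

    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # Resolve the account's primary GID to a group name.
    group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")

    [ "$uid" = "17" ] || { echo "pkiuser: UID is '$uid', expected 17"; rc=1; }
    [ "$group" = "pkiuser" ] || { echo "pkiuser: primary group is '$group', expected pkiuser"; rc=1; }
    [ "$home" = "/usr/share/pki" ] || { echo "pkiuser: home is '$home', expected /usr/share/pki"; rc=1; }
    # A non-login shell keeps the service account from being used interactively.
    [ "$shell" = "/sbin/nologin" ] || { echo "pkiuser: shell is '$shell', expected /sbin/nologin"; rc=1; }
    return $rc
}
```

Called with no arguments, check_pkiuser reads /etc/passwd and /etc/group; a non-zero return means the account should be recreated with the useradd command shown above.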