Chapter 9. Installing an Instance with ECC Enabled

9.1. Loading a Third-Party ECC Module
9.2. Loading the Certicom ECC Module
9.3. Using ECC with an HSM
Elliptic curve cryptography (ECC) is much more secure than the more common RSA-style encryption, which allows it to use much shorter key lengths and makes it faster to generate certificates. CAs which are ECC-enabled can issue both RSA and ECC certificates, using their ECC signing certificate.
Certificate System does not include a module natively to enable ECC, but it is possible to load and use a third-party PKCS #11 module with ECC-enabled.
To use the ECC module, it must be loaded before the subsystem instance is configured.

IMPORTANT

Third-party ECC modules must have an SELinux policy configured for them, or SELinux needs to be changed from enforcing mode to permissive mode to allow the module to function. Otherwise, any subsystem operations which require the ECC module will fail.

9.1. Loading a Third-Party ECC Module

  1. Copy the third-party module to a common directory, like /usr/lib for 32-bit systems or /usr/lib64 for 64-bit systems.
  2. Create a new instance by running pkicreate, but do not go through the configuration wizard.
  3. Stop the instance. 
    service instance_name stop
  4. The subsystem user runs as the pkiuser user. As root, create a home directory for pkiuser. 
    /usr/sbin/usermod --home /usr/share/pki/pkiuser pkiuser 
cd /usr/share/pki
mkdir pkiuser
HOME=/usr/share/pki/pkiuser
export HOME
  5. Install the third-party module in the instance's security databases so it is available for the configuration. 
    cd /var/lib/instance_name/alias

modutil -dbdir . -nocertdb -add THIRD_PARTY_MODULE -libfile /usr/lib/libYourNewModule.so
    This creates a directory called THIRD_PARTY_MODULE in the new home directory created for root (the new pkiuser home directory). For example, if the module's name is EccForPki, then the directory is named .EccForPki/
  6. Using modutil, set the password for the new ECC module token. 
    modutil -dbdir . -nocertdb -changepw "THIRD_PARTY_MODULE_TOKEN"
  7. Change the ownership of the new home directory from root to pkiuser. 
    cd /usr/share/pki
chown -R pkiuser:pkiuser pkiuser
  8. Add the password for the ECC token to the instance's password file. 
    vim /etc/instance_name/password.conf

hardware-THIRD_PARTY_MODULE_TOKEN=secret
    The hardware- prefix is required.
  9. Edit the instance configuration and add a line to require signature verification. For example: 
    ca.requestVerify.token=THIRD_PARTY_MODULE_TOKEN
  10. Start the instance. 
    service instance_name start
  11. Continue with the instance configuration, with two important configuration settings:
    • In the Key Store panel, the ECC module should be listed as an available token. Select that module for the key store.
    • In the Key Pairs panel, ECC should be listed as an option to use to generate the keys used for the CA's certificates. Select the ECC key type.
  12. After completing the configuration for the instance, assuming it is a Java subsystem, try to log into the console. 
    pkiconsole https://server.example.com:admin_port/subsystem_type
    This fails, because the console is not yet configured to run with ECC enabled. However, this does create the security databases for the console, so the ECC module can be loaded.
  13. Load the ECC module into the console security databases. 
    cd ~/.redhat-idm-console/

modutil -dbdir . -nocertdb -add THIRD_PARTY_MODULE -libfile /usr/lib/libYourNewModule.so
    Now, logging into the console succeeds.