6.2.4. Installing and Configuring an RA

  1. A CA must be configured and running somewhere on the network. An RA depends on the CA to issue their certificates and to create a security domain. If the security domain CA is not available, then the configuration process fails.
  2. Set up the required yum repositories.
    Create a .repo file with the repository information (this was likely configured in Section 6.2.1, “Installing and Configuring a CA”). For example:
    [root@client ~]# touch /etc/yum.repos.d/rhcs.repo
    [root@client ~]# vim /etc/yum.repos.d/rhcs.repo
  3. Run yum to install the RA packages.
    [root@server ~]# yum install pki-ra
  4. Run the pkicreate command to create the RA instance. For example:
    pkicreate -pki_instance_root=/var/lib
              -redirect logs=/var/log/pki-name/logs
    When the pkicreate command completes, it returns a URL to use to access the web-based configuration wizard and a PIN to use to authenticate. This PIN is also contained in the install logs (/var/log/pki-name-install.log) and in the CS.cfg file for the instance.
    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting instance_name:                                     [  OK  ]
    instance_name (pid 17990) is running ...
        'instance_name' must still be CONFIGURED!
        (see /var/log/pki-name-install.log)
    Before proceeding with the configuration, make sure
    the firewall settings of this machine permit proper
    access to this subsystem.
    Please start the configuration by accessing:
    After configuration, the server can be operated by the command:
    	service instance_name start | stop | restart
    This example uses the recommended port separation configuration, specifies an auditor group, and uses a Java Security Manager. Other options could be specified to set user-defined log and configuration directories and a user-defined operating system user and group. For other pkicreate options, see Table 6.1, “pkicreate Parameters”.
    The command options here are on separate lines to make it clear what options are used. All options should be on a single line.
  5. Create a new Firefox browser profile to use for configuring and accessing subsystems. Because of the certificates that are loaded, it is simpler and cleaner to use a fresh profile.
  6. Download the CA certificate chain for the CA which will issue the CA certificate, and import the CA chain into the browser.
    1. Open the CA web services page.
    2. Click the Retrieval tab.
    3. Click the Import CA Certificate Chain link.
    4. Select the radio button to import the CA certificate into the browser.
    5. Click Submit.
  7. If the CA which will be used to configure the RA is configured to prefer client authentication (sslClientAuth = want is set in the server.xml file), then this setting must be disabled before the RA can be configured. Otherwise, the CA requests client authentication when the RA attempts to connect with it during configuration, which the RA cannot perform, and the configuration process hangs.
    The procedure for changing the client authentication settings is in the Administrator's Guide.
  8. Open the configuration wizard using the URL returned by running pkicreate.
  9. Join an existing security domain by entering the CA information. This URL can be identified by running service pki-ca status on the CA's host; the security domain URL is returned with the other configuration settings. For example:
    When the CA is successfully contacted, then supply the admin username and password for the CA so that it can be properly accessed.
    The hostname for the security domain CA can be the fully-qualified domain name or an IPv4 or IPv6 address, if IPv6 was configured before the packages were installed.
  10. Enter a name for the new instance.
  11. Select the CA which will issue, renew, and revoke certificates for certificates processed through the RA. All of the CAs configured in the security domain are listed in a dropdown menu.
  12. Click Next on the Internal Database panel; the SQLite database is created automatically.


    The RA uses a SQLite database to store its configuration and user data rather than an LDAP database, as the other subsystems do.
  13. Select the token which will store the Certificate System certificates and keys; a list of detected hardware tokens and databases is given.
    Any hardware tokens used with the instance must be configured before configuring the subsystem instance.
  14. Set the key size and type (RSA or ECC) to use for the subsystem instance keys.
    By default, the settings for the signing key are applied to the keys for every certificate for the CA. To set different key types, sizes, or hashing algorithms (RSA) or curves (ECC) for each certificate, click the [Advanced] link to expand the form so each key pair is listed.
    The default RSA key size is 2048 and for ECC, 256.
    Any ECC-enabled PKCS#11 module must be loaded before beginning to configure the RA.
  15. Optionally, change the subject names for the certificates.


    Certificate nicknames must be unique, and changing the default nicknames is one way to ensure that.
    Having unique certificate nicknames is vital for using an HSM, since any nickname conflicts (even for subsystems on different servers) will cause configuration to fail.
  16. The next panels generate and show certificate requests, certificates, and key pairs.
  17. Provide the information for the new subsystem administrator.
  18. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration.
  19. When the configuration is complete, restart the subsystem.
    service pki-ra restart


    The new instance is not active until it is restarted, and weird behaviors can occur if you try to use the instance without restarting it first.