Chapter 7. Installing and Configuring Certificate System

There are three major configuration steps to create a new, running instance of a subsystem:
  1. Installing the packages.
  2. Running pkicreate to create an instance.
  3. Going through the configuration wizard (or running pkisilent) to configure the new instance.
Additional steps — like configuring SSL for Red Hat Directory Server connections — can be performed to meet the needs of your environment.

7.1. About pkicreate

Certificate System subsystem instances are created and defined using a script called pkicreate. This script creates individual subsystem instances, with user-defined settings like the configuration and log directories and port numbers. After the instance is created, it is then configured through the HTML-based configuration wizard or by using the pkisilent script.
The syntax for pkicreate is slightly different between subsystems because of the different port and group configurations. Table 7.1, “pkicreate Parameters”, lists the parameters that pkicreate accepts.

TIP

To get full usage examples and syntax for the pkicreate command, run pkicreate --help.

Table 7.1. pkicreate Parameters

Each entry below gives the parameter name followed by its description.

pki_instance_root
    Gives the full path to the new instance configuration directory.

subsystem_type
    Gives the type of subsystem being created.

pki_instance_name
    Gives the name of the new instance. Instance names must be unique on a single machine, but do not have to be unique within the security domain (since instances are identified by hostname and port, not instance name).

secure_port[a]
    Sets a single SSL port number for the subsystem. This parameter is required if port separation is not configured, meaning that separate ports are not assigned for the administrator, agent, and end-entities services.

agent_secure_port[a]
    Sets the SSL port for the agent web services. If this is specified, then both ee_secure_port and admin_secure_port must also be specified. For CAs only, an end-entities client authentication port is also required with the ee_secure_client_auth_port option.

ee_secure_port[a]
    Sets the SSL port for the end-entities web services. If this is specified, then both agent_secure_port and admin_secure_port must also be specified. For CAs only, an end-entities client authentication port is also required with the ee_secure_client_auth_port option.

ee_secure_client_auth_port[a]
    For CAs only. Sets the SSL port on which end entities authenticate with client certificates. If this is specified, then ee_secure_port, agent_secure_port, and admin_secure_port must all be specified.

admin_secure_port[a]
    Sets the SSL port number for the administrator services, usually the pkiconsole. If this is specified, then both agent_secure_port and ee_secure_port must also be specified. For CAs only, an end-entities client authentication port is also required with the ee_secure_client_auth_port option.

non_clientauth_secure_port[a]
    Sets the end-entities SSL port for RA and TPS subsystems.

unsecure_port[a]
    Sets the non-SSL (plain HTTP) port number. If this is not set, the number is randomly generated. Still, it is recommended that administrators set this value explicitly to make sure there are no conflicts with SELinux port labels for other services.

tomcat_server_port[a]
    Sets the port number for the Tomcat web server for CA, OCSP, TKS, and DRM instances.

redirect conf
    Optional. Sets the location for the configuration files for the new instance.

redirect logs
    Optional. Sets the location for the log files for the new instance.

user
    Optional. Sets the user as which the Certificate System instance will run.

group
    Optional. Sets the group as which the Certificate System instance will run.

audit_group
    Optional. Gives the name of the group for auditors for the TPS instance. The default is pkiaudit if this option is not given.

sans_security_manager
    Optional. For the CA, OCSP, DRM, and TKS. Configures the new instance to run without a Java Security Manager. This option should not be used for subsystems in a Common Criteria environment, because the security manager is part of the evaluated configuration.
[a] The ports selected for the new instance should not conflict with any other ports assigned on the host or SELinux. Check the /etc/services file to see port assignments for the system. Then, run semanage port -l |grep port# to check SELinux; if there is no output, then there is no conflict with SELinux assignments.

For more information on the pkicreate tool options, see the Certificate System Command-Line Tools Guide.
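As an added example (not code from the Certificate System documentation or its tooling), the following POSIX shell script encodes the port-separation rules from Table 7.1 and the footnote's two conflict checks, then prints the pkicreate command line for a CA instance rather than running it. Everything about the command line that the table does not state is an assumption: the -name=value flag spelling, the pkiuser account, and the /etc/NAME and /var/log/NAME redirect locations. Confirm them against pkicreate --help on the target host before using the output.

```shell
#!/bin/sh
# Added example, not part of Certificate System. Builds (but never runs) a
# pkicreate command line after checking the port rules from Table 7.1.
# Assumed: -name=value flag spelling, the pkiuser account and the redirect
# paths; check `pkicreate --help` on the real host.

# check_port_separation SUBSYSTEM AGENT EE ADMIN [CLIENTAUTH]
# Table 7.1 rule: giving any of agent_secure_port, ee_secure_port or
# admin_secure_port means all three are required, and a CA additionally
# needs ee_secure_client_auth_port. Returns 0 if consistent, 1 otherwise.
check_port_separation() {
    subsystem=$1; agent=$2; ee=$3; admin=$4; clientauth=$5
    given=0
    for p in "$agent" "$ee" "$admin"; do
        if [ -n "$p" ]; then given=$((given + 1)); fi
    done
    if [ "$given" -eq 0 ]; then
        # No separation at all: the instance must use a single secure_port.
        if [ -n "$clientauth" ]; then
            echo "ee_secure_client_auth_port requires agent, ee and admin ports" >&2
            return 1
        fi
        return 0
    fi
    if [ "$given" -ne 3 ]; then
        echo "agent_secure_port, ee_secure_port and admin_secure_port must all be set" >&2
        return 1
    fi
    if [ "$subsystem" = ca ] && [ -z "$clientauth" ]; then
        echo "a CA also needs ee_secure_client_auth_port" >&2
        return 1
    fi
    return 0
}

# ports_distinct PORT... : 0 if no port number is repeated, 1 otherwise.
ports_distinct() {
    [ -z "$(printf '%s\n' "$@" | sort | uniq -d)" ]
}

# port_assigned PORT: 0 if /etc/services or an SELinux port label already
# claims PORT (the footnote's two checks), 1 if it looks free.
# semanage is only consulted when it is installed.
port_assigned() {
    port=$1
    if [ -r /etc/services ] && grep -Eq "[[:space:]]$port/(tcp|udp)" /etc/services; then
        echo "port $port is listed in /etc/services" >&2
        return 0
    fi
    if command -v semanage >/dev/null 2>&1 && semanage port -l 2>/dev/null | grep -qw "$port"; then
        echo "port $port carries an SELinux port label" >&2
        return 0
    fi
    return 1
}

# build_pkicreate NAME ROOT SUBSYSTEM AGENT EE ADMIN CLIENTAUTH UNSECURE TOMCAT
# Prints the command line for a port-separated instance, or returns 1 when
# the ports break the rules above. Nothing is executed.
build_pkicreate() {
    name=$1; root=$2; subsystem=$3
    agent=$4; ee=$5; admin=$6; clientauth=$7; unsecure=$8; tomcat=$9
    check_port_separation "$subsystem" "$agent" "$ee" "$admin" "$clientauth" || return 1
    if [ -z "$agent" ]; then
        echo "this helper only builds port-separated instances (use secure_port otherwise)" >&2
        return 1
    fi
    # $clientauth is deliberately unquoted so an empty value drops out of the list.
    if ! ports_distinct "$agent" "$ee" "$admin" $clientauth "$unsecure" "$tomcat"; then
        echo "every port must be unique on the host" >&2
        return 1
    fi
    cmd="pkicreate -pki_instance_root=$root -pki_instance_name=$name -subsystem_type=$subsystem"
    cmd="$cmd -agent_secure_port=$agent -ee_secure_port=$ee -admin_secure_port=$admin"
    if [ -n "$clientauth" ]; then cmd="$cmd -ee_secure_client_auth_port=$clientauth"; fi
    cmd="$cmd -unsecure_port=$unsecure -tomcat_server_port=$tomcat"
    # pkiuser and the redirect paths are assumptions, not values from the page.
    cmd="$cmd -user=pkiuser -group=pkiuser -redirect conf=/etc/$name -redirect logs=/var/log/$name"
    printf '%s\n' "$cmd"
}

# Usage: print the CA command line, then report any port the host already claims.
if cmd=$(build_pkicreate pki-ca /var/lib ca 9443 9444 9445 9446 9180 9701); then
    echo "$cmd"
    for port in 9443 9444 9445 9446 9180 9701; do
        if port_assigned "$port"; then echo "choose another port instead of $port" >&2; fi
    done
fi
```

The checks are split from the command builder on purpose: check_port_separation and ports_distinct are pure and can be run from a change-ticket script before anyone touches the host, while port_assigned is the only part that reads host state, and it prints a warning rather than failing so a reviewer can decide whether a matching /etc/services entry is a real conflict.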