7.4.3. Creating the DRM, OCSP, or TKS Instance

The first step is to create the instance. All three subsystem types allow port separation configuration, auditor groups, and Java Security Managers, all of which are recommended. Other options can be specified to set user-defined log and configuration directories and a user-defined operating system user and group. For other pkicreate options, see Table 7.1, “pkicreate Parameters”.
The command options here are on separate lines to make it clear which options are used; in practice, all options should be on a single line. This example configures a DRM; to create a TKS or OCSP instance, change the -subsystem_type value.
pkicreate -pki_instance_root=/var/lib
          -pki_instance_name=pki-kra
          -subsystem_type=kra
          -agent_secure_port=10443
          -ee_secure_port=10444
          -admin_secure_port=10445
          -unsecure_port=10180
          -tomcat_server_port=10701
          -audit_group=pkiaudit
          -redirect logs=/var/log
When the pkicreate command completes, it returns a URL to use to access the web-based configuration wizard and a PIN to use to authenticate. This PIN is also contained in the install logs (/var/lib/instance_name/logs-install.log) and in the CS.cfg file for the instance.
PKI instance creation Utility ...


PKI instance creation completed ...

Starting instance_name:                                     [  OK  ]

instance_name (pid 17990) is running ...

    'instance_name' must still be CONFIGURED!
    (see /var/lib/instance_name/logs-install.log)

Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:

http://server.example.com:10180/kra/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH

After configuration, the server can be operated by the command:

    service instance_name start | stop | restart
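
Because the configuration PIN is written to the install log and to CS.cfg, it is worth checking who can read those files before the wizard is run. The following is an added example, not part of the product or of the original documentation: it assumes the pkicreate output was saved to a file, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the product: after pkicreate finishes, find
# every world-readable file under the instance directory that contains
# the pre-configuration PIN.

# Print the PIN from saved pkicreate output (the ".../login?pin=..." line).
pin_from_output() {
    sed -n 's|.*/config/login?pin=\([A-Za-z0-9]*\).*|\1|p' "$1" | head -n 1
}

# List world-readable regular files under directory $1 that contain PIN $2.
# The PIN reaches grep on stdin, never as an argument, so it does not
# appear in the process list. File names with newlines are not handled.
world_readable_pin_files() {
    find "$1" -type f -perm -0004 | sort | while IFS= read -r f; do
        if printf '%s\n' "$2" | grep -qF -f - -- "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# audit_pin_exposure OUTPUT_FILE INSTANCE_DIR
# Returns 0 when no world-readable copy exists, 1 when one does,
# 2 when no PIN could be read from OUTPUT_FILE.
audit_pin_exposure() {
    audit_pin=$(pin_from_output "$1")
    [ -n "$audit_pin" ] || return 2
    audit_hits=$(world_readable_pin_files "$2" "$audit_pin")
    [ -z "$audit_hits" ] && return 0
    printf 'PIN readable by any local user in:\n%s\n' "$audit_hits"
    return 1
}
```

Call it as audit_pin_exposure SAVED_OUTPUT /var/lib/instance_name; the same check applies to any directory given with -redirect logs.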