11.5. Performing Silent Configuration Using an External CA

As described in Section 9.1, “Requesting Subsystem Certificates from an External CA”, a CA outside of the security domain can be used to issue a subsystem's certificates. pkisilent can also be used for this: it generates the certificate requests for the external CA and, once the certificates have been issued, installs them in the subsystem.
By default, pkisilent requests the subsystem certificates from a CA within the security domain, identified by the -ca_hostname option and the other ca_ options. This is the behavior when the -external option is false, which is the default.
To send the subsystem certificate requests to an external CA instead, explicitly set -external to true. The generated certificate requests are then written to a file, which is submitted to the external CA. Once the certificates are issued, a file containing the subsystem certificates and a file containing the certificate chain of the issuing external CA are passed back to pkisilent. Four parameters control this:
  • -external, which explicitly sets whether to use an external CA
  • -ext_csr_file, which gives the path and name of the output file to which the certificate requests for the subsystem are written
  • -ext_cert_file, which gives the input file containing the certificates issued by the external CA
  • -ext_cert_chain_file, which gives the input file containing the CA certificate chain of the external CA which issued the certificates
Whether it is performed through the HTML wizard or using pkisilent, obtaining the subsystem certificates from an external CA is a three-step process; the first and the third step use pkisilent. Every password and the preop PIN given to pkisilent appear on its command line, so they are visible in process listings and are recorded in the shell history.
  1. In the first step, much of the preliminary information is configured for the instance.
    Along with the subsystem configuration settings, the subsystem's certificate requests are generated and written to the file specified in -ext_csr_file. These certificate requests must be submitted to the external CA.
    For example (the options are shown one per line with shell continuation characters; without them, all options go on a single line):
     pkisilent ConfigureCA \
            -cs_hostname server.example.com \
            -cs_port 9445 \
            -subsystem_name "pki-ca2" \
            -client_certdb_dir /tmp/ \
            -client_certdb_pwd password \
            -preop_pin sYY8er834FG9793fsef7et5 \
            -domain_name "testca" \
            -agent_name jsmith \
            -agent_key_size 2048 \
            -agent_key_type rsa \
            -agent_cert_subject "cn=ca\ agent\ cert" \
            -ldap_host ldapserver.example.com \
            -ldap_port 389 \
            -secure_conn false \
            -remove_data true \
            -bind_dn "cn=directory\ manager" \
            -bind_password password \
            -base_dn "o=pki-ca2" \
            -db_name "server.example.com-pki-ca2" \
            -key_size 2048 \
            -key_type rsa \
            -key_algorithm SHA512withRSA \
            -token_name internal \
            -token_pwd 242986083911 \
            -save_p12 true \
            -backup_pwd password \
            -backup_fname /export/backup.p12 \
            -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
            -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
            -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
            -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
            -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" \
            -external true \
            -ext_csr_file /tmp/cert.req
  2. The certificate requests in the -ext_csr_file file are submitted to the external CA. The issued certificates are retrieved and saved to one file, and the certificate chain of the issuing CA is saved to a second file.
  3. The newly issued subsystem certificates are installed in the instance by referencing the saved certificate file in the -ext_cert_file parameter and the issuing CA's certificate chain in the -ext_cert_chain_file parameter.
    For example (the options are shown one per line with shell continuation characters; without them, all options go on a single line):
     pkisilent ConfigureCA \
            -cs_hostname server.example.com \
            -cs_port 9445 \
            -subsystem_name "pki-ca2" \
            -client_certdb_dir /tmp/ \
            -client_certdb_pwd password \
            -preop_pin sYY8er834FG9793fsef7et5 \
            -domain_name "testca" \
            -admin_user admin \
            -admin_password secret \
            -admin_email "admin@example.com" \
            -agent_name jsmith \
            -agent_key_size 2048 \
            -agent_key_type rsa \
            -agent_cert_subject "cn=ca\ agent\ cert" \
            -ldap_host ldapserver.example.com \
            -ldap_port 389 \
            -secure_conn false \
            -remove_data true \
            -bind_dn "cn=directory\ manager" \
            -bind_password password \
            -base_dn "o=pki-ca2" \
            -db_name "server.example.com-pki-ca2" \
            -key_size 2048 \
            -key_type rsa \
            -key_algorithm SHA512withRSA \
            -token_name internal \
            -token_pwd 242986083911 \
            -save_p12 true \
            -backup_pwd password \
            -backup_fname /export/backup.p12 \
            -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
            -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
            -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
            -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
            -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" \
            -external true \
            -ext_cert_file /tmp/cert.cer \
            -ext_cert_chain_file /tmp/cachain.cer
    This second invocation also performs the final configuration of the instance, including creating the administrator user given in the -admin_user, -admin_password, and -admin_email options.

    NOTE

    All of the parameters from the first invocation must be repeated, with the same values, the second time that pkisilent is invoked; only the -admin_* options and the -ext_cert_file and -ext_cert_chain_file options are new.
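The three steps above driven from one script, as an added example that is not part of the Certificate System documentation or of pkisilent itself. It keeps the options both invocations must share in a single list, so the second run cannot drift from the first; it reads the preop PIN and the passwords from environment variables instead of the command line in the script file (pkisilent still receives them as arguments); and, before step 3, it checks the certificate returned by the external CA against the request written in step 1 and against the chain file. The names PKISILENT, CSR_FILE, CERT_FILE, CHAIN_FILE, check_issued_ca_cert, run_step, the environment variable names and the file name ext-ca.sh are this example's own. The openssl checks assume one request in the CSR file and one certificate, the CA signing certificate, in the certificate file; that is an assumption, to be adapted if your external CA returns several certificates in one file.

```shell
#!/bin/bash
# Added example, not part of the Certificate System documentation or of pkisilent.
# Both ConfigureCA runs take their options from one shared list, so the second
# run repeats every parameter of the first, and the certificate the external CA
# returns is checked before it is installed.
# Assumptions: pkisilent is on PATH (override with PKISILENT); the secrets are in
# the environment (PREOP_PIN, CLIENT_CERTDB_PWD, BIND_PASSWORD, TOKEN_PWD,
# BACKUP_PWD, ADMIN_PASSWORD); openssl is available for the checks.
set -euo pipefail

PKISILENT=${PKISILENT:-pkisilent}
CSR_FILE=${CSR_FILE:-/tmp/cert.req}        # written by step 1
CERT_FILE=${CERT_FILE:-/tmp/cert.cer}      # returned by the external CA
CHAIN_FILE=${CHAIN_FILE:-/tmp/cachain.cer} # chain of the external CA

# Options both invocations must carry, printed one per line (values as on the
# page). pkisilent still receives the secrets as arguments, so they show up in
# process listings; the environment only keeps them out of this file.
# -secure_conn false sends the bind password in clear text over port 389.
common_opts() {
  printf '%s\n' \
    -cs_hostname server.example.com -cs_port 9445 -subsystem_name pki-ca2 \
    -client_certdb_dir /tmp/ -client_certdb_pwd "${CLIENT_CERTDB_PWD:-}" \
    -preop_pin "${PREOP_PIN:-}" -domain_name testca \
    -agent_name jsmith -agent_key_size 2048 -agent_key_type rsa \
    -agent_cert_subject "cn=ca\ agent\ cert" \
    -ldap_host ldapserver.example.com -ldap_port 389 \
    -secure_conn false -remove_data true \
    -bind_dn "cn=directory\ manager" -bind_password "${BIND_PASSWORD:-}" \
    -base_dn o=pki-ca2 -db_name server.example.com-pki-ca2 \
    -key_size 2048 -key_type rsa -key_algorithm SHA512withRSA \
    -token_name internal -token_pwd "${TOKEN_PWD:-}" \
    -save_p12 true -backup_pwd "${BACKUP_PWD:-}" -backup_fname /export/backup.p12 \
    -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
    -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
    -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
    -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
    -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" \
    -external true
}

step1_args() { common_opts; printf '%s\n' -ext_csr_file "$CSR_FILE"; }

step2_args() {
  common_opts
  printf '%s\n' -admin_user admin -admin_password "${ADMIN_PASSWORD:-}" \
    -admin_email admin@example.com \
    -ext_cert_file "$CERT_FILE" -ext_cert_chain_file "$CHAIN_FILE"
}

# run_step 1|2: execute pkisilent ConfigureCA with that step's argument list.
run_step() {
  local -a args
  mapfile -t args < <("step${1}_args")
  "$PKISILENT" ConfigureCA "${args[@]}"
}

# Check the certificate the external CA returned ($2) against the request from
# step 1 ($1) and against the chain that will be installed with it ($3).
# Assumes one request in $1 and one certificate (the CA signing cert) in $2.
check_issued_ca_cert() {
  local csr=$1 cert=$2 chain=$3 rc=0 want have
  # 1. Same public key as the request: the cert belongs to the key pkisilent generated.
  if [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" != \
       "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]; then
    echo "public key in $cert does not match $csr" >&2; rc=1
  fi
  # 2. The CA kept the subject that -ca_sign_cert_subject_name configured.
  want=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//') || want=
  have=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//') || have=
  if [ -z "$want" ] || [ "$want" != "$have" ]; then
    echo "subject mismatch: request '$want', certificate '$have'" >&2; rc=1
  fi
  # 3. It chains to the file that goes into -ext_cert_chain_file.
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "$cert does not verify against $chain" >&2; rc=1
  fi
  # 4. A CA signing certificate must carry basicConstraints CA:TRUE, or nothing
  #    the new CA issues will verify.
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "$cert lacks basicConstraints CA:TRUE" >&2; rc=1
  fi
  return $rc
}

# Stand-alone use: ./ext-ca.sh step1, submit $CSR_FILE to the external CA, save
# its answer as $CERT_FILE and its chain as $CHAIN_FILE, then ./ext-ca.sh step2.
case "${1:-}" in
  step1) run_step 1 ;;
  step2) check_issued_ca_cert "$CSR_FILE" "$CERT_FILE" "$CHAIN_FILE" && run_step 2 ;;
esac
```

step2 refuses to run pkisilent when any of the four checks fails, so a certificate issued for the wrong key, with a rewritten subject, by a CA that is not in the chain file, or without the CA flag is caught before it is installed and the instance is left in a state where its signing certificate would not verify.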