Planning, Installation, and Deployment Guide
I. Planning How to Deploy Red Hat Certificate System
Expand section "I. Planning How to Deploy Red Hat Certificate System" Collapse section "I. Planning How to Deploy Red Hat Certificate System"
1. 1. Introduction to Public-Key Cryptography
  Expand section "1. Introduction to Public-Key Cryptography" Collapse section "1. Introduction to Public-Key Cryptography"
  1. 1.1. Encryption and Decryption
    
    Expand section "1.1. Encryption and Decryption" Collapse section "1.1. Encryption and Decryption"
    
    1.1.1. Symmetric-Key Encryption
    
    1.1.2. Public-Key Encryption
    
    1.1.3. Key Length and Encryption Strength
  2. 1.2. Digital Signatures
  3. 1.3. Certificates and Authentication
    
    Expand section "1.3. Certificates and Authentication" Collapse section "1.3. Certificates and Authentication"
    
    1.3.1. A Certificate Identifies Someone or Something
    
    1.3.2. Authentication Confirms an Identity
    
    Expand section "1.3.2. Authentication Confirms an Identity" Collapse section "1.3.2. Authentication Confirms an Identity"
    
    1.3.2.1. Password-Based Authentication
    
    1.3.2.2. Certificate-Based Authentication
    
    1.3.3. Uses for Certificates
    
    Expand section "1.3.3. Uses for Certificates" Collapse section "1.3.3. Uses for Certificates"
    
    1.3.3.1. SSL/TLS
    
    1.3.3.2. Signed and Encrypted Email
    
    1.3.3.3. Single Sign-on
    
    1.3.3.4. Object Signing
    
    1.3.4. Types of Certificates
    
    Expand section "1.3.4. Types of Certificates" Collapse section "1.3.4. Types of Certificates"
    
    1.3.4.1. CA Signing Certificates
    
    1.3.4.2. Other Signing Certificates
    
    1.3.4.3. SSL/TLS Server and Client Certificates
    
    1.3.4.4. User Certificates
    
    1.3.4.5. Dual-Key Pairs
    
    1.3.4.6. Cross-Pair Certificates
    
    1.3.5. Contents of a Certificate
    
    Expand section "1.3.5. Contents of a Certificate" Collapse section "1.3.5. Contents of a Certificate"
    
    1.3.5.1. Certificate Data Formats
    
    Expand section "1.3.5.1. Certificate Data Formats" Collapse section "1.3.5.1. Certificate Data Formats"
    
    1.3.5.1.1. Binary
    
    1.3.5.1.2. Text
    
    1.3.5.2. Distinguished Names
    
    1.3.5.3. A Typical Certificate
    
    1.3.6. How CA Certificates Establish Trust
    
    Expand section "1.3.6. How CA Certificates Establish Trust" Collapse section "1.3.6. How CA Certificates Establish Trust"
    
    1.3.6.1. CA Hierarchies
    
    1.3.6.2. Certificate Chains
    
    1.3.6.3. Verifying a Certificate Chain
    
    1.3.7. Certificate Status
  4. 1.4. Certificate Life Cycle
    
    Expand section "1.4. Certificate Life Cycle" Collapse section "1.4. Certificate Life Cycle"
    
    1.4.1. Certificate Issuance
    
    1.4.2. Certificate Expiration and Renewal
  5. 1.5. Key Management
2. 2. Introduction to Red Hat Certificate System
  Expand section "2. Introduction to Red Hat Certificate System" Collapse section "2. Introduction to Red Hat Certificate System"
  1. 2.1. A Review of Certificate System Subsystems
  2. 2.2. Overview of Certificate System Subsystems
    
    Expand section "2.2. Overview of Certificate System Subsystems" Collapse section "2.2. Overview of Certificate System Subsystems"
    
    2.2.1. Separate versus Shared Instances
    
    2.2.2. Instance Installation Prerequisites
    
    Expand section "2.2.2. Instance Installation Prerequisites" Collapse section "2.2.2. Instance Installation Prerequisites"
    
    2.2.2.1. Directory Server Instance Availability
    
    2.2.2.2. PKI Packages
    
    2.2.2.3. Instance Installation and Configuration
    
    2.2.2.4. Instance Removal
    
    2.2.3. Execution Management (systemctl)
    
    Expand section "2.2.3. Execution Management (systemctl)" Collapse section "2.2.3. Execution Management (systemctl)"
    
    2.2.3.1. Starting, Stopping, Restarting, and Obtaining Status
    
    2.2.3.2. Starting the Instance Automatically
    
    2.2.4. Process Management (pki-server and pkidaemon)
    
    Expand section "2.2.4. Process Management (pki-server and pkidaemon)" Collapse section "2.2.4. Process Management (pki-server and pkidaemon)"
    
    2.2.4.1. The pki-server Command Line Tool
    
    2.2.4.2. Enabling and Disabling an Installed Subsystem Using pki-server
    
    2.2.4.3. The pkidaemon Command Line Tool
    
    2.2.4.4. Finding the Subsystem Web Services URLs
    
    2.2.4.5. Starting the Certificate System Console
  3. 2.3. Certificate System Architecture Overview
    
    Expand section "2.3. Certificate System Architecture Overview" Collapse section "2.3. Certificate System Architecture Overview"
    
    2.3.1. Java Application Server
    
    2.3.2. Java Security Manager
    
    2.3.3. Interfaces
    
    Expand section "2.3.3. Interfaces" Collapse section "2.3.3. Interfaces"
    
    2.3.3.1. Servlet Interface
    
    2.3.3.2. Administrative Interface
    
    2.3.3.3. End-Entity Interface
    
    2.3.3.4. Operator Interface
    
    2.3.4. REST Interface
    
    2.3.5. JSS
    
    2.3.6. Tomcatjss
    
    2.3.7. PKCS #11
    
    Expand section "2.3.7. PKCS #11" Collapse section "2.3.7. PKCS #11"
    
    2.3.7.1. NSS Soft Token (internal token)
    
    2.3.7.2. Hardware Security Module (HSM, external token)
    
    2.3.8. Certificate System Serial Number Management
    
    Expand section "2.3.8. Certificate System Serial Number Management" Collapse section "2.3.8. Certificate System Serial Number Management"
    
    2.3.8.1. Serial Number Ranges
    
    2.3.8.2. Random Serial Number Management
    
    2.3.9. Security Domain
    
    2.3.10. Passwords and Watchdog (nuxwdog)
    
    2.3.11. Internal LDAP Database
    
    2.3.12. Security-Enhanced Linux (SELinux)
    
    2.3.13. Self-tests
    
    2.3.14. Logs
    
    Expand section "2.3.14. Logs" Collapse section "2.3.14. Logs"
    
    2.3.14.1. Audit Log
    
    2.3.14.2. System Log
    
    2.3.14.3. Transactions Log
    
    2.3.14.4. Debug Logs
    
    2.3.14.5. Installation Logs
    
    2.3.14.6. Tomcat Error and Access Logs
    
    2.3.14.7. Self-Tests Log
    
    2.3.14.8. journalctl Logs
    
    2.3.15. Instance Layout
    
    Expand section "2.3.15. Instance Layout" Collapse section "2.3.15. Instance Layout"
    
    2.3.15.1. File and Directory Locations for Certificate System
    
    2.3.15.2. CA Subsystem Information
    
    2.3.15.3. KRA Subsystem Information
    
    2.3.15.4. OCSP Subsystem Information
    
    2.3.15.5. TKS Subsystem Information
    
    2.3.15.6. TPS Subsystem Information
    
    2.3.15.7. Shared Certificate System Subsystem File Locations
  4. 2.4. PKI with Certificate System
    
    Expand section "2.4. PKI with Certificate System" Collapse section "2.4. PKI with Certificate System"
    
    2.4.1. Issuing Certificates
    
    Expand section "2.4.1. Issuing Certificates" Collapse section "2.4.1. Issuing Certificates"
    
    2.4.1.1. The Enrollment Process
    
    Expand section "2.4.1.1. The Enrollment Process" Collapse section "2.4.1.1. The Enrollment Process"
    
    2.4.1.1.1. Enrollment Using the User Interface
    
    2.4.1.1.2. Enrollment Using the Command Line
    
    Expand section "2.4.1.1.2. Enrollment Using the Command Line" Collapse section "2.4.1.1.2. Enrollment Using the Command Line"
    
    2.4.1.1.2.1. Enrolling Using the pki Utility
    
    2.4.1.1.2.2. Enrolling with CMC
    
    Expand section "2.4.1.1.2.2. Enrolling with CMC" Collapse section "2.4.1.1.2.2. Enrolling with CMC"
    
    2.4.1.1.2.2.1. CMC Enrollment without POP
    
    2.4.1.1.2.2.2. Signed CMC Requests
    
    2.4.1.1.2.2.3. Unsigned CMC Requests
    
    2.4.1.1.2.2.4. The Shared Secret Workflow
    
    2.4.1.1.2.2.5. Simple CMC Requests
    
    2.4.1.2. Certificate Profiles
    
    2.4.1.3. Authentication for Certificate Enrollment
    
    2.4.1.4. Cross-Pair Certificates
    
    2.4.2. Renewing Certificates
    
    2.4.3. Publishing Certificates and CRLs
    
    2.4.4. Revoking Certificates and Checking Status
    
    Expand section "2.4.4. Revoking Certificates and Checking Status" Collapse section "2.4.4. Revoking Certificates and Checking Status"
    
    2.4.4.1. Revoking Certificates
    
    2.4.4.2. Certificate Status
    
    Expand section "2.4.4.2. Certificate Status" Collapse section "2.4.4.2. Certificate Status"
    
    2.4.4.2.1. CRLs
    
    2.4.4.2.2. OCSP Services
    
    Expand section "2.4.4.2.2. OCSP Services" Collapse section "2.4.4.2.2. OCSP Services"
    
    2.4.4.2.2.1. OCSP Response Signing
    
    2.4.4.2.2.2. OCSP Responses
    
    2.4.4.2.2.3. OCSP Services
    
    2.4.5. Archiving, Recovering, and Rotating Keys
    
    Expand section "2.4.5. Archiving, Recovering, and Rotating Keys" Collapse section "2.4.5. Archiving, Recovering, and Rotating Keys"
    
    2.4.5.1. Archiving Keys
    
    2.4.5.2. Recovering Keys
    
    2.4.5.3. KRA Transport Key Rotation
  5. 2.5. Smart Card Token Management with Certificate System
    
    Expand section "2.5. Smart Card Token Management with Certificate System" Collapse section "2.5. Smart Card Token Management with Certificate System"
    
    2.5.1. Token Key Service (TKS)
    
    Expand section "2.5.1. Token Key Service (TKS)" Collapse section "2.5.1. Token Key Service (TKS)"
    
    2.5.1.1. Master Keys and Key Sets
    
    2.5.1.2. Key Ceremony (Shared Key Transport)
    
    2.5.1.3. Key Update (Key Changeover)
    
    2.5.1.4. APDUs and Secure Channels
    
    2.5.2. Token Processing System (TPS)
    
    Expand section "2.5.2. Token Processing System (TPS)" Collapse section "2.5.2. Token Processing System (TPS)"
    
    2.5.2.1. Coolkey Applet
    
    2.5.2.2. Token Operations
    
    2.5.2.3. TPS Profiles
    
    2.5.2.4. Token Database
    
    Expand section "2.5.2.4. Token Database" Collapse section "2.5.2.4. Token Database"
    
    2.5.2.4.1. Token States and Transitions
    
    Expand section "2.5.2.4.1. Token States and Transitions" Collapse section "2.5.2.4.1. Token States and Transitions"
    
    2.5.2.4.1.1. Token States
    
    2.5.2.4.1.2. Token State Transitions Done Using the Graphical or Command Line Interface
    
    Expand section "2.5.2.4.1.2. Token State Transitions Done Using the Graphical or Command Line Interface" Collapse section "2.5.2.4.1.2. Token State Transitions Done Using the Graphical or Command Line Interface"
    
    2.5.2.4.1.2.1. Token State Transitions Using the Command Line or Graphical Interface
    
    2.5.2.4.1.3. Token State Transitions using Token Operations
    
    2.5.2.4.1.4. Token State and Transition Labels
    
    2.5.2.4.1.5. Customizing Allowed Token State Transitions
    
    2.5.2.4.1.6. Customizing Token State and Transition Labels
    
    2.5.2.4.1.7. Token Activity Log
    
    2.5.2.4.2. Token Policies
    
    2.5.2.5. Mapping Resolver
    
    2.5.2.6. TPS Roles
    
    2.5.3. TKS/TPS Shared Secret
    
    2.5.4. Enterprise Security Client (ESC)
  6. 2.6. Red Hat Certificate System Services
    
    Expand section "2.6. Red Hat Certificate System Services" Collapse section "2.6. Red Hat Certificate System Services"
    
    2.6.1. Notifications
    
    2.6.2. Jobs
    
    2.6.3. Logging
    
    2.6.4. Auditing
    
    2.6.5. Self-Tests
    
    2.6.6. Users, Authorization, and Access Controls
    
    Expand section "2.6.6. Users, Authorization, and Access Controls" Collapse section "2.6.6. Users, Authorization, and Access Controls"
    
    2.6.6.1. Default Administrative Roles
    
    2.6.6.2. Built-in Subsystem Trust Roles
  7. 2.7. About Cloning
    
    Expand section "2.7. About Cloning" Collapse section "2.7. About Cloning"
    
    2.7.1. Cloning for CAs
    
    2.7.2. Cloning for KRAs
    
    2.7.3. Cloning for Other Subsystems
    
    2.7.4. Cloning and Key Stores
    
    2.7.5. LDAP and Port Considerations
    
    2.7.6. Replica ID Numbers
    
    2.7.7. Custom Configuration and Clones
3. 3. Supported Standards and Protocols
  Expand section "3. Supported Standards and Protocols" Collapse section "3. Supported Standards and Protocols"
  1. 3.1. TLS, ECC, and RSA
    
    Expand section "3.1. TLS, ECC, and RSA" Collapse section "3.1. TLS, ECC, and RSA"
    
    3.1.1. Supported Cipher Suites
    
    Expand section "3.1.1. Supported Cipher Suites" Collapse section "3.1.1. Supported Cipher Suites"
    
    3.1.1.1. Recommended TLS Cipher Suites
  2. 3.2. Allowed Key Algorithms and Their Sizes
  3. 3.3. Allowed Hash Functions
  4. 3.4. IPv4 and IPv6 Addresses
  5. 3.5. Supported PKIX Formats and Protocols
4. 4. Supported Platforms
  Expand section "4. Supported Platforms" Collapse section "4. Supported Platforms"
5. 5. Planning the Certificate System
  Expand section "5. Planning the Certificate System" Collapse section "5. Planning the Certificate System"
  1. 5.1. Deciding on the Required Subsystems
    
    Expand section "5.1. Deciding on the Required Subsystems" Collapse section "5.1. Deciding on the Required Subsystems"
    
    5.1.1. Using a Single Certificate Manager
    
    5.1.2. Planning for Lost Keys: Key Archival and Recovery
    
    5.1.3. Balancing Certificate Request Processing
    
    5.1.4. Balancing Client OCSP Requests
    
    5.1.5. Using Smart Cards
  2. 5.2. Defining the Certificate Authority Hierarchy
    
    Expand section "5.2. Defining the Certificate Authority Hierarchy" Collapse section "5.2. Defining the Certificate Authority Hierarchy"
    
    5.2.1. Subordination to a Public CA
    
    5.2.2. Subordination to a Certificate System CA
    
    5.2.3. Linked CA
    
    5.2.4. CA Cloning
  3. 5.3. Planning Security Domains
  4. 5.4. Determining the Requirements for Subsystem Certificates
    
    Expand section "5.4. Determining the Requirements for Subsystem Certificates" Collapse section "5.4. Determining the Requirements for Subsystem Certificates"
    
    5.4.1. Determining Which Certificates to Install
    
    5.4.2. Planning the CA Distinguished Name
    
    5.4.3. Setting the CA Signing Certificate Validity Period
    
    5.4.4. Choosing the Signing Key Type and Length
    
    5.4.5. Using Certificate Extensions
    
    Expand section "5.4.5. Using Certificate Extensions" Collapse section "5.4.5. Using Certificate Extensions"
    
    5.4.5.1. Structure of Certificate Extensions
    
    5.4.6. Using and Customizing Certificate Profiles
    
    Expand section "5.4.6. Using and Customizing Certificate Profiles" Collapse section "5.4.6. Using and Customizing Certificate Profiles"
    
    5.4.6.1. Adding SAN Extensions to the SSL Server Certificate
    
    5.4.7. Planning Authentication Methods
    
    5.4.8. Publishing Certificates and CRLs
    
    5.4.9. Renewing or Reissuing CA Signing Certificates
  5. 5.5. Planning for Network and Physical Security
    
    Expand section "5.5. Planning for Network and Physical Security" Collapse section "5.5. Planning for Network and Physical Security"
    
    5.5.1. Considering Firewalls
    
    5.5.2. Considering Physical Security and Location
    
    5.5.3. Planning Ports
  6. 5.6. Tokens for Storing Certificate System Subsystem Keys and Certificates
  7. 5.7. A Checklist for Planning the PKI
  8. 5.8. Optional Third-party Services
    
    Expand section "5.8. Optional Third-party Services" Collapse section "5.8. Optional Third-party Services"
    
    5.8.1. Load Balancers
    
    5.8.2. Backup Hardware and Software
II. Installing Red Hat Certificate System
Expand section "II. Installing Red Hat Certificate System" Collapse section "II. Installing Red Hat Certificate System"
1. 6. Prerequisites and Preparation for Installation
  Expand section "6. Prerequisites and Preparation for Installation" Collapse section "6. Prerequisites and Preparation for Installation"
  1. 6.1. Installing Red Hat Enterprise Linux
  2. 6.2. Securing the System Using SELinux
    
    Expand section "6.2. Securing the System Using SELinux" Collapse section "6.2. Securing the System Using SELinux"
    
    6.2.1. Verifying if SELinux is Running in Enforcing Mode
  3. 6.3. Firewall Configuration
    
    Expand section "6.3. Firewall Configuration" Collapse section "6.3. Firewall Configuration"
    
    6.3.1. Opening the Required Ports in the Firewall
  4. 6.4. Hardware Security Module
    
    Expand section "6.4. Hardware Security Module" Collapse section "6.4. Hardware Security Module"
    
    6.4.1. Setting up SELinux for an HSM
    
    6.4.2. Enabling FIPS Mode on an HSM
    
    6.4.3. Verifying if FIPS Mode is Enabled on an HSM
    
    Expand section "6.4.3. Verifying if FIPS Mode is Enabled on an HSM" Collapse section "6.4.3. Verifying if FIPS Mode is Enabled on an HSM"
    
    6.4.3.1. Verifying if FIPS Mode is Enabled on an nCipher HSM
    
    6.4.3.2. Verifying if FIPS Mode is Enabled on a Luna SA HSM
    
    6.4.4. Preparing for Installing Certificate System with an HSM
    
    Expand section "6.4.4. Preparing for Installing Certificate System with an HSM" Collapse section "6.4.4. Preparing for Installing Certificate System with an HSM"
    
    6.4.4.1. nCipher HSM Parameters
    
    6.4.4.2. SafeNet / Luna SA HSM Parameters
    
    6.4.5. Backing up Keys on Hardware Security Modules
  5. 6.5. Installing Red Hat Directory Server
    
    Expand section "6.5. Installing Red Hat Directory Server" Collapse section "6.5. Installing Red Hat Directory Server"
    
    6.5.1. Preparing a Directory Server Instance for Certificate System
    
    6.5.2. Enabling TLS Support in Directory Server
    
    Expand section "6.5.2. Enabling TLS Support in Directory Server" Collapse section "6.5.2. Enabling TLS Support in Directory Server"
    
    6.5.2.1. How to Enable LDAPS for new Red Hat Certificate System Subsystems Using Examples Values
    
    6.5.3. Preparing for Configuring Certificate System
  6. 6.6. Replacing a Temporary Self-Signed Certificate in Directory Server (CA)
  7. 6.7. Enabling TLS Client Authentication for the Internal LDAP Server
  8. 6.8. Attaching a Red Hat Subscription and Enabling the Certificate System Package Repository
  9. 6.9. Certificate System Operating System Users and Groups
2. 7. Installing and Configuring Certificate System
  Expand section "7. Installing and Configuring Certificate System" Collapse section "7. Installing and Configuring Certificate System"
  1. 7.1. Subsystem Configuration Order
  2. 7.2. Certificate System Packages
    
    Expand section "7.2. Certificate System Packages" Collapse section "7.2. Certificate System Packages"
    
    7.2.1. Installing Certificate System Packages
    
    7.2.2. Updating Certificate System Packages
    
    7.2.3. Determining Certificate System Product Version
  3. 7.3. Understanding the pkispawn Utility
  4. 7.4. Setting Up a Root Certificate Authority
  5. 7.5. Post-Installation
  6. 7.6. Setting up Additional Subsystems
  7. 7.7. Two-step Installation
    
    Expand section "7.7. Two-step Installation" Collapse section "7.7. Two-step Installation"
    
    7.7.1. When to Use the Two-Step Installation
    
    7.7.2. The Two Major Parts of the Two-step Installation
    
    7.7.3. Creating the Configuration File for the First Step of the Installation
    
    7.7.4. Starting the Installation Step
    
    7.7.5. Customizing the Configuration Between the Installation Steps
    
    Expand section "7.7.5. Customizing the Configuration Between the Installation Steps" Collapse section "7.7.5. Customizing the Configuration Between the Installation Steps"
    
    7.7.5.1. Configuring Certificate Profiles
    
    7.7.5.2. Enabling Signed Audit Logging
    
    7.7.5.3. Updating the Ciphers List
    
    7.7.5.4. Configuring the PKI Console Timeout
    
    7.7.5.5. Setting the KRA into Encryption Mode
    
    7.7.5.6. Enabling OCSP
    
    7.7.5.7. Configuring Ranges for Requests and Serial Numbers
    
    7.7.6. Starting the Configuration Step
    
    7.7.7. Post-Installation
  8. 7.8. Setting up Subsystems with an External CA
    
    Expand section "7.8. Setting up Subsystems with an External CA" Collapse section "7.8. Setting up Subsystems with an External CA"
    
    7.8.1. The Difference Between an Internal and External CA
    
    7.8.2. Installing a Subsystem with an External CA
    
    7.8.3. Post-Installation
  9. 7.9. Setting up a Standalone KRA or OCSP
  10. 7.10. Post-installation Tasks
    
    Expand section "7.10. Post-installation Tasks" Collapse section "7.10. Post-installation Tasks"
    
    7.10.1. Setting Date/Time for RHCS
    
    7.10.2. Replacing the Temporary Certificate
    
    7.10.3. Enabling TLS Client Authentication
    
    7.10.4. Configuring Session Timeout
    
    7.10.5. CRL or Certificate Publishing
    
    7.10.6. Configuring Certificate Enrollment Profiles (CA)
    
    7.10.7. Enabling Access Banner
    
    7.10.8. Enabling the Watchdog Service
    
    7.10.9. Configuration for CMC Enrollment and Revocation (CA)
    
    7.10.10. TLS client-authentication for the Java Console
    
    7.10.11. Creating a Role User
    
    7.10.12. Removing the Bootstrap User
    
    7.10.13. Disabling Multi-role Support
    
    7.10.14. KRA Configurations
    
    Expand section "7.10.14. KRA Configurations" Collapse section "7.10.14. KRA Configurations"
    
    7.10.14.1. Adding Requirement for Multiple Agent Approval for Key Recovery Authority (KRA)
    
    7.10.14.2. Configuring KRA Encryption Settings
    
    7.10.15. Setting up Users to use User Interfaces
3. 8. Using Hardware Security Modules for Subsystem Security Databases
  Expand section "8. Using Hardware Security Modules for Subsystem Security Databases" Collapse section "8. Using Hardware Security Modules for Subsystem Security Databases"
  1. 8.1. Installing Certificate System with an HSM
  2. 8.2. Using Hardware Security Modules with Subsystems
    
    Expand section "8.2. Using Hardware Security Modules with Subsystems" Collapse section "8.2. Using Hardware Security Modules with Subsystems"
    
    8.2.1. Enabling the FIPS Mode on an HSM
    
    8.2.2. Verifying if FIPS Mode is Enabled on an HSM
    
    Expand section "8.2.2. Verifying if FIPS Mode is Enabled on an HSM" Collapse section "8.2.2. Verifying if FIPS Mode is Enabled on an HSM"
    
    8.2.2.1. Verifying if FIPS Mode is Enabled on an nCipher HSM
    
    8.2.2.2. Verifying if FIPS Mode is Enabled on a Luna SA HSM
    
    8.2.3. Adding or Managing the HSM Entry for a Subsystem
    
    8.2.4. Setting up SELinux for an HSM
    
    8.2.5. Installing a Subsystem Using nCipher nShield HSM
    
    8.2.6. Installing a Subsystem Using Gemalto Safenet LunaSA HSM
  3. 8.3. Backing up Keys on Hardware Security Modules
  4. 8.4. Installing a Clone Subsystem Using an HSM
  5. 8.5. Viewing Tokens
  6. 8.6. Detecting Tokens
  7. 8.7. Failover and Resilience
    
    Expand section "8.7. Failover and Resilience" Collapse section "8.7. Failover and Resilience"
    
    8.7.1. nCipher nShield HSM
    
    Expand section "8.7.1. nCipher nShield HSM" Collapse section "8.7.1. nCipher nShield HSM"
    
    8.7.1.1. Failover
    
    8.7.1.2. Resilience
    
    8.7.2. Gemalto Safenet LunaSA HSM
    
    Expand section "8.7.2. Gemalto Safenet LunaSA HSM" Collapse section "8.7.2. Gemalto Safenet LunaSA HSM"
    
    8.7.2.1. Failover
4. 9. Installing an Instance with ECC System Certificates
  Expand section "9. Installing an Instance with ECC System Certificates" Collapse section "9. Installing an Instance with ECC System Certificates"
  1. 9.1. Loading a Third-Party ECC Module
  2. 9.2. Using ECC with an HSM
5. 10. Cloning Subsystems
  Expand section "10. Cloning Subsystems" Collapse section "10. Cloning Subsystems"
  1. 10.1. Backing up Subsystem Keys from a Software Database
  2. 10.2. Cloning a CA
  3. 10.3. Updating CA-KRA Connector Information After Cloning
  4. 10.4. Cloning OCSP Subsystems
  5. 10.5. Cloning KRA Subsystems
  6. 10.6. Cloning TKS Subsystems
  7. 10.7. Converting Masters and Clones
    
    Expand section "10.7. Converting Masters and Clones" Collapse section "10.7. Converting Masters and Clones"
    
    10.7.1. Converting CA Clones and Masters
    
    10.7.2. Converting OCSP Clones
  8. 10.8. Cloning a CA That Has Been Re-Keyed
6. 11. Setting up PKI ACME Responder
  Expand section "11. Setting up PKI ACME Responder" Collapse section "11. Setting up PKI ACME Responder"
  1. 11.1. Installing PKI ACME Responder
  2. 11.2. Configuring an ACME Database
    
    Expand section "11.2. Configuring an ACME Database" Collapse section "11.2. Configuring an ACME Database"
    
    11.2.1. Configuring a DS Database
  3. 11.3. Configuring ACME Issuer
    
    Expand section "11.3. Configuring ACME Issuer" Collapse section "11.3. Configuring ACME Issuer"
    
    11.3.1. Configuring PKI Issuer
  4. 11.4. Configuring ACME Realm
    
    Expand section "11.4. Configuring ACME Realm" Collapse section "11.4. Configuring ACME Realm"
    
    11.4.1. Configuring DS Realm
  5. 11.5. Deploying ACME Responder
7. 12. Additional Installation Options
  Expand section "12. Additional Installation Options" Collapse section "12. Additional Installation Options"
  1. 12.1. Lightweight Sub-CAs
    
    Expand section "12.1. Lightweight Sub-CAs" Collapse section "12.1. Lightweight Sub-CAs"
    
    12.1.1. Setting up a Lightweight Sub-CA
    
    12.1.2. Disabling the Creation of Lightweight Sub-CAs
    
    12.1.3. Re-enabling the Creation of Lightweight Sub-CAs
  2. 12.2. Enabling IPv6 for a Subsystem
  3. 12.3. Enabling LDAP-based Enrollment Profiles
  4. 12.4. Customizing TLS Ciphers
8. 13. Troubleshooting Installation and Cloning
III. Configuring Certificate System
Expand section "III. Configuring Certificate System" Collapse section "III. Configuring Certificate System"
1. 14. The Certificate System Configuration Files
  Expand section "14. The Certificate System Configuration Files" Collapse section "14. The Certificate System Configuration Files"
  1. 14.1. File and Directory Locations for Certificate System Subsystems
    
    Expand section "14.1. File and Directory Locations for Certificate System Subsystems" Collapse section "14.1. File and Directory Locations for Certificate System Subsystems"
    
    14.1.1. Instance-specific Information
    
    14.1.2. CA Subsystem Information
    
    14.1.3. KRA Subsystem Information
    
    14.1.4. OCSP Subsystem Information
    
    14.1.5. TKS Subsystem Information
    
    14.1.6. TPS Subsystem Information
    
    14.1.7. Shared Certificate System Subsystem File Locations
  2. 14.2. CS.cfg Files
    
    Expand section "14.2. CS.cfg Files" Collapse section "14.2. CS.cfg Files"
    
    14.2.1. Locating the CS.cfg File
    
    14.2.2. Editing the Configuration File
    
    14.2.3. Overview of the CS.cfg Configuration File
    
    Expand section "14.2.3. Overview of the CS.cfg Configuration File" Collapse section "14.2.3. Overview of the CS.cfg Configuration File"
    
    14.2.3.1. Basic Subsystem Settings
    
    14.2.3.2. Logging Settings
    
    14.2.3.3. Authentication and Authorization Settings
    
    14.2.3.4. Subsystem Certificate Settings
    
    14.2.3.5. Settings for Required Subsystems
    
    14.2.3.6. Database Settings
    
    14.2.3.7. Enabling and Configuring a Publishing Queue
    
    Expand section "14.2.3.7. Enabling and Configuring a Publishing Queue" Collapse section "14.2.3.7. Enabling and Configuring a Publishing Queue"
    
    14.2.3.7.1. Enabling and Configuring a Publishing Queue by editing the CS.cfg file
    
    14.2.3.8. Settings for PKI Tasks
    
    14.2.3.9. Changing DN Attributes in CA-Issued Certificates
    
    Expand section "14.2.3.9. Changing DN Attributes in CA-Issued Certificates" Collapse section "14.2.3.9. Changing DN Attributes in CA-Issued Certificates"
    
    14.2.3.9.1. Adding New or Custom Attributes
    
    14.2.3.9.2. Changing the DER-Encoding Order
    
    14.2.3.10. Setting a CA to Use a Different Certificate to Sign CRLs
    
    14.2.3.11. Configuring CRL Generation from Cache in CS.cfg
    
    14.2.3.12. Configuring Update Intervals for CRLs in CS.cfg
    
    14.2.3.13. Changing the Access Control Settings for the Subsystem
    
    14.2.3.14. Configuring Ranges for Requests and Serial Numbers
    
    14.2.3.15. Setting Requirement for pkiconsole to use TLS Client Certificate Authentication
  3. 14.3. Managing System Passwords
    
    Expand section "14.3. Managing System Passwords" Collapse section "14.3. Managing System Passwords"
    
    14.3.1. Configuring the password.conf File
    
    14.3.2. Using the Certificate System Watchdog Service
    
    Expand section "14.3.2. Using the Certificate System Watchdog Service" Collapse section "14.3.2. Using the Certificate System Watchdog Service"
    
    14.3.2.1. Enabling the Watchdog Service
    
    14.3.2.2. Starting and Stopping Certificate System with the Watchdog Enabled
    
    14.3.2.3. Verifying That the Certificate System Watchdog Service is Enabled
    
    14.3.2.4. Disabling the Watchdog Service
  4. 14.4. Configuration Files for the Tomcat Engine and Web Services
    
    Expand section "14.4. Configuration Files for the Tomcat Engine and Web Services" Collapse section "14.4. Configuration Files for the Tomcat Engine and Web Services"
    
    14.4.1. Tomcatjss
    
    Expand section "14.4.1. Tomcatjss" Collapse section "14.4.1. Tomcatjss"
    
    14.4.1.1. TLS Cipher Configuration
    
    Expand section "14.4.1.1. TLS Cipher Configuration" Collapse section "14.4.1.1. TLS Cipher Configuration"
    
    14.4.1.1.1. Client TLS cipher Configuration
    
    14.4.1.2. Enabling Automatic Revocation Checking on the CA
    
    14.4.1.3. Enabling Certificate Revocation Checking for Subsystems
    
    14.4.1.4. Adding an AIA Extension to an Enrollment Profile
    
    14.4.2. Session Timeout
    
    Expand section "14.4.2. Session Timeout" Collapse section "14.4.2. Session Timeout"
    
    14.4.2.1. TLS Session Timeout
    
    14.4.2.2. HTTP Session Timeout
    
    14.4.2.3. Session Timeout for PKI Web UI
    
    14.4.2.4. Session Timeout for PKI Console
    
    14.4.2.5. Session Timeout for PKI CLI
  5. 14.5. web.xml
    
    Expand section "14.5. web.xml" Collapse section "14.5. web.xml"
    
    14.5.1. Removing Unused Interfaces from web.xml (CA Only)
  6. 14.6. Customizing Web Services
    
    Expand section "14.6. Customizing Web Services" Collapse section "14.6. Customizing Web Services"
    
    14.6.1. Customizing Subsystem Web Applications
    
    14.6.2. Customizing the Web UI Theme
    
    14.6.3. Customizing TPS Token State Labels
  7. 14.7. Using an Access Banner
    
    Expand section "14.7. Using an Access Banner" Collapse section "14.7. Using an Access Banner"
    
    14.7.1. Enabling an Access Banner
    
    14.7.2. Disabling an Access Banner
    
    14.7.3. Displaying the Banner
    
    14.7.4. Validating the Banner
  8. 14.8. Configuration for CMC
    
    Expand section "14.8. Configuration for CMC" Collapse section "14.8. Configuration for CMC"
    
    14.8.1. Understanding How CMC Works
    
    14.8.2. Enabling the PopLinkWittnessV2 Feature
    
    14.8.3. Enabling the CMC Shared Secret Feature
    
    14.8.4. Enabling CMCRevoke for the Web User Interface
  9. 14.9. Configuration for Server-Side Key Generation for Certificate Enrollment using the CA EE Portal
    
    Expand section "14.9. Configuration for Server-Side Key Generation for Certificate Enrollment using the CA EE Portal" Collapse section "14.9. Configuration for Server-Side Key Generation for Certificate Enrollment using the CA EE Portal"
    
    14.9.1. Installation Configuration
    
    14.9.2. Profile Configuration
  10. 14.10. Configuring Certificate Transparency
    
    Expand section "14.10. Configuring Certificate Transparency" Collapse section "14.10. Configuring Certificate Transparency"
    
    14.10.1. ca.certTransparency.mode
    
    14.10.2. ca.certTransparency.log.num
    
    14.10.3. ca.certTransparency.log.<id>.*
2. 15. Managing Certificate/Key Crypto Token
  Expand section "15. Managing Certificate/Key Crypto Token" Collapse section "15. Managing Certificate/Key Crypto Token"
  1. 15.1. About certutil and PKICertImport
    
    Expand section "15.1. About certutil and PKICertImport" Collapse section "15.1. About certutil and PKICertImport"
    
    15.1.1. certutil Basic Usage
    
    15.1.2. PKICertImport Basic Usage
    
    15.1.3. certutil Common Commands
    
    15.1.4. Common certutil and PKICertImport Options
  2. 15.2. Importing a Root Certificate
  3. 15.3. Importing an Intermediate Certificate Chain
  4. 15.4. Importing a certificate into an HSM
  5. 15.5. Importing a certificate into an NSS Database
3. 16. Certificate Profiles Configuration
  Expand section "16. Certificate Profiles Configuration" Collapse section "16. Certificate Profiles Configuration"
  1. 16.1. Creating and Editing Certificate Profiles Directly on the File System
    
    Expand section "16.1. Creating and Editing Certificate Profiles Directly on the File System" Collapse section "16.1. Creating and Editing Certificate Profiles Directly on the File System"
    
    16.1.1. Configuring non-CA System Certificate Profiles
    
    Expand section "16.1.1. Configuring non-CA System Certificate Profiles" Collapse section "16.1.1. Configuring non-CA System Certificate Profiles"
    
    16.1.1.1. Profile Configuration Parameters
    
    16.1.1.2. Modifying Certificate Extensions Directly on the File System
    
    Expand section "16.1.1.2. Modifying Certificate Extensions Directly on the File System" Collapse section "16.1.1.2. Modifying Certificate Extensions Directly on the File System"
    
    16.1.1.2.1. Key Usage and Extended Key Usage Consistency
    
    16.1.1.2.2. Configuring Cross-Pair Profiles
    
    16.1.1.3. Adding Profile Inputs Directly on the File System
    
    16.1.2. Changing the Default Validity Time of Certificates
    
    16.1.3. Configuring CA System Certificate Profiles
    
    16.1.4. Managing Smart Card CA Profiles
    
    Expand section "16.1.4. Managing Smart Card CA Profiles" Collapse section "16.1.4. Managing Smart Card CA Profiles"
    
    16.1.4.1. Editing Enrollment Profiles for the TPS
    
    16.1.4.2. Creating Custom TPS Profiles
    
    16.1.4.3. Using the Windows Smart Card Logon Profile
    
    16.1.5. Disabling Certificate Enrolment Profiles
4. 17. Configuring the Key Recovery Authority
  Expand section "17. Configuring the Key Recovery Authority" Collapse section "17. Configuring the Key Recovery Authority"
  1. 17.1. Manually Setting up Key Archival
  2. 17.2. Encryption Of KRA Operations
    
    Expand section "17.2. Encryption Of KRA Operations" Collapse section "17.2. Encryption Of KRA Operations"
    
    17.2.1. How Clients Manage Key Operation Encryption
    
    17.2.2. Configuring the Encryption Algorithm in the KRA
    
    Expand section "17.2.2. Configuring the Encryption Algorithm in the KRA" Collapse section "17.2.2. Configuring the Encryption Algorithm in the KRA"
    
    17.2.2.1. Explanation of Parameters and their Values
    
    17.2.2.2. Solving Limitations of HSMs When Using AES Encryption in KRAs
  3. 17.3. Setting up Agent-Approved Key Recovery Schemes
    
    Expand section "17.3. Setting up Agent-Approved Key Recovery Schemes" Collapse section "17.3. Setting up Agent-Approved Key Recovery Schemes"
    
    17.3.1. Configuring Agent-Approved Key Recovery in the Command Line
    
    17.3.2. Customizing the Key Recovery Form
    
    17.3.3. Rewrapping Keys in a New Private Storage Key
    
    Expand section "17.3.3. Rewrapping Keys in a New Private Storage Key" Collapse section "17.3.3. Rewrapping Keys in a New Private Storage Key"
    
    17.3.3.1. About KRATool
    
    17.3.3.2. Rewrapping and Merging Keys from One or More KRAs into a Single KRA
    
    17.3.4. Updating CA-KRA Connector Information After Cloning
5. 18. Configuring Logs
  Expand section "18. Configuring Logs" Collapse section "18. Configuring Logs"
  1. 18.1. Certificate System Log Settings
    
    Expand section "18.1. Certificate System Log Settings" Collapse section "18.1. Certificate System Log Settings"
    
    18.1.1. Services That Are Logged
    
    18.1.2. Log Levels (Message Categories)
    
    18.1.3. Buffered and Unbuffered Logging
    
    18.1.4. Log File Rotation
  2. 18.2. Operating System (external to RHCS) Log Settings
    
    Expand section "18.2. Operating System (external to RHCS) Log Settings" Collapse section "18.2. Operating System (external to RHCS) Log Settings"
    
    18.2.1. Enabling OS-level Audit Logs
    
    Expand section "18.2.1. Enabling OS-level Audit Logs" Collapse section "18.2.1. Enabling OS-level Audit Logs"
    
    18.2.1.1. Auditing Certificate System Audit Log Deletion
    
    18.2.1.2. Auditing Unauthorized Certificate System Use of Secret Keys
    
    18.2.1.3. Auditing Time Change Events
    
    18.2.1.4. Auditing Access to Certificate System Configuration
  3. 18.3. Configuring Logs in the CS.cfg File
    
    Expand section "18.3. Configuring Logs in the CS.cfg File" Collapse section "18.3. Configuring Logs in the CS.cfg File"
    
    18.3.1. Enabling and Configuring Signed Audit Log
    
    Expand section "18.3.1. Enabling and Configuring Signed Audit Log" Collapse section "18.3.1. Enabling and Configuring Signed Audit Log"
    
    18.3.1.1. Enabling Signed Audit Logging
    
    18.3.1.2. Configuring Audit Events
    
    Expand section "18.3.1.2. Configuring Audit Events" Collapse section "18.3.1.2. Configuring Audit Events"
    
    18.3.1.2.1. Enabling and Disabling Audit Events
    
    18.3.1.2.2. Filtering Audit Events
    
    18.3.2. Configuring Self-Tests
    
    Expand section "18.3.2. Configuring Self-Tests" Collapse section "18.3.2. Configuring Self-Tests"
    
    18.3.2.1. Default Self-Tests at Startup
    
    18.3.2.2. Modifying Self-Test Configuration
    
    18.3.3. Additional Configuration for Debug Log
    
    Expand section "18.3.3. Additional Configuration for Debug Log" Collapse section "18.3.3. Additional Configuration for Debug Log"
    
    18.3.3.1. Enabling and Disabling Debug Logging
    
    18.3.3.2. Setting up Rotation of Debug Log Files
  4. 18.4. Audit Retention
    
    Expand section "18.4. Audit Retention" Collapse section "18.4. Audit Retention"
    
    18.4.1. Location of Audit Data
    
    Expand section "18.4.1. Location of Audit Data" Collapse section "18.4.1. Location of Audit Data"
    
    18.4.1.1. Location of Audit Logs
    
    18.4.1.2. Location of Certificate Requests and Certificate Records
6. 19. Creating a Role User
  Expand section "19. Creating a Role User" Collapse section "19. Creating a Role User"
  1. 19.1. Creating a PKI Administrative User on the Operating System
  2. 19.2. Creating a PKI Role User in Certificate System
7. 20. Deleting the Bootstrap User
  Expand section "20. Deleting the Bootstrap User" Collapse section "20. Deleting the Bootstrap User"
  1. 20.1. Disabling Multi-roles Support
IV. Upgrading to Certificate System 10.x
Expand section "IV. Upgrading to Certificate System 10.x" Collapse section "IV. Upgrading to Certificate System 10.x"
1. 21. Upgrading from Certificate System 9 to Certificate System 10
  Expand section "21. Upgrading from Certificate System 9 to Certificate System 10" Collapse section "21. Upgrading from Certificate System 9 to Certificate System 10"
  1. 21.1. Migrating a CA Using the Existing CA Files
    
    Expand section "21.1. Migrating a CA Using the Existing CA Files" Collapse section "21.1. Migrating a CA Using the Existing CA Files"
    
    21.1.1. Exporting Data from the Previous System
    
    21.1.2. Setting up the CA on the New Host
    
    21.1.3. Importing the Data into the New CA
    
    21.1.4. Reassigning Users to Default Groups
  2. 21.2. Using Leapp to Perform an In-place Upgrade
    
    Expand section "21.2. Using Leapp to Perform an In-place Upgrade" Collapse section "21.2. Using Leapp to Perform an In-place Upgrade"
    
    21.2.1. Preparing the System for the Upgrade
    
    21.2.2. Performing the Leapp Upgrade
2. 22. Upgrading Certificate System 10 to the latest minor version
V. Uninstalling Certificate System Subsystems
Expand section "V. Uninstalling Certificate System Subsystems" Collapse section "V. Uninstalling Certificate System Subsystems"
1. 23. Removing a Subsystem
2. 24. Removing Certificate System Subsystem Packages
Glossary
Index
A. Revision History
Legal Notice

Chapter 21. Upgrading from Certificate System 9 to Certificate System 10

Red Hat Certificate System supports two ways to upgrade from RHCS 9 on RHEL 7 to RHCS 10 on RHEL 8:

Migrating a CA using the existing certificate files. See Section 21.1, “Migrating a CA Using the Existing CA Files”
Using Leapp to perform an in-place upgrade. This method is not recommended to FIPS customers. See Section 21.2, “Using Leapp to Perform an In-place Upgrade”

21.1. Migrating a CA Using the Existing CA Files

A Certificate System migration using the existing certificate files requires the following steps:

Important

In case a HSM is in use, if the signing certificate has been renewed and reissued using the same keys, multiple certificates could exist in the HSM with the same nickname. This could cause pkispawn to fail to retrieve the correct certificate and prevent a successful migration. Therefore, before you start the migration, make sure you delete any old, duplicate certificate entries in the HSM.

21.1.1. Exporting Data from the Previous System

Before you set up the new Certificate System instance, export the data of the current certificate authority (CA) using the certutil tool.

Use the following procedure to export the CRT and CSR from the old CA:

Generate the CRT:

# certutil -L -d /var/lib/instance_name/alias/ -n "caSigningCert cert-instance_name" -a > ca_signing.crt

Generate the CSR:

	# echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
	# sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/instance_name/conf/CS.cfg >> ca_signing.csr
	# echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr

If the old CA is an intermediate CA (with a single root CA in the chain), extract the root CA from the NSS database:
```
# certutil -L -d /var/lib/pki/instance_name/alias/ -n "root_CA_nickname" -a > ca_rootca_signing.crt
```
Use the following procedure to back up the database:
1. Find the name of the CA database by checking the value of internaldb.database in the CA's CS.cfg:
```
# grep internaldb.database /etc/pki/instance_name/ca/CS.cfg \
	internaldb.database=CS_database_name
```
2. Export this database to a .ldif file using the instance-specific script generated by setup-ds.pl when the instance was created:
```
# cd /usr/lib64/dirsrv/instance_name
```
```
# ./db2ldif -n "CS_database_name" -a /tmp/old_ca.ldif
```
  Note
  The db2ldif command runs as the DB user, so it needs a destination folder where it has writing permissions.
Transfer the exported files (ca_signing.crt, ca_signing.csr, old_ca.ldif, and ca_rootca_signing.crt if this is an intermediate CA) to the RHEL 8 machine that will host the new CA instance.

21.1.2. Setting up the CA on the New Host

Once you have exported the data from the existing instance in Section 21.1.1, “Exporting Data from the Previous System”, set up the certificate authority (CA) on the new host:

Create a configuration file for pkispawn, for example CA.cfg, using the parameters of the old CA. For more information on the pkispawn parameters, see see Table 21.1, “pkispawn Parameter Descriptions” that follows this procedure.

[DEFAULT]
	pki_instance_name=new_instance_name
	pki_admin_password=caadmin_password
	pki_client_pkcs12_password=pkcs12_file_password
	pki_ds_password=DS_password
	pki_ds_ldap_port=389
	pki_hsm_enable=True
	pki_hsm_libfile=path_to_HSM_library
	pki_hsm_modulename=HSM_module_name
	pki_token_name=HSM_token_name
	pki_token_password=HSM_token_password
	pki_existing=True

	[CA]
	pki_ca_signing_csr_path=path/to/ca_signing.csr
	pki_ca_signing_cert_path=path/to/ca_signing.crt
	pki_ca_signing_nickname=caSigningCert cert-nickname
	pki_ca_signing_token=HSM_token_name
	pki_ds_base_dn=o=pki-tomcat-CA
	pki_ds_database=instance_name-CA
	pki_serial_number_range_start=4e
	pki_request_number_range_start=30
	pki_master_crl_enable=False
	pki_cert_chain_path=rootca_signing.crt
	pki_cert_chain_nickname=caSigningCert cert-pki-ca

Run pkispawn on the new host to create the new CA instance:
```
# pkispawn -s CA -f ca.cfg -vv
```

Table 21.1. pkispawn Parameter Descriptions

Parameters and Settings	Description
`pki_instance_name`	If you do not give a different name to the new instance, then you need to make sure to define the nicknames for all the system certificates so that there are no conflicts in the HSM with the old system certificates. In practice, you will probably want to define all the nicknames in any case. The CA signing cert nickname should be the same as the old CA.
`pki_hsm_`* and `pki_token_`*	These parameters enable communication with the HSM.
`pki_existing=True`	Sets to use the existing CA mechanism.
`pki_ca_signing_nickname`	The CA signing nickname must be exactly the same as used in the previous installation, otherwise the installer cannot find the signing key.
`pki_ca_signing_`*	Sets the paths to the certificate signing request (CSR) and the certificate files copied from the existing machine.
`pki_ds_base_dn`	Sets the Directory Server base distinguished name (DN). The value must be the same as on the previous CA, so that you can easily import the old data. You can find this value on the previous host in the `internaldb.basedn` parameter in the `/var/lib/instance_name/conf/CS.cfg` file of the old CA.
`pki_serial_number_range_start`	The serial number is critical. The value must be higher than the last number used in the previous CA. To display which numbers are already used, see the old CA's agent interface. This parameter is set in hex format without the leading `0x` prefix. The value used in the examples (`4e`) is `78` in decimal.
`pki_request_number_range_start`	The request number is critical. The value must be higher than the last number used in the previous CA. To display which numbers are already used, see the old CA's agent interface. The value is set in decimal format.
`pki_master_crl_enable=False`	Prevents the initial creation and publishing of a certificate revocation list (CRL) during the setup. Instead, the CRL will be imported from the old data during the database migration.
`pki_cert_chain_path` and `pki_cert_chain_nickname`	Set these parameters only if the old CA is an intermediate CA. In this case, set the parameters to the path to the root CA certificate file and the nickname to use when storing the certificate in the network security services (NSS) database.

For further details and parameter descriptions, see the pkispawn(8) man page.

21.1.3. Importing the Data into the New CA

After you have created the new CA instance in Section 21.1.2, “Setting up the CA on the New Host”, import the data into the new CA database:

When migrating from a previous version, it can be necessary to manually clean up the LDAP data interchange format (LDIF) file created in Section 21.1.1, “Exporting Data from the Previous System”. Syntax checking is now enabled by default, therefore old data may include entries which would be invalid in new databases. For example:
- You must set values of boolean attributes either to TRUE or FALSE (all capitalized).
  Important
  Do not automatically update all occurrences to uppercase by using a search and replace utility. Some attributes in the LDIF file contain these strings, but are not using the boolean type. Updating these attributes' values can cause the import to fail. Typically, boolean attributes are only used in the cn=CAList,ou=Security Domain,CS_instance_name security domain database entries.
- The syntax validation does not allow empty strings. The solution is simply to remove the line corresponding to that attribute.
  Empty strings often appear in userType and userState attributes in cmsUser entries in ou=People,CS_instance_name.
During the import, other entries may fail the syntax check as well. It is therefore important to verify the log file after the operation. Optionally, you can import the LDIF file into a temporary, empty database to find out which entries failed to be imported; or do a test import into an empty database beforehand.

Shut down the CA service:

# systemctl stop pki-tomcatd@instance_name.service

Optionally, back up the CA database on the new host:
```
# db2bak
```
The backup is stored in the /var/lib/dirsrv/instance_name/bak/host_name-time_stamp/ directory.
Run the ldapdeletecommand to remove the certificate entry for the signing certificate from the new RHEL 8 internal database, using the serial number of the imported signing certificate. Removing the entry from the new database ensures that this entry will be imported from the old data, so that the CRL attributes in that entry will point to the correct entries.
```
# ldapdelete -x -w password -D 'cn=Directory Manager' "cn={serial_number},ou=certificateRepository,ou=ca,o=pki-tomcat-CA"
```
Import the data into the new database, using the ldapmodify utility. For example:
```
# ldapmodify -x -W password -D 'cn=Directory Manager' -a -c -f path/to/old_ca.ldif
```
The ldapmodify utility only adds new entries and does not update existing entries, created when you installed the CA. For example:
- Top level entries. For example: o=pki-tomcat-CA.
- Default groups. For example: cn=Certificate Manager Agents,ou=groups,o=pki-tomcat-CA.
  Because the standard groups are not updated, the users are not automatically added to these groups. After the import, you must add members to each default group manually. See Section 21.1.4, “Reassigning Users to Default Groups”.
- Default access control lists (ACL) for the CA.
- Signing certificate: this entry was created as part of importing the old signing certificate and key.
As mentioned earlier, certain entries may fail syntax validation. Verify the output in the import.log file and search for failed actions, such as ldap_add: Invalid syntax (21). For further details, see Step 1.

Remove the directory entry for the old security domain. For example:

# ldapmodify -W password-x -D "cn=Directory Manager"
		dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
		changetype: delete

Enable the ca.crl.MasterCRL.enable parameter in the /etc/pki/instance_name/ca/CS.cfg file, to have the CA act as the certificate revocation list (CRL) master:
```
ca.crl.MasterCRL.enable=true
```

Restart the CA service:

# systemctl start pki-tomcat@instance_name

21.1.4. Reassigning Users to Default Groups

As mentioned in Section 21.1.3, “Importing the Data into the New CA”, members of the default groups are not restored during the data import.

Add members to the default groups manually, using the ldapmodify utility or the pki utility. For example:

Set up the client:

# pki -c password client-init
	------------------
	Client initialized
	------------------
	# pk12util -i ~/.dogtag/instance_name/ca_admin_cert.p12 -d ~/.dogtag/nssdb/
	Enter Password or Pin for "NSS Certificate DB":
	Enter password for PKCS12 file:
	pk12util: PKCS12 IMPORT SUCCESSFUL

Add the user account to the Certificate Manager Agents, Administrators, and Security Domain Administrators groups:

# pki -n "PKI Administrator for example.com" -c password \
	     user-membership-add user_name "Certificate Manager Agents"

	# pki -n "PKI Administrator for example.com" -c password \
	     user-membership-add user "Administrators"

	# pki -n "PKI Administrator for example.com" -c password \
	     user-membership-add user "Security Domain Administrators"

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Chapter 21. Upgrading from Certificate System 9 to Certificate System 10

21.1. Migrating a CA Using the Existing CA Files

21.1.1. Exporting Data from the Previous System

21.1.2. Setting up the CA on the New Host

21.1.3. Importing the Data into the New CA

21.1.4. Reassigning Users to Default Groups