7.9. Setting up a Standalone KRA or OCSP
This section describes how to install a standalone KRA and OCSP. A standalone installation provides the flexibility to use a non-Certificate System CA to issue the certificates, because the CSRs generated during the installation are not automatically submitted to the CA and imported into the subsystem. Additionally, a KRA or an OCSP installed in standalone mode is not part of the CA's security domain, and the connector in the CA for key archival will not be configured.
To install a standalone KRA or OCSP:
- Create a configuration file, such as
/root/config.txt, with the following content:[DEFAULT] pki_admin_password=password pki_client_database_password=password pki_client_pkcs12_password=password pki_ds_password=password pki_token_password=password pki_client_database_purge=False pki_security_domain_name=EXAMPLE pki_standalone=True pki_external_step_two=False
- For a standalone KRA, add the following section to the configuration file:
[KRA] pki_admin_email=kraadmin@example.com pki_ds_base_dn=dc=kra,dc=example,dc=com pki_ds_database=kra pki_admin_nickname=kraadmin pki_audit_signing_nickname=kra_audit_signing pki_sslserver_nickname=sslserver pki_storage_nickname=kra_storage pki_subsystem_nickname=subsystem pki_transport_nickname=kra_transport pki_standalone=True
- For a standalone OCSP, add the following section to the configuration file:
[OCSP] pki_admin_email=ocspadmin@example.com pki_ds_base_dn=dc=ocsp,dc=example,dc=com pki_ds_database=ocsp pki_admin_nickname=ocspadmin pki_audit_signing_nickname=ocsp_audit_signing pki_ocsp_signing_nickname=ocsp_signing pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem pki_standalone=True
- To use an LDAPS connection to Directory Server running on the same host, add the following parameters to the
DEFAULTsection in the configuration file:pki_ds_secure_connection=True pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
Note
For security reasons, Red Hat recommends using an encrypted connection to Directory Server.If you use a self-signed certificate in Directory Server, use the following command to export it from the Directory Server's Network Security Services (NSS) database:# certutil -L -d /etc/dirsrv/slapd-instance_name/ \ -n "server-cert" -a -o /root/ds.crt - Proceed with the steps described in the section called “Starting the Installation of a Subsystem with an External CA”.
