16.3. Setting up Agent-Approved Key Recovery Schemes

Key recovery agents collectively authorize and retrieve private encryption keys and associated certificates in a PKCS #12 package. To authorize key recovery, the required number of recovery agents access the KRA agent services page and use the Authorize Recovery area to enter each authorization separately.
One of the agents initiates the key recovery process. For a synchronous recovery, each approving agent uses the reference number (which was returned with the initial request) to open the request and then authorizes key recovery separately. For an asynchronous recovery, the approving agents all search for the key recovery request and then authorize the key recovery. Either way, when all of the authorizations are entered, the KRA checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
The key recovery agent scheme configures the KRA to recognize to which group the key recovery agents belong and specifies how many of these agents are required to authorize a key recovery request before the archived key is restored.

16.3.1. Configuring Agent-Approved Key Recovery in the Command Line

To set up agent-initiated key recovery, edit two parameters in the KRA configuration:
  • Set the number of recovery managers to require to approve a recovery.
  • Set the group to which these users must belong.
These parameters are set in the KRA's CS.cfg configuration file.
  1. Stop the server before editing the configuration file.
    systemctl stop pki-tomcatd@instance_name.service
    systemctl stop pki-tomcatd-nuxwdog@instance_name.service (if using nuxwdog watchdog)
  2. Open the KRA's CS.cfg file.
    vim /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
  3. Edit the two recovery scheme parameters.
    kra.recoveryAgentGroup=Key Recovery Authority Agents
  4. Restart the server.
    systemctl start pki-tomcatd@instance_name.service
    systemctl start pki-tomcatd-nuxwdog@instance_name.service


For more information on how to configure agent-approved key recovery in the console, see the see the Configuring Agent-Approved Key Recovery in the Console section in the Red Hat Certificate System Administration Guide.

16.3.2. Customizing the Key Recovery Form

The default key agent scheme requires a single agent from the Key Recovery Authority Agents group to be in charge of authorizing key recovery.
It is also possible to customize the appearance of the key recovery form. Key recovery agents need an appropriate page to initiate the key recovery process. By default, the KRA's agent services page includes the appropriate HTML form to allow key recovery agents to initiate key recovery, authorize key recovery requests, and retrieve the encryption keys. This form is located in the /var/lib/pki/pki-tomcat/kra/webapps/kra/agent/kra/ directory, called confirmRecover.html.


If the key recovery confirmation form is customized, do not to delete any of the information for generating the response. This is vital to the functioning of the form. Restrict any changes to the content in and appearance of the form.

16.3.3. Rewrapping Keys in a New Private Storage Key

Some private keys (mainly in older deployments) were wrapped in SHA-1, 1024-bit storage keys when they were archived in the KRA. These algorithms have become less secure as processor speeds improve and algorithms have been broken. As a security measure, it is possible to rewrap the private keys in a new, stronger storage key (SHA-256, 2048-bit keys). About KRATool

Rewrapping and moving keys and key enrollment and recovery requests is done using the KRATool utility (known in previous versions of Red Hat Certificate System as DRMTool).
The KRATool performs two operations: it can rewrap keys with a new private key, and it can renumber attributes in the LDIF file entries for key records, including enrollment and recovery requests. At least one operation (rewrap or renumber) must be performed and both can be performed in a single invocation.
For rewrapping keys, the tool accesses the key entries in an exported LDIF file for the original KRA, unwraps the keys using the original KRA storage key, and then rewraps the keys in the new KRA's stronger storage key.

Example 16.1. Rewrapping Keys

KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-tomcat KRA" -target_storage_certificate_file "/tmp/files/omega.cert"
When multiple KRA instances are being merged into a single instance, it is important to make sure that no key or request records have conflicting CNs, DNs, serial numbers, or request ID numbers. These values can be processed to append a new, larger number to the existing values.

Example 16.2. Renumbering Keys

KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -append_id_offset 100000000000 -source_kra_naming_context "pki-tomcat-KRA" -target_kra_naming_context "pki-tomcat-2-KRA" -process_requests_and_key_records_only
The KRATool options and its configuration file are discussed in more detail in the KRATool(1) man page. Rewrapping and Merging Keys from One or More KRAs into a Single KRA

This procedure rewraps the keys stored in one or more Certificate System KRA (for example, pki-tomcat on sourcekra.example.com) and stores them into another Certificate System KRA (for example, pki-tomcat-2 on targetkra.example.com). This is not the only use case; the tool can be run on the same instance as both the source and target, to rewrap existing keys, or it can be used simply to copy keys from multiple KRA instances into a single instance without rewrapping the keys at all.


The storage key size and type in the pki-tomcat-2 KRA must be set to 2048-bit and RSA.
  1. Log in to targetkra.example.com.
  2. Stop the pki-tomcat-2 KRA.
    [root@targetkra ~]# systemctl stop pki-tomcatd@pki-tomcat-2.service
  3. Create a data directory to store the key data that will be imported from the pki-tomcat KRA instance residing on sourcekra.example.com.
    [root@targetkra ~]# mkdir -p /export/pki
  4. Export the public storage certificate for the pki-tomcat-2 KRA to a flat file in the new data directory.
    [root@targetkra ~]# certutil -L -d /var/lib/pki/pki-tomcat-2/alias -n "storageCert cert-pki-tomcat-2 KRA" -a > /export/pki/targetKRA.cert
  5. Stop the Directory Server instance for the pki-tomcat-2 KRA, if it is on the same machine.
    [root@newkra ~]# systemctl stop dirsrv.target
  6. Export the configuration information for the pki-tomcat-2 KRA.
    [root@targetkra ~]# grep nsslapd-localuser /etc/dirsrv/slapd-instanceName/dse.ldif
      nsslapd-localuser: dirsrv
      [root@targetkra ~]# chown dirsrv:dirsrv /export/pki
      [root@targetkra ~]# /usr/lib64/dirsrv/slapd-instanceName/db2ldif -n pki-tomcat-2-KRA -a /export/pki/pki-tomcat-2.ldif


    Make sure that the LDIF file contains a single blank line at the end.
  7. Log in to sourcekra.example.com.
  8. Stop the pki-tomcat KRA.
    [root@sourcekra ~]# systemctl stop pki-tomcatd@pki-tomcat.service
  9. Create a data directory to store the key data that will be exported to the pki-tomcat-2 KRA instance residing on targetkra.example.com.
    [root@sourcekra ~]# mkdir -p /export/pki
  10. Stop the Directory Server instance for the pki-tomcat KRA, if it is on the same machine.
    [root@sourcekra ~]# systemctl stop dirsrv.target
  11. Export the configuration information for the pki-tomcat KRA.
    [root@sourcekra ~]# grep nsslapd-localuser /etc/dirsrv/slapd-instanceName/dse.ldif
      nsslapd-localuser: dirsrv
      [root@sourcekra ~]# chown dirsrv:dirsrv /export/pki
      [root@sourcekra ~]# /usr/lib64/dirsrv/slapd-instanceName/db2ldif -n pki-tomcat-KRA -a /export/pki/pki-tomcat.ldif


    Make sure that the LDIF file contains a single blank line at the end.
  12. Copy the pki-tomcat KRA NSS security databases to this directory.
    [root@sourcekra ~]# cp -p /var/lib/pki/pki-tomcat/alias/cert8.db /export/pki
      [root@sourcekra ~]# cp -p /var/lib/pki/pki-tomcat/alias/key3.db /export/pki
      [root@sourcekra ~]# cp -p /var/lib/pki/pki-tomcat/alias/secmod.db /export/pki
  13. Copy the file with the public storage key from the pki-tomcat-2 KRA machine to this machine. For example:
    [root@sourcekra ~]# cd /export/pki
      [root@sourcekra ~]# sftp root@targetkra.example.com
      sftp> cd /export/pki
      sftp> get targetKRA.cert
      sftp> quit
  14. If necessary, edit the default KRATool.cfg file to use with the tool. The default file can also be used without changes.
  15. Run the KRATool; all of these parameters should be on a single line:
    [root@sourcekra ~]# KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg"
              -source_ldif_file /export/pki/pki-tomcat.ldif
              -target_ldif_file /export/pki/source2targetKRA.ldif
              -log_file /export/pki/kratool.log
              -source_pki_security_database_path /export/pki
              -source_storage_token_name 'Internal Key Storage Token'
              -source_storage_certificate_nickname 'storageCert cert-pki-tomcat KRA'
              -target_storage_certificate_file /export/pki/targetKRA.cert
              -append_id_offset 100000000000
              -source_kra_naming_context "pki-tomcat-KRA"
              -target_kra_naming_context "pki-tomcat-2-KRA"


    The command may prompt for the password to the token stored in the pki-tomcat KRA NSS security databases.
    When it is done, the command creates the file specified in the -target_ldif_file parameter, source2targetKRA.ldif.
  16. Copy this LDIF file over to the pki-tomcat-2 KRA machine. For example:
    [root@sourcekra ~]# scp /export/pki/source2targetKRA.ldif root@targetkra.example.com:/export/pki


    Make sure that the LDIF file contains a single blank line at the end.
  17. If multiple KRA instances are being merged, their data can be merged into a single import operation. Simply perform the same procedure for every KRA, which will be merged.


    Make sure to specify unique values for the -target_ldif_file parameter to create separate LDIF files, and to specify unique -append_id_offset values so that there are no conflicts when the LDIF files are concatenated.
  18. On the pki-tomcat-2 KRA machine, import the LDIF file(s) with the other key data by concatenating the pki-tomcat-2 KRA configuration LDIF file and every exported LDIF file for the other KRA instances. For example:
    [root@targetkra ~]# cd /export/pki
      [root@targetkra ~]# cat pki-tomcat-2.ldif source2targetKRA.ldif > combined.ldif
  19. Import this combined LDIF file into the Directory Server database for the pki-tomcat-2 KRA instance.
    [root@targetkra ~]# /usr/lib64/dirsrv/slapd-instanceName/ldif2db -n pki-tomcat-2-KRA -i /export/pki/combined.ldif
  20. Start the Directory Server instance for the pki-tomcat-2 KRA.
    [root@targetkra ~]# systemctl start dirsrv.target
  21. Start the pki-tomcat-2 KRA.
    [root@targetkra ~]# systemctl start pki-tomcatd@pki-tomcat-2.service

16.3.4. Updating CA-KRA Connector Information After Cloning

For more information on updating CA-KRA information after cloning, see Section 16.3.4, “Updating CA-KRA Connector Information After Cloning”.