7.7. Setting up Subsystems with an External CA

7.7.1. The Difference Between an Internal and External CA

In Red Hat Certificate System, when the pkispawn utility sends subsystem Certificate Signing Requests (CSR) to a previously installed Certificate System, and the resulting issued certificates are received and used by pkispawn, the CA the CSRs were sent to is called an Internal CA.
An External CA, by contrast, can be one of the following:
  • A non-Red Hat Certificate System CA that issues the signing certificate for a Certificate System subordinate CA.
  • A previously installed Red Hat Certificate System CA that does not allow direct submission of CSRs. For example, this is the case if your environment requires CSRs from a subordinate CA, KRA, OCSP, TKS, or TPS to be in other formats than PKCS #10.

7.7.2. Installing a Subsystem with an External CA

This section describes how to set up a subordinate CA or other subsystems whose certificate will be signed by an external CA.

Preparing the Configuration File for the External CA Installation

Prepare the configuration file depending on whether you want your subsystem to be integrated into Certificate System or standalone:
  • If you install a subsystem which is integrated into an existing Certificate System installation but which uses a certificate signed by an external CA:
    1. Add the following settings to your configuration file:
      • For a CA installation:
        pki_external=True
        pki_external_step_two=False
        
        pki_storage_csr_path=/home/user_name/kra_storage.csr
        pki_transport_csr_path=/home/user_name/kra_transport.csr
        pki_subsystem_csr_path=/home/user_name/subsystem.csr
        pki_sslserver_csr_path=/home/user_name/sslserver.csr
        pki_audit_signing_csr_path=/home/user_name/kra_audit_signing.csr
        pki_admin_csr_path=/home/user_name/kra_admin.csr
      • For a KRA installation:
        pki_external=True
        pki_external_step_two=False
        
        pki_storage_csr_path=/home/user_name/kra_storage.csr
        pki_transport_csr_path=/home/user_name/kra_transport.csr
        pki_subsystem_csr_path=/home/user_name/subsystem.csr
        pki_sslserver_csr_path=/home/user_name/sslserver.csr
        pki_audit_signing_csr_path=/home/user_name/kra_audit_signing.csr
        pki_admin_csr_path=/home/user_name/kra_admin.csr
      • For an OCSP installation:
        pki_external=True
        pki_external_step_two=False
        
        pki_ocsp_signing_csr_path=/home/user_name/ocsp_signing.csr
        pki_subsystem_csr_path=/home/user_name/subsystem.csr
        pki_sslserver_csr_path=/home/user_name/sslserver.csr
        pki_audit_signing_csr_path=/home/user_name/ocsp_audit_signing.csr
        pki_admin_csr_path=/home/user_name/ocsp_admin.csr
  • If you install a standalone KRA or OCSP, which is not integrated into an existing Certificate System installation, execute the steps described in Section 7.8, “Setting up a Standalone KRA or OCSP”.

Starting the Installation of a Subsystem with an External CA

To start the installation with the configuration file:
  1. Use the pkispawn utility to start the installation:
    # pkispawn -f /root/config.txt -s subsystem
    Replace subsystem with the subsystem you want to install: CA, KRA, or OCSP.
    During this step, the setup stores the CSRs in the files specified in the configuration.
  2. Submit the CSRs to the external CA. Proceed after the CA has issued the corresponding certificates.
    In certain environments, if the external CA is also a Certificate System instance, the CSR in PKCS#10 format needs to be converted into CMC format before being submitted to the CA. See the Issuing Certificates Using CMC section in the Red Hat Certificate System Administration Guide for details about issuing the certificates.
  3. Optionally, customize the installation. For details, see Section 7.6.5, “Customizing the Configuration Between the Installation Steps”.
  4. After the external CA has issued the certificates, edit the deployment configuration file:
    1. Set the pki_external_step_two to True:
      pki_external_step_two=True
    2. Add the following parameters, based on the subsystem you are installing:
      • For a CA, set the path to the certificate file. For example:
        pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
        If the specified file does not contain the certificate including the certificate chain, additionally specify the path to the certificate chain file and its nickname. For example:
        pki_cert_chain_path=/home/user_name/cert_chain.p7b
        pki_cert_chain_nickname=CA Signing Certificate
      • For a KRA, set the paths to the certificate files. For example:
        pki_storage_cert_path=/home/user_name/kra_storage.crt
        pki_transport_cert_path=/home/user_name/kra_transport.crt
        pki_subsystem_cert_path=/home/user_name/subsystem.crt
        pki_sslserver_cert_path=/home/user_namesslserver.crt
        pki_audit_signing_cert_path=/home/user_name/kra_audit_signing.crt
        pki_admin_cert_path=/home/user_name/kra_admin.crt
        If the specified files do not contain the certificate including the certificate chain, additionally specify the paths to the signing certificate file and the certificate chain file together with their nicknames. For example:
        pki_ca_signing_nickname=CA Signing Certificate
        pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
        pki_cert_chain_nickname=External Certificate Chain
        pki_cert_chain_path=/home/user_name/cert_chain.p7b
      • For an OCSP, set the paths to the certificate files. For example:
        pki_ocsp_signing_cert_path=/home/user_name/ocsp_signing.crt
        pki_subsystem_cert_path=/home/user_name/subsystem.crt
        pki_sslserver_cert_path=/home/user_name/sslserver.crt
        pki_audit_signing_cert_path=/home/user_name/ocsp_audit_signing.crt
        pki_admin_cert_path=/home/user_name/ocsp_admin.crt
        If the specified files do not contain the certificate including the certificate chain, additionally specify the paths to the signing certificate file and the certificate chain file together with their nicknames. For example:
        pki_ca_signing_nickname=CA Signing Certificate
        pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
        pki_cert_chain_nickname=External Certificate Chain
        pki_cert_chain_path=/home/user_name/cert_chain.p7b
  5. Optionally, customize the configuration files. For examples, see Section 7.6.5, “Customizing the Configuration Between the Installation Steps”.
  6. Start the configuration step:
    # pkispawn -f /root/config.txt -s subsystem
    Replace subsystem with the subsystem you want to install: CA, KRA, or OCSP.